From owner-freebsd-questions@freebsd.org Fri Jul 1 13:44:06 2016 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9DAD5B884C0 for ; Fri, 1 Jul 2016 13:44:06 +0000 (UTC) (envelope-from wam@hiwaay.net) Received: from fly.hiwaay.net (fly.hiwaay.net [216.180.54.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5F27B203D for ; Fri, 1 Jul 2016 13:44:06 +0000 (UTC) (envelope-from wam@hiwaay.net) Received: from kabini1.local (dynamic-216-186-209-65.knology.net [216.186.209.65] (may be forged)) (authenticated bits=0) by fly.hiwaay.net (8.13.8/8.13.8/fly) with ESMTP id u61Di36B024180 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for ; Fri, 1 Jul 2016 08:44:04 -0500 Subject: Re: ipfw question References: <20160701223303.S324@sola.nimnet.asn.au> Cc: freebsd-questions@freebsd.org From: "William A. Mahaffey III" Message-ID: <92b4920c-eafa-1677-ff5a-ccf7e28bcce5@hiwaay.net> Date: Fri, 1 Jul 2016 08:49:33 -0453.75 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101 Thunderbird/45.1.0 MIME-Version: 1.0 In-Reply-To: <20160701223303.S324@sola.nimnet.asn.au> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.22 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Jul 2016 13:44:06 -0000 On 07/01/16 08:30, Ian Smith wrote: > In freebsd-questions Digest, Vol 630, Issue 5, Message: 2 > On Thu, 30 Jun 2016 10:23:54 -0453.75 "William A. Mahaffey III" wrote: > > > I had an oddball occurence this A.M. I sat down to check E-mails & surf > > & found that I couldn't recover any E-mails. I poked around a bit & > > found some entries in /var/log/security indicating that traffic from my > > DNS server was being dropped by the firewall: > > > > > > [root@kabini1, ~, 10:04:03am] 587 % tail -20 /var/log/security ; date > [.. omitting unrelated entries ..] > > Jun 30 08:24:04 kabini1 kernel: ipfw: 65500 Deny UDP 209.244.0.3:53 192.168.0.27:46927 in via re0 > > Jun 30 08:25:30 kabini1 kernel: ipfw: 65500 Deny UDP 209.244.0.3:53 192.168.0.27:44681 in via re0 > > Jun 30 08:25:32 kabini1 kernel: ipfw: 65500 Deny UDP 209.244.0.3:53 192.168.0.27:29687 in via re0 > > Jun 30 08:27:20 kabini1 kernel: ipfw: 65500 Deny UDP 209.244.0.3:53 192.168.0.27:51623 in via re0 > > Jun 30 08:34:56 kabini1 kernel: ipfw: 65500 Deny UDP 209.244.0.3:53 192.168.0.27:46764 in via re0 > > Jun 30 08:34:57 kabini1 kernel: ipfw: 65500 Deny UDP 209.244.0.3:53 192.168.0.27:24172 in via re0 > > This usually indicates that responses from an upstream DNS server are > arriving after the keep-state rule that allowed your DNS request packet > out has since timed out, which usually indicates some perhaps temporary > problem with the link, the upstream server, or the phase of the moon. > > > 01400 allow udp from me to any keep-state > > Consult ipfw(8) about increasing dynamic rule timeouts, if it's a > regular occurrence. Usually your {mail,web,whatever} client will just > try again .. UDP is not expected to be reliable, by definition. > > > I haven't made any changes to my firewall setup in months, maybe a year > > or more (so long that I found I had forgotten what to do initially :-/ > > I see that it's based on rc.firewall 'workstation' rules, as reference. > Does rc.conf specify firewall_type="workstation" or have you copied that > to custom rules? At first glance it looks stock, but I'm not up for a > line by line comparison :) Absolutely correct, modified from box-stock workstation rules. From my rc.conf: [root@kabini1, /etc, 8:43:43am] 471 % grep -i firewall rc.conf firewall_enable="YES" firewall_type="workstation" firewall_quiet="NO" firewall_logdeny="YES" # firewall_nologports="111,137,138,513" firewall_nologports="111,137,138" firewall_allowservices="192.168.0.0/24" firewall_myservices="any" # firewall_myservices="nfs,111,513,550,lockd,quotad,ssh,ntp,timed,new-rwho" # firewall_myservices="nfs,lock,quota,ssh,ntp,timed,new-rwho" # firewall_myservices="nfsd,lockd,quota,ssh,ntp,timed,new-rwho" [root@kabini1, /etc, 8:46:53am] 472 % > > > ). I eventually recalled where to tweak & added a line to my rc.fiewwall > > file & restarted ipfw. It spit out all rules, including my new one, > > which implied that I hadn't botched the syntax. E-mail went back to > > working & all is well. However, I want to make sure I didn't open up > > more than I think I am. My rule list as echoed out from the restart is > > below: > > You may have opened up a lot more than you bargained for .. > > > [root@kabini1, /etc, 8:52:59am] 467 % service ipfw restart > > net.inet.ip.fw.enable: 1 -> 0 > > net.inet6.ip6.fw.enable: 1 -> 0 > > Flushed all rules. > > 00100 allow ip from any to any via lo0 > > 00200 deny ip from any to 127.0.0.0/8 > > 00300 deny ip from 127.0.0.0/8 to any > > 00400 deny ip from any to ::1 > > 00500 deny ip from ::1 to any > > 00600 allow ipv6-icmp from :: to ff02::/16 > > 00700 allow ipv6-icmp from fe80::/10 to fe80::/10 > > 00800 allow ipv6-icmp from fe80::/10 to ff02::/16 > > 00900 allow ipv6-icmp from any to any ip6 icmp6types 1 > > 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136 > > 01100 check-state > > 01200 allow tcp from me to any established > > 01300 allow tcp from me to any setup keep-state > > 01400 allow udp from me to any keep-state > > 01500 allow icmp from me to any keep-state > > 01600 allow ipv6-icmp from me to any keep-state > > 01700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out > > 01800 allow udp from any 67 to me dst-port 68 in > > 01900 allow udp from any 67 to 255.255.255.255 dst-port 68 in > > 02000 allow udp from fe80::/10 to me dst-port 546 in > > > 02100 allow udp from any 53 to me in # <-------- my new rule !!!! > > Don't do this! Anyone and his dog can send UDP packets to any UDP port > or service they like on your machine, by (trivially) forging the source > port as 53. Now you've outed this hole publically, best fix it soon .. Hmmmm .... OK, glad I asked :-/ .... > > Given you're using dynamic rules, the way it was is the correct way to > use external UDP services. > > > 02200 allow icmp from any to me icmptypes 8 > > 02300 allow ipv6-icmp from any to any ip6 icmp6types 128,129 > > 02400 allow icmp from any to me icmptypes 3,4,11,13 > > 02500 allow ipv6-icmp from any to any ip6 icmp6types 3 > > 02600 allow tcp from 192.168.0.0/24 to me > > 02700 allow udp from 192.168.0.0/24 to me > > 02800 allow udp from 192.168.0.0/24 513 to 192.168.0.0/24 dst-port 513 > > 02900 allow udp from 192.168.0.0/24 525 to 192.168.0.0/24 dst-port 525 > > 65000 count ip from any to any > > 65100 deny { tcp or udp } from any to any dst-port 111,137,138 in > > 65200 deny { tcp or udp } from 192.168.0.0/24 to me > > 65300 deny ip from any to 255.255.255.255 > > 65400 deny ip from any to 224.0.0.0/24 in > > 65500 deny udp from any to any dst-port 520 in > > 65500 deny tcp from any 80,443 to any dst-port 1024-65535 in > > 65500 deny log logamount 50000 ip from any to any > > Firewall rules loaded. > > [root@kabini1, /etc, 8:53:11am] 468 % > > > > > > with my new rule marked. I noticed that the dropped DNS packets were > > destined for oddball ports on my box, so I have no port specification in > > my rule. Am I just allowing DNS replies back in, or > > (humorously/tragically) more :-) ? This box is my daily driver > > workstation desktop, *NOT* a public server, so I want it locked down as > > much as possible. > > After removing that bogus rule, if you see more of this and increasing > timeouts somewhat doesn't help, try running tcpdump on port 53 to watch > what's happening .. you will see DNS requests from mail pickup, browsing > etc do use 'oddball' high ports; watch 'em go and responses come back .. 10-4, wilco. > > > [root@kabini1, /etc, 8:53:11am] 468 % uname -a > > FreeBSD kabini1.local 9.3-RELEASE-p33 FreeBSD 9.3-RELEASE-p33 #0: Wed > > Jan 13 17:55:39 UTC 2016 > > I'm still running 9.3 too. 6 months to go! > > cheers, Ian Yeah, too bad, I do like 9.3, feelin' like old leather by now :-/ .... -- William A. Mahaffey III ---------------------------------------------------------------------- "The M1 Garand is without doubt the finest implement of war ever devised by man." -- Gen. George S. Patton Jr.