From: Rakor
To: Thomás
Cc: freebsd-ipfw@freebsd.org
Subject: Re: How to use IPFW to filter routing
Date: Sun, 29 Jan 2017 18:52:58 +0100
Message-Id: <6B3C8792-2FEE-4FCE-952E-F13AF59E0927@rakor-net.de>
In-Reply-To: <20170129164035.GB10963@host>
References: <3C00AFCB-E2EF-4F89-8FBD-181C99DAC1FF@rakor-net.de> <20170129164035.GB10963@host>
List-Id: IPFW Technical Discussions

Hi and thanks for your reply!

> On 29.01.2017 at 17:40, Thomás wrote:
>
> Sat, Jan 28, 2017 at 01:58:01PM +0100, Rakor:
>> As far as I know a packet is scanned once by IPFW and then the first hit wins.
>> So, if I set the following, a packet coming from VLAN3 for port 80 is permitted to travel any way it wants, even to VLAN2. Putting another rule behind it that only allows it to travel out using igb2 is not checked, because the search terminated after the first hit.
>> ipfw add allow tcp from 10.10.30.0/24 to any 80 setup keep-state
>
> Have you tried something like this?
>
> ipfw add deny tcp from 10.10.30.0/24 to 10.10.10.0/24 setup keep-state
> ipfw add deny tcp from 10.10.30.0/24 to 10.10.20.0/24 setup keep-state
> ipfw add allow tcp from 10.10.30.0/24 to any 80 setup keep-state

This will work. But for any new subnet I'll have to remember to deny it for all the other subnets. I think this can become unhandy very soon.

>> If I try the following, the packets are all rejected. I think the inspection is done before the routing, so IPFW does not know it should be forwarded using igb2.
>> ipfw add allow tcp from 10.10.30.0/24 to any 80 out via igb2 setup keep-state
>
> IPFW can do routing table lookups as needed. Something else must be
> going on here. Log rules may be of help to debug and understand your
> ruleset.

I also tried it using recv and xmit rules. First I tried:

ipfw add allow tcp from 10.10.30.0/24 to any out recv igb0.30 xmit igb2 setup keep-state

It does not work. Later I tried this:

ipfw add allow tcp from 10.10.30.0/24 to any out xmit igb2 setup keep-state

Also not working. Every time it was caught by my default rule at the end:

00150 deny log logamount 5 ip from any to any

/var/log/security said:

150 Deny TCP 10.10.30.5:51145 82.193.243.115:80 in via igb0.30

So to me it looks like it does not know that the packet will be transmitted via igb2 at the moment it is inspected.

>> So I don't know how to filter packets that should be routed in an exact manner. Can you help me?
>
> There are plenty of ways to filter packets in that setup, the "exact"
> one depends on what you are trying to achieve.

OK.
So I'd like to have deny by default (as ipfw works). Then I'd like to say exactly which traffic is allowed. So in my mind I'll have no additional deny rules. I'd like to say from which interface to which interface the traffic is travelling, because this respects my VLANs. OK, because there is an IP attached to the devices, using the subnets would do it also (but I feel more comfortable seeing my interfaces, maybe it's stupid). So the rules I'd like to write say:

"allow tcp from VLAN3 to Internet using ports 80,443 coming from igb0.3 going to igb2 and deny all the rest."
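The following is an added example, not code from this thread or from FreeBSD: an rc.firewall-style generator for the router described above, written to show why the `out ... xmit igb2` rules never matched and how to express "to the Internet" without one deny rule per internal subnet. The log line in the message (`in via igb0.30`) shows the packet being dropped on the input pass, where ipfw knows only the receive interface; `xmit` is valid only on the output pass, which a packet denied on input never reaches. The allow rule is therefore written as an `in recv` rule with `keep-state`, and an early `check-state` lets the same packet's output pass and the replies through. Interface names (igb0.30, igb2), the 10.10.x.0/24 subnets, the table name `internal` and the FreeBSD 11 named-table syntax are assumptions. With no `FWCMD` set, the script only prints the `ipfw` commands, so it can be dry-run anywhere; on the router, run it with `FWCMD=/sbin/ipfw`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): rc.firewall-style
# ruleset generator for a router with VLAN3 on igb0.30 and uplink on igb2.
# Interface names, subnets and the table name "internal" are assumptions,
# as is FreeBSD 11 named-table syntax. FWCMD defaults to "echo ipfw" for a
# dry run; set FWCMD=/sbin/ipfw on the router to actually load the rules.

fwcmd="${FWCMD:-echo ipfw}"

lan_if="igb0.30"          # interface on which VLAN3 traffic is received
lan_net="10.10.30.0/24"

# Every internal prefix goes into one lookup table. Adding a VLAN later is
# one more entry here, not one more "deny ... to <subnet>" rule per VLAN.
internal_nets="10.10.10.0/24 10.10.20.0/24 10.10.30.0/24"

build_ruleset() {
    $fwcmd -f flush
    $fwcmd table internal create type addr 2>/dev/null || true
    $fwcmd table internal flush
    for net in $internal_nets; do
        $fwcmd table internal add "$net"
    done

    # Dynamic (keep-state) rules are consulted here for every packet, so
    # the output pass of an already-accepted packet and the replies from
    # the web server are allowed without any explicit "out xmit igb2" rule.
    $fwcmd add 100 check-state

    # A forwarded packet is inspected on the input pass first, where only
    # the receive interface is known ("xmit" may only be used with "out").
    # An "out ... xmit igb2" rule never sees the packet because the input
    # pass already ended at the default deny. So the allow rule is written
    # for the input pass, and "to not table(internal)" means "to the
    # Internet" without enumerating the other subnets.
    $fwcmd add 200 allow tcp from "$lan_net" to not "table(internal)" 80,443 \
        in recv "$lan_if" setup keep-state

    # Everything else is dropped and logged, as in the original ruleset.
    $fwcmd add 65000 deny log logamount 5 ip from any to any
}

build_ruleset
```

Once loaded, `ipfw -d show` lists the dynamic entries created by rule 200; a VLAN3 client opening port 80 on a VLAN2 host should instead appear in /var/log/security as a rule 65000 deny on `in via igb0.30`, because its destination is in the table.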