Date: Thu, 14 Nov 2024 11:17:27 +0100
From: Ronald Klop <ronald@FreeBSD.org>
To: Dries Michiels <driesm@freebsd.org>, freebsd-ipfw@freebsd.org, freebsd-pf@freebsd.org, FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: IPFW statefull firewall ruleset - some sites or applications do not work as expected
Message-ID: <610cbd98-0e4c-474f-b352-9786fc9e6a70@FreeBSD.org>
In-Reply-To: <CACx_iREW_UKAHgwcq0xyTj=aHwC38ZHEovjqnihGUjfPnQO=sw@mail.gmail.com>
References: <CACx_iREW_UKAHgwcq0xyTj=aHwC38ZHEovjqnihGUjfPnQO=sw@mail.gmail.com>
On 02-11-2024 at 16:30, Dries Michiels wrote:
> Hello,
>
> So I have a very basic ruleset, as described in the FreeBSD handbook, see below. I have "blurred" my open ports as seen in the ruleset below.
> Igc0 is my WAN port and in the table "trusted_if" are like my LAN if and some bridges.
>
> 00001 reass ip from any to any in
> 00010 allow ip from any to any via table(trustedif)
> 00050 deny log ip from any to any not antispoof in
> 00100 nat 1 ip4 from any to any in recv igc0
> 00500 skipto 10000 tcp from any to any out xmit igc0 setup keep-state :default
> 00501 skipto 10000 udp from any to any out xmit igc0 keep-state :default
> 05000 allow tcp from any to me *some open ports* in recv igc0 setup keep-state :default
> 05001 allow udp from any to me *some open ports* in recv igc0 keep-state :default
> 09998 deny log tcp from any to any
> 09999 deny log udp from any to any
> 10000 nat 1 ip4 from any to any out xmit igc0
> 65535 allow ip from any to any
>
> Now comes the tricky part. There are some applications that don't work correctly with this ruleset.
> For example, itsme (Belgian application) to identify yourself with a lot of accounts, does not work.
> Recently my banking website also stopped working. So now I'm wondering how do I start to troubleshoot this issue?
> Are there any caveats with this ruleset when redirects are happening, for example? I'm also wondering if Belgian PF users have the same issue?
>
> I'm hopeful to get to the bottom of this as it's quite annoying needing to switch wifi channels to my ISP's router, which does work with these applications.
>
> Regards
> Dries
>

Hi,

It is a while ago that I built ipfw firewalls, but doesn't rule 10 match all internal (from LAN) traffic, preventing outgoing (to WAN) packets from getting to the nat rules?
I would suggest something like this:

00001 reass ip from any to any in
00050 deny log ip from any to any not antispoof in
00100 nat 1 ip4 from any to any via igc0
00300 check-state :default
00200 allow ip from any to any in table(trustedif) keep-state :default
05000 allow tcp from any to me *some open ports* in recv igc0 setup keep-state :default
05001 allow udp from any to me *some open ports* in recv igc0 keep-state :default
09999 deny log ip from any to any
65535 allow ip from any to any

Regards,
Ronald.
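The point Ronald raises about rule 10 can be checked with a small model of how ipfw matches interfaces: `via` tests both the receive and transmit interface, so an outbound packet that came in on a trusted LAN interface still matches `via table(trustedif)` on its way out igc0 and is allowed before any nat rule is reached. This is an added example, not code from the thread; `lan0` and `bridge0` as members of `table(trustedif)` are assumptions, and ports, protocols, antispoof and dynamic state are left out because the trace does not depend on them.

```python
# Added example, not from the thread: a minimal model of ipfw's in/out and
# recv/xmit/via matching, used to trace a LAN-to-WAN packet through the two
# rulesets. "lan0"/"bridge0" as members of table(trustedif) are assumptions.
TRUSTED = {"lan0", "bridge0"}  # constructed members of table(trustedif)

def iface_matches(rule, pkt):
    """recv is testable on both passes; xmit only on the outbound pass; via is either."""
    kind, ifaces = rule.get("iface", (None, None))
    if kind is None:
        return True
    recv_ok = pkt["recv"] in ifaces
    xmit_ok = pkt["dir"] == "out" and pkt["xmit"] in ifaces
    return {"recv": recv_ok, "xmit": xmit_ok, "via": recv_ok or xmit_ok}[kind]

def matches(rule, pkt):
    return rule.get("dir") in (None, pkt["dir"]) and iface_matches(rule, pkt)

def trace(rules, pkt):
    """Return (terminating action, rule number) for one pass of pkt through rules."""
    rules = sorted(rules, key=lambda r: r["num"])  # ipfw walks rules in number order
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
        elif r["action"] == "skipto":
            i = next((j for j, x in enumerate(rules) if x["num"] >= r["target"]), len(rules))
        elif r["action"] in ("allow", "deny", "nat"):  # nat ends the search with one_pass=1
            return r["action"], r["num"]
        else:  # reass, check-state: the search continues
            i += 1
    return "allow", 65535

# Dries's ruleset, reduced to the fields the model knows about (one skipto for both protocols).
ORIGINAL = [
    {"num": 1, "action": "reass", "dir": "in"},
    {"num": 10, "action": "allow", "iface": ("via", TRUSTED)},
    {"num": 100, "action": "nat", "dir": "in", "iface": ("recv", {"igc0"})},
    {"num": 500, "action": "skipto", "target": 10000, "dir": "out", "iface": ("xmit", {"igc0"})},
    {"num": 10000, "action": "nat", "dir": "out", "iface": ("xmit", {"igc0"})},
]
# Ronald's suggestion; "in table(trustedif)" is read here as in + recv.
SUGGESTED = [
    {"num": 1, "action": "reass", "dir": "in"},
    {"num": 100, "action": "nat", "iface": ("via", {"igc0"})},
    {"num": 200, "action": "allow", "dir": "in", "iface": ("recv", TRUSTED)},
    {"num": 9999, "action": "deny"},
]
# Constructed packet on its outbound pass: received on lan0, about to leave via igc0.
LAN_TO_WAN = {"dir": "out", "recv": "lan0", "xmit": "igc0"}
```

With the original rules the outbound pass ends at rule 10 and never reaches nat; with the suggested rules the same packet is caught by the `via igc0` nat rule at 100.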
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?610cbd98-0e4c-474f-b352-9786fc9e6a70>