From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 16 07:07:57 2012
From: vip 71541
To: ipfw@freebsd.org
Date: Mon, 16 Jan 2012 08:36:31 +0200
Subject: Problem with passive ftp in IPFW!

Good morning, everybody. My name is Eugene. I know that this is not a new issue ... But there is a problem with how to competently / properly write the rules for passive FTP in ipfw on a gateway for my LAN. The gateway is running FreeBSD 8.2p6, with kernel NAT.

At the moment FTP goes out from the local network with these rules:

00159 0 0 skipto 65000 tcp from 192.168.10.0/24 to any dst-port 21,1024-65535 out xmit em0 keep-state
--
00211 skipto 65000 tcp from any 21,1024-65535 to ${wan_ip} in recv em0
--
65000 0 0 nat 90 ip from any to any via em0
---

Is there any analogue in ipfw of the RELATED state and the two modules nf_nat_ftp and nf_conntrack_ftp in iptables? I could not find any information on how to make ipfw open them intelligently. So that I would not have to open the ports above 1024 ... But somehow such a firewall is not very good; it leaks, and that is sort of not ...

The kernel is compiled with these options:

# *IPFW*
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE=100
options IPFIREWALL_FORWARD
options IPFIREWALL_NAT
options LIBALIAS
options IPDIVERT
options DUMMYNET
options HZ=1000

P.S. Are there plans to add such a state in the next version of FreeBSD?

Thank you for your attention. I will wait for your reply.

---

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 16 11:07:04 2012
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 16 Jan 2012 11:07:04 GMT
Message-Id: <201201161107.q0GB74ak057663@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/163873  ipfw  [ipfw] ipfw fwd does not work with 'via interface' in
o kern/158066  ipfw  [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw  [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw  [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw  [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw  [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw  [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw  IPFIREWALL does not allow specify rules with ICMP code
o kern/152113  ipfw  [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw  [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw  [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw  [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw  [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw  [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw  [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw  [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw  [ipfw] parser troubles
o kern/135476  ipfw  [ipfw] IPFW table breaks after adding a large number o
f kern/129036  ipfw  [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw  [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw  [ipfw] [patch] Feature request to add UID and/or GID l
o kern/122963  ipfw  [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw  [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw  [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw  [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw  [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw  [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw  [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw  [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw  [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw  [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw  [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw  [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw  [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw  [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw  [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw  [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw  [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw  [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw  [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw  [ipfw] Add an option to ipfw to log gid/uid of who cau

41 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 16 19:32:25 2012
From: Freddie Cash
To: vip 71541
Cc: ipfw@freebsd.org
Date: Mon, 16 Jan 2012 11:05:35 -0800
Subject: Re: Problem with passive ftp in IPFW!

On Sun, Jan 15, 2012 at 10:36 PM, vip 71541 wrote:
> Good morning, everybody. My name is Eugene. I know that not a new issue ... But
> there is a problem as competently / properly write the rules for passive ftp in
> ipfw on a gateway for my LAN. Gateway running Freebsd 8.2p6. For kernal NAT.
> Now goes to the local network FTP on such rules here:
>
> 00159 0 0 skipto 65000 tcp from 192.168.10.0/24 to any dst-port 21,1024-65535
> out xmit em0 keep-state
> --
> 00211 skipto 65000 tcp from any 21,1024-65535 to ${wan_ip} in recv em0
> --
> 65000 0 0 nat 90 ip from any to any via em0
> ---

Personally, I don't use skipto rules, as I find them to just cause confusion. At least at first. Once you have a working ruleset with several hundred/thousand rules in it, then skipto can be used to optimise things.

You only have a NAT rule, you don't have any allow rules. The default rule (65535) in IPFW is "deny ip from any to any". Thus, if you don't explicitly allow the traffic, then the packets are dropped.

Personally, I also don't use stateful filter rules, just because of the poor way they interact with NAT in IPFW (at least with divert/natd; not sure if things are better with in-kernel NAT).

Thus, the rules would be something like the following:

ipfw add allow tcp from 192.168.0.0/24 to any 21,49152-65535 in recv
ipfw add nat 90 tcp from 192.168.0.0/24 to any 21,49152-65535 out xmit
ipfw add allow tcp from to any 21,49152-65535 out xmit
ipfw add nat 90 tcp from any 21,49152-65535 to in recv established
ipfw add allow tcp from any 21,49152-65535 to 192.168.0.0/24 in recv established
ipfw add allow tcp from any 21,49152-65535 to 192.168.0.0/24 out xmit established

The flow of the rules is:
- allow traffic on the internal NIC
- NAT the traffic going out the external NIC
- allow the NAT'd traffic going out the external NIC

And then reverse it for the incoming/return traffic:
- NAT the traffic coming in on the external NIC
- allow the NAT'd traffic coming in on the external NIC
- allow the traffic going out the internal NIC

The established at the end of the rule catches only TCP packets that are part of the outgoing connection.
The 49152-65535 is the default "ephemeral" port range on FreeBSD (and most TCP/IP using systems), used for things like FTP connections. It's a much smaller range.

There are also FTP NAT tracking modules for IPFW, but I've never personally used any of them.

--
Freddie Cash
fjwcash@gmail.com

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 16 19:53:27 2012
From: Freddie Cash
To: Michael Sierchio
Cc: vip 71541, ipfw@freebsd.org
Date: Mon, 16 Jan 2012 11:53:26 -0800
Subject: Re: Problem with passive ftp in IPFW!

On Mon, Jan 16, 2012 at 11:40 AM, Michael Sierchio wrote:
> On Mon, Jan 16, 2012 at 11:05 AM, Freddie Cash wrote:
>
>> Personally, I don't use skipto rules, as I find them to just cause
>> confusion. ...
>
> skipto rules are essential in numerous instances, especially once you
> start using tableargs, or want to partition your ruleset based on
> incoming interface.

You deleted the part where I mentioned some situations where they are useful. :)

When we started implementing FreeBSD-based firewalls (using FreeBSD 4.0), we used skiptos everywhere. Turned into a giant mess that was very hard to follow and to update. We've since moved away from skipto, and just grouped rules according to server (ex: server1 uses 10000-10999, server2 uses 11000-11999, etc). Works great for us. Some firewalls now have several thousand rules (with tables, but not tablearg), and we're considering using skiptos to optimise the path packets take through the rules.

It all depends on how you want to manage things. :) But when first starting out, I find that KISS applies best. Which means skipping the skiptos and tables and other fancy features until you have a working ruleset, and a good understanding of how things work in IPFW.

>> Personally, I also don't use stateful filter rules ...
>
> Perhaps not, but they're useful for outbound connections/dns queries/etc.

For TCP connections, you just add the "established" criteria to the rules for the inbound packets. Same result, but easier to manage (IMO/IME; YMMV).

For UDP, it may be easier to use keep-state, since there's no "established" analogue for UDP. But, when using divert/natd, keep-state is a pain due to the order that the packets are processed.
Things may have improved with libalias-based in-kernel NAT. Don't know, never tried, never investigated it. It's only this school year that I've started migrating firewalls from divert/natd to "ipfw nat". And all our rulesets are non-stateful.

Of course, everyone's use-cases are different. Hence why I prefaced everything with "personally", to show that it's just my experience/opinion, and not "zomg, this is the only way things must be done!1! I am uber!". :)

--
Freddie Cash
fjwcash@gmail.com

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 16 20:09:46 2012
From: Michael Sierchio
To: Freddie Cash
Cc: vip 71541, ipfw@freebsd.org
Date: Mon, 16 Jan 2012 11:40:08 -0800
Subject: Re: Problem with passive ftp in IPFW!

On Mon, Jan 16, 2012 at 11:05 AM, Freddie Cash wrote:
> Personally, I don't use skipto rules, as I find them to just cause
> confusion. ...

skipto rules are essential in numerous instances, especially once you start using tableargs, or want to partition your ruleset based on incoming interface.

> Personally, I also don't use stateful filter rules ...

Perhaps not, but they're useful for outbound connections/dns queries/etc.
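To see why Freddie's stateless ruleset passes a passive-FTP session while Eugene's nat-only ruleset falls through to the default deny, here is a toy evaluator for the subset of ipfw syntax used in the thread (allow/deny/nat, address and port matching, in/out on an interface, and "established" as "ACK flag set"). This is an added example, not code from the thread or from ipfw itself; the interfaces and addresses Freddie left as placeholders are filled with constructed values (em0/em1, 203.0.113.10, 192.168.0.5, 198.51.100.7), and NAT is assumed to rewrite the address and continue down the ruleset (net.inet.ip.fw.one_pass=0).

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed placeholders for the addresses/interfaces left blank in the reply.
LAN, WAN_IP, CLIENT = "192.168.0.0/24", "203.0.113.10", "192.168.0.5"
EXT, INT, SERVER = "em0", "em1", "198.51.100.7"
FTP = ((21, 21), (49152, 65535))  # control port plus FreeBSD's ephemeral range

@dataclass
class Pkt:
    src: str; sport: int; dst: str; dport: int
    dir: str; iface: str; ack: bool  # ack=False models a bare SYN

@dataclass
class Rule:
    action: str; src: str; sports: tuple; dst: str; dports: tuple
    dir: str; iface: str; established: bool = False

def in_net(addr, spec):
    return spec == "any" or ip_address(addr) in ip_network(spec)

def in_ports(port, ranges):  # empty tuple means any port
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)

def matches(r, p):
    return (in_net(p.src, r.src) and in_ports(p.sport, r.sports)
            and in_net(p.dst, r.dst) and in_ports(p.dport, r.dports)
            and r.dir == p.dir and r.iface == p.iface
            and (p.ack or not r.established))  # 'established' = ACK flag set

def verdict(rules, p):
    """Walk the ruleset top down; ipfw's default rule 65535 denies everything."""
    for r in rules:
        if not matches(r, p):
            continue
        if r.action != "nat":
            return r.action
        # nat rewrites the address; with one_pass=0 (assumed) the packet continues
        p = replace(p, src=WAN_IP) if p.dir == "out" else replace(p, dst=CLIENT)
    return "deny"

FREDDIE = [  # the six rules from the reply, placeholders filled in
    Rule("allow", LAN, (), "any", FTP, "in", INT),
    Rule("nat", LAN, (), "any", FTP, "out", EXT),
    Rule("allow", WAN_IP, (), "any", FTP, "out", EXT),
    Rule("nat", "any", FTP, WAN_IP, (), "in", EXT, True),
    Rule("allow", "any", FTP, LAN, (), "in", EXT, True),
    Rule("allow", "any", FTP, LAN, (), "out", INT, True),
]
# Eugene's ruleset reduced to its nat rule (the skiptos only jump to it): no allow
EUGENE = [Rule("nat", "any", (), "any", (), d, EXT) for d in ("out", "in")]

pasv_syn_out = Pkt(CLIENT, 50123, SERVER, 55000, "out", EXT, ack=False)  # to PASV data port
pasv_reply_in = Pkt(SERVER, 55000, WAN_IP, 50123, "in", EXT, ack=True)   # server's SYN/ACK
stray_syn_in = Pkt(SERVER, 55000, WAN_IP, 50123, "in", EXT, ack=False)   # unsolicited SYN
```

The same evaluator shows the limit of the stateless approach the thread discusses: "established" only checks the ACK flag, so the filter cannot distinguish a genuine reply from an unsolicited ACK-bearing segment to the ephemeral range, which is the gap keep-state (or an FTP-aware NAT module) closes.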