Date: Mon, 18 Nov 2024 13:23:20 +0100 From: Dries Michiels <driesm@freebsd.org> To: Ronald Klop <ronald@freebsd.org> Cc: freebsd-ipfw@freebsd.org, freebsd-pf@freebsd.org, FreeBSD Net <freebsd-net@freebsd.org> Subject: Re: IPFW statefull firewall ruleset - some sites or applications do not work as expected Message-ID: <CACx_iRE1cF8%2Bfz_GvtSJF6iFWDkAzGgk9tr4gAER6ORUaU8O3w@mail.gmail.com> In-Reply-To: <610cbd98-0e4c-474f-b352-9786fc9e6a70@FreeBSD.org> References: <CACx_iREW_UKAHgwcq0xyTj=aHwC38ZHEovjqnihGUjfPnQO=sw@mail.gmail.com> <610cbd98-0e4c-474f-b352-9786fc9e6a70@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--0000000000001aef6306272efcc2 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi, unfortunately that's not the case, as I have onepass to off, meaning that after every rule, the packet continues to be processed by the next rule (so the NAT does get reached). Op do 14 nov 2024 om 11:17 schreef Ronald Klop <ronald@freebsd.org>: > Op 02-11-2024 om 16:30 schreef Dries Michiels: > > Hello, > > > > So I have a very basic ruleset, as described in the FreeBSD handbook, > see below. I have "blurred" my open ports as seen in the ruleset below. > > Igc0 is my WAN port and in the table "trusted_if" are like my LAN if an= d > some bridges. > > > > 00001 reass ip from any to any in > > 00010 allow ip from any to any via table(trustedif) > > 00050 deny log ip from any to any not antispoof in > > 00100 nat 1 ip4 from any to any in recv igc0 > > 00500 skipto 10000 tcp from any to any out xmit igc0 setup keep-state > :default > > 00501 skipto 10000 udp from any to any out xmit igc0 keep-state :defaul= t > > 05000 allow tcp from any to me *some open ports* in recv igc0 setup > keep-state :default > > 05001 allow udp from any to me *some open ports* in recv igc0 keep-stat= e > :default > > 09998 deny log tcp from any to any > > 09999 deny log udp from any to any > > 10000 nat 1 ip4 from any to any out xmit igc0 > > 65535 allow ip from any to any > > > > Now comes the tricky part. There are some applications that don't work > correctly with this ruleset. > > For example, itsme (belgium application) to identify yourself with a lo= t > of accounts, does not work. > > Recently my banking website also stopped working. So now I'm wondering > how do I start to troubleshoot this issue? > > Are there any ceavets with this ruleset when redirects are happening fo= r > example? I'm also wondering if Belgian PF users have the same issue?=C2= =A3 > > > > I'm hopeful to get to the bottom of this as its quite annoying needing > to switch wifi channels to my ISP's router which does work with these > applications. > > > > Regards > > Dries > > > > > > Hi, > > It is a while ago that I build ipfw firewalls, but doesn't rule 10 match > all internal (from LAN) traffic, preventing outgoing (to WAN) packets to > get to the nat rules? > > I would suggest something like this: > > 00001 reass ip from any to any in > 00050 deny log ip from any to any not antispoof in > 00100 nat 1 ip4 from any to any via igc0 > 00300 check-state :default > 00200 allow ip from any to any in table(trustedif) keep-state :default > 05000 allow tcp from any to me *some open ports* in recv igc0 setup > keep-state :default > 05001 allow udp from any to me *some open ports* in recv igc0 keep-state > :default > 09999 deny log ip from any to any > 65535 allow ip from any to any > > > > Regards, > Ronald. > > --0000000000001aef6306272efcc2 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr">Hi, unfortunately=C2=A0that's not the case, as I have = onepass to off, meaning that after every rule, the packet continues to be p= rocessed=C2=A0by the next rule (so the NAT does get reached).<div><br></div= ></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr"= >Op do 14 nov 2024 om 11:17 schreef Ronald Klop <<a href=3D"mailto:ronal= d@freebsd.org">ronald@freebsd.org</a>>:<br></div><blockquote class=3D"gm= ail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,= 204,204);padding-left:1ex">Op 02-11-2024 om 16:30 schreef Dries Michiels:<b= r> > Hello,<br> > <br> > So I have a very basic ruleset, as described in the FreeBSD handbook, = see below. I have "blurred" my open ports as seen in the ruleset = below.<br> > Igc0 is my WAN port and in the table "trusted_if" are like m= y LAN if and some bridges.<br> > <br> > 00001 reass ip from any to any in<br> > 00010 allow ip from any to any via table(trustedif)<br> > 00050 deny log ip from any to any not antispoof in<br> > 00100 nat 1 ip4 from any to any in recv igc0<br> > 00500 skipto 10000 tcp from any to any out xmit igc0 setup keep-state = :default<br> > 00501 skipto 10000 udp from any to any out xmit igc0 keep-state :defau= lt<br> > 05000 allow tcp from any to me *some open ports* in recv igc0 setup ke= ep-state :default<br> > 05001 allow udp from any to me *some open ports* in recv igc0 keep-sta= te :default<br> > 09998 deny log tcp from any to any<br> > 09999 deny log udp from any to any<br> > 10000 nat 1 ip4 from any to any out xmit igc0<br> > 65535 allow ip from any to any<br> > <br> > Now comes the tricky part. There are some applications that don't= =C2=A0work correctly with this ruleset.<br> > For example, itsme (belgium application) to identify yourself with a l= ot of accounts, does not=C2=A0work.<br> > Recently my banking=C2=A0website also stopped working. So now I'm = wondering how do I start to troubleshoot=C2=A0this issue?<br> > Are there any ceavets=C2=A0with this ruleset when redirects are happen= ing for example? I'm also wondering if Belgian PF users have the same i= ssue?=C2=A3<br> > <br> > I'm hopeful=C2=A0to get to the bottom of this as its quite annoyin= g needing to switch wifi channels to my ISP's router which does work wi= th these applications.<br> > <br> > Regards<br> > Dries<br> > <br> > <br> <br> Hi,<br> <br> It is a while ago that I build ipfw firewalls, but doesn't rule 10 matc= h all internal (from LAN) traffic, preventing outgoing (to WAN) packets to = get to the nat rules?<br> <br> I would suggest something like this:<br> <br> 00001 reass ip from any to any in<br> 00050 deny log ip from any to any not antispoof in<br> 00100 nat 1 ip4 from any to any via igc0<br> 00300 check-state :default<br> 00200 allow ip from any to any in table(trustedif) keep-state :default<br> 05000 allow tcp from any to me *some open ports* in recv igc0 setup keep-st= ate :default<br> 05001 allow udp from any to me *some open ports* in recv igc0 keep-state :d= efault<br> 09999 deny log ip from any to any<br> 65535 allow ip from any to any<br> <br> <br> <br> Regards,<br> Ronald.<br> <br> </blockquote></div> --0000000000001aef6306272efcc2--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CACx_iRE1cF8%2Bfz_GvtSJF6iFWDkAzGgk9tr4gAER6ORUaU8O3w>