Date:      Wed, 16 Jun 2004 08:35:26 +0300
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        "Reuben A. Popp" <gobinau@digitalcelt.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw question
Message-ID:  <20040616053526.GA21650@gothmog.gr>
In-Reply-To: <200406151832.10733.gobinau@digitalcelt.net>
References:  <200406151832.10733.gobinau@digitalcelt.net>

On 2004-06-15 18:31, "Reuben A. Popp" <gobinau@digitalcelt.net> wrote:
> I was tinkering around trying to get my firewall set the way I wanted
> it, but seem to be running into an issue.  I know that I have logging
> set in the kernel and in rc.conf, as well as in my ruleset, but for
> some odd reason, the firewall is not logging connections to the
> services I wanted watched (ftp, ssh, web, etc).

That's because your ruleset uses the following rule:

    # Allow TCP through if setup succeeded
    ipfw add 1200 pass tcp from any to any established

before any of the other rules are reached.  This lets every TCP packet
through without logging and you never get a chance of picking out what
to log or what to block :)

A simplified version of your ruleset could be this one.  Notice that
I've removed all explicit rule numbers.  IPFW does a pretty good job at
automatically numbering the rules and you don't have too many rules for
it to work.  On the other hand, having hardcoded numbers means that you
might miss some "reordering" of the rules and waste hours upon hours
trying to find out why it doesn't work like it's supposed to.  Not a
good possibility...  Anyway, here's a ruleset very similar to yours:

    #
    # Part 1. Semi-standard stuff copied from rc.firewall.
    #

    # Flush the existing ruleset
    echo "Flushing the existing ruleset, stand by..."
    ipfw -f flush

    # Only allow lo0 to send packets as 127.0.0.1
    ipfw add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
    ipfw add deny all from any to 127.0.0.0/8
    ipfw add deny ip from 127.0.0.0/8 to any

    # Stop RFC1918 nets on the outside interface
    ipfw add deny all from 10.0.0.0/8 to any via em0
    ipfw add deny all from 172.16.0.0/12 to any via em0
    ipfw add deny all from 192.168.0.0/16 to any via em0

    # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
    # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
    # on the outside interface
    ipfw add deny all from 0.0.0.0/8 to any via em0
    ipfw add deny all from 169.254.0.0/16 to any via em0
    ipfw add deny all from 192.0.2.0/24 to any via em0
    ipfw add deny all from 224.0.0.0/4 to any via em0
    ipfw add deny all from 240.0.0.0/4 to any via em0

    #
    # Part 2.  Local rules that allow and log selected TCP services.
    #

    # Pass all ICMP messages through.
    # Make sure they're rate-limited by setting `net.inet.icmp.icmplim'
    ipfw add allow icmp from any to any

    # First of all state checking.  This will allow through any packet
    # that is marked as "legitimate" by one of the following rules.
    ipfw add check-state
    ipfw add deny tcp from any to any established

    # Allow DNS or NTP sessions that originate from us.
    ipfw add allow udp from any to any 53,123 out keep-state

    # Add all TCP connections that originate from us
    ipfw add allow tcp from any to any out setup keep-state

    # Pass and log all incoming ftp-data connections.
    ipfw add allow log tcp from any 20 to any in setup keep-state

    # Pass and log all incoming connections to: ftp, ssh, mail and www.
    ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state

AFAIK, anything else can be blocked without stopping you from doing your
real work.

- Giorgos
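The ordering argument in the reply (check-state first, then deny bare `established` packets, then `setup keep-state` rules that create state) is easiest to see with a first-match evaluator. The following is an added, constructed illustration and not code from the message or from FreeBSD; it models only the keywords used in the ruleset above (direction, `setup`, `established`, `keep-state`, `check-state`, `log`, default deny), with constructed packets and addresses, and is not a reimplementation of ipfw. `Packet`, `Rule`, `Firewall`, `demo` and `op_style_stray_ack` are names invented for this example.

```python
"""Toy first-match evaluator for an ipfw-style stateful ruleset (constructed example)."""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out"
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    action: str                 # "allow", "deny" or "check-state"
    proto: str = "all"
    dports: tuple = ()          # empty = any destination port
    sports: tuple = ()          # empty = any source port
    direction: str = ""         # "", "in" or "out"
    setup: bool = False         # ipfw 'setup': SYN set, ACK clear
    established: bool = False   # ipfw 'established': ACK set (RST not modelled)
    keep_state: bool = False
    log: bool = False


def _flow_key(p):
    # Dynamic rules match both directions of a flow, so key on the unordered endpoint pair.
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()      # dynamic rules created by keep-state
        self.log = []           # what the 'log' keyword would have written

    def _matches(self, r, p):
        if r.proto != "all" and r.proto != p.proto:
            return False
        if r.dports and p.dport not in r.dports:
            return False
        if r.sports and p.sport not in r.sports:
            return False
        if r.direction and r.direction != p.direction:
            return False
        if r.setup and not (p.syn and not p.ack):
            return False
        if r.established and not p.ack:
            return False
        return True

    def evaluate(self, p):
        # First matching rule decides; check-state only fires for flows with existing state.
        # (The implicit check-state a keep-state rule performs is not modelled; the ruleset
        # in the message puts an explicit check-state before every keep-state rule anyway.)
        for r in self.rules:
            if r.action == "check-state":
                if _flow_key(p) in self.state:
                    return "allow"
                continue
            if not self._matches(r, p):
                continue
            if r.log:
                self.log.append(f"{r.action} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.direction}")
            if r.keep_state:
                self.state.add(_flow_key(p))
            return r.action
        return "deny"           # default rule: deny


# Part 2 of the ruleset from the message, transcribed into Rule objects.
RULES = [
    Rule("allow", proto="icmp"),
    Rule("check-state"),
    Rule("deny", proto="tcp", established=True),
    Rule("allow", proto="udp", dports=(53, 123), direction="out", keep_state=True),
    Rule("allow", proto="tcp", direction="out", setup=True, keep_state=True),
    Rule("allow", proto="tcp", sports=(20,), direction="in", setup=True, keep_state=True, log=True),
    Rule("allow", proto="tcp", dports=(21, 22, 25, 80, 443), direction="in", setup=True, keep_state=True, log=True),
]

ME, PEER, WEB = "203.0.113.10", "198.51.100.7", "192.0.2.40"   # constructed documentation addresses


def demo():
    """Run a handful of constructed packets through RULES; return (verdicts, log lines)."""
    fw, v = Firewall(RULES), {}
    # Inbound SSH: the SYN hits the logged port rule and creates state; the rest rides on check-state.
    v["ssh_syn_in"] = fw.evaluate(Packet("tcp", PEER, 40001, ME, 22, "in", syn=True))
    v["ssh_synack_out"] = fw.evaluate(Packet("tcp", ME, 22, PEER, 40001, "out", syn=True, ack=True))
    v["ssh_data_in"] = fw.evaluate(Packet("tcp", PEER, 40001, ME, 22, "in", ack=True))
    # Inbound SYN to a port not in the list falls through to the default deny.
    v["telnet_syn_in"] = fw.evaluate(Packet("tcp", PEER, 40002, ME, 23, "in", syn=True))
    # Inbound ACK that belongs to no tracked flow is caught by 'deny tcp ... established'.
    v["stray_ack_in"] = fw.evaluate(Packet("tcp", PEER, 40003, ME, 80, "in", ack=True))
    # Outbound HTTPS from us creates state, so the reply is accepted by check-state, unlogged.
    v["https_syn_out"] = fw.evaluate(Packet("tcp", ME, 50000, WEB, 443, "out", syn=True))
    v["https_synack_in"] = fw.evaluate(Packet("tcp", WEB, 443, ME, 50000, "in", syn=True, ack=True))
    return v, fw.log


def op_style_stray_ack():
    """The same stray ACK with an 'allow tcp established' rule ahead of everything,
    as in the quoted rule 1200: passed with no state and nothing logged."""
    fw = Firewall([Rule("allow", proto="tcp", established=True)] + RULES)
    return fw.evaluate(Packet("tcp", PEER, 40003, ME, 80, "in", ack=True)), fw.log


if __name__ == "__main__":
    verdicts, log = demo()
    print(verdicts, log, op_style_stray_ack())
```

Running it shows one logged line (the inbound SSH SYN) and a `deny` for the stateless inbound ACK, whereas the same ACK against a ruleset that passes `established` first is allowed silently. The real ipfw only emits `log` lines once `net.inet.ip.fw.verbose` is set, which is what the `firewall_logging` rc.conf knob in the original question turns on.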
