Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 21 Jun 2005 13:57:36 -0600
From:      RYAN vAN GINNEKEN <luck@computerking.ca>
To:        freebsd-questions@freebsd.org
Subject:   ipf not working correctly???
Message-ID:  <42B87130.6050203@computerking.ca>

next in thread | raw e-mail | index | archive | help
This is a multi-part message in MIME format.
--------------030901050306080205090502
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hello all i use FreeBSD stable 4.11 and wish to use built in ipf version 
3.x something.i have been using ipfw with type set to open however i 
have recently been attacked and need to beef up security.

 

I have followed the basic setup that is in the freebsd handbook and read 
through the world famous ipf howto lots of times.

 

Currently I have the below options compiled into my kernel the docs I 
have read say you do not need to compile ipfilter options into the 
kernel to use it.  I was going to uncomment the ipfilter stuff and 
comment out the ipfirewall options when I got ipfilter working.  Is it 
necessary to recompile the kernel without ipfirewall options to make 
ipfilter work.

 

Kernel OPTIONS========================

 

options         IPFIREWALL

options         IPFIREWALL_VERBOSE

options         IPFIREWALL_VERBOSE_LIMIT=100

options         IPDIVERT

 

#options                IPFILTER

#options                IPFILTER_LOG

#options                IPFILTER_DEFAULT_BLOCK

 

IN MY /etc/rc.conf==========================

#IPF & IPNAT

ipfilter_enable="YES"             # Start ipf firewall

#ipfilter_rules="/etc/ipf.rules"   # loads rules definition text file

ipfilter_rules="/etc/ipfopen.rules"

 

ipmon_enable="YES"                # Start IP monitor log

ipmon_flags="-Ds"                 # D = start as daemon, s = log to 
syslog, v =

 

ipnat_enable="YES"                # Start ipnat function

ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat

 

AS WELL AS THIS TO TURN OF IPFILTER AND NATD

 

#IPFW & NATD

firewall_enable="NO

firewall_type="OPEN"

firewall_quiet="NO"

#firewall_scrYESt="/etc/rc.firewall"

 

natd_enable="NO

natd_interface="xl0"

natd_flags="-f /etc/natd.conf"

HERE IS /etc/ipnat.rules=============================================

# the rule that forwards everthing

map xl0 192.168.0.0/16 -> 0/32

#VNC HOSTS
#HOST 1
#java
rdr xl0 0/32 port 5801 -> 192.168.0.1 port 5801
#no java
rdr xl0 0/32 port 5901 -> 192.168.0.1 port 5901

#HOST 2
#java
rdr xl0 0/32 port 5802 -> 192.168.0.1 port 5802
#no java
rdr xl0 0/32 port 5902 -> 192.168.0.1 port 5902

===============================================================

PLEASE FIND MY ipf.rules ATTACHED TO this email I have even tried to use 
the following rules set to see if I could get ipf to work as an open 
firewall but it still seems to block to much.

===============================================================

pass out quick on lo0 all

pass in quick on lo0 all

 

pass out quick on xl1 all

pass in quick on xl1 all

 

pass out quick on xl0 all

pass in quick on xl0 all

 
when I ping google.ca I get errors about unknown hostname.  When I ping 
googles ipaddress I get permission denied over and over again.  When I 
try to use lynx I get alert destination host unreachable.  Seems like 
dns?? When I turn off ipf and use ipfw set to open everything works fine 
again.  Please someone help what is going wrong.  ipmon/ipfstat do not 
seem to help but mabey i need some guidance with these tools.



--------------030901050306080205090502
Content-Type: text/plain;
 name="iprules.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="iprules.txt"

#################################################################
# No restrictions on Inside LAN Interface for private network
# Not needed unless you have LAN
#################################################################

pass out quick on xl1 all
pass in quick on xl1 all

#fail safe open all on outside interface

#pass out quick on x10 all
#pass in quick on x10 all
#pass out quick on xl0 from any to any all
#pass in quick on xl0 from any to any all

#################################################################
# No restrictions on Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all

#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destine for the public Internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# xxx must be the IP address of your ISP's DNS.
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
#pass out quick on xl0 proto tcp from any to 192.168.0.202 port = 53 flags S keep state
#pass out quick on xl0 proto udp from any to 192.168.0.202 port = 53 keep state
#pass out quick on xl0 proto tcp from any to 64.59.135.133 port = 53 flags S keep state 
#pass out quick on xl0 proto udp from any to 64.59.135.135 port = 53 keep state
pass out quick on xl0 proto tcp from any to any port = 53 flags S keep state
pass out quick on xl0 proto udp from any to any port = 53 keep state

# Allow out access to my ISP's DHCP server for cable or DSL networks.
# This rule is not needed for 'user ppp' type connection to the
# public Internet, so you can delete this whole group.
# Use the following rule and check log for IP address.
# Then put IP address in commented out rule & delete first rule
pass out log quick on xl0 proto udp from any to any port = 67 keep state
#pass out quick on xl0 proto udp from any to z.z.z.z port = 67 keep state

# Allow out non-secure standard www function
pass out quick on xl0 proto tcp from any to any port = 80 flags S keep state

# Allow out secure www function https over TLS SSL
pass out quick on xl0 proto tcp from any to any port = 443 flags S keep state

# Allow out send & get email function
pass out quick on xl0 proto tcp from any to any port = 993 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 143 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 110 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 25 flags S keep state

# Allow out Time
pass out quick on xl0 proto tcp from any to any port = 37 flags S keep state

# Allow out nntp news
pass out quick on xl0 proto tcp from any to any port = 119 flags S keep state

# Allow out gateway & LAN users non-secure FTP ( both passive & active modes)
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on xl0 proto tcp from any to any port = 21 flags S keep state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
pass out quick on xl0 proto tcp from any to any port = 22 flags S keep state

# Allow out non-secure Telnet
pass out quick on xl0 proto tcp from any to any port = 23 flags S keep state

# Allow out FBSD CVSUP function
pass out quick on xl0 proto tcp from any to any port = 5999 flags S keep state

# Allow out ping to public Internet
pass out quick on xl0 proto icmp from any to any icmp-type 8 keep state

# Allow out whois for LAN PC to public Internet
pass out quick on xl0 proto tcp from any to any port = 43 flags S keep state

# I have added these misc services ===========================================
# VNC
pass out quick on xl0 proto tcp from any to any port = 5800 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 5900 flags S keep state

# Most Dlink Router boxes
pass out quick on xl0 proto tcp from any to any port = 8080 flags S keep state

#==============================================================================
# Block and log only the first occurrence of everything
# else that's trying to get out.
# This rule enforces the block all by default logic.
block out log first quick on xl0 all

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on xl0 from 192.168.0.0/16 to any    #RFC 1918 private IP
block in quick on xl0 from 172.16.0.0/12 to any     #RFC 1918 private IP
block in quick on xl0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in quick on xl0 from 127.0.0.0/8 to any       #loopback
block in quick on xl0 from 0.0.0.0/8 to any         #loopback
block in quick on xl0 from 169.254.0.0/16 to any    #DHCP auto-config
block in quick on xl0 from 192.0.2.0/24 to any      #reserved for docs
block in quick on xl0 from 204.152.64.0/23 to any   #Sun cluster interconnect
block in quick on xl0 from 224.0.0.0/3 to any       #Class D & E multicast

##### Block a bunch of different nasty things. ############
# That I do not want to see in the log
# But I do

# Block frags
block in log first quick on xl0 all with frags
#block in quick on xl0 all with frags

# Block short tcp packets
block in log first quick on xl0 proto tcp all with short
#block in quick on xl0 proto tcp all with short

# block source routed packets
block in log first quick on xl0 all with opt lsrr
#block in quick on xl0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on xl0 proto tcp from any to any flags FUP

# Block anything with special options
block in log first quick on xl0 all with ipopts
#block in quick on xl0 all with ipopts
# Block public pings
block in log first quick on xl0 proto icmp all icmp-type 8
#block in quick on xl0 proto icmp all icmp-type 8

# Block ident
block in log first quick on xl0 proto tcp from any to any port = 113
#block in quick on xl0 proto tcp from any to any port = 113

# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in log first quick on xl0 proto tcp/udp from any to any port = 137
block in log first quick on xl0 proto tcp/udp from any to any port = 138
block in log first quick on xl0 proto tcp/udp from any to any port = 139
block in log first quick on xl0 proto tcp/udp from any to any port = 81

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type. Only necessary for
# cable or DSL configurations. This rule is not needed for
# 'user ppp' type connection to the public Internet.
# This is the same IP address you captured and
# used in the outbound section.
# change from any any should be the ip address mentioned above
pass in quick on xl0 proto udp from any to any port = 68 keep state

# Allow in standard www function because I have apache server
# pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID/PW passed over public Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
#pass in quick on xl0 proto tcp from any to any port = 23 flags S keep state

# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH (secure shell)
pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state

# SERVER OPERATIONS=======================================================
#Email Server
#smtp
pass in quick on xl0 proto tcp from any to any port = 25 flags S keep state
pass in quick on x10 proto tcp from any to any port = 587 flags S keep state

#imap and imaps
pass in quick on xl0 proto tcp from any to any port = 143 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 993 flags S keep state

#pop3 and pop3 secure not being used currently
#pass in quick on xl0 proto tcp from any to any port = 110 flags S keep state
#pass in quick on xl0 proto tcp from any to any port = 995 flags S keep state

#Web Server
#http and https
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 443 flags S keep state

#Samba Server?
#Mysql Server?
#vnc?
#games?

# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence stops a .denial of service. attack targeted
# at filling up your log file space.
# This rule enforces the block all by default logic.

block in log first quick on xl0 all

#Home world 2 ports
#pass in quick on xl0 proto tcp from any to any port = 6737 flags S keep frags keep state
#pass in quick on xl0 proto tcp from any to any port = 2302: 2400 flags S keep frags keep state

#VNC

################### End of rules file ################
--------------030901050306080205090502--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42B87130.6050203>