Date:      Tue, 9 Oct 2001 14:51:45 -0400
From:      Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw question - hostname/address spec?
Message-ID:  <20011009145144.C64668@acadia.ne.mediaone.net>
In-Reply-To: <20011009035651.N350@blossom.cjclark.org>
References:  <20011004071834.A2458@acadia.ne.mediaone.net> <20011004135129.E297@blossom.cjclark.org> <20011009005629.D589@acadia.ne.mediaone.net> <20011009035651.N350@blossom.cjclark.org>



On 10/09/01 03:56 AM, Crist J. Clark sat at the `puter and typed:
> [snip]
> 
> /etc/rc.firewall would be good.

Ok, you asked for it . . .

> [snip]
>  
> > # sh /etc/rc.firewall
> > Starting firewalling... 
> > IPADDR: 65.96.185.189
> > NAMESERVER_1: 24.218.0.229
> > NAMESERVER_2: 24.218.0.228
> > NAMESERVER_3: 24.128.1.81
> 
> DNS works fine here. I assume if we see rc.firewall, these are before
> any 'ipfw -f flush?'

Actually, this printout, as you'll see at the beginning of my firewall
script is just printing out the nameserver vars as snatched from
/etc/resolv.conf.  Kind of an ugly kludge, but AT&T just changed the
servers here and hosed my old system.  I don't know if this is a
temporary fix or a permanent change.

> [snip]
> 
> Eeewww... You used nslookup(8) to do the query. Never use
> nslookup(8). nslookup(8) bad. nslookup(8) deprecated. Use host(1).

Ok, I've been told this before, but can't seem to get out of the habit
- I do have to use other Unices that don't have host, so . . .

> If DNS works fine once the system is up, but doesn't work when running
> the rc.firewall script, it sure sounds like you are killing your own
> lookups due to the rule ordering.

It doesn't work at all.  Not even via direct IP.

Thanks for your help.  I'm sure to learn something useful in all this.
Which is the point, I guess.

Cheers
Lou
-- 
Louis LeBlanc       leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

I have yet to see any problem, however complicated, which, when
you looked at it in the right way, did not become still more complicated.
    -- Poul Anderson


[Attachment: rc.firewall_rules]

#!/bin/sh

# Script generated Mon Oct  8 23:14:47 2001

echo "Starting firewalling... "

# ----------------------------------------------------------------------------
IPADDR=`/sbin/ifconfig xl0 | grep netmask | awk '{print $2}'`

LOCALNET="10.8.20.0/24"		# whatever private range you use

# DHCP_SERVER="24.128.0.0/16"
DHCP_SERVER="any"

# Let's see how this works in case AT&T decides to change the servers again.
# Pick the Nth "nameserver" line wherever it sits, rather than assuming
# /etc/resolv.conf is exactly three lines long.  If fewer than three
# nameserver lines exist, the unused variable is empty and the DNS rules
# built from it below will not do what you expect.
NAMESERVER_1=`awk '$1 == "nameserver" && ++n == 1 {print $2}' /etc/resolv.conf`
NAMESERVER_2=`awk '$1 == "nameserver" && ++n == 2 {print $2}' /etc/resolv.conf`
NAMESERVER_3=`awk '$1 == "nameserver" && ++n == 3 {print $2}' /etc/resolv.conf`
# NAMESERVER_1="24.218.0.229"
# NAMESERVER_2="24.218.0.228"
# NAMESERVER_3="24.128.1.81"

echo "IPADDR: $IPADDR"
echo "NAMESERVER_1: $NAMESERVER_1"
echo "NAMESERVER_2: $NAMESERVER_2"
echo "NAMESERVER_3: $NAMESERVER_3"

# ipfw(8) resolves these hostnames at the moment each rule is added, so the
# lookup has to succeed while this script runs.  Right after the flush below
# there are no allow rules yet, so at boot the lookup fails and that rule is
# simply not installed.  Using addresses here avoids the dependency.
SMTP_SERVER="smtp.ne.mediaone.net"	# Your ISP mail gateway. Your relay.
NEWS_SERVER="news.ne.mediaone.net"	# Your ISP news server
POP_SERVER="any"			# Your ISP pop mail server.
IMAP_SERVER="any"			# Your ISP imap mail server.
#NEWS_SERVER="any"			# Your ISP news server
#SMTP_SERVER="any"			# Your ISP mail gateway.

CLASS_A="10.0.0.0/8"			# class A private networks
CLASS_B="172.16.0.0/12"			# class B private networks
CLASS_C="192.168.0.0/16"		# class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"		# class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"	# class E reserved addresses
BCAST_SRC="0.0.0.0"			# broadcast source address
BCAST_DEST="255.255.255.255"		# broadcast destination address
PRIVPORTS="0-1023"			# well known, privileged port range
UNPRIVPORTS="1024-65535"		# unprivileged port range

# ----------------------------------------------------------------------------
# Implicitly trusted networks
MII_NET_1="209.192.210.0/24"
MII_NET_2="209.58.140.0/24"
# ----------------------------------------------------------------------------
NFS_PORT="2049"                         # TCP/UDP NFS
SOCKS_PORT="1080"                       # TCP Socks

# X Windows port allocation begins at 6000 and increments to 6063
# for each additional server running.
XWINDOW_PORTS="6000-6063"               # TCP X windows

# The SSH client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged port.
# Clients can optionally be configured to use only unprivileged ports.
SSH_LOCAL_PORTS="1020-65535"            # port range for local clients
SSH_REMOTE_PORTS="513-65535"            # port range for remote clients

# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769-65535"
TRACEROUTE_DEST_PORTS="33434-33523"

# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections

# Remove all existing rules belonging to this filter
ipfw -q flush

# use this for testing the chain without breaking connectivity.
# ipfw add allow ip from any to any

# ----------------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface.

ipfw add allow all from any to any via lo0 in  
ipfw add allow all from any to any via lo0 out 

# ----------------------------------------------------------------------------
# Unlimited traffic within the local network.
# All internal machines have access to the firewall machine.

ipfw add allow all from $LOCALNET to any via fxp0 in
ipfw add allow all from any to $LOCALNET via fxp0 out

# ----------------------------------------------------------------------------
# Unlimited traffic from within MII_NET
# All MII machines have access to the firewall machine.

ipfw add allow all from $MII_NET_1 to $IPADDR via xl0 in
ipfw add allow all from $MII_NET_2 to $IPADDR via xl0 in

# ipfw add allow all from any to $MII_NET_1 via xl0 out
# ipfw add allow all from any to $MII_NET_2 via xl0 out

# ----------------------------------------------------------------------------
# Network Ghouls
# Deny access to jerks
# --------------------
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipfw add deny all from src to any via xl0 in
# rules to block from any access.

# Refuse any connection from problem sites
if [ -f /etc/rc.firewall.blocked ]; then
   . /etc/rc.firewall.blocked
fi

# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

# Refuse incoming packets pretending to be from the external address.
# ipfw add deny log all from $IPADDR to any via xl0 in  

# Refuse incoming packets claiming to be from a Class A, B or C private network
# ipfw add deny all from $CLASS_A to any via xl0 in  
# ipfw add deny all from $CLASS_B to any via xl0 in  
# ipfw add deny all from $CLASS_C to any via xl0 in  

# ----------------------------------------------------------------------------
# Masquerade internal traffic.
# All internal traffic is masqueraded externally.
# NOTE: this needs a kernel with IPDIVERT and natd(8) listening on port 8668.
# A divert rule with no socket bound to its port discards every packet it
# matches, and this one matches all traffic via xl0.
ipfw add divert 8668 all from any to any via xl0

# ----------------------------------------------------------------------------
# Refuse broadcast address SOURCE packets
ipfw add deny log all from $BCAST_DEST to any via xl0 in  
ipfw add deny log all from any to $BCAST_SRC via xl0 in  

# Refuse Class D multicast addresses
# Multicast is illegal as a source address.
# Multicast uses UDP.
# ipfw add deny all from $CLASS_D_MULTICAST to any via xl0 in  

# Refuse Class E reserved IP  addresses
# ipfw add deny log all from $CLASS_E_RESERVED_NET to any via xl0 in  

# Refuse special addresses defined as reserved by the IANA.
# Note:  The remaining reserved addresses are not included.
# Filtering them causes problems as reserved blocks are
# being allocated more often now.

# Note:  this list includes the loopback, multicast, & reserved addresses.

# 0.*.*.*           - Can't be blocked for DHCP users.
# 127.*.*.*         - LoopBack
# 169.254.*.*       - Link Local Networks
# 192.0.2.*         - TEST-NET
# 224-255.*.*.*     - Classes D & E, plus unallocated.

# ipfw add deny log all from 127.0.0.0/8 to any via xl0 in  
# ipfw add deny log all from 169.254.0.0/16 to any via xl0 in  
# ipfw add deny log all from 192.0.2.0/24 to any via xl0 in  
# ipfw add deny log all from 224.0.0.0/3 to any via xl0 in  

# ----------------------------------------------------------------------------
# NOTE:
#      The symbolic names used in /etc/services for the port numbers vary by
#      supplier.  Using them is less error prone and more meaningful, though.

# ----------------------------------------------------------------------------
# TCP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.

# NFS: establishing a TCP connection
ipfw add deny log tcp from any to any $NFS_PORT via xl0 in  setup 
ipfw add reject tcp from any to any $NFS_PORT via xl0 out setup 

# Xwindows: establishing a connection
ipfw add deny log tcp from any to any $XWINDOW_PORTS via xl0 in  setup 
ipfw add reject tcp from any to any $XWINDOW_PORTS via xl0 out setup 

# SOCKS: establishing a connection
ipfw add deny log tcp from any to any $SOCKS_PORT via xl0 in  setup 
ipfw add reject tcp from any to any $SOCKS_PORT via xl0 out setup 

# ----------------------------------------------------------------------------
# UDP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.

ipfw add deny log udp from any to any $NFS_PORT via xl0 in  

# UDP INCOMING TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523

ipfw add deny log udp \
     from any $TRACEROUTE_SRC_PORTS to any $TRACEROUTE_DEST_PORTS via xl0 in  

# ------------------------------------------------------------------
# DNS client 53
# ---------------
ipfw add allow udp from $IPADDR $UNPRIVPORTS to $NAMESERVER_1 53 via xl0 out 
ipfw add allow udp from $NAMESERVER_1 53 to $IPADDR $UNPRIVPORTS via xl0 in  
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to $NAMESERVER_1 53 via xl0 out 
ipfw add allow tcp from $NAMESERVER_1 53 to $IPADDR $UNPRIVPORTS \
     via xl0 in  established 

ipfw add allow udp from $IPADDR $UNPRIVPORTS to $NAMESERVER_2 53 via xl0 out 
ipfw add allow udp from $NAMESERVER_2 53 to $IPADDR $UNPRIVPORTS via xl0 in  
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to $NAMESERVER_2 53 via xl0 out 
ipfw add allow tcp from $NAMESERVER_2 53 to $IPADDR $UNPRIVPORTS \
     via xl0 in  established 

ipfw add allow udp from $IPADDR $UNPRIVPORTS to $NAMESERVER_3 53 via xl0 out 
ipfw add allow udp from $NAMESERVER_3 53 to $IPADDR $UNPRIVPORTS via xl0 in  
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to $NAMESERVER_3 53 via xl0 out 
ipfw add allow tcp from $NAMESERVER_3 53 to $IPADDR $UNPRIVPORTS \
     via xl0 in  established 

# ------------------------------------------------------------------
# HTTP server 80
# ----------------
ipfw add allow tcp from any $UNPRIVPORTS to $IPADDR 80 via xl0 in  
ipfw add allow tcp from $IPADDR 80 to any $UNPRIVPORTS \
     via xl0 out established 


# HTTP client 80
# ----------------
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to any 80 via xl0 out 
ipfw add allow tcp from any 80 to $IPADDR $UNPRIVPORTS \
     via xl0 in  established 

# ------------------------------------------------------------------
# HTTPS server 443
# ------------------
ipfw add allow tcp from any $UNPRIVPORTS to $IPADDR 443 via xl0 in  
ipfw add allow tcp from $IPADDR 443 to any $UNPRIVPORTS \
     via xl0 out established 

# HTTPS client 443
# ------------------
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to any 443 via xl0 out 
ipfw add allow tcp from any 443 to $IPADDR $UNPRIVPORTS \
     via xl0 in established 

# ------------------------------------------------------------------
# NNTP NEWS client 119
# ----------------------
# Apparently I need to get out of the habit of using nslookup :)
# host news.ne.mediaone.net

ipfw add allow tcp from $IPADDR $UNPRIVPORTS to $NEWS_SERVER 119 via xl0 out 
ipfw add allow tcp from $NEWS_SERVER 119 to $IPADDR $UNPRIVPORTS \
     via xl0 in established 

# ------------------------------------------------------------------
# POP client 110
# ----------------
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to any 110 via xl0 out 
ipfw add allow tcp from any 110 to $IPADDR $UNPRIVPORTS \
     via xl0 in established 

# ------------------------------------------------------------------
# IMAP server 143
# -----------------
ipfw add allow tcp from any $UNPRIVPORTS to $IPADDR 143 via xl0 in  
ipfw add allow tcp from $IPADDR 143 to any $UNPRIVPORTS \
     via xl0 out established 

# IMAP client 143
# -----------------
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to $IMAP_SERVER 143 via xl0 out 
ipfw add allow tcp from $IMAP_SERVER 143 to $IPADDR $UNPRIVPORTS \
     via xl0 in  established 

# ------------------------------------------------------------------
# SMTP server 25
# ----------------
ipfw add allow tcp from any $UNPRIVPORTS to $IPADDR 25 via xl0 in  
ipfw add allow tcp from $IPADDR 25 to any $UNPRIVPORTS \
     via xl0 out established 

# SMTP client 25
# ----------------
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to $SMTP_SERVER 25 via xl0 out 
ipfw add allow tcp from $SMTP_SERVER 25 to $IPADDR $UNPRIVPORTS \
     via xl0 in  established 

# ------------------------------------------------------------------
# SSH server 22
# ---------------
ipfw add allow tcp from any $SSH_REMOTE_PORTS to $IPADDR 22 via xl0 in  
ipfw add allow tcp from $IPADDR 22 to any $SSH_REMOTE_PORTS \
     via xl0 out established 

# SSH client 22
# ---------------
ipfw add allow tcp from $IPADDR $SSH_LOCAL_PORTS to any 22 via xl0 out 
ipfw add allow tcp from any 22 to $IPADDR $SSH_LOCAL_PORTS \
     via xl0 in  established 

# ------------------------------------------------------------------
# AUTH server 113
# -----------------
# Reject, rather than deny, the incoming auth port. NET-3-HOWTO
ipfw add reject tcp from any $UNPRIVPORTS to $IPADDR 113 via xl0 in  

# AUTH client 113
# -----------------
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to any 113 via xl0 out 
ipfw add allow tcp from any 113 to $IPADDR $UNPRIVPORTS \
     via xl0 in  established 

# ------------------------------------------------------------------
# WHOIS client 43
# -----------------
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to any 43 via xl0 out 
ipfw add allow tcp from any 43 to $IPADDR $UNPRIVPORTS \
     via xl0 in  established 

# ------------------------------------------------------------------
# FINGER client 79
# ------------------
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to any 79 via xl0 out 
ipfw add allow tcp from any 79 to $IPADDR $UNPRIVPORTS \
     via xl0 in  established 

# ------------------------------------------------------------------
# FTP server 21
# ---------------
# incoming request
ipfw add allow tcp from any $UNPRIVPORTS to $IPADDR 21 via xl0 in  
ipfw add allow tcp from $IPADDR 21 to any $UNPRIVPORTS \
     via xl0 out established 

# PORT MODE data channel responses
ipfw add allow tcp from $IPADDR 20 to any $UNPRIVPORTS via xl0 out 
ipfw add allow tcp from any $UNPRIVPORTS to $IPADDR 20 \
     via xl0 in  established 

# FTP client 21
# ---------------
# outgoing request
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to any 21 via xl0 out 
ipfw add allow tcp from any 21 to $IPADDR $UNPRIVPORTS \
     via xl0 in  established 

# PORT mode data channel
ipfw add allow tcp from any 20 to $IPADDR $UNPRIVPORTS via xl0 in  
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to any 20 \
     via xl0 out established 

# ------------------------------------------------------------------
# IRC client 6667
# -----------------
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to any 6667 via xl0 out 
ipfw add allow tcp from any 6667 to $IPADDR $UNPRIVPORTS \
     via xl0 in  established 
# NOTE: no 'established' on these two, so together they accept any new
# inbound TCP connection to an unprivileged port on $IPADDR (DCC needs
# it, but it bypasses every per-service rule in this file).
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to any $UNPRIVPORTS via xl0 out 
ipfw add allow tcp from any $UNPRIVPORTS to $IPADDR $UNPRIVPORTS via xl0 in  

# ------------------------------------------------------------------
# RealAudio / QuickTime client
# ----------------------------
ipfw add allow tcp from any 554 to $IPADDR $UNPRIVPORTS \
     via xl0 in established
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to any 554 via xl0 out 

# TCP is a more secure method:  7070-7071
# (ipfw writes port ranges as low-high; the low:high form is ipchains syntax
# and ipfw rejects the rule)
ipfw add allow tcp from any 7070-7071 to $IPADDR $UNPRIVPORTS \
     via xl0 in  established 
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to any 7070-7071 via xl0 out 

# UDP is the preferred method:  6970-6999
# For LAN machines, UDP requires the RealAudio masquerading module and
# the ipmasqadm third-party software.
ipfw add allow udp from any $UNPRIVPORTS to $IPADDR 6970-6999 via xl0 in  
ipfw add allow udp from $IPADDR 6970-6999 to any $UNPRIVPORTS via xl0 out 

# ------------------------------------------------------------------
# ICQ client 4000
# -----------------
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to any 2000-4000 via xl0 out 
ipfw add allow tcp from any 2000-4000 to $IPADDR $UNPRIVPORTS \
     via xl0 in  established 
ipfw add allow udp from $IPADDR $UNPRIVPORTS to any 4000 via xl0 out 
ipfw add allow udp from any 4000 to $IPADDR $UNPRIVPORTS via xl0 in  

# ----------------------------------------------------------------------------
# UDP accept only on selected ports
# ---------------------------------

# DHCP client 67, 68
# --------------------
# allow dhcp server 67 to connect to dhcp client 68
# Note: the DHCP server is the only external source of broadcast
#       messages we should see, ever.
ipfw add allow udp from $DHCP_SERVER 67 to $IPADDR 68 via xl0 in  
ipfw add allow udp from $IPADDR 68 to $DHCP_SERVER 67 via xl0 out 
ipfw add allow udp from $DHCP_SERVER 67 to $BCAST_DEST 68 via xl0 in  
ipfw add allow udp from $BCAST_SRC 68 to $DHCP_SERVER 67 via xl0 out 

# Getting renumbered
ipfw add allow udp from $BCAST_SRC 67 to $BCAST_DEST 68 via xl0 in  
ipfw add allow udp from $BCAST_SRC 68 to $BCAST_DEST 67 via xl0 out 

# As a result of the above, we're supposed to change our IP address with
# this message, which is addressed to our new address before the dhcp
# client has received the update.
ipfw add allow udp from $DHCP_SERVER 67 to any 68 via xl0 in  
ipfw add deny log udp from any 67 to $IPADDR 68 via xl0 in  

# ------------------------------------------------------------------
# NTP TIME clients 123
# ----------------------
# ipfw add allow udp from bitsy.mit.edu 123 to $IPADDR 123 via xl0 in 
# ipfw add allow udp from $IPADDR 123 to bitsy.mit.edu 123 via xl0 out 

ipfw add allow udp from any 123 to $IPADDR 123 via xl0 in 
ipfw add allow udp from $IPADDR 123 to any 123 via xl0 out 
# ------------------------------------------------------------------
# OUTGOING TRACEROUTE
# -------------------
ipfw add allow log udp from $IPADDR $TRACEROUTE_SRC_PORTS \
     to any $TRACEROUTE_DEST_PORTS via xl0 out 

# ----------------------------------------------------------------------------
# ICMP

#    To prevent denial of service attacks based on ICMP bombs, filter
#    incoming Redirect 5 and outgoing Destination Unreachable 3.
#    Note, however, disabling Destination Unreachable 3 is not
#    advisable, as it is used to negotiate packet fragment size.

# For bi-directional ping.
#     Message Types:  Echo_Reply 0,  Echo_Request 8
#     To prevent attacks, limit the src addresses to your ISP range.
# 
# For outgoing traceroute.
#     Message Types:  INCOMING Dest_Unreachable 3, Time_Exceeded 11
#     default UDP base: 33434 to base+nhops-1
# 
# For incoming traceroute.
#     Message Types:  OUTGOING Dest_Unreachable 3, Time_Exceeded 11
#     To block this, deny OUTGOING 3 and 11

#  0: echo-reply pong
#  3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
#  4: source-quench
#  5: redirect
#  8: echo-request ping
# 11: time-exceeded
# 12: parameter-problem

ipfw add allow icmp from any to $IPADDR via xl0 in  icmptypes 0 
ipfw add allow icmp from any to $IPADDR via xl0 in  icmptypes 3 
ipfw add allow icmp from any to $IPADDR via xl0 in  icmptypes 4 
ipfw add allow icmp from any to $IPADDR via xl0 in  icmptypes 11 
ipfw add allow icmp from any to $IPADDR via xl0 in  icmptypes 12 

ipfw add allow icmp from $IPADDR to any via xl0 out icmptypes 4 
ipfw add allow icmp from $IPADDR to any via xl0 out icmptypes 8 
ipfw add allow icmp from $IPADDR to any via xl0 out icmptypes 12 

# ----------------------------------------------------------------------------
# Enable logging for selected denied packets

ipfw add deny log tcp from any to any via xl0 in  
ipfw add deny log udp from any to any $PRIVPORTS via xl0 in  
ipfw add deny log udp from any to any $UNPRIVPORTS via xl0 in  

ipfw add deny log icmp from any to any via xl0 in  icmptypes 5 
# ipfw add deny log icmp from any to any via xl0 in  icmptypes 13-255 

ipfw add reject log all from any to any via xl0 out 

# ----------------------------------------------------------------------------

echo "done"

exit 0

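The script above reads the nameservers with head/tail, which only works while /etc/resolv.conf has exactly three lines in a fixed order, and then repeats the same four DNS rules by hand for each one. The following is an added example, not part of Lou's message or his rc.firewall: it reads every "nameserver" line from a resolv.conf-style file (skipping comments, leading whitespace, domain/search lines), emits the DNS-client rules for each address, and refuses to emit anything when no nameserver is found, so a script running under "set -e" stops instead of installing a ruleset with no DNS path. The resolv.conf contents are constructed for the example; the address 65.96.185.189 and the ports are the ones from the thread. The rules are printed, not applied.

```sh
#!/bin/sh
# Added example: build the ipfw DNS-client rules from every "nameserver"
# line in a resolv.conf-style file.  Output is rule text; pipe it to sh
# (as root) to actually install the rules.

# Constructed sample resolv.conf for the example; not a real system file.
SAMPLE_RESOLV_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_RESOLV_CONF"' EXIT
cat >"$SAMPLE_RESOLV_CONF" <<'EOF'
# generated by dhclient
domain ne.mediaone.net
nameserver 24.218.0.229
nameserver 24.218.0.228
  nameserver   24.128.1.81
search ne.mediaone.net
EOF

# resolv_nameservers FILE
# Print the address from each "nameserver" line, one per line.  Comment,
# domain and search lines are ignored; leading whitespace does not matter
# because awk splits on runs of blanks.
resolv_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# dns_client_rules IPADDR UNPRIVPORTS IFACE FILE
# Emit the four rules the original script repeats per nameserver: UDP
# query/reply and TCP query/established reply, pinned to the firewall's
# own address and the named interface.  Returns 1 and prints nothing if
# FILE yields no nameserver.
dns_client_rules() {
    ipaddr=$1; unpriv=$2; iface=$3; file=$4
    servers=$(resolv_nameservers "$file")
    if [ -z "$servers" ]; then
        echo "no nameserver line in $file" >&2
        return 1
    fi
    for ns in $servers; do
        printf 'ipfw add allow udp from %s %s to %s 53 via %s out\n' \
            "$ipaddr" "$unpriv" "$ns" "$iface"
        printf 'ipfw add allow udp from %s 53 to %s %s via %s in\n' \
            "$ns" "$ipaddr" "$unpriv" "$iface"
        printf 'ipfw add allow tcp from %s %s to %s 53 via %s out\n' \
            "$ipaddr" "$unpriv" "$ns" "$iface"
        printf 'ipfw add allow tcp from %s 53 to %s %s via %s in established\n' \
            "$ns" "$ipaddr" "$unpriv" "$iface"
    done
}

# Example run against the constructed file; prints 12 rules.
dns_client_rules 65.96.185.189 1024-65535 xl0 "$SAMPLE_RESOLV_CONF"
```

In rc.firewall the call would be `dns_client_rules "$IPADDR" "$UNPRIVPORTS" xl0 /etc/resolv.conf | sh || exit 1`, placed where the three hand-written DNS blocks are now, so a resolv.conf with one, two or five nameservers produces the right number of rules without editing the script.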




