From: Ian Smith <smithi@nimnet.asn.au>
To: "Dan Mahoney (Ports)"
CC: questions@freebsd.org, kpn@neutralgood.org
Subject: Re: Firewall rules in a directory
Date: Tue, 06 Sep 2022 15:52:55 +1000
Message-ID: <268E4C90-FC85-4534-88AC-D3B82052EF0C@nimnet.asn.au>
In-Reply-To: <9BFB27DC-BA45-49B5-8EAD-B5BE7BC14E20@gushi.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On 5 September 2022 12:18:02 pm AEST, "Dan Mahoney (Ports)" wrote:
> 
> > On Aug 31, 2022, at 10:47 AM, Ian Smith wrote:
> > 
> > On 30 August 2022 2:40:34 pm AEST, "Dan Mahoney (Ports)" wrote:
> >> Note, this wasn't intended to be "here's a diff, please put it in",
> >> just an illustration of how trivial an addition it is.
> >> 
> >>> On Aug 29, 2022, at 9:36 PM, Dan Mahoney (Ports) wrote:
> >>> 
> >>> All,
> >>> 
> >>> At the dayjob, we've taken to putting our ipfw rules into a
> >>> directory using rcorder'able files. This way, each of our puppet
> >>> manifests can drop its own rules into place without having to manage
> >>> a monolithic file.
> >>> 
> >>> It's a simple patch to rc.firewall, where if you set firewall_type
> >>> to a file, it just runs it, but if it's a directory, it would treat
> >>> it as such:
> >>> 
> >>> *)
> >>>     if [ -r "${firewall_type}" ]; then
> >>>         if [ -f "${firewall_type}" ]; then
> >>>             ${fwcmd} ${firewall_flags} ${firewall_type}
> >>>         else
> >>>             if [ -d "${firewall_type}" ]; then
> >>>                 # rcorder(8) sorts the files by their PROVIDE/REQUIRE/BEFORE headers
> >>>                 for fwfile in $(rcorder "${firewall_type}"/*)
> >>>                 do
> >>>                     ipfw -q "$fwfile"
> >>>                 done
> >>>             fi
> >>>         fi
> >>>     fi
> >>>     ;;
> >>> 
> >>> Is there a possibility of getting this into base?
> >>> 
> >>> -Dan
> > 
> > Getting code into rc.firewall has proven difficult over the years,
> > for me impossible. It even took julian@ a couple of years to get a
> > sensible use of tables into firewall_type 'simple' - but things may
> > have changed. https://lists.freebsd.org/archives/freebsd-ipfw/

From my perspective, this used to be a great list. Now it's nearly all
just bugzilla reports with very occasional human seeking discussion.
Clearly, developers must prefer it that way.

I'm inclined to trim quotes somewhat Dan, but for starters let me say
that a) I think this is a really good idea, b) getting it out there as a
patch with explanation would be good at somewhere like
/usr/share/examples/ipfw, and c) I wouldn't blow too much time trying
to get it into /etc/rc.firewall

Apart from arguably 'workstation', which I've found amenable to adding a
few rules in /etc/rc.local, for years I've copied rc.firewall to
rc.myfirewall ono and hacked away, mostly on 'simple' for local nets.

> > If it's really intended to launch multiple instances of ipfw, it
> > may win more favour - as a bug / feature request as Kevin suggests -
> > if you're sure how things like 'service ipfw status' or 'restart'
> > handle them in /etc/rc.d/ipfw?

I see now that you're adding sections to the one instance, which makes
the above moot as these are just lists of ipfw commands, not scripts.

[..]

> So, right now, there are two knobs you can tweak in /etc/rc.conf --
> firewall_type, and firewall_script. Firewall_script defaults to
> /etc/rc.firewall which understands things like "open" or "client" or
> "unknown", or a file. The last bit of the stock rc.firewall looks
> like this:
> 
> [Cc][Ll][Oo][Ss][Ee][Dd])
>     ${fwcmd} add 65000 deny ip from any to any
>     ;;
> [Uu][Nn][Kk][Nn][Oo][Ww][Nn])
>     ;;
> *)
>     if [ -r "${firewall_type}" ]; then
>         ${fwcmd} ${firewall_flags} ${firewall_type}
>     fi
>     ;;
> esac
> 
> Two problems there. 1) -r only checks for readability, not for it
> being an actual file.

"-r    True if file exists and is readable"

I usually find -s more useful, but I often add 0-byte files as comments:

    touch -r flxbz 'what this flxbz is'

And in any case, only running ipfw on a file will tell you if it
contained valid contents - suggesting that the script should check
ipfw's return code, and say something useful if it's non-zero?

> and 2) For us, we *like* it being a directory.
> 
> Here's an output of rcorder:
> 
> rcorder /etc/ipfw.d/*
> /etc/ipfw.d/setup
> /etc/ipfw.d/production_networks
> /etc/ipfw.d/production_static
> /etc/ipfw.d/routing
> /etc/ipfw.d/services
> /etc/ipfw.d/snmp_agent
> /etc/ipfw.d/ssh_service
> /etc/ipfw.d/tftp_service
> /etc/ipfw.d/mosh_service
> /etc/ipfw.d/node_exporter_agent
> /etc/ipfw.d/nrpe_agent
> /etc/ipfw.d/ssh_vpn
> /etc/ipfw.d/outbound
> /etc/ipfw.d/local
> /etc/ipfw.d/krb5_client
> /etc/ipfw.d/dns_client
> /etc/ipfw.d/syslog_client
> /etc/ipfw.d/ntp_client
> /etc/ipfw.d/final
> 
> And...as an example, here's some of /etc/ipfw.d/setup (note the
> PROVIDE and BEFORE entries at top, like rcorder wants).
> 
> #
> # PROVIDE: setup blocked bogons
> # BEFORE: services routing outbound final
> #
> 
> # remove all existing tables
> table all destroy
> table blocked create

All good stuff.

> # standard (non-service specific) tables
> table bogons create
> table bogons add 0.0.0.0/8
> table bogons add 10.0.0.0/8
> table bogons add 172.12.0.0/12
> table bogons add 192.168.0.0/16
> table bogons add 169.254.0.0/16
> table bogons add 240.0.0.0/4
> 
> # permit existing TCP sessions
> add allow tcp from any to any established
> 
> # permit existing stateful traffic
> add check-state :default // permit stateful traffic
> 
> # permit internal loopback traffic
> add allow ip from any to any via lo0
> add allow ip from any to any via lo1
> 
> # deny directed loopback traffic
> add deny ip from any to 127.0.0.0/8 in
> add deny ip from any to ::/64 in
> 
> # deny unexpected sources
> add deny ip from table(bogons) to me in // unexpected sources
> 
> # deny explicitly disabled (non-persistent) sources
> add deny ip from table(blocked) to me in // emergency (non-persistent) blocklist
> 
> # allow bsd-standard-port traceroutes
> add allow udp from me to any 33434-33600 // traceroute in
> add allow udp from any to me 33434-33600 // traceroute out
> 
> # moderately permissive ICMPv4
> add allow icmp from any to any icmptypes 0,3,8,11,13,14 // safe ICMPv4

I couldn't get even icmptypes 0,3,8,11 into 'client' and especially
'simple' seen as a good idea, but that was before phk@ added
'workstation' which fixed that there. I'll have to take your word on
ipv6.

> # link-local ICMPv6 (RS, RA, NS, NA) - per FreeBSD standard rules
> add allow ipv6-icmp from :: to fe80::/10 // ICMPv6 DAD
> add allow ipv6-icmp from fe80::/10 to fe80::/10 // ICMPv6 NDP
> add allow ipv6-icmp from fe80::/10 to ff02::/16 // ICMPv6 NDP
> add allow ipv6-icmp from any to any icmp6types 1,2,3,128,129,135,136 // safe ICMPv6
> 
> ....
> 
> And here's a service entry...
> 
> more /etc/ipfw.d/ssh_service
> # REQUIRE: services
> # PROVIDE: ssh_service ssh_clients
> # BEFORE: outbound
> 
> table ssh_clients create
> 
> table ssh_clients add 1.2.3.4
> table ssh_clients add 2001:dead:beef:cafe::d00d
> 
> add allow tcp from table(ssh_clients) to me 22 in setup // inbound SSH
> 
> ==
> 
> Also unique to our setup: the "local" script is created by puppet but
> not managed by it, so if you need to drop an emergency override in
> there for something (i.e. block an attacker, or open a port that you
> haven't added to automation yet, add a counter to debug an issue, you
> can, quickly).
> 
> Some of our scripts are placeholders, just existing as a no-op to
> anchor things like BEFORE.

To me, this is a great example of leveraging things like rcorder to
another, if similar, purpose.

> If people wanted things to put in /usr/share/examples (say
> /usr/share/examples/ipfw/client, or /usr/share/examples/ipfw/closed?)
> that mimicked the main setup, I'd be happy to contribute them.

Maybe you could offer the whole thing as a script that includes

a) a patch to rc.firewall making say /etc/rc.firewall_builder
b) sysrc commands to set firewall_script to that, and firewall_type to
   the directory, perhaps a subdir off 'here'.
c) 2 or 3 example sections?

So at least there'd be somewhere people could point or refer to, while
awaiting favour from ipfw deities :)

> (I'm also not thrilled with the fact that the stock firewall script
> adds rules before it determines what kind of firewall you want, and
> then applies your rules...that could perhaps be a different bug
> though).

You've included setup_loopback and setup_ipv6_mandatory rules anyway,
mostly, but you could always just start off with perhaps

    delete 1-1200

> If there's a different list I should be posting this to, let me
> know.

Excuse my cynicism re once-great lists; I've been too long out of touch.

cheers, Ian
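As an added example (not code from the thread, from Dan's puppet setup, or from FreeBSD's own rc.firewall), here is the directory-or-file dispatch that Dan's patch sketches, combined with the return-code check Ian asks for: each rcorder(8)-ordered file is fed to ipfw, and the first file ipfw rejects stops the load and is named on stderr, so a typo in one service file does not leave later rules silently unapplied. The function names load_rule_file and load_firewall_type, the LOADED_FILES variable and the FWCMD/ORDERCMD overrides are assumptions introduced here; firewall_type, fwcmd, rcorder and ipfw are the real knobs and tools the thread discusses. The overrides exist only so the control flow can be exercised on a host without ipfw.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc.firewall: load an ipfw rule set given as
# either one file or an rcorder(8)-ordered directory, checking ipfw's exit
# status for every file. FWCMD and ORDERCMD are hypothetical overrides so
# the logic can be tested without ipfw; on FreeBSD leave the defaults.
: "${FWCMD:=ipfw -q}"
: "${ORDERCMD:=rcorder}"

# Files applied so far, space separated, in the order they were loaded.
LOADED_FILES=""

# load_rule_file FILE: feed one rule file to ipfw and report a non-zero
# exit status together with the offending file name (Ian's suggestion).
load_rule_file() {
    file=$1
    # -r alone is not enough (Dan's point 1): insist on a regular file.
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "firewall: $file is not a readable regular file" >&2
        return 2
    fi
    $FWCMD "$file" || {
        rc=$?
        echo "firewall: ipfw rejected $file (exit status $rc)" >&2
        return "$rc"
    }
    LOADED_FILES="${LOADED_FILES:+$LOADED_FILES }$file"
    return 0
}

# load_firewall_type TARGET: body for the '*)' branch of rc.firewall's
# case statement. A regular file is loaded as-is; a directory is loaded in
# rcorder(8) dependency order (PROVIDE/REQUIRE/BEFORE headers), stopping at
# the first rejected file so the set is never half-applied in silence.
load_firewall_type() {
    target=$1
    LOADED_FILES=""
    if [ -f "$target" ]; then
        load_rule_file "$target"
    elif [ -d "$target" ]; then
        set -- "$target"/*
        if [ ! -e "$1" ]; then
            echo "firewall: no rule files in $target" >&2
            return 2
        fi
        # Paths with whitespace are not expected in an rc-style directory.
        for fwfile in $($ORDERCMD "$@"); do
            load_rule_file "$fwfile" || return $?
        done
    else
        echo "firewall: firewall_type '$target' is neither a file nor a directory" >&2
        return 2
    fi
}
```

In a copy of rc.firewall (Ian's suggested /etc/rc.firewall_builder) the `*)` branch would simply run `load_firewall_type "${firewall_type}"`, and rc.conf would point at it with `sysrc firewall_script=/etc/rc.firewall_builder firewall_type=/etc/ipfw.d`. Because the function returns ipfw's own exit status, a `service ipfw start` that fails now says which file failed rather than reporting success with a partial rule set loaded.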