From owner-freebsd-questions Tue Aug 14 12:50:17 2001
Date: Tue, 14 Aug 2001 14:50:08 -0500
From: D J Hawkey Jr
Reply-To: hawkeyd@visi.com
To: freebsd-questions@freebsd.org
Subject: traceroute under ipfilter
Message-ID: <20010814145008.A2171@sheol.localdomain>
User-Agent: Mutt/1.2.5i

Hello All.

Well, after going through ipfilter's manual (several times), DejaNews, and
Google searches, everything says that all I need for stateful 'traceroute's
is:

  pass out quick on dc1 proto udp from any to any port \
      33434 >< 33525 keep state

(the newline is for readability; it's not in /etc/ipf.rules). But it just
doesn't. Not until I add:

  pass in quick on dc1 proto icmp from any to any icmp-type 3
  pass in quick on dc1 proto icmp from any to any icmp-type 11

will 'traceroute' work. This is OK, except that I don't want the world to
successfully 'traceroute' back to "me", so I'd much prefer just the stateful
outbound rule.

What have I missed? See below my ASCII-dig for my /etc/ipf.rules and
/etc/ipnat.rules, in case context matters. Note that it's the inbound
"catch-all" rule that stops the transaction when the inbound ICMP rules are
omitted.

I also wouldn't mind any insightful critiques; 'nmap' from the outside says
only SSH and HTTP are open, but I'm not above constructive criticism.

TIA,
Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

---8<--- /etc/ipf.rules
# Inside interface:  dc0
#         address:   A.B.C.2
#         network:   A.B.C.0/24
# Outside interface: dc1
#         address:   X.Y.Z.193
#         network:   X.Y.Z.192/30
# Web server:        A.B.C.3
# DNS server:        any
# NTP server:        128.101.101.101

block in quick on dc1 all head 1

# Stop RFC1918 networks
block in quick on dc1 from 192.168.0.0/16 to any group 1
block in quick on dc1 from 172.16.0.0/12 to any group 1
block in quick on dc1 from 10.0.0.0/8 to any group 1
block in quick on dc1 from 127.0.0.0/8 to any group 1

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
block in quick on dc1 from 0.0.0.0/8 to any group 1
block in quick on dc1 from 169.254.0.0/16 to any group 1
block in quick on dc1 from 192.0.2.0/24 to any group 1
block in quick on dc1 from 204.152.64.0/23 to any group 1
block in quick on dc1 from 224.0.0.0/3 to any group 1

# Allow only these: HTTP and SSH
pass in quick on dc1 proto tcp from any to any port = 80 flags S keep state keep frags group 1
pass in quick on dc1 proto tcp from any to X.Y.Z.193 port = 22 flags S keep state keep frags group 1

# Allow only these: traceroute
pass in quick on dc1 proto icmp from any to any icmp-type 3 group 1
pass in quick on dc1 proto icmp from any to any icmp-type 11 group 1

# Catch-all defaults
block return-rst in quick on dc1 proto tcp all group 1
block return-icmp-as-dest(port-unr) in quick on dc1 proto udp all group 1
block in log on dc1 all group 1

block out quick on dc1 all head 10

# Stop RFC1918 networks
block out quick on dc1 from any to 192.168.0.0/16 group 10
block out quick on dc1 from any to 172.16.0.0/12 group 10
block out quick on dc1 from any to 10.0.0.0/8 group 10
block out quick on dc1 from any to 127.0.0.0/8 group 10

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
block out quick on dc1 from any to 0.0.0.0/8 group 10
block out quick on dc1 from any to 169.254.0.0/16 group 10
block out quick on dc1 from any to 192.0.2.0/24 group 10
block out quick on dc1 from any to 204.152.64.0/23 group 10
block out quick on dc1 from any to 224.0.0.0/3 group 10

# Allow only these: HTTP[S], SMTP, NNTP, POP[23], passive FTP,
# SSH, and telnet
pass out quick on dc1 proto tcp from any to any port = 80 flags S keep state keep frags group 10
pass out quick on dc1 proto tcp from any to any port = 443 flags S keep state keep frags group 10
pass out quick on dc1 proto tcp from any to any port = 25 flags S keep state keep frags group 10
pass out quick on dc1 proto tcp from any to any port = 119 flags S keep state keep frags group 10
pass out quick on dc1 proto tcp from any to any port 108 >< 111 flags S keep state keep frags group 10
pass out quick on dc1 proto tcp from any to any port = 21 flags S keep state keep frags group 10
pass out quick on dc1 proto tcp from any to any port 32999 >< 63001 flags S keep state keep frags group 10
pass out quick on dc1 proto tcp from any to any port = 22 flags S keep state keep frags group 10
pass out quick on dc1 proto tcp from any to any port = 23 flags S keep state keep frags group 10

# Allow only these: DNS, NTP, traceroute, and ping
pass out quick on dc1 proto udp from any to any port = 53 keep state group 10
pass out quick on dc1 proto udp from any to 128.101.101.101 port = 123 keep state group 10
pass out quick on dc1 proto udp from any to any port 33434 >< 33525 keep state group 10
pass out quick on dc1 proto icmp from any to any keep state group 10

# Catch-all defaults
block out log on dc1 all group 10
--->8---

---8<--- /etc/ipnat.rules
# Inside interface:  dc0
#         address:   A.B.C.2
#         network:   A.B.C.0/24
# Outside interface: dc1
#         address:   X.Y.Z.193
#         network:   X.Y.Z.192/30
# Web server:        A.B.C.3
# DNS server:        any
# NTP server:        128.101.101.101

# NAT
map dc1 A.B.C.0/24 -> X.Y.Z.193/32

# Redirect HTTP
rdr dc1 X.Y.Z.193/32 port 80 -> A.B.C.3 port 80
--->8---
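The replies a traceroute relies on are ICMP type 11 (time exceeded) from each intermediate hop and ICMP type 3 (port unreachable) from the final destination. Neither comes from the address the UDP probe was sent to, and neither carries UDP ports in its own headers, so a state table keyed only on the outbound UDP 4-tuple cannot be matched against the outer ICMP packet. What an ICMP error does carry (RFC 792) is the IP header plus the first 8 bytes of the datagram that triggered it, which is exactly the UDP source and destination port. The following is an added example, not code from the post or from IPFilter; it constructs a probe and the two kinds of replies with RFC 5737 documentation addresses standing in for the post's X.Y.Z.193 and an arbitrary target, and shows why matching on the outer packet fails while matching on the quoted datagram admits precisely the replies to probes this host sent, and nothing else. Whether a given IPFilter release does this matching for UDP state is not something this example settles; it only shows what the filter would have to do.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
PROTO_ICMP = 1
PROTO_UDP = 17

# Constructed addresses (RFC 5737 ranges), standing in for the post's
# outside address X.Y.Z.193, a traceroute target, and an intermediate hop.
ME, TARGET, HOP = "198.51.100.193", "192.0.2.10", "203.0.113.1"


def _ip4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left zero, not needed here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_udp_probe(src, sport, dst, dport, ttl):
    """Constructed traceroute probe: IPv4 + 8-byte UDP header, no payload."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return _ip4_header(src, dst, PROTO_UDP, len(udp), ttl) + udp


def build_icmp_error(sender, me, icmp_type, code, offending):
    """Constructed ICMP error from `sender`: 8-byte ICMP header followed by the
    offending datagram's IP header and first 8 bytes (RFC 792)."""
    quoted = offending[:28]                       # 20-byte IP header + 8 bytes of UDP
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return _ip4_header(sender, me, PROTO_ICMP, len(icmp)) + icmp


def parse_ip4(pkt):
    """Return (proto, src, dst, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl:]


def udp_state_key(pkt):
    """Key a state table the way 'pass out ... proto udp ... keep state' would."""
    proto, src, dst, payload = parse_ip4(pkt)
    if proto != PROTO_UDP or len(payload) < 4:
        return None
    sport, dport = struct.unpack("!HH", payload[:4])
    return (src, sport, dst, dport)


def naive_match(pkt, state):
    """Wrong approach: treat the ICMP packet's own addresses as the reply to the
    UDP flow. Only the final destination's port-unreachable can ever match, and
    there are no ports on the outer packet to compare at all."""
    _, src, dst, _ = parse_ip4(pkt)
    return any(k[0] == dst and k[2] == src for k in state)


def icmp_error_matches_state(pkt, state):
    """Correct approach: for ICMP type 3/11, parse the quoted datagram and
    match *its* UDP 4-tuple against the outbound state table."""
    proto, _, _, icmp = parse_ip4(pkt)
    if proto != PROTO_ICMP or len(icmp) < 8 + 28:
        return False
    if icmp[0] not in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return False
    key = udp_state_key(icmp[8:])                  # skip the ICMP header
    return key is not None and key in state


def demo():
    state = set()
    probe = build_udp_probe(ME, 40000, TARGET, 33435, ttl=1)
    state.add(udp_state_key(probe))                # outbound rule creates state
    # Hop 1 expires the TTL and answers type 11 from its own address.
    ttl_exceeded = build_icmp_error(HOP, ME, ICMP_TIME_EXCEEDED, 0, probe)
    # The target answers type 3 code 3 (port unreachable) for the closed port.
    port_unreach = build_icmp_error(TARGET, ME, ICMP_DEST_UNREACH, 3, probe)
    # An ICMP error quoting a probe this host never sent must not be admitted.
    stray = build_icmp_error(HOP, ME, ICMP_TIME_EXCEEDED, 0,
                             build_udp_probe(ME, 40001, "192.0.2.99", 33435, ttl=1))
    return {
        "naive_hop": naive_match(ttl_exceeded, state),
        "naive_target": naive_match(port_unreach, state),
        "stateful_hop": icmp_error_matches_state(ttl_exceeded, state),
        "stateful_target": icmp_error_matches_state(port_unreach, state),
        "stateful_stray": icmp_error_matches_state(stray, state),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the `stray` case is what separates this from the unconditional `pass in ... icmp-type 3` / `icmp-type 11` rules in the post: an inbound ICMP error is admitted only while a matching outbound UDP state entry exists, so nobody outside gets to traceroute back in, yet every hop's reply to this host's own probes is let through.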