From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 14 18:49:21 2013 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id B96AFDF9 for ; Sun, 14 Apr 2013 18:49:21 +0000 (UTC) (envelope-from spil.oss@gmail.com) Received: from mail-ia0-x22c.google.com (mail-ia0-x22c.google.com [IPv6:2607:f8b0:4001:c02::22c]) by mx1.freebsd.org (Postfix) with ESMTP id 8BA95D5A for ; Sun, 14 Apr 2013 18:49:21 +0000 (UTC) Received: by mail-ia0-f172.google.com with SMTP id k38so3782051iah.3 for ; Sun, 14 Apr 2013 11:49:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:reply-to:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=KDtZMRCzmAR6ydKNQeAy6PY2oFFK2NLTr/lt359QLhU=; b=xZLSfGpOolh4GGBxVlOaP47rnpR3ukJTQsAzc/CrkK2Zolb/BfneZVlMVXxjAOgqHz Su/3D+v9bJHkdXL9RTFRlO/znRY05XIU4FTHhTBRzsN9zztzEUma7iJ/uE2mmOPR4EiN +c+/nX+Sqj/FqilQydZgZNlb7S0Q0mMUmXMk4RhjSgRmuzsX4/aRfNs85+uIxP0BAfxw Od9Gfa+e02GN/dAogq6p/UJYNjg6vpu5SLOB1J0emriyfa8OajGtzt+KPiGBwKhOzMUb LJCGZCauBUg0i7SR6jqUoZHADnoITKkyqbiREqZN/AsxV0KMN2dkv3uhN9UeXSzUrKPY cxYQ== MIME-Version: 1.0 X-Received: by 10.50.50.40 with SMTP id z8mr3641396ign.59.1365965361169; Sun, 14 Apr 2013 11:49:21 -0700 (PDT) Received: by 10.42.189.4 with HTTP; Sun, 14 Apr 2013 11:49:20 -0700 (PDT) In-Reply-To: References: Date: Sun, 14 Apr 2013 20:49:20 +0200 Message-ID: Subject: Re: Problems with ipfw/natd and axe(4) From: Spil Oss To: Michael Sierchio Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: freebsd-ipfw@freebsd.org X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: spil.oss@gmail.com List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Apr 2013 18:49:21 -0000 Hi Michael, I was aware that these deny-rules could be created more efficiently, but I wanted to stay as close as possible to the 'simple' ruleset from the base /etc/rc.firewall rules. settings for /etc/rc.firewall natd_interface=ue0 firewall_simple_iif=re0 # Inside IPv4 network interface. firewall_simple_inet=10.16.1.2.1 # Inside IPv4 network address. firewall_simple_oif=ue0 # Outside IPv4 network interface. firewall_simple_onet=172.17.2.111 # Outside IPv4 network address. #firewall_simple_iif_ipv6= Inside IPv6 network interface. #firewall_simple_inet_ipv6= Inside IPv6 network prefix. #firewall_simple_oif_ipv6= Outside IPv6 network interface. #firewall_simple_onet_ipv6= Outside IPv6 network prefix. 1. Requirements and intentions This machine is my next router/firewall and web/mail/etc-server. ue0 connected to my cable modem, re0 connected to my LAN, ath0 my access point. re0 and ath0 will later be part of bridge0. Webserver and mail-services running in separate jails using natd redirect_port, cannot initiate outbound connections. Inbound ssh, http(s), smtp, imaps, submission allowed in from internet. I'm aware that with checksum offloading the tcpdump checksum will appear incorrect. Earlier I worked with the examples from the handbook which I was told on this mailing-list are not a good starting point for a ruleset. This is why I have taken the ruleset delivered in base as my starting point. The fact is that if I reverse re0 and ue0 (configuration as well as physical connections) the ruleset behaves as expected. 2. Interaction of NAT + stateful I'm trying to understand the interaction, starting with the most default. I had tcpdump, /var/log/security, natd -v running in separate tmux windows to try and figure out what happens. 3. Gradually add complexity I had taken /etc/rc.firewall as the lowest level of complexity and intend to add the extra functions. Will bring it down to the bare minimum and try again. natd config from /etc/rc.conf natd_interface=ue0 natd_flags=" -config /etc/natd.conf" or natd -n ue0 -f /etc/natd.conf -v /etc/natd.conf same_ports yes dynamic yes # redirect http, https to web-jail # Disabled Thanks for the pointers! Kind regards, Spil. On Sat, Apr 13, 2013 at 8:01 PM, Michael Sierchio wrote: > There are some things about this ruleset that are confused. Multiple > deny rules where one will do, et. > > > 01100 deny ip from 10.16.2.1 to any in via ue0 > > 01200 deny ip from 172.17.2.111 to any in via re0 > > 01300 deny ip from any to 10.0.0.0/8 via ue0 > > 01500 deny ip from any to 192.168.0.0/16 via ue0 > > 01600 deny ip from any to 0.0.0.0/8 via ue0 > > 01700 deny ip from any to 169.254.0.0/16 via ue0 > > 01800 deny ip from any to 192.0.2.0/24 via ue0 > > 01900 deny ip from any to 224.0.0.0/4 via ue0 > > 02000 deny ip from any to 240.0.0.0/4 via ue0 > > and you need to think about inbound and outbound traffic, and a few > other things. You have keep-state rules way down the ruleset and a > divert natd in the middle. This won't do. > > 1. State what the requirements and intent are. I'm reluctant to dive > into the solution space for an ill-defined problem. You conclude that > the problem is with the NIC, and I think it's with your ruleset. For > example, which interfaces are external, what's the topology, do > external interfaces have public or private addresses, etc? Is this > a firewall or a standalone box? > > Note that if you do a tcpdump, the checksums will look wrong because > they're offloaded onto the NIC. That's normal. > > 2. Until you understand the interaction of NAT + stateful rules, > don't use them. > > 3. Start with a small ruleset and nat config (show us your natd > config) that is permissive, then gradually add protection. natd by > itself is stateful, and will probably provide all you need. > > - M > > On Sat, Apr 13, 2013 at 6:34 AM, Spil Oss wrote: > > Hi All, > > > > I can't use ipfw with natd with my ASIX AX88772B USB NIC > > > > ipfw ruleset (slightly modified /etc/rc.firewall simple ruleset) > > 00010 allow ip from any to me dst-port 22 recv ue0 > > 00010 allow tcp from me 22 to any xmit ue0 > > 00100 allow ip from any to any via lo0 > > 00200 deny ip from any to 127.0.0.0/8 > > 00300 deny ip from 127.0.0.0/8 to any > > 00400 deny ip from any to ::1 > > 00500 deny ip from ::1 to any > > 00600 allow ipv6-icmp from :: to ff02::/16 > > 00700 allow ipv6-icmp from fe80::/10 to fe80::/10 > > 00800 allow ipv6-icmp from fe80::/10 to ff02::/16 > > 00900 allow ipv6-icmp from any to any ip6 icmp6types 1 > > 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136 > > 01100 deny ip from 10.16.2.1 to any in via ue0 > > 01200 deny ip from 172.17.2.111 to any in via re0 > > 01300 deny ip from any to 10.0.0.0/8 via ue0 > > 01500 deny ip from any to 192.168.0.0/16 via ue0 > > 01600 deny ip from any to 0.0.0.0/8 via ue0 > > 01700 deny ip from any to 169.254.0.0/16 via ue0 > > 01800 deny ip from any to 192.0.2.0/24 via ue0 > > 01900 deny ip from any to 224.0.0.0/4 via ue0 > > 02000 deny ip from any to 240.0.0.0/4 via ue0 > > 02100 divert 8668 ip4 from any to any via ue0 > > 02200 deny ip from 10.0.0.0/8 to any via ue0 > > 02400 deny ip from 192.168.0.0/16 to any via ue0 > > 02500 deny ip from 0.0.0.0/8 to any via ue0 > > 02600 deny ip from 169.254.0.0/16 to any via ue0 > > 02700 deny ip from 192.0.2.0/24 to any via ue0 > > 02800 deny ip from 224.0.0.0/4 to any via ue0 > > 02900 deny ip from 240.0.0.0/4 to any via ue0 > > 03000 allow tcp from any to any established > > 03100 allow ip from any to any frag > > 03200 allow tcp from any to me dst-port 22 setup > > 03300 allow tcp from any to me dst-port 25 setup > > 03400 allow tcp from any to me dst-port 465 setup > > 03500 allow tcp from any to me dst-port 587 setup > > 03600 allow tcp from any to me dst-port 80 setup > > 03700 allow tcp from any to me dst-port 443 setup > > 03800 deny log logamount 5 ip4 from any to any in via ue0 setup proto tcp > > 03900 allow tcp from any to any setup > > 04000 allow udp from me to any dst-port 53 keep-state > > 04100 allow udp from me to any dst-port 123 keep-state > > 04200 allow ip from any to any dst-port 22 recv ue0 > > 65535 deny ip from any to any > > > > If I remove rule 10 it will NOT work with ue0, the same ruleset without > > rule 10 DOES work with re0 on the same machine (re0 as external and ue0 > as > > internal NIC). > > > > If I connect from the gateway on 172.17.2.1 to the ssh server on this > > machine, I can see the ACK and SYN+ACK but there's no ACK from the client > > to the server to establish the tcp session. Only difference I could find > > was that the checksum was incorrect. > > > > Found an older PR kern/170081 about fxp having trouble with nat when > > rxcsum/txcsum was enabled, that is why I started fiddling with > > rxcsum/txcsum and found that the NIC is unusable/dead without > rxcsum/txcsum > > enabled so this was not an option. > > > > # ifconfig ue0 > > ue0: flags=8843 metric 0 mtu 1500 > > options=8000b > > ether 00:60:6e:42:5b:53 > > inet6 fe80::260:6eff:fe42:5b53%ue0 prefixlen 64 scopeid 0x7 > > inet 172.17.2.111 netmask 0xffffff00 broadcast 172.17.2.255 > > nd6 options=21 > > media: Ethernet autoselect (100baseTX ) > > status: active > > > > Any suggestions or pointers? > > > > Kind regards, > > > > Spil. > > _______________________________________________ > > freebsd-ipfw@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" >