Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 7 Oct 2015 17:00:55 +0200
From:      Guido Falsi <mad@madpilot.net>
To:        Mark Felder <feld@FreeBSD.org>, freebsd-net@freebsd.org
Subject:   Re: Struggling with IPFW on CURRENT
Message-ID:  <561533A7.2010501@madpilot.net>
In-Reply-To: <1444228604.4174170.403845001.7FAB35BB@webmail.messagingengine.com>
References:  <1444226262.4164898.403785985.524883DA@webmail.messagingengine.com> <56152CCD.3010302@madpilot.net> <1444228604.4174170.403845001.7FAB35BB@webmail.messagingengine.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On 10/07/15 16:36, Mark Felder wrote:

>> I suspect you should also investigate using sysctl
>> net.inet.ip.fw.one_pass=0. The ruleset below seems to require it in a
>> few places.
>>
>>>
>>> * TCP sessions seem to be killed every ~300s
>>
>> sysctl net.inet.ip.fw.dyn_ack_lifetime=<seconds>
>>
>> default is 300.
>>
> 
> These are active TCP sessions though... like IRC and SSH... But again,
> probably related to one_pass.

I misinterpreted that point. But the fact that they get killed after a
time so similar to the timeout looks suspicious :)

>>> * Does IPFW not track outbound traffic to allow it back through --
>>> related/established ? I have trouble blocking inbound traffic without
>>> blocking originated/outbound traffic because the firewall blocks the
>>> return packets.
>>
>> It does only for stateful rules, with keep-state, which you are using.
>> Which rules are failing to do that?
>>
> 
> I don't have any in the provided example, but noticed it when
> experimenting.

I see, well unstateful rules keep no information, so you need separate
rules for inbound and outbound traffic.

> 
>>>
>>> * Port forwarding is failingl, probably due to the issues with the "in
>>> via" that I'm experiencing. Research says once I have the redirect_port
>>> configured I should be good to go as long as I match the traffic and
>>> skip to the NAT rule. Skip rules don't stop processing, so it should hit
>>> the next rule which is the last rule in my config -- allow from any to
>>> any. (Documentation for in-kernel NAT is nonexistent and really needs
>>> help). The rule 425 below should be working, but logs show that rule is
>>> ignored and it's being blocked at 550. Comment out 550 and it works...
>>
>> As above, if I remember correctly this setup requires one_pass=1 to
>> work, I'm not completely sure this is your problem though. I think it's
>> worth a try.
>>
> 
> I'll give it a try. Hopefully this will be successful.
> 
>>
>> Please note that my structure is just an example, there are many other
>> ways to organize your firewall. I have a setup that uses many stateful
>> rules, but some people prefer stateless firewalling, which requires
>> rules for both inbound and outbound traffic.
> 
> Yeah, I could do stateless and require both inbound and outbound rules
> but that's tedious and I hate the idea of having to toy with my firewall
> every time I want to connect to something new/unusual.
> 

I agree, that's why I also use lots of stateful rules.

BTW ping and traceroute from natted hosts could require some special
care too work correctly. But your rules look quite permissive so maybe
those will work OOB.

-- 
Guido Falsi <mad@madpilot.net>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?561533A7.2010501>