Date: Wed, 16 Jun 2004 17:04:49 -0500
From: "Reuben A. Popp" <gobinau@digitalcelt.net>
To: freebsd-questions@freebsd.org
Cc: Giorgos Keramidas <keramida@ceid.upatras.gr>
Subject: Re: ipfw question
Message-ID: <200406161705.05309.gobinau@digitalcelt.net>
In-Reply-To: <20040616053526.GA21650@gothmog.gr>
References: <200406151832.10733.gobinau@digitalcelt.net> <20040616053526.GA21650@gothmog.gr>
Hi Giorgos,
Thanks so much for the quick response on my question :). I more or less took your rules that you posted, and tacked on a few more. I believe that what I have is correct, and everything seems to be working well, with a few exceptions. For instance, ftp and ssh still don't seem to make it into the logs, although the mail, web and web-ssl do with no problems. Again, following this message is my revised ruleset.
Thanks again,
Reuben A. Popp
-------------------->%------------------------------------------
#!/bin/sh -
#
# Setup system for firewall service.
#
# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
    if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
    elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
    fi
fi
# Flush the existing ruleset
echo "Flushing the existing ruleset, stand by..."
ipfw -f flush
# Setup Loopback
ipfw add pass all from any to any via lo0
ipfw add deny all from any to 127.0.0.0/8
ipfw add deny ip from 127.0.0.0/8 to any
# Stop RFC1918 nets on the outside interface
ipfw add deny all from 10.0.0.0/8 to any via em0
ipfw add deny all from 172.16.0.0/12 to any via em0
ipfw add deny all from 192.168.0.0/16 to any via em0
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
ipfw add deny all from 0.0.0.0/8 to any via em0
ipfw add deny all from 169.254.0.0/16 to any via em0
ipfw add deny all from 192.0.2.0/24 to any via em0
ipfw add deny all from 224.0.0.0/4 to any via em0
ipfw add deny all from 240.0.0.0/4 to any via em0
# Pass all ICMP messages through.
# Make sure they're rate-limited by setting `net.inet.icmp.icmplim'
ipfw add allow icmp from any to any
# First of all state checking. This will allow through any packet
# that is marked as "legitimate" by one of the following rules.
ipfw add check-state
ipfw add deny tcp from any to any established
# Allow DNS or NTP sessions that originate from us.
ipfw add allow udp from any to any 53,123 out keep-state
# Add all TCP connections that originate from us
ipfw add allow tcp from any to any out setup keep-state
# Pass and log all incoming ftp-data connections.
ipfw add allow log tcp from any 20 to any in setup keep-state
# Pass and log all incoming connections to: ftp, ssh, mail and www.
ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state
# Allow TCP through if setup succeeded
ipfw add pass tcp from any to any established
# Allow IP fragments to pass through
ipfw add pass all from any to any frag
# Allow setup of any other TCP connection
ipfw add pass tcp from any to any setup
# Reject & Log all setup of incoming connections from the outside
ipfw add deny log tcp from any to any in via em0 setup
-------%<-------------------------------------------------------
Giorgos Keramidas (Giorgos Keramidas <keramida@ceid.upatras.gr>) translated a message on Wednesday 16 June 2004 12:35 am into a binary format and sent it out among the ether in the search of "Reuben A. Popp" <gobinau@digitalcelt.net>. Upon being retranslated into ascii, it was discovered that message read:
> On 2004-06-15 18:31, "Reuben A. Popp" <gobinau@digitalcelt.net> wrote:
> > I was tinkering around trying to get my firewall set the way I wanted
> > it, but seem to be running into an issue. I know that I have logging
> > set in the kernel and in rc.conf, as well as in my ruleset, but for
> > some odd reason, the firewall is not logging connections to the
> > services I wanted watched (ftp, ssh, web, etc).
>
> That's because your ruleset uses the following rule:
>
> # Allow TCP through if setup succeeded
> ipfw add 1200 pass tcp from any to any established
>
> before any of the other rules are reached. This lets every TCP packet
> through without logging and you never get a chance of picking out what
> to log or what to block :)
>
> A simplified version of your ruleset could be this one. Notice that
> I've removed all explicit rule numbers. IPFW does a pretty good job at
> automatically numbering the rules and you don't have too many rules for
> it to work. On the other hand, having hardcoded numbers means that you
> might miss some "reordering" of the rules and waste hours upon hours
> trying to find out why it doesn't work like it's supposed to. Not a
> good possibility... Anyway, here's a ruleset very similar to yours:
>
> #
> # Part 1. Semi-standard stuff copied from rc.firewall.
> #
>
> # Flush the existing ruleset
> echo "Flushing the existing ruleset, stand by..."
> ipfw -f flush
>
> # Only allow lo0 to send packets as 127.0.0.1
> ipfw add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
> ipfw add deny all from any to 127.0.0.0/8
> ipfw add deny ip from 127.0.0.0/8 to any
>
> # Stop RFC1918 nets on the outside interface
> ipfw add deny all from 10.0.0.0/8 to any via em0
> ipfw add deny all from 172.16.0.0/12 to any via em0
> ipfw add deny all from 192.168.0.0/16 to any via em0
>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface
> ipfw add deny all from 0.0.0.0/8 to any via em0
> ipfw add deny all from 169.254.0.0/16 to any via em0
> ipfw add deny all from 192.0.2.0/24 to any via em0
> ipfw add deny all from 224.0.0.0/4 to any via em0
> ipfw add deny all from 240.0.0.0/4 to any via em0
>
> #
> # Part 2. Local rules that allow and log selected TCP services.
> #
>
> # Pass all ICMP messages through.
> # Make sure they're rate-limited by setting `net.inet.icmp.icmplim'
> ipfw add allow icmp from any to any
>
> # First of all state checking. This will allow through any packet
> # that is marked as "legitimate" by one of the following rules.
> ipfw add check-state
> ipfw add deny tcp from any to any established
>
> # Allow DNS or NTP sessions that originate from us.
> ipfw add allow udp from any to any 53,123 out keep-state
>
> # Add all TCP connections that originate from us
> ipfw add allow tcp from any to any out setup keep-state
>
> # Pass and log all incoming ftp-data connections.
> ipfw add allow log tcp from any 20 to any in setup keep-state
>
> # Pass and log all incoming connections to: ftp, ssh, mail and www.
> ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state
>
> AFAIK, anything else can be blocked without stopping you from doing your
> real work.
>
> - Giorgos
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200406161705.05309.gobinau>
