Date:      Thu, 23 May 2002 15:49:06 -0400
From:      "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To:        "C J Michaels" <cjm2@earthling.net>
Cc:        "FBSDQ" <questions@FreeBSD.ORG>
Subject:   RE: IPNAT frontend to IPFW
Message-ID:  <MIEPLLIBMLEEABPDBIEGEEADCBAA.barbish@a1poweruser.com>
In-Reply-To: <20020523145211.G57078-400000@cartman.lan.27in.tv>

CHRIS

Thanks for the files you sent me to review. But I have to inform you, you
are mistaken about what kinds of ipfw rules you are using. You are using
simple stateless rules for the major part of your rule set. The only time
you use check-state/keep-state is with your dummynet config rules and those
rules are only for your lan nic cards and not for your external connection to
your isp where natd would come into play.

So my statement still stands: "Natd does not function correctly with
keep-state rules so user ppp -nat is the work around for dialup
configurations."

Advanced Stateful extensions were introduced in FBSD 4.0. The 4.0 update
added new functions and rule types. This update omitted to modify the FBSD
handbook references to explain the Advanced Stateful rule options. The
rc.firewall sample is outdated and does not exclusively use advanced rules.
This omission misleads the common user to use Stateless and Simple Stateful
IPFW firewall rules which are inadequate to protect the user's system in
today's internet environment and leaves the user unknowingly believing they
are protected when in reality they are not. The advanced rules will more
than adequately protect the user from internet perpetrators if used.

This is what advanced stateful keep-state rules look like.
See http://www.freebsd-howto.com/HOWTO/Ipfw-Advanced-Supplement-HOWTO for
more detailed info.

########  control section  ############################################
# Start of IPFW advanced Stateful Filtering using "dynamic" rules.
# The check-state statement behavior is to match bi-directional packet
# traffic flow between source and destination using protocol/IP/port/sequence
# number.
# The dynamic rule has a limited lifetime which is controlled by a set of
# sysctl(8) variables. The lifetime is refreshed every time a matching
# packet is found in the dynamic table.

# Allow the packet through if it has previously been added to
# the "dynamic" rules table by an allow keep-state statement.

$fwcmd add 00500 check-state

# Deny any late arriving packets so they don't
# get caught & logged by rules 800 or 900.
$fwcmd add 00502 deny all from any to any frag

# Deny ACK packets that did not match the dynamic rule table
$fwcmd add 00501 deny tcp from any to any established


########  outbound section  ############################################
# Interrogate packets originating from behind the firewall, private net.
# Upon a rule match, its keep-state option will create a dynamic rule.

# Allow out www function
$fwcmd add 00600 allow tcp  from any to any 80  out via $oif setup keep-state

# Allow lan winbox access to FBSD Apache13/Frontpage Server
$fwcmd add 00601 allow tcp  from $iip to any 80  out via $oif setup keep-state

# Allow out access to my ISP's Domain name server.
$fwcmd add 00610 allow tcp  from any to $odns1 53 out via $oif setup keep-state
$fwcmd add 00611 allow udp  from any to $odns1 53 out via $oif keep-state
$fwcmd add 00615 allow tcp  from any to $odns2 53 out via $oif setup keep-state
$fwcmd add 00616 allow udp  from any to $odns2 53 out via $oif keep-state

# Allow out access to internet Domain name server.
$fwcmd add 00618 allow tcp  from any to any    53 out via $oif setup keep-state
$fwcmd add 00619 allow udp  from any to any    53 out via $oif keep-state

# Allow out send & get email function
$fwcmd add 00630 allow tcp from any to any 25,110 out via $oif setup keep-state

# Allow out & in FBSD (make install & CVSUP)  functions
# Basically give user id root  "GOD"  privileges.
$fwcmd add 00640 allow tcp from me to any out via $oif setup keep-state uid root
$fwcmd add 00641 allow tcp from any to me in  via $oif setup keep-state uid root


# Allow out ping
$fwcmd add 00650 allow icmp from any to any       out via $oif      keep-state

# Allow out FTP control channel & in of data channel
$fwcmd add 00671 allow tcp  from any to any 21    out via $oif setup keep-state
# Allow in FTP data channel to Lan ip range
$fwcmd add 00672 allow tcp from any 20 to $iip 1024-49151 in via $oif setup keep-state
# Allow in FTP data channel to Dialin users ip range
$fwcmd add 00673 allow tcp from any 20 to $iip2 1024-49151 in via $oif setup keep-state

# Allow out ssh
$fwcmd add 00680 allow tcp  from any to any 22   out via $oif setup keep-state

# Allow out TELNET
$fwcmd add 00690 allow tcp  from any to any 23    out via $oif setup keep-state

# Allow out Network Time Protocol (NTP) queries
$fwcmd add 00694 allow tcp  from any to any 123   out via $oif setup keep-state
$fwcmd add 00695 allow udp  from any to any 123   out via $oif keep-state

# Allow out Time
$fwcmd add 00696 allow tcp  from any to any 37    out via $oif setup keep-state
$fwcmd add 00697 allow udp  from any to any 37    out via $oif keep-state

# Allow out ident
$fwcmd add 00700 allow tcp  from any to any 113   out via $oif setup keep-state
$fwcmd add 00701 allow udp  from any to any 113   out via $oif keep-state

# Allow out IRC
$fwcmd add 00710 allow tcp  from any to any 194   out via $oif setup keep-state
$fwcmd add 00711 allow udp  from any to any 194   out via $oif keep-state

# Allow out whois
$fwcmd add 00712 allow tcp  from any to any 43    out via $oif setup keep-state
$fwcmd add 00713 allow udp  from any to any 43    out via $oif keep-state

# Allow out whois++
$fwcmd add 00715 allow tcp  from any to any 63    out via $oif setup keep-state
$fwcmd add 00716 allow udp  from any to any 63    out via $oif keep-state

# Allow out finger
$fwcmd add 00720 allow tcp  from any to any 79    out via $oif setup keep-state
$fwcmd add 00721 allow udp  from any to any 79    out via $oif keep-state

# Allow out nntp news
$fwcmd add 00725 allow tcp  from any to any 119   out via $oif setup keep-state
$fwcmd add 00726 allow udp  from any to any 119   out via $oif keep-state

# Allow out gopher
$fwcmd add 00730 allow tcp  from any to any 70    out via $oif setup keep-state
$fwcmd add 00731 allow udp  from any to any 70    out via $oif keep-state

###############################################################################


HERE ARE YOUR RULES YOU SENT ME.

### lo0
add 01000 allow all from any to any via lo0
add 01100 deny all from any to 127.0.0.0/8
add 01200 deny all from 127.0.0.0/8 to any

### Anti-Spoofing, should be set to public network.
add 02000 deny ip from 24.169.195.0/22 to any in via dc0
add 02100 deny ip from 10.0.0.0/24 to any in via ed0

### Block private (RFC1918) nets on public interface.
add 03000 deny all from any to 10.0.0.0/8 in via ed0
add 03100 deny all from any to 172.16.0.0/12 via ed0
add 03150 deny all from 172.16.0.0/12 to any via ed0
add 03200 deny all from any to 192.168.0.0/16 via ed0
add 03250 deny all from 192.168.0.0/16 to any via ed0

### Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
### DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E) on the
### outside interface.
add 04000 deny all from any to 0.0.0.0/8 via ed0
add 04050 deny all from 0.0.0.0/8 to any via ed0
add 04100 deny all from any to 169.254.0.0/16 via ed0
add 04150 deny all from 169.254.0.0/16 to any via ed0
add 04200 deny all from any to 192.0.2.0/24 via ed0
add 04250 deny all from 192.0.2.0/24 to any via ed0
add 04300 deny all from any to 224.0.0.0/4 via ed0
add 04350 deny all from 224.0.0.0/4 to any via ed0
add 04400 deny all from any to 240.0.0.0/4 via ed0
add 04450 deny all from 240.0.0.0/4 to any via ed0

### Allow LAN traffic to pass unmolested.
add 05000 allow ip from 10.0.0.0/22 to 10.0.0.0/22 via dc0
add 05025 allow ip from 10.0.0.0/22 to 10.0.0.0/22 via ng0
add 05050 allow ip from 10.0.0.0/22 to 10.0.0.0/22 via ng1

### Allow traffic to/from me to/from the lan to pass unmolested.
add 05100 allow ip from me to me
add 05200 allow ip from me to 10.0.0.0/22 via dc0
add 05225 allow ip from me to 10.0.0.0/22 via ng0
add 05250 allow ip from me to 10.0.0.0/22 via ng1
add 05300 allow ip from 10.0.0.0/22 to me via dc0
add 05325 allow ip from 10.0.0.0/22 to me via ng0
add 05350 allow ip from 10.0.0.0/22 to me via ng1

### Transparent firewall and NATd divert.
add 06000 fwd 10.0.0.1,3128 tcp from 10.0.0.0/24 to any 80
add 06100 divert 8668 ip from any to any via ed0

### Blocked traffic
add 07000 deny tcp from any to me 6667 via ed0
add 07100 deny udp from any to me 53 via ed0
add 07200 deny tcp from any to any 137-139 via ed0
add 07250 deny udp from any to any 137-139 via ed0

### Allowed traffic
add 08000 queue 25 esp from any to any
add 08050 queue 25 ah from any to any
add 08100 queue 1 icmp from any to any
add 08150 queue 25 gre from any to any

add 09000 queue 1 tcp from any to me 80
add 09050 queue 1 tcp from me 80 to any
add 09100 queue 100 tcp from any to any 22
add 09150 queue 100 tcp from any 22 to any

add 09200 queue 10 tcp from any 25,67,80,110,143,443 to any
add 09250 queue 10 tcp from any to any 25,67,80,110,143,443
add 09300 queue 10 udp from any 53,68 to any
add 09350 queue 10 udp from any to any 53,68

add 10000 queue 10 tcp from me 20,21,113,587,1723 to any
add 10050 queue 10 tcp from any to me 20,21,113,587,1723
add 10100 queue 10 udp from me 123,500,518 to any
add 10150 queue 10 udp from any to me 123,500,518

add 10200 queue 1000 tcp from me 8080 to any via ed0
add 10250 queue 1 tcp from any to me 8080 via ed0

# Check state / Dynamic rules
add 11000 check-state
add 11100 deny tcp from any to any in established
add 11200 queue 10 all from 10.0.0.0/24 to any keep-state via dc0
add 11300 queue 10 all from 10.0.0.0/24 to any keep-state via ng0
add 11400 queue 10 all from 10.0.0.0/24 to any keep-state via ng1
add 11500 queue 10 all from any to any out keep-state

# Deny anything left.
add 12000 deny log all from any to any

pipe 1 config bw 0 delay 0 queue 50 plr 0 buckets 64
queue 1 config pipe 1 weight 1 queue 50 plr 0 buckets 64 mask dst-ip 0xffffffff dst-port 0x0000 src-ip 0xffffffff src-port 0x0000 proto 0xff
queue 10 config pipe 1 weight 10 queue 50 plr 0 buckets 128 mask dst-ip 0xffffffff dst-port 0x0000 src-ip 0xffffffff src-port 0x0000 proto 0xff
queue 25 config pipe 1 weight 25 queue 50 plr 0 buckets 128 mask dst-ip 0xffffffff dst-port 0xffff src-ip 0xffffffff src-port 0xffff proto 0xff
queue 50 config pipe 1 weight 50 queue 50 plr 0 buckets 64 mask dst-ip 0xffffffff dst-port 0xffff src-ip 0xffffffff src-port 0xffff proto 0xff
queue 100 config pipe 1 weight 100 queue 50 plr 0 buckets 64 mask dst-ip 0xffffffff dst-port 0xffff src-ip 0xffffffff src-port 0xffff proto 0xff

pipe 1000 config bw 160Kbit/s delay 100ms queue 20 plr 0 buckets 64
queue 1000 config pipe 1000 weight 1 queue 20 plr 0 buckets 64 mask dst-ip 0xffffffff dst-port 0xff00 src-ip 0xffffffff src-port 0xff00 proto 0xff


-----Original Message-----
From: Christopher J. Michaels [mailto:cjm2@27in.tv]
Sent: Thursday, May 23, 2002 2:55 PM
To: Joe & Fhe Barbish
Subject: RE: IPNAT frontend to IPFW

Joe,

Attached are the relevant parts of my rc.conf, firewall.conf (ruleset),
and natd.conf

Unfortunately, you caught me after I've started playing with dummynet
queues and several other tweaks, so my firewall config isn't the most
straightforward in the world.

Previous to the current config, I had a much simpler one (don't have the
old .conf lying around tho) which was pretty straightforward.

The part of my config that I believe you'll find most useful starts w/
rule 11000.

Let me know if this helps.
--Chris

On Thu, 23 May 2002, Joe & Fhe Barbish wrote:

> Could you please show me your working files? Rc.conf and ipfw rules file.
>
> -----Original Message-----
> From: C J Michaels [mailto:cjm2@earthling.net]
> Sent: Thursday, May 23, 2002 11:02 AM
> To: barbish@a1poweruser.com
> Subject: Re: IPNAT frontend to IPFW
>
> Joe & Fhe Barbish said:
>
> <...snip...>
>
> > Natd does not function correctly with keep-state rules so
> > user ppp -nat is the work around for dialup configurations.
>
> What gives you this impression?  I'm currently using keep-state rules w/
> natd and it works perfectly fine.
> <...snip...>
>
> --
> Chris
>


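To make the check-state/keep-state behaviour described in Joe's control section concrete, here is an added Python model (not part of this thread and not ipfw code) of how an "allow ... setup keep-state" match populates the dynamic table, how check-state then matches the reply direction of that flow, how the "established" deny catches ACKs with no dynamic entry, and how an entry expires unless refreshed. The rule numbers follow rules 500, 501 and 600 above; the addresses, ports and 300-second lifetime are constructed, and "established" is simplified to "ACK set" (real ipfw also matches RST).

```python
# Constructed model of ipfw dynamic rules; not the thread's ruleset or ipfw code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "in" or "out" on the external interface ($oif)
    syn: bool = False
    ack: bool = False


def flow_key(p):
    # Direction-independent key, so the reply matches the entry the request made.
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))


def is_setup(p):          # ipfw "setup": SYN set, ACK clear
    return p.proto == "tcp" and p.syn and not p.ack


def is_established(p):    # ipfw "established": ACK set (RST omitted in this model)
    return p.proto == "tcp" and p.ack


class StatefulFirewall:
    def __init__(self, rules, lifetime=300):
        self.rules = sorted(rules, key=lambda r: r[0])  # (number, action, predicate, keep_state)
        self.lifetime = lifetime                        # stands in for the dyn_* sysctl timers
        self.dynamic = {}                               # flow_key -> expiry time

    def filter(self, p, now=0):
        """Return (rule number, action) for packet p at time `now`."""
        self.dynamic = {k: t for k, t in self.dynamic.items() if t > now}  # expire idle flows
        key = flow_key(p)
        for number, action, match, keep_state in self.rules:
            if action == "check-state":
                if key in self.dynamic:                 # either direction of a known flow
                    self.dynamic[key] = now + self.lifetime  # lifetime refreshed on each match
                    return (number, "allow")
                continue
            if match(p):
                if keep_state:
                    self.dynamic[key] = now + self.lifetime  # allow ... keep-state adds the flow
                return (number, action)
        return (65535, "deny")                          # implicit default rule


# Rules 500, 501 and 600 from the control/outbound sections above, in this model.
RULES = [
    (500, "check-state", None, False),
    (501, "deny", is_established, False),
    (600, "allow", lambda p: is_setup(p) and p.direction == "out" and p.dport == 80, True),
]
```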