Date: Thu, 23 May 2002 15:49:06 -0400
From: "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To: "C J Michaels" <cjm2@earthling.net>
Cc: "FBSDQ" <questions@FreeBSD.ORG>
Subject: RE: IPNAT frontend to IPFW
Message-ID: <MIEPLLIBMLEEABPDBIEGEEADCBAA.barbish@a1poweruser.com>
In-Reply-To: <20020523145211.G57078-400000@cartman.lan.27in.tv>
CHRIS

Thanks for the files you sent me to review. But I have to inform you, you are mistaken about what kinds of ipfw rules you are using. You are using simple stateless rules for the major part of your rule set. The only time you use check-state/keep-state is with your dummynet config rules, and those rules are only for your lan nic cards and not for your external connection to your isp where natd would come into play. So my statement still stands: "Natd does not function correctly with keep-state rules so user ppp -nat is the work around for dialup configurations."

Advanced Stateful extensions were introduced in FBSD 4.0. The 4.0 update added new functions and rule types. This update omitted to modify the FBSD handbook references to explain the Advanced Stateful rule options. The rc.firewall sample is outdated and does not exclusively use advanced rules. This omission misleads the common user to use Stateless and Simple Stateful IPFW firewall rules, which are inadequate to protect the user's system in today's internet environment and leaves the user unknowingly believing they are protected when in reality they are not. The advanced rules will more than adequately protect the user from internet perpetrators if used.

This is what advanced stateful keep-state rules look like. See http://www.freebsd-howto.com/HOWTO/Ipfw-Advanced-Supplement-HOWTO for more detailed info.

######## control section ############################################
# Start of IPFW advanced Stateful Filtering using "dynamic" rules.
# The check-state statement behavior is to match bi-directional packet traffic
# flow between source and destination using protocol/IP/port/sequence number.
# The dynamic rule has a limited lifetime which is controlled by a set of
# sysctl(8) variables. The lifetime is refreshed every time a matching
# packet is found in the dynamic table.
# Allow the packet through if it has previously been added to
# the "dynamic" rules table by an allow keep-state statement.
$fwcmd add 00500 check-state
# Deny any late arriving packets so they don't
# get caught & logged by rules 800 or 900.
$fwcmd add 00502 deny all from any to any frag
# Deny ACK packets that did not match the dynamic rule table
$fwcmd add 00501 deny tcp from any to any established

######## outbound section ############################################
# Interrogate packets originating from behind the firewall, private net.
# Upon a rule match, its keep-state option will create a dynamic rule.
# Allow out www function
$fwcmd add 00600 allow tcp from any to any 80 out via $oif setup keep-state
# Allow lan winbox access to FBSD Apache13/Frontpage Server
$fwcmd add 00601 allow tcp from $iip to any 80 out via $oif setup keep-state
# Allow out access to my ISP's Domain name server.
$fwcmd add 00610 allow tcp from any to $odns1 53 out via $oif setup keep-state
$fwcmd add 00611 allow udp from any to $odns1 53 out via $oif keep-state
$fwcmd add 00615 allow tcp from any to $odns2 53 out via $oif setup keep-state
$fwcmd add 00616 allow udp from any to $odns2 53 out via $oif keep-state
# Allow out access to internet Domain name server.
$fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
$fwcmd add 00619 allow udp from any to any 53 out via $oif keep-state
# Allow out send & get email function
$fwcmd add 00630 allow tcp from any to any 25,110 out via $oif setup keep-state
# Allow out & in FBSD (make install & CVSUP) functions
# Basically give user id root "GOD" privileges.
$fwcmd add 00640 allow tcp from me to any out via $oif setup keep-state uid root
$fwcmd add 00641 allow tcp from any to me in via $oif setup keep-state uid root
# Allow out ping
$fwcmd add 00650 allow icmp from any to any out via $oif keep-state
# Allow out FTP control channel & in of data channel
$fwcmd add 00671 allow tcp from any to any 21 out via $oif setup keep-state
# Allow in FTP data channel to Lan ip range
$fwcmd add 00672 allow tcp from any 20 to $iip 1024-49151 in via $oif setup keep-state
# Allow in FTP data channel to Dialin users ip range
$fwcmd add 00673 allow tcp from any 20 to $iip2 1024-49151 in via $oif setup keep-state
# Allow out ssh
$fwcmd add 00680 allow tcp from any to any 22 out via $oif setup keep-state
# Allow out TELNET
$fwcmd add 00690 allow tcp from any to any 23 out via $oif setup keep-state
# Allow out Network Time Protocol (NTP) queries
$fwcmd add 00694 allow tcp from any to any 123 out via $oif setup keep-state
$fwcmd add 00695 allow udp from any to any 123 out via $oif keep-state
# Allow out Time
$fwcmd add 00696 allow tcp from any to any 37 out via $oif setup keep-state
$fwcmd add 00697 allow udp from any to any 37 out via $oif keep-state
# Allow out ident
$fwcmd add 00700 allow tcp from any to any 113 out via $oif setup keep-state
$fwcmd add 00701 allow udp from any to any 113 out via $oif keep-state
# Allow out IRC
$fwcmd add 00710 allow tcp from any to any 194 out via $oif setup keep-state
$fwcmd add 00711 allow udp from any to any 194 out via $oif keep-state
# Allow out whois
$fwcmd add 00712 allow tcp from any to any 43 out via $oif setup keep-state
$fwcmd add 00713 allow udp from any to any 43 out via $oif keep-state
# Allow out whois++
$fwcmd add 00715 allow tcp from any to any 63 out via $oif setup keep-state
$fwcmd add 00716 allow udp from any to any 63 out via $oif keep-state
# Allow out finger
$fwcmd add 00720 allow tcp from any to any 79 out via $oif setup keep-state
$fwcmd add 00721 allow udp from any to any 79 out via $oif keep-state
# Allow out nntp news
$fwcmd add 00725 allow tcp from any to any 119 out via $oif setup keep-state
$fwcmd add 00726 allow udp from any to any 119 out via $oif keep-state
# Allow out gopher
$fwcmd add 00730 allow tcp from any to any 70 out via $oif setup keep-state
$fwcmd add 00731 allow udp from any to any 70 out via $oif keep-state

############################################################################
### HERE ARE YOUR RULES YOU SENT ME.

### lo0
add 01000 allow all from any to any via lo0
add 01100 deny all from any to 127.0.0.0/8
add 01200 deny all from 127.0.0.0/8 to any

### Anti-Spoofing, should be set to public network.
add 02000 deny ip from 24.169.195.0/22 to any in via dc0
add 02100 deny ip from 10.0.0.0/24 to any in via ed0

### Block private (RFC1918) nets on public interface.
add 03000 deny all from any to 10.0.0.0/8 in via ed0
add 03100 deny all from any to 172.16.0.0/12 via ed0
add 03150 deny all from 172.16.0.0/12 to any via ed0
add 03200 deny all from any to 192.168.0.0/16 via ed0
add 03250 deny all from 192.168.0.0/16 to any via ed0

### Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
### DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
### on the outside interface.
add 04000 deny all from any to 0.0.0.0/8 via ed0
add 04050 deny all from 0.0.0.0/8 to any via ed0
add 04100 deny all from any to 169.254.0.0/16 via ed0
add 04150 deny all from 169.254.0.0/16 to any via ed0
add 04200 deny all from any to 192.0.2.0/24 via ed0
add 04250 deny all from 192.0.2.0/24 to any via ed0
add 04300 deny all from any to 224.0.0.0/4 via ed0
add 04350 deny all from 224.0.0.0/4 to any via ed0
add 04400 deny all from any to 240.0.0.0/4 via ed0
add 04450 deny all from 240.0.0.0/4 to any via ed0

### Allow LAN traffic to pass unmolested.
add 05000 allow ip from 10.0.0.0/22 to 10.0.0.0/22 via dc0
add 05025 allow ip from 10.0.0.0/22 to 10.0.0.0/22 via ng0
add 05050 allow ip from 10.0.0.0/22 to 10.0.0.0/22 via ng1

### Allow traffic to/from me to/from the lan to pass unmolested.
add 05100 allow ip from me to me
add 05200 allow ip from me to 10.0.0.0/22 via dc0
add 05225 allow ip from me to 10.0.0.0/22 via ng0
add 05250 allow ip from me to 10.0.0.0/22 via ng1
add 05300 allow ip from 10.0.0.0/22 to me via dc0
add 05325 allow ip from 10.0.0.0/22 to me via ng0
add 05350 allow ip from 10.0.0.0/22 to me via ng1

### Transparent firewall and NATd divert.
add 06000 fwd 10.0.0.1,3128 tcp from 10.0.0.0/24 to any 80
add 06100 divert 8668 ip from any to any via ed0

### Blocked traffic
add 07000 deny tcp from any to me 6667 via ed0
add 07100 deny udp from any to me 53 via ed0
add 07200 deny tcp from any to any 137-139 via ed0
add 07250 deny udp from any to any 137-139 via ed0

### Allowed traffic
add 08000 queue 25 esp from any to any
add 08050 queue 25 ah from any to any
add 08100 queue 1 icmp from any to any
add 08150 queue 25 gre from any to any
add 09000 queue 1 tcp from any to me 80
add 09050 queue 1 tcp from me 80 to any
add 09100 queue 100 tcp from any to any 22
add 09150 queue 100 tcp from any 22 to any
add 09200 queue 10 tcp from any 25,67,80,110,143,443 to any
add 09250 queue 10 tcp from any to any 25,67,80,110,143,443
add 09300 queue 10 udp from any 53,68 to any
add 09350 queue 10 udp from any to any 53,68
add 10000 queue 10 tcp from me 20,21,113,587,1723 to any
add 10050 queue 10 tcp from any to me 20,21,113,587,1723
add 10100 queue 10 udp from me 123,500,518 to any
add 10150 queue 10 udp from any to me 123,500,518
add 10200 queue 1000 tcp from me 8080 to any via ed0
add 10250 queue 1 tcp from any to me 8080 via ed0

# Check state / Dynamic rules
add 11000 check-state
add 11100 deny tcp from any to any in established
add 11200 queue 10 all from 10.0.0.0/24 to any keep-state via dc0
add 11300 queue 10 all from 10.0.0.0/24 to any keep-state via ng0
add 11400 queue 10 all from 10.0.0.0/24 to any keep-state via ng1
add 11500 queue 10 all from any to any out keep-state

# Deny anything left.
add 12000 deny log all from any to any

pipe 1 config bw 0 delay 0 queue 50 plr 0 buckets 64
queue 1 config pipe 1 weight 1 queue 50 plr 0 buckets 64 mask dst-ip 0xffffffff dst-port 0x0000 src-ip 0xffffffff src-port 0x0000 proto 0xff
queue 10 config pipe 1 weight 10 queue 50 plr 0 buckets 128 mask dst-ip 0xffffffff dst-port 0x0000 src-ip 0xffffffff src-port 0x0000 proto 0xff
queue 25 config pipe 1 weight 25 queue 50 plr 0 buckets 128 mask dst-ip 0xffffffff dst-port 0xffff src-ip 0xffffffff src-port 0xffff proto 0xff
queue 50 config pipe 1 weight 50 queue 50 plr 0 buckets 64 mask dst-ip 0xffffffff dst-port 0xffff src-ip 0xffffffff src-port 0xffff proto 0xff
queue 100 config pipe 1 weight 100 queue 50 plr 0 buckets 64 mask dst-ip 0xffffffff dst-port 0xffff src-ip 0xffffffff src-port 0xffff proto 0xff
pipe 1000 config bw 160Kbit/s delay 100ms queue 20 plr 0 buckets 64
queue 1000 config pipe 1000 weight 1 queue 20 plr 0 buckets 64 mask dst-ip 0xffffffff dst-port 0xff00 src-ip 0xffffffff src-port 0xff00 proto 0xff

-----Original Message-----
From: Christopher J. Michaels [mailto:cjm2@27in.tv]
Sent: Thursday, May 23, 2002 2:55 PM
To: Joe & Fhe Barbish
Subject: RE: IPNAT frontend to IPFW

Joe,

Attached are the relevant parts of my rc.conf, firewall.conf (ruleset), and natd.conf. Unfortunately, you caught me after I've started playing with dummynet queues and several other tweaks, so my firewall config isn't the most straightforward in the world. Previous to the current config, I had a much simpler one (don't have the old .conf lying around tho) which was pretty straightforward.

The part of my config that I believe you'll find most useful starts w/ rule 11000.

Let me know if this helps.

--Chris

On Thu, 23 May 2002, Joe & Fhe Barbish wrote:

> Could you please show me your working files? Rc.conf and ipfw rules file.
>
> -----Original Message-----
> From: C J Michaels [mailto:cjm2@earthling.net]
> Sent: Thursday, May 23, 2002 11:02 AM
> To: barbish@a1poweruser.com
> Subject: Re: IPNAT frontend to IPFW
>
> Joe & Fhe Barbish said:
>
> <...snip...>
>
> > Natd does not function correctly with keep-state rules so
> > user ppp -nat is the work around for dialup configurations.
>
> What gives you this impression? I'm currently using keep-state rules w/
> natd and it works perfectly fine.
> <...snip...>
>
> --
> Chris
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGEEADCBAA.barbish>
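The control-section comments in Joe's ruleset describe the mechanism the whole thread turns on: check-state consults a dynamic table that allow keep-state rules populate, each entry has a lifetime that is refreshed by matching traffic, and a following deny ... established rule (501 in Joe's set, 11100 in Chris's) rejects ACK packets the table does not know about. The Python model below is an added illustration written for this page; it is not code from either correspondent or from FreeBSD's ipfw. It simplifies ipfw heavily: rules match on protocol, destination port, direction and SYN/ACK/RST flags only, dynamic entries are keyed on protocol plus the two endpoints with no sequence-number tracking, and the Firewall, Rule, Packet and run_scenario names, the 300-second lifetime and the addresses are all constructed for the example. It runs the same constructed packet sequence through a stateful ruleset modelled on rules 500/501/600 and through a stateless ruleset of the kind the post argues against, so the difference can be seen side by side: the stateless "established" rule trusts flag bits the sender chose, while the stateful set admits only replies to a connection it saw leave, and drops a reply that arrives after the dynamic entry has expired.

```python
"""Toy model of ipfw stateful filtering (check-state / keep-state).

Added illustration for this thread; not code from the posters or from FreeBSD.
Assumptions: rules match only on protocol, destination port, direction and
SYN/ACK/RST flags; dynamic entries are keyed on proto + both endpoints (no
sequence numbers); the lifetime is a fixed 300 s; all addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                  # "in" or "out" relative to the firewall
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"SYN"})
    time: float = 0.0               # arrival time in seconds


@dataclass
class Rule:
    number: int
    action: str                 # "allow", "deny" or "check-state"
    proto: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None
    setup: bool = False         # ipfw "setup": SYN set, ACK clear
    established: bool = False   # ipfw "established": ACK or RST set (stateless)
    keep_state: bool = False    # create a dynamic entry when this rule fires


class Firewall:
    """Walks rules in number order, like ipfw, keeping a dynamic flow table."""

    def __init__(self, rules, lifetime: float = 300.0):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.lifetime = lifetime
        self.dynamic: Dict[tuple, float] = {}   # flow key -> expiry time

    @staticmethod
    def _flow_key(p: Packet) -> tuple:
        # Order the endpoints so both directions of one flow share a key.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    @staticmethod
    def _matches(r: Rule, p: Packet) -> bool:
        if r.proto != "any" and r.proto != p.proto:
            return False
        if r.dport is not None and r.dport != p.dport:
            return False
        if r.direction is not None and r.direction != p.direction:
            return False
        if r.setup and not ("SYN" in p.flags and "ACK" not in p.flags):
            return False
        if r.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True

    def filter(self, p: Packet) -> Tuple[str, int]:
        """Return (action, rule number) of the first rule that decides the packet."""
        # Drop dynamic entries whose lifetime has run out before consulting them.
        self.dynamic = {k: t for k, t in self.dynamic.items() if t > p.time}
        for r in self.rules:
            if r.action == "check-state":
                key = self._flow_key(p)
                if key in self.dynamic:
                    self.dynamic[key] = p.time + self.lifetime   # refresh lifetime
                    return ("allow", r.number)
                continue                    # no entry: keep scanning the static rules
            if not self._matches(r, p):
                continue
            if r.keep_state and r.action == "allow":
                self.dynamic[self._flow_key(p)] = p.time + self.lifetime
            return (r.action, r.number)
        return ("deny", 65535)              # ipfw's implicit default rule


def stateful_ruleset():
    """Modelled on rules 500/501/600 of the advanced stateful example."""
    return [
        Rule(500, "check-state"),
        Rule(501, "deny", proto="tcp", established=True),
        Rule(600, "allow", proto="tcp", dport=80, direction="out", setup=True, keep_state=True),
    ]


def stateless_ruleset():
    """The simple 'established' pattern the post argues is inadequate."""
    return [
        Rule(100, "allow", proto="tcp", dport=80, direction="out", setup=True),
        Rule(200, "allow", proto="tcp", established=True),
    ]


def run_scenario(rules) -> Dict[str, Tuple[str, int]]:
    """Feed one constructed packet sequence through a fresh firewall."""
    fw = Firewall(rules, lifetime=300.0)
    client, server, stranger = "10.0.0.5", "198.51.100.7", "203.0.113.9"   # constructed
    packets = [
        ("out_syn", Packet("tcp", client, 40000, server, 80, "out", frozenset({"SYN"}), 0.0)),
        ("in_synack", Packet("tcp", server, 80, client, 40000, "in", frozenset({"SYN", "ACK"}), 1.0)),
        # ACK from a host we never talked to: only its flag bits claim "established".
        ("in_forged_ack", Packet("tcp", stranger, 80, client, 40001, "in", frozenset({"ACK"}), 2.0)),
        ("in_unsolicited_syn", Packet("tcp", stranger, 5555, client, 22, "in", frozenset({"SYN"}), 3.0)),
        # Same flow as the first two packets, 399 s after the last refresh: entry expired.
        ("in_late_ack", Packet("tcp", server, 80, client, 40000, "in", frozenset({"ACK"}), 400.0)),
    ]
    return {name: fw.filter(p) for name, p in packets}


if __name__ == "__main__":
    for label, rules in (("stateful", stateful_ruleset()), ("stateless", stateless_ruleset())):
        print(label)
        for name, verdict in run_scenario(rules).items():
            print(f"  {name:20s} -> {verdict}")
```

Running it shows the stateful set admitting only the SYN/ACK that answers the connection it saw leave (rule 500) and rejecting the forged and the expired ACK at rule 501, while the stateless set waves both through at its "established" rule. Real ipfw also folds sequence numbers into the dynamic match and takes the lifetimes from the net.inet.ip.fw.dyn_* sysctls the comments mention; the model leaves both out.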