Date:      Sun, 04 Jun 2006 00:50:21 -0500
From:      Dennis Olvany <dennisolvany@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   [HOWTO] IPFW: Vector-Based Modularity
Message-ID:  <4482749D.7000807@gmail.com>

IPFW: Vector-Based Modularity
by Dennis Olvany


I. Vectors
II. Modules
III. Examples
	a. Simple Firewall
	b. Complex Firewall
IV. NAT
V. Tips
	a. Storing Rules
	b. Ruleset
VI. Resources


A strategy for easy administration, greater efficiency and heightened 
security.


I. Vectors

A vector consists of a physical or virtual interface and a direction, 
ingress or egress. For this purpose the local host should be considered 
an interface of its own in the form of the IPFW alias, me. For example, 
consider a machine with the following interfaces. These two interfaces 
plus the local host would constitute a total of six vectors. The 
loopback interface should be considered part of me.

fxp0-in
     `out

ste0-in
     `out

me-in
   `out


II. Modules

Each vector may be associated with a rule module or may be allowed to 
match the default rule. The IPFW ruleset begins with a series of skipto 
rules directing matching traffic to a rule module. The default rule is 
then placed before the rule modules, greatly reducing the iterations 
required to reach it. IPFW sets offer a method for working with groups 
of rules and make modules easier to discern.


III. Examples

a. Simple Firewall

The default rule, 400, may be reached in as little as four iterations. 
This ruleset may be easily altered to offer services. Use dynamic rules 
only where absolutely needed. Avoid the use of setup as well: a rule that 
matches only setup creates its dynamic rule from the initial SYN, so if 
that dynamic rule times out the remaining packets of the connection match 
nothing and the connection breaks. Setup may also serve to block perfectly 
legitimate ingress and egress traffic.

00100 set 0 check-state
00200 set 1 skipto 10000 ip from me to any out
00300 set 2 skipto 15000 ip from any to me in
00400 set 0 deny ip from any to any
10000 set 1 count ip from any to any
10100 set 1 allow ip from any to any keep-state
15000 set 2 count ip from any to any
15100 set 2 deny ip from me to any
15200 set 2 allow icmp from any to any
15300 set 2 deny ip from any to any
65535 set 31 deny ip from any to any
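To make the dispatch concrete, here is a small Python walker that replays the simple ruleset above against a few constructed packets and counts the rules each one visits. It is an added illustration, not code from the original post: it understands only the syntax subset this ruleset uses, stands in for the dynamic-rule table with a plain dict, and assumes the host's own addresses (the `ME` set) and the packets, which use RFC 5737 documentation addresses.

```python
"""Toy walker for the simple vector-based ruleset above (added example, not
code from the original post).  It understands only the ipfw subset that
ruleset uses: actions check-state, skipto, count, allow and deny, and match
bodies of the form  <proto> from <me|any> to <me|any> [in|out] [keep-state].
Packets are dicts constructed here; addresses are RFC 5737 examples."""
import bisect

SIMPLE_RULESET = """\
00100 set 0 check-state
00200 set 1 skipto 10000 ip from me to any out
00300 set 2 skipto 15000 ip from any to me in
00400 set 0 deny ip from any to any
10000 set 1 count ip from any to any
10100 set 1 allow ip from any to any keep-state
15000 set 2 count ip from any to any
15100 set 2 deny ip from me to any
15200 set 2 allow icmp from any to any
15300 set 2 deny ip from any to any
65535 set 31 deny ip from any to any
"""

ME = {"192.0.2.1", "127.0.0.1"}   # the host's own addresses (assumed)


def parse_rule(line):
    """Turn one 'ipfw show'-style line into a dict."""
    tok = line.split()
    rule = {"num": int(tok[0]), "set": int(tok[2]), "action": tok[3]}
    body = tok[4:]
    if rule["action"] == "skipto":
        rule["target"] = int(body.pop(0))
    rule["keep_state"] = "keep-state" in body
    body = [t for t in body if t != "keep-state"]
    if body:   # <proto> from <src> to <dst> [in|out]
        rule["proto"], rule["src"], rule["dst"] = body[0], body[2], body[4]
        rule["dir"] = body[5] if len(body) > 5 else None
    return rule


def matches(rule, pkt):
    """Static match on protocol, me/any endpoints and direction."""
    if "proto" not in rule:                # check-state has no match body
        return False
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if rule["src"] == "me" and pkt["src"] not in ME:
        return False
    if rule["dst"] == "me" and pkt["dst"] not in ME:
        return False
    return rule["dir"] in (None, pkt["dir"])


def flow_key(pkt, reverse=False):
    """Dynamic-rule table key; reverse=True is the reply direction."""
    fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return (pkt["proto"],) + (rev if reverse else fwd)


def walk(rules, pkt, state):
    """Evaluate pkt; return (verdict, rules visited).  state maps flow_key ->
    verdict and stands in for ipfw's dynamic rules: check-state consults it,
    an allow with keep-state populates it."""
    nums = [r["num"] for r in rules]
    i, visited = 0, 0
    while i < len(rules):
        r = rules[i]
        visited += 1
        if r["action"] == "check-state":
            if flow_key(pkt) in state:
                return state[flow_key(pkt)], visited
            i += 1
            continue
        if not matches(r, pkt):
            i += 1
            continue
        if r["action"] == "skipto":
            i = bisect.bisect_left(nums, r["target"])   # first rule >= target
            continue
        if r["action"] == "count":
            i += 1
            continue
        if r["keep_state"]:                # install both flow directions
            state[flow_key(pkt)] = r["action"]
            state[flow_key(pkt, reverse=True)] = r["action"]
        return r["action"], visited
    return "deny", visited


def pkt(proto, src, sport, dst, dport, direction):
    return {"proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "dir": direction}


def demo():
    """Scenarios from the text; returns {name: (verdict, rules visited)}."""
    rules = [parse_rule(l) for l in SIMPLE_RULESET.splitlines() if l.strip()]
    state, out = {}, {}
    # neither from nor to the host: default rule 400 after four rules
    out["forwarded"] = walk(rules, pkt("tcp", "198.51.100.7", 1234, "203.0.113.5", 80, "in"), state)
    # the host opens a connection: the me-out module installs a dynamic rule
    out["me_out"] = walk(rules, pkt("tcp", "192.0.2.1", 40000, "203.0.113.5", 443, "out"), state)
    # the reply is accepted by check-state before any skipto is evaluated
    out["reply_in"] = walk(rules, pkt("tcp", "203.0.113.5", 443, "192.0.2.1", 40000, "in"), state)
    # unsolicited TCP to the host walks the me-in module down to rule 15300
    out["unsolicited"] = walk(rules, pkt("tcp", "203.0.113.5", 5555, "192.0.2.1", 22, "in"), state)
    # inbound ICMP to the host is accepted by rule 15200
    out["icmp_in"] = walk(rules, pkt("icmp", "203.0.113.5", 0, "192.0.2.1", 0, "in"), state)
    return out
```

`demo()` shows the two properties the text relies on: forwarded traffic hits the default rule after four rules, and the reply to a host-initiated connection is accepted at rule 100 by the dynamic rule, while an unsolicited inbound packet has to walk the whole me-in module (seven rules) before it is denied.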

b. Complex Firewall

This router has a total of 18 vectors, of which eight are restricted. 
The remaining ten match the default rule, 1000. This firewall contains 
49 rules, but the default rule may be reached in as little as ten 
iterations. The longest possible iteration through this ruleset is a 
mere 18 rules.

Tuning this firewall is quite simple. Rules 200-300 and 400-900 may be 
shuffled so the most-matched rules come first. Be mindful that the me 
vectors must always come first, since traffic the host itself sends or 
receives also passes through an interface and would otherwise be dispatched 
to that interface's module. Groups of allow rules within the modules may 
also be shuffled for increased performance.

00100 set 0 check-state
00200 set 2 skipto 15000 ip from any to me in
00300 set 1 skipto 10000 ip from me to any out
00400 set 8 skipto 45000 ip from any to any out via vlan5
00500 set 4 skipto 25000 ip from any to any in via vlan2
00600 set 6 skipto 35000 ip from any to any in via fxp0
00700 set 3 skipto 20000 ip from any to any in via vlan3
00800 set 7 skipto 40000 ip from any to any out via vlan3
00900 set 5 skipto 30000 ip from any to any out via fxp0
01000 set 0 allow ip from any to any
10000 set 1 count ip from any to any
10100 set 1 allow ip from any to any keep-state
15000 set 2 count ip from any to any
15100 set 2 deny ip from me to any
15200 set 2 allow udp from 195.16.84.250 to any frag
15300 set 2 allow tcp from any to any dst-port 22 via fxp0
15400 set 2 allow udp from any to any dst-port 123
15500 set 2 allow udp from any to any dst-port 514
15600 set 2 allow icmp from any to any
15700 set 2 deny ip from any to any
20000 set 3 count ip from any to any
20100 set 3 allow tcp from not 192.168.101.2 to any dst-port 80,443
20200 set 3 allow not icmp from any to { 192.168.102.2 or dst-ip 192.168.102.7 } dst-port 53
20300 set 3 allow udp from any to any dst-port 123
20400 set 3 allow icmp from any to any
20500 set 3 deny ip from any to any
25000 set 4 count ip from any to any
25100 set 4 deny tcp from any to not 192.168.102.2 dst-port 25
25200 set 4 allow ip from any to any
30000 set 5 count ip from any to any
30100 set 5 allow tcp from any to 192.168.102.2 dst-port 25,53,80,110,443,587
30200 set 5 allow udp from any to 192.168.102.2 dst-port 53
30300 set 5 allow tcp from any to 192.168.102.7 dst-port 25,53
30400 set 5 allow udp from any to 192.168.102.7 dst-port 53,123
30500 set 5 allow udp from any to 192.168.102.4 dst-port 123
30600 set 5 allow udp from any to 192.168.102.10 dst-port 1194
30700 set 5 allow icmp from any to any
30800 set 5 deny ip from any to any
35000 set 6 count ip from any to any
35100 set 6 deny tcp from not 192.168.102.7 to any dst-port 25
35200 set 6 allow ip from any to any keep-state
40000 set 7 count ip from any to any
40100 set 7 allow udp from any 123 to 192.168.101.2
40200 set 7 deny not icmp from any to 192.168.101.0/24
40300 set 7 allow ip from any to any
45000 set 8 count ip from any to any
45100 set 8 deny not icmp from any to 192.168.103.0/24
45200 set 8 allow ip from any to any
65535 set 31 deny ip from any to any
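The iteration counts claimed for this router can be checked mechanically. The following Python script is an added example, not part of the original post: it parses `ipfw show`-style text, treats every skipto rule as a vector dispatch and the rules sharing the target's set as that vector's module, and reports how many rules a packet visits before the default rule and in the worst case per vector. It also implements the ordering check from the tuning notes (me vectors before interface vectors). The embedded ruleset is the one above, with rules 20200 and 30100 on a single line each; only rule number, set, action and skipto target are interpreted, so the match bodies are kept as labels.

```python
"""Static depth analysis of a vector-based IPFW ruleset (added example, not
code from the original post).  Input is 'ipfw show'-style text; only the rule
number, set, action and skipto target are interpreted.  Every skipto rule is a
vector dispatch, and the rules sharing its target's set are its module."""
import bisect

COMPLEX_RULESET = """\
00100 set 0 check-state
00200 set 2 skipto 15000 ip from any to me in
00300 set 1 skipto 10000 ip from me to any out
00400 set 8 skipto 45000 ip from any to any out via vlan5
00500 set 4 skipto 25000 ip from any to any in via vlan2
00600 set 6 skipto 35000 ip from any to any in via fxp0
00700 set 3 skipto 20000 ip from any to any in via vlan3
00800 set 7 skipto 40000 ip from any to any out via vlan3
00900 set 5 skipto 30000 ip from any to any out via fxp0
01000 set 0 allow ip from any to any
10000 set 1 count ip from any to any
10100 set 1 allow ip from any to any keep-state
15000 set 2 count ip from any to any
15100 set 2 deny ip from me to any
15200 set 2 allow udp from 195.16.84.250 to any frag
15300 set 2 allow tcp from any to any dst-port 22 via fxp0
15400 set 2 allow udp from any to any dst-port 123
15500 set 2 allow udp from any to any dst-port 514
15600 set 2 allow icmp from any to any
15700 set 2 deny ip from any to any
20000 set 3 count ip from any to any
20100 set 3 allow tcp from not 192.168.101.2 to any dst-port 80,443
20200 set 3 allow not icmp from any to { 192.168.102.2 or dst-ip 192.168.102.7 } dst-port 53
20300 set 3 allow udp from any to any dst-port 123
20400 set 3 allow icmp from any to any
20500 set 3 deny ip from any to any
25000 set 4 count ip from any to any
25100 set 4 deny tcp from any to not 192.168.102.2 dst-port 25
25200 set 4 allow ip from any to any
30000 set 5 count ip from any to any
30100 set 5 allow tcp from any to 192.168.102.2 dst-port 25,53,80,110,443,587
30200 set 5 allow udp from any to 192.168.102.2 dst-port 53
30300 set 5 allow tcp from any to 192.168.102.7 dst-port 25,53
30400 set 5 allow udp from any to 192.168.102.7 dst-port 53,123
30500 set 5 allow udp from any to 192.168.102.4 dst-port 123
30600 set 5 allow udp from any to 192.168.102.10 dst-port 1194
30700 set 5 allow icmp from any to any
30800 set 5 deny ip from any to any
35000 set 6 count ip from any to any
35100 set 6 deny tcp from not 192.168.102.7 to any dst-port 25
35200 set 6 allow ip from any to any keep-state
40000 set 7 count ip from any to any
40100 set 7 allow udp from any 123 to 192.168.101.2
40200 set 7 deny not icmp from any to 192.168.101.0/24
40300 set 7 allow ip from any to any
45000 set 8 count ip from any to any
45100 set 8 deny not icmp from any to 192.168.103.0/24
45200 set 8 allow ip from any to any
65535 set 31 deny ip from any to any
"""


def parse(text):
    """Keep number, set, action and skipto target; the rest is the match body."""
    rules = []
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        r = {"num": int(tok[0]), "set": int(tok[2]), "action": tok[3]}
        rest = tok[4:]
        if r["action"] == "skipto":
            r["target"] = int(rest.pop(0))
        r["body"] = " ".join(rest)
        rules.append(r)
    return rules


def analyze(rules):
    """Return (default_depth, vectors): rules visited by a packet matching no
    vector before it reaches the default rule, and per skipto body the pair
    (rules visited before entering the module, module length); their sum is
    that vector's worst case."""
    nums = [r["num"] for r in rules]          # ipfw lists rules in number order
    default_depth, vectors = None, {}
    for i, r in enumerate(rules):
        if r["action"] == "skipto":
            start = bisect.bisect_left(nums, r["target"])  # first rule >= target
            end = start
            while end < len(rules) and rules[end]["set"] == r["set"]:
                end += 1
            vectors[r["body"]] = (i + 1, end - start)
        elif r["action"] in ("allow", "deny") and default_depth is None:
            default_depth = i + 1
    return default_depth, vectors


def me_vectors_first(rules):
    """Ordering check from the tuning notes: every me vector must be dispatched
    before any interface vector, or traffic the host itself sends or receives
    would be caught by an interface module first."""
    seen_interface = False
    for r in rules:
        if r["action"] != "skipto":
            continue
        if " me " in f" {r['body']} ":
            if seen_interface:
                return False
        else:
            seen_interface = True
    return True
```

`analyze(parse(COMPLEX_RULESET))` reports the default rule at depth 10 and eight vectors, the deepest being `ip from any to any out via fxp0`, entered after 9 rules with a 9-rule module, for the 18-rule longest path stated above; `me_vectors_first` returns False as soon as an interface skipto is moved ahead of a me skipto, which is the one reordering the tuning notes forbid.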


IV. NAT

Adding a NAT rule to the firewall is really easy. Just add it at the top 
of the ruleset. Following is the rule from the natd man page. Yours 
should look just like it, except for the interface.

divert natd all from any to any via ed0


V. Tips

a. Storing Rules

The rules are most easily stored as a plain text file. Scripts are often 
difficult to work with and offer no great administrative advantage. The 
following rc.conf variables suffice to read the rules from a file. Each 
line of the rules file is formatted as if it were the argument list of an 
ipfw command, so each line begins with add, enable, disable, etc.

firewall_enable="yes"
firewall_type="/etc/ipfw.rules"

The rules may be reloaded from the shell using the following command.

ipfw /etc/ipfw.rules

b. Ruleset

A few additional commands added to the rules file will greatly ease 
firewall administration. It is often easier to alter the rules file and 
reload the ruleset to make a change to the firewall. This can be 
accomplished without network interruption by adding the following 
commands to the beginning and end of the rules file. The zero command is 
optional. It only serves to reset counters in set 31, as all others have 
been flushed.

disable firewall
-f flush
[ruleset]
zero
enable firewall


VI. Resources

IPFW man page: http://www.freebsd.org/cgi/man.cgi?query=ipfw
FreeBSD Handbook: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
