From: Dennis Olvany
Date: Sun, 04 Jun 2006 00:50:21 -0500
To: freebsd-questions@freebsd.org
Subject: [HOWTO] IPFW: Vector-Based Modularity

IPFW: Vector-Based Modularity
by Dennis Olvany

   I. Vectors
  II. Modules
 III. Examples
      a. Simple Firewall
      b. Complex Firewall
  IV. NAT
   V. Tips
      a. Storing Rules
      b. Ruleset
  VI. Resources

A strategy for easy administration, greater efficiency and heightened security.

I. Vectors

A vector consists of a physical or virtual interface and a direction, ingress or egress. For this purpose the local host should be considered an interface of its own, in the form of the IPFW alias "me". For example, consider a machine with the interfaces fxp0 and ste0. These two interfaces plus the local host constitute a total of six vectors. The loopback interface should be considered part of "me".

    fxp0-in
    fxp0-out
    ste0-in
    ste0-out
    me-in
    me-out

II. Modules

Each vector may be associated with a rule module or may be allowed to match the default rule. The IPFW ruleset begins with a series of skipto rules directing matching traffic to a rule module. The default rule is then placed before the rule modules, greatly reducing the iterations required to reach it. IPFW sets offer a method for working with groups of rules and make modules easier to discern.

III. Examples

a. Simple Firewall

The default rule, 400, may be reached in as little as four iterations. This ruleset may easily be altered to offer services. Use dynamic rules only where absolutely needed. Also, the use of setup should be avoided: it may cause broken connections in the event that a dynamic rule times out, and setup may serve to block perfectly legitimate ingress and egress traffic.

    00100 set 0 check-state
    00200 set 1 skipto 10000 ip from me to any out
    00300 set 2 skipto 15000 ip from any to me in
    00400 set 0 deny ip from any to any
    10000 set 1 count ip from any to any
    10100 set 1 allow ip from any to any keep-state
    15000 set 2 count ip from any to any
    15100 set 2 deny ip from me to any
    15200 set 2 allow icmp from any to any
    15300 set 2 deny ip from any to any
    65535 set 31 deny ip from any to any

b. Complex Firewall

This router has a total of 18 vectors, of which eight are restricted. The remaining ten match the default rule, 1000.
This firewall contains 49 rules, but the default rule may be reached in as little as ten iterations. The longest possible walk through this ruleset is a mere 18 rules. Tuning this firewall is quite simple: rules 200-300 and 400-900 may be shuffled so that the most-matched rules come first. Be mindful that the "me" vectors must always come first. Groups of allow rules within the modules may also be shuffled for increased performance.

    00100 set 0 check-state
    00200 set 2 skipto 15000 ip from any to me in
    00300 set 1 skipto 10000 ip from me to any out
    00400 set 8 skipto 45000 ip from any to any out via vlan5
    00500 set 4 skipto 25000 ip from any to any in via vlan2
    00600 set 6 skipto 35000 ip from any to any in via fxp0
    00700 set 3 skipto 20000 ip from any to any in via vlan3
    00800 set 7 skipto 40000 ip from any to any out via vlan3
    00900 set 5 skipto 30000 ip from any to any out via fxp0
    01000 set 0 allow ip from any to any
    10000 set 1 count ip from any to any
    10100 set 1 allow ip from any to any keep-state
    15000 set 2 count ip from any to any
    15100 set 2 deny ip from me to any
    15200 set 2 allow udp from 195.16.84.250 to any frag
    15300 set 2 allow tcp from any to any dst-port 22 via fxp0
    15400 set 2 allow udp from any to any dst-port 123
    15500 set 2 allow udp from any to any dst-port 514
    15600 set 2 allow icmp from any to any
    15700 set 2 deny ip from any to any
    20000 set 3 count ip from any to any
    20100 set 3 allow tcp from not 192.168.101.2 to any dst-port 80,443
    20200 set 3 allow not icmp from any to { 192.168.102.2 or dst-ip 192.168.102.7 } dst-port 53
    20300 set 3 allow udp from any to any dst-port 123
    20400 set 3 allow icmp from any to any
    20500 set 3 deny ip from any to any
    25000 set 4 count ip from any to any
    25100 set 4 deny tcp from any to not 192.168.102.2 dst-port 25
    25200 set 4 allow ip from any to any
    30000 set 5 count ip from any to any
    30100 set 5 allow tcp from any to 192.168.102.2 dst-port 25,53,80,110,443,587
    30200 set 5 allow udp from any to 192.168.102.2 dst-port 53
    30300 set 5 allow tcp from any to 192.168.102.7 dst-port 25,53
    30400 set 5 allow udp from any to 192.168.102.7 dst-port 53,123
    30500 set 5 allow udp from any to 192.168.102.4 dst-port 123
    30600 set 5 allow udp from any to 192.168.102.10 dst-port 1194
    30700 set 5 allow icmp from any to any
    30800 set 5 deny ip from any to any
    35000 set 6 count ip from any to any
    35100 set 6 deny tcp from not 192.168.102.7 to any dst-port 25
    35200 set 6 allow ip from any to any keep-state
    40000 set 7 count ip from any to any
    40100 set 7 allow udp from any 123 to 192.168.101.2
    40200 set 7 deny not icmp from any to 192.168.101.0/24
    40300 set 7 allow ip from any to any
    45000 set 8 count ip from any to any
    45100 set 8 deny not icmp from any to 192.168.103.0/24
    45200 set 8 allow ip from any to any
    65535 set 31 deny ip from any to any

IV. NAT

Adding a NAT rule to the firewall is really easy: just add it at the top of the ruleset. The following is the rule from the natd man page. Yours should look just like it, except for the interface.

    divert natd all from any to any via ed0

V. Tips

a. Storing Rules

The rules file is most easily stored as a text file. Scripts are often difficult to work with and offer no great administrative advantage. The following rc.conf variables suffice to read the rules from a file. Each line of the rules file is formatted as if it were an argument to the ipfw command, so each line begins with add, enable, disable, etc.

    firewall_enable="yes"
    firewall_type="/etc/ipfw.rules"

The rules may be reloaded from the shell using the following command.

    ipfw /etc/ipfw.rules

b. Ruleset

A few additional commands added to the rules file will greatly ease firewall administration. It is often easier to alter the rules file and reload the ruleset than to change the firewall in place. This can be accomplished without network interruption by adding the following commands to the beginning and end of the rules file. The zero command is optional.
It only serves to reset counters in set 31, as all others have been flushed.

    disable firewall
    -f flush
    [ruleset]
    zero
    enable firewall

VI. Resources

IPFW man page: http://www.freebsd.org/cgi/man.cgi?query=ipfw
FreeBSD Handbook: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
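As an added example (my own checker, not code from the post), the following Python script reads a ruleset in `ipfw show` format and reproduces the iteration counts quoted in section III: it reports the fewest rules a packet evaluates before reaching the default rule, the longest possible walk to any allow or deny, and any rules no packet can ever reach (dead rules, which a module's catch-all can quietly hide). The modelling assumptions are mine: skipto either jumps forward or falls through, count, check-state and divert fall through, and an allow or deny ends the walk only when it is the unconditional `ip from any to any` form.

```python
import re
# Added checker (not from the post): counts the rules a packet walks through
# a modular ipfw ruleset pasted in as `ipfw show` output.
TERMINAL = {"allow", "deny", "reject", "unreach", "reset"}    # may end the walk
CATCH_ALL = re.compile(r"ip from any to any(?: keep-state)?")  # matches everything
def parse_rules(text):
    """Parse 'NNNNN set S action body' lines into dicts sorted by rule number."""
    rules = []
    for m in re.finditer(r"^\s*(\d+)\s+set\s+(\d+)\s+(\S+)[ \t]*(.*)$", text, re.M):
        rules.append({"num": int(m[1]), "set": int(m[2]), "action": m[3], "body": m[4].strip()})
    return sorted(rules, key=lambda r: r["num"])
def analyze(rules, default):
    """skipto jumps forward or falls through; count/check-state/divert fall
    through; allow/deny end the walk only when catch-all, else fall through."""
    index, n = {r["num"]: i for i, r in enumerate(rules)}, len(rules)
    shortest, longest = [None] * n, [None] * n      # rules evaluated to reach i
    shortest[0] = longest[0] = 1
    for i, r in enumerate(rules):
        if shortest[i] is None:
            continue                                  # dead rule: never reached
        catch_all = r["action"] in TERMINAL and CATCH_ALL.fullmatch(r["body"])
        nxt = [] if catch_all or i + 1 == n else [i + 1]
        if r["action"] == "skipto":
            target = int(r["body"].split()[0])
            if index.get(target, -1) <= i:            # must exist and jump forward
                raise ValueError(f"rule {r['num']}: bad skipto target {target}")
            nxt.append(index[target])
        for j in nxt:
            s, l = shortest[i] + 1, longest[i] + 1
            shortest[j] = s if shortest[j] is None else min(shortest[j], s)
            longest[j] = l if longest[j] is None else max(longest[j], l)
    ends = [longest[i] for i, r in enumerate(rules)
            if longest[i] is not None and (r["action"] in TERMINAL or i == n - 1)]
    return {"min_to_default": shortest[index[default]], "longest_walk": max(ends),
            "unreachable": [r["num"] for i, r in enumerate(rules) if shortest[i] is None]}
# The post's simple firewall (section III.a), used here as the sample input.
SIMPLE_FIREWALL = """
00100 set 0 check-state
00200 set 1 skipto 10000 ip from me to any out
00300 set 2 skipto 15000 ip from any to me in
00400 set 0 deny ip from any to any
10000 set 1 count ip from any to any
10100 set 1 allow ip from any to any keep-state
15000 set 2 count ip from any to any
15100 set 2 deny ip from me to any
15200 set 2 allow icmp from any to any
15300 set 2 deny ip from any to any
65535 set 31 deny ip from any to any
"""
```

For the simple firewall, `analyze(parse_rules(SIMPLE_FIREWALL), 400)` reports the four iterations the post quotes, a longest walk of seven rules, and rule 65535 as unreachable behind the catch-all at 15300; fed the complex firewall of section III.b it returns 10 and 18, again matching the post.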