Date: Thu, 16 Jun 2005 23:57:55 +0100
From: Alex Zbyslaw <xfb52@dial.pipex.com>
To: Joe <josepha48@yahoo.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: SMP and networking under FreeBSD 5.3
Message-ID: <42B203F3.6080502@dial.pipex.com>
In-Reply-To: <20050616165840.64703.qmail@web41009.mail.yahoo.com>
References: <20050616165840.64703.qmail@web41009.mail.yahoo.com>
Joe wrote:

> Thanks Alex,
>
> Below are my rules. I have removed the IP addresses and replaced with x.x.x.x in most cases. Also some ports have been turned to y's instead of the actual port.

I don't want to go into the details of your firewall; all I can offer is general advice for you to apply if you wish. There are plenty of resources out there, from the various man pages to the handbook. Firewalls can be trickier than they look, and NAT makes them significantly more complicated to fathom correctly. I don't claim to be any kind of expert and everything I know started life being written by someone else :-) Any mistakes are most likely my own! I will say that it is worth making sure you understand your own firewall.

At one point you suggested that you wanted to make your firewall script start later so that you had access to your IP address. I think you are on to a loser there, because there is no particular time when DHCP finally gets the IP address. If your provider is down, it might take minutes, hours or even days. You could keep polling in some way to see if you had an IP address and not run your rules script until you did, but it would seem better to just write rules which work even without the IP address. Plus, that would also not work if you ever had a second external interface (e.g. an old-fashioned modem) which needed firewalling irrespective of the status of your ethernet interface.

Although a firewall often needs to know the actual addresses of hosts other than itself, there is, as far as I can figure out, no logical reason for it to need to know its own IP address if you have the "me" construct. (If, like my machine, your firewall is just another computer on a small network that is allowed to do exactly the same things as any other host on that network, then it needn't even use "me". This makes life much easier because it interferes less with NAT.) If you have "me" then you can always distinguish between your firewall and the rest of your network.

Take the non-NAT case first:

    allow all from me to any out xmit ext_if
    allow all from any to me in recv ext_if

These rules could only be triggered by packets addressed directly to your firewall. If you follow them with e.g.

    deny all from any to any out via ext_if
    deny all from any to any in via ext_if

then you close off your internal network.

NAT makes things more complicated, because before or after NATing (depending on the direction) packets from your network can look like they originate on your machine or are destined for it. E.g.

    allow all from me to any out xmit ext_if

must come before the NAT rule, because after NAT-ing all your internal packets are going out ext_if, whereas

    allow all from any to me in recv ext_if

must come after the NAT rule to be sure that it is actually your firewall which is the recipient.

If all you have is a small network, then there may be no reason to differentiate your firewall from any other machine. In this case, it is perfectly sufficient to write rules based on the ext_if alone. So I have rules like:

    # Allow connections initiated from internal network
    ipfw add allow tcp from any to any out xmit ext_if setup

    # Allow TCP through if setup succeeded
    ipfw add pass tcp from any to any via ext_if established

The only IP addresses in my whole firewall are the limited number of hosts which can initiate some kind of connection into my network, e.g.

    ipfw add allow tcp from x.x.x.x to any ssh setup

(x.x.x.x not because I need to hide the IP but because I can't be bothered to find it in the firewall script :-))

NB that rule says "any" for recipient because it was written before "me" existed. But since my network is NATed, it would always be a packet header for my firewall and could only get elsewhere if I explicitly forwarded it. There's no mention of the interface because a prior rule has already allowed internal connections which would match. Looking at it now, I might get picky and put an interface spec in there just to be completist.

It's often said that there is no security in obscurity, and while I don't always agree, I do think that if you actually have to hide the IPs in your firewall for it to be secure, then it isn't secure. Since my firewall never mentions my IP address, I can publish the whole thing, and even if it has flaws it won't help since you don't know where I am :-)

A bit long-winded, but I hope it helps,

--Alex
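The ordering Alex describes, put together as one ipfw ruleset with a natd divert rule between the two "me" rules (an added example, not part of the original mail). It assumes an external interface named fxp0 and natd on the default divert port 8668; FWCMD defaults to a dry run that only prints the ipfw commands.

```shell
#!/bin/sh
# Added example: ipfw ruleset ordered as described in the mail above.
# Assumptions (not from the mail): ext_if is fxp0, natd listens on port 8668.
# FWCMD defaults to a dry run; set FWCMD=/sbin/ipfw on a real FreeBSD host.
FWCMD="${FWCMD:-echo /sbin/ipfw}"
ext_if="fxp0"
natd_port="8668"

# Emit the rules, one per line, in the order they must be loaded.
rules() {
    # 1. The firewall's own outbound traffic, matched BEFORE NAT so that
    #    translated internal packets cannot be mistaken for "me".
    echo "add 100 allow all from me to any out xmit $ext_if"
    # 2. Connections initiated from the internal network (TCP SYN only).
    echo "add 200 allow tcp from any to any out xmit $ext_if setup"
    # 3. NAT: hand everything crossing the external interface to natd.
    echo "add 300 divert $natd_port ip from any to any via $ext_if"
    # 4. Traffic to the firewall itself, matched AFTER NAT so the destination
    #    really is the firewall and not a de-translated internal host.
    echo "add 400 allow all from any to me in recv $ext_if"
    # 5. Established TCP flows in either direction; no IP addresses needed.
    echo "add 500 allow tcp from any to any via $ext_if established"
    # 6. Default deny on the external interface closes off the internal net.
    echo "add 600 deny all from any to any in recv $ext_if"
    echo "add 700 deny all from any to any out xmit $ext_if"
}

# Flush and load the rules through $FWCMD.
load_rules() {
    $FWCMD -f flush
    rules | while read -r line; do
        # shellcheck disable=SC2086  # word splitting of the rule is intended
        $FWCMD $line
    done
}

# Sanity check: "me" outbound must precede the divert rule, "me" inbound
# must follow it. Returns 0 when the ordering is correct.
order_ok() {
    me_out=$(rules | grep -n 'from me to any out' | cut -d: -f1)
    nat=$(rules | grep -n 'divert' | cut -d: -f1)
    me_in=$(rules | grep -n 'to me in recv' | cut -d: -f1)
    [ "$me_out" -lt "$nat" ] && [ "$nat" -lt "$me_in" ]
}

order_ok || { echo "rule order is wrong, not loading" >&2; exit 1; }
load_rules
```

Run it once as-is to review the printed commands, then with FWCMD=/sbin/ipfw from the console (not over the network, since a mistake in the default-deny rules will cut the session).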