Date:      Thu, 2 Feb 2017 20:37:46 -0200
From:      Thomas <thoms3rd@gmail.com>
To:        Rakor <freebsd@rakor-net.de>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: How to use IPFW to filter routing
Message-ID:  <20170202223746.GA8102@host>
In-Reply-To: <6B3C8792-2FEE-4FCE-952E-F13AF59E0927@rakor-net.de>
References:  <3C00AFCB-E2EF-4F89-8FBD-181C99DAC1FF@rakor-net.de> <20170129164035.GB10963@host> <6B3C8792-2FEE-4FCE-952E-F13AF59E0927@rakor-net.de>


Sun, Jan 29, 2017 at 06:52:58PM +0100, Rakor:
> Hi and thanks for your reply!

Hello! Sorry for not following up, I was busy and forgot.

> I also tried it using recv and xmit rules.
> [...] 
> So to me it looks like he does not know that the packet will be transmitted via igb2 at the moment it is inspected.

Yeah, if via doesn't work, recv and xmit probably won't either. I can't
tell at a glance why your out rule is not working =\.

> > Have you tried something like this?
> > 
> > ipfw add deny tcp 10.10.30.0/24 to 10.10.10.0/24 setup keep-state
> > ipfw add deny tcp 10.10.30.0/24 to 10.10.20.0/24 setup keep-state
> > ipfw add allow tcp 10.10.30.0/24 to any 80 setup keep-state
> 
> This will work. But for any new subnet I’ll have to remember to deny it for any other subnets. I think this can become unhandy very soon.
> [...]
> OK. So I’d like to have deny by default (as ipfw is working). Then I’d like to say exactly which traffic is allowed. So in my mind I’ll have no additional deny-rules. I’d like to say from which interface to which interface the traffic is traveling, because this respects my VLANs. OK, because there is an IP attached to the devices, using the subnets would do it also (but I feel more comfortable seeing my interfaces - maybe it’s stupid).
> 
> So the rules I’d like to write say:
> "allow tcp from VLAN3 to Internet using ports 80,443 coming from igb0.3 going to igb2 and deny all the rest."

Of course, our mileages will be different, but avoiding deny rules can
make things more complicated. A simpler, more explicit ruleset, even if
it's a little longer, is generally safer and better. Performance (if
it's at all a concern to you) may also suffer, as packets traverse more
rules.

As far as the number of subnets becoming unhandy, that is unavoidable if
you're managing them individually like that. It may help to group them
into zones and write your ruleset in terms of that. Use variables in
your firewall script, and tables; "skipto" also comes in handy.

Finally, filtering based on interfaces is good, but it's seldom enough.
At least *I* could never avoid having addresses in the rules and still
manage to filter everything I needed to. Also, using only the in/out
interfaces in your rules makes them much more broad, and less flexible.

Hope some of the above is useful to you, as it is to me when writing my
rulesets.


Cheers,

- Thomás
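As an added illustration of the approach Thomas outlines (variables, a table for the internal zone, skipto chains per ingress interface, deny-by-default at the end of each chain), here is a firewall script that is not part of the thread or of FreeBSD. Interface names and subnets are assumed from the discussion; IPFW defaults to "echo" so the ruleset can be printed and inspected without root.

```shell
#!/bin/sh
# Added example, not from the thread. Zone-based ipfw ruleset built from
# variables and one address table, dispatched with skipto per ingress
# interface. Override IPFW="ipfw -q" to load it for real.
IPFW="${IPFW:-echo ipfw -q}"

VLAN3_IF="igb0.3"                 # VLAN 3 ingress interface (from the thread)
WAN_IF="igb2"                     # uplink (from the thread)
LAN_NETS="10.10.10.0/24 10.10.20.0/24 10.10.30.0/24"  # internal zone (assumed)
WEB_PORTS="80,443"
VLAN3_CHAIN=10000                 # first rule number of the VLAN 3 chain

build_ruleset() {
    $IPFW flush
    # One table holds every internal subnet: a new VLAN later means one
    # table entry, not a new deny rule against every other subnet.
    $IPFW table lan_nets create type addr 2>/dev/null  # may already exist
    $IPFW table lan_nets flush
    for net in $LAN_NETS; do
        $IPFW table lan_nets add "$net"
    done

    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 200 check-state            # replies of keep-state flows
    # Dispatch by ingress interface into a per-zone chain.
    $IPFW add 1000 skipto "$VLAN3_CHAIN" ip from any to any in recv "$VLAN3_IF"
    # Anything no chain claims is dropped and logged.
    $IPFW add 9999 deny log ip from any to any

    # VLAN 3 chain: no traffic to other internal zones, web to everything else.
    $IPFW add "$VLAN3_CHAIN" deny ip from any to 'table(lan_nets)' in recv "$VLAN3_IF"
    $IPFW add $((VLAN3_CHAIN + 10)) allow tcp from any to any "$WEB_PORTS" \
        in recv "$VLAN3_IF" setup keep-state
    $IPFW add $((VLAN3_CHAIN + 999)) deny log ip from any to any
}

build_ruleset
```

The forwarded packet is seen twice (in on igb0.3, out on igb2); the "setup keep-state" rule creates the dynamic entry on the in pass and check-state at rule 200 admits the out pass and the replies, so no interface-pair matching is needed.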



