Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 31 Jan 2003 13:10:49 -0500
From:      "JoeB" <barbish@a1poweruser.com>
To:        "Redmond Militante" <r-militante@northwestern.edu>, <freebsd-questions@freebsd.org>
Subject:   RE: please comment on my nat/ipfw rules (resent)
Message-ID:  <MIEPLLIBMLEEABPDBIEGGEPPDEAA.barbish@a1poweruser.com>
In-Reply-To: <20030131131815.GA9488@darkpossum>

next in thread | previous in thread | raw e-mail | index | archive | help
1. Your firewall rules are not working at all, except for the natd
redirect option. This is caused by the kernel compile time option
IPFIREWALL_DEFAULT_TO_ACCEPT.    This option tell your firewall that
any packet that does not match a rule is allowed to pass on through
the firewall. Comment out that option in your kernel options source
and recompile your kernel to take the default of default-to-deny and
your current rules set will stop functioning.

2. You are using the simplest of the rule types 'state-less'. Using
this type of rules you have to not only have a rule to allow the
packet out you also have to have a rule to allow the packet in. See
rules 220 & 230 of your posted rule set to see how it should be
done.

3.  There are 3 classes of rules, each class has separate packet
interrogation abilities. Each proceeding class has greater packet
interrogation abilities than the previous one. These are stateless,
simple stateful, and advanced stateful. The advanced stateful rule
class is the only class having technically advanced interrogation
abilities capable of defending against the flood of different attack
methods currently employed by perpetrators. Stateless and Simple
Stateful IPFW firewall rules are inadequate to protect the users
system in today's internet environment and leaves the user
unknowingly believing they are protected when in reality they are
not.


4. The advanced stateful rule option keep-state works as documented
only when used in a rule set that does not use the divert rule.
Simply stated the IPFW advanced stateful rule option keep-state does
not function correctly when used in a IPFW firewall that also is
using the IPFW built in NATD function. For the most complete
keep-state protection the other FIREWALL solution (IPFILTER) that
comes with FBSD should be used. Just checkout the IPFW list archives
and you will see this subject discussed in detail with out any
solution forthcoming.


-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Redmond
Militante
Sent: Friday, January 31, 2003 8:18 AM
To: freebsd-questions@freebsd.org
Subject: please comment on my nat/ipfw rules (resent)


hi all

 i have my test machine set up as a gateway box, with ipfw/natd
configured on it, set up to filter/redirect packets bound for a
client on my internal network.

 external ip of my internal client is aliased to the outside nic of
the gateway box


 gateway machine's kernel has been recompiled with:

 options IPFIREWALL
 options IPDIVERT
 options IPFIREWALL_DEFAULT_TO_ACCEPT
 options IPFIREWALL_VERBOSE



 gateway's /etc/rc.conf looks like

 defaultrouter="129.x.x.1"
 hostname="hostname.com"
 ifconfig_xl0="inet 129.x.x.1 netmask 255.255.255.0"
 #aliasing internal client's ip to the outside nic of gateway box
 ifconfig_xl0_alias0="inet 129.x.1.20 netmask 255.0.0.0"
 #inside nic of gateway box
 ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
 gateway_enable="YES"
 firewall_enable="YES"
 #firewall_script="/etc/rc.firewall"
 firewall_type="/etc/ipfw.rules"
 natd_enable="YES"
 #natd interface is outside nic
 natd_interface="xl0"
 #natd flags redirect any traffic bound for ip of www3 to internal
ip of www3
 natd_flags="-redirect_address 10.0.0.2 129.x.x.20"
 kern_securelevel_enable="NO"
 .........



 internal client's /etc/rc.conf looks like

 second machine's /etc/rc.conf:

 defaultrouter="10.0.0.1"
 ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"
 ................


 looks like this setup is working. the internal client is a basic
webserver/ftp server. i am able to ftp to it, ssh to it, view
webpages that it serves up, etc. with it hooked up to the internal
nic of the gateway box.

 i am now trying to come up with a good set of firewall rules on the
gateway box to filter out all unnecessary traffic to my internal
network. the following is my /etc/ipfw.rules on the gateway box.

 -----------------------------snip------------------------------

 # firewall_type="/etc/ipfw.rules"
 # enquirer ipfw.rules

 # NAT
 add 00100 divert 8668 ip from any to any via xl0

 # loopback
 add 00210 allow ip from any to any via lo0
 add 00220 deny ip from any to 127.0.0.0/8
 add 00230 deny ip from 127.0.0.0/8 to any

 #allow tcp in for nfs shares
 #add 00301 allow tcp from 129.x.x.x to any in via xl0
 #add 00302 allow tcp from 129.x.x.x to any in via xl0

 #allow tcp in for ftp,ssh, smtp, httpd
 add 00303 allow tcp from any to any in 21,22,25,80,10000 via xl0

 #deny rest of incoming tcp
 add 00309 deny log tcp from any to any in established

 #from man 8 ipfw: allow only outbound tcp connections i've created
 add 00310 allow tcp from any to any out via xl0


 #allow udp in for gateway for DNS
 add 00300 allow udp from 10.0.0.0/24 to 129.105.49.1 53 via xl0

 #allow udp in for nfs shares
 #add 00401 allow udp from 129.x.x.x to any in recv xl0
 #add 00402 allow udp from 129.x.x.x to any in recv xl0

 #allow all udp out from machine
 add 00404 allow udp from any to any out via xl0

 #allow some icmp types (codes not supported)
 ##########allow path-mtu in both directions
 add 00500 allow icmp from any to any icmptypes 3
 ##########allow source quench in and out
 add 00501 allow icmp from any to any icmptypes 4
 ##########allow me to ping out and receive response back
 add 00502 allow icmp from any to any icmptypes 8 out
 add 00503 allow icmp from any to any icmptypes 0 in
 ##########allow me to run traceroute
 add 00504 allow icmp from any to any icmptypes 11 in
 add 00600 deny log ip from any to any

 #--- end ipfw.rules ---#

 -----------------------------snip------------------------------


 any comments on how i could improve this set of ipfw rules to
better secure my internal client would be appreciated. thanks again

 redmond


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGGEPPDEAA.barbish>