From owner-freebsd-questions Thu Jun 6 17:03:13 2002
Delivered-To: freebsd-questions@freebsd.org
From: "Joe & Fhe Barbish"
To: "Rob Ellis"
Cc: "FBSDQ"
Subject: RE: ipfw: 'out via fxp0' rules don't work
Date: Thu, 6 Jun 2002 20:02:17 -0400
In-Reply-To: <20020606172128.GH18966@web.ca>

Rob

You are not clear about what you are trying to do. Saying you have 4 interfaces that are intended to allow outbound connections leaves one guessing. Does this mean you have 4 Nic cards each connected to a different ISP account, or 4 Nic cards servicing private internal Lans?

The keep-state option builds an entry in the dynamic rules table for automatic bi-directional packet exchange and is normally used just on the public interface. Advanced stateful rules and IPFW's built-in divert natd function are very hard to get to function correctly for a LAN behind the firewall. I have stumbled into the solution to this problem after many months of testing. This solution has only been tested on FBSD version 4.5.

All private LAN Nic interface devices must have a keep-state rule so they get in sync with the keep-state dynamic table rules for the DSL or Cable internet connection interface.
The order of private Lan rules before the public out & in rules, both of which have to come after the divert natd rule, is very important. See rule 500 below.

Content of /etc/ipfw.rules.conf

    # These rules can be reloaded without rebooting by issuing this command
    #   sh /etc/ipfw.rules.conf

    /sbin/ipfw -q -f flush

    # Set rules command prefix
    # The -q option on the command is for quiet mode.
    # Do not display rules as they load. Remove during development to see.
    cmd="/sbin/ipfw -q add"

    # Set defaults
    oif="rl0"                  # Nic card to DSL modem public internet connection
    odns1="241.250.241.250"    # ISP's dns server IP address

    $cmd 00200 divert natd all from any to any via $oif

    ######## control section ############################################
    # Start of IPFW advanced Stateful Filtering using "dynamic" rules.
    # The check-state statement behavior is to match bi-directional packet traffic
    # flow between source and destination using protocol/IP/port/sequence number.
    # Allow the packet through if it has previously been added to
    # the "dynamic" rules table by an allow keep-state statement.
    $cmd 00400 check-state

    # Run all private LAN xl0 packet traffic through the dynamic rules
    # table so the IP addresses are in sync with Natd. You would have one
    # rule like this for each Nic card you have for private lans.
    $cmd 00500 allow all from any to any via xl0 keep-state

    # Deny all fragments coming in as bogus packets
    $cmd 00530 deny all from any to any frag in via $oif

    # Deny ACK packets that did not match the dynamic rule table
    $cmd 00540 deny tcp from any to any established in via $oif

    ######## outbound section ############################################
    # Interrogate packets originating from behind the firewall, private net.
    # Upon a rule match, its keep-state option will create a dynamic rule.
    # Allow out non-secure standard http function
    $cmd 00600 allow tcp from any to any 80 out via $oif setup keep-state

    # Allow out secure www function https over TLS SSL
    $cmd 00601 allow tcp from any to any 443 out via $oif setup keep-state

    # Allow out access to my ISP's Domain name server.
    $cmd 00610 allow tcp from any to $odns1 53 out via $oif setup keep-state
    $cmd 00611 allow udp from any to $odns1 53 out via $oif keep-state

    # Allow out send & get email function
    $cmd 00630 allow tcp from any to any 25,110 out via $oif setup keep-state

    # Allow out FBSD (make install & CVSUP) functions
    # Basically give user id [ROOT] "GOD" privileges.
    $cmd 00640 allow tcp from me to any out via $oif setup keep-state uid root

    ######## inbound section ############################################
    # Interrogate packets originating from in front of the firewall, public net.

    # Allow in www http access to my apache server
    $cmd 00800 allow tcp from any to any 80 in via $oif setup keep-state limit src-addr 4

    # Allow TCP FTP control channel in & data channel out
    $cmd 00810 allow tcp from any to me 21 in via $oif setup keep-state limit src-addr 4
    $cmd 00811 allow tcp from any 20 to any 1024-49151 out via $oif setup keep-state limit src-addr 4

    # Allow in ssh function
    $cmd 00820 allow log tcp from any to me 22 in via $oif setup keep-state limit src-addr 4

    # Allow in Telnet
    $cmd 00830 allow tcp from any to me 23 in via $oif setup keep-state limit src-addr 4

This is just a sample from which you can build. The main thing is it demonstrates how to code and organize your advanced stateful rules file.

Joe

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Rob Ellis
Sent: Thursday, June 06, 2002 1:21 PM
To: freebsd-questions@FreeBSD.ORG
Subject: ipfw: 'out via fxp0' rules don't work

I have the following rules, on a box with 4 interfaces, that are intended to allow outbound connections...
    ipfw add allow udp from any to any out xmit fxp0 keep-state
    ipfw add allow tcp from any to any out xmit fxp0 setup keep-state

but this doesn't work as I thought it would. For instance, 'in via xl0' packets are still being blocked. I also tried

    ipfw add allow udp from any to any out recv xl0 xmit fxp0 keep-state
    ipfw add allow tcp from any to any out recv xl0 xmit fxp0 setup keep-state

which also didn't work. The packets I want to allow are indeed coming in via xl0 and out via fxp0, but the error is always like:

> Jun 6 12:46:30 myname /kernel: ipfw: 22901 Deny TCP xxx.xxx.xxx.xxx:3325 yyy.yyy.yyy.yyy:80 in via xl0

A rule like

    ipfw add allow tcp from xxx.xxx.xxx.0/24 to any 80 setup keep-state

does work, but I want to firewall off the internal networks from each other, and I didn't want to get into any more skipto rules...

In short, interface-based in/out rules don't seem to work. Anyone have any ideas? Am I just not understanding how the interface-based rules are supposed to work?

The firewall box is running 4.5-RELEASE-p4.

Thanks.

- rob

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
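As an added example (not code from the mail or from the FreeBSD project), a small POSIX sh checker for the ordering Joe's reply insists on: divert natd before check-state, a keep-state rule for every private LAN NIC, and all of those before the public interface's out/in rules. It assumes a rules file in the "$cmd NNNNN ..." format shown above, that the public interface is referred to by the literal token passed as the second argument ('$oif' here), and the two sample rule sets it checks are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original mail): a sanity checker for the
# rule ordering Joe describes: divert natd, then check-state, then one
# keep-state rule per private LAN NIC, and only then the public interface's
# "out via"/"in via" rules. Assumes the mail's "$cmd NNNNN ..." line format
# and that the public interface is named by the literal token in $2 (e.g. '$oif').

# first_rule FILE TEXT -> lowest rule number whose line contains TEXT (empty if none)
first_rule() {
    awk -v txt="$2" '
        $1 == "$cmd" && index($0, txt) > 0 { n = $2 + 0; if (min == "" || n < min) min = n }
        END { if (min != "") print min }' "$1"
}

# check_ipfw_order FILE PUBIF LANIF... -> 0 when the order is right, 1 (with a reason) otherwise
check_ipfw_order() {
    file=$1; pubif=$2; shift 2
    divert=$(first_rule "$file" "divert natd")
    cstate=$(first_rule "$file" "check-state")
    [ -n "$divert" ] || { echo "no divert natd rule"; return 1; }
    [ -n "$cstate" ] || { echo "no check-state rule"; return 1; }
    [ "$divert" -lt "$cstate" ] || { echo "divert natd ($divert) must precede check-state ($cstate)"; return 1; }
    # earliest rule that filters the public interface in either direction
    pub=$(first_rule "$file" "out via $pubif"); pub_in=$(first_rule "$file" "in via $pubif")
    if [ -n "$pub_in" ] && { [ -z "$pub" ] || [ "$pub_in" -lt "$pub" ]; }; then pub=$pub_in; fi
    for lan in "$@"; do
        ks=$(first_rule "$file" "via $lan keep-state")
        [ -n "$ks" ] || { echo "LAN $lan has no keep-state rule"; return 1; }
        [ "$cstate" -lt "$ks" ] || { echo "check-state ($cstate) must precede $lan keep-state ($ks)"; return 1; }
        [ -z "$pub" ] || [ "$ks" -lt "$pub" ] || { echo "$lan keep-state ($ks) must precede public rules ($pub)"; return 1; }
    done
    echo "rule order OK"
}

# Constructed sample rule sets in the mail's format; GOOD follows the order above,
# BAD moves the LAN keep-state rule after a public "out via" rule (Joe's warning).
GOOD_RULES=$(mktemp); BAD_RULES=$(mktemp)
trap 'rm -f "$GOOD_RULES" "$BAD_RULES"' EXIT
cat > "$GOOD_RULES" <<'EOF'
$cmd 00200 divert natd all from any to any via $oif
$cmd 00400 check-state
$cmd 00500 allow all from any to any via xl0 keep-state
$cmd 00530 deny all from any to any frag in via $oif
$cmd 00600 allow tcp from any to any 80 out via $oif setup keep-state
EOF
sed 's/^\$cmd 00500 /$cmd 00700 /' "$GOOD_RULES" | sort > "$BAD_RULES"

check_ipfw_order "$GOOD_RULES" '$oif' xl0
check_ipfw_order "$BAD_RULES" '$oif' xl0 || true
```

Run it against your own /etc/ipfw.rules.conf with the public interface token and each LAN NIC as arguments; it only reads the file and never touches the live ruleset.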