Date:      Fri, 31 Jan 2003 14:37:11 -0600
From:      Redmond Militante <r-militante@northwestern.edu>
To:        JoeB <barbish@a1poweruser.com>, freebsd-questions@freebsd.org
Subject:   Re: please comment on my nat/ipfw rules (resent)
Message-ID:  <20030131203711.GI29383@darkpossum>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGGEPPDEAA.barbish@a1poweruser.com>
References:  <20030131131815.GA9488@darkpossum> <MIEPLLIBMLEEABPDBIEGGEPPDEAA.barbish@a1poweruser.com>


hi

you've sold me :)
do you have any good online tutorials to recommend for setting up a gateway/firewall/natd machine using ipfilter/ipnat?

thanks
redmond

> 1. Your firewall rules are not working at all, except for the natd
> redirect option. This is caused by the kernel compile time option
> IPFIREWALL_DEFAULT_TO_ACCEPT. This option tells your firewall that
> any packet that does not match a rule is allowed to pass on through
> the firewall. Comment out that option in your kernel options source
> and recompile your kernel to take the default of default-to-deny and
> your current rule set will stop functioning.
>
> 2. You are using the simplest of the rule types, 'state-less'. Using
> this type of rules you not only have to have a rule to allow the
> packet out, you also have to have a rule to allow the packet in. See
> rules 220 & 230 of your posted rule set to see how it should be
> done.
>
> 3. There are 3 classes of rules; each class has separate packet
> interrogation abilities. Each succeeding class has greater packet
> interrogation abilities than the previous one. These are stateless,
> simple stateful, and advanced stateful. The advanced stateful rule
> class is the only class having technically advanced interrogation
> abilities capable of defending against the flood of different attack
> methods currently employed by perpetrators. Stateless and simple
> stateful IPFW firewall rules are inadequate to protect the user's
> system in today's internet environment and leave the user
> unknowingly believing they are protected when in reality they are
> not.
>
>
> 4. The advanced stateful rule option keep-state works as documented
> only when used in a rule set that does not use the divert rule.
> Simply stated, the IPFW advanced stateful rule option keep-state does
> not function correctly when used in an IPFW firewall that is also
> using the IPFW built-in NATD function. For the most complete
> keep-state protection the other firewall solution (IPFILTER) that
> comes with FBSD should be used. Just check out the IPFW list archives
> and you will see this subject discussed in detail without any
> solution forthcoming.
>
>
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Redmond
> Militante
> Sent: Friday, January 31, 2003 8:18 AM
> To: freebsd-questions@freebsd.org
> Subject: please comment on my nat/ipfw rules (resent)
>
>
> hi all
>
>  i have my test machine set up as a gateway box, with ipfw/natd
> configured on it, set up to filter/redirect packets bound for a
> client on my internal network.
>
>  external ip of my internal client is aliased to the outside nic of
> the gateway box
>
>
>  gateway machine's kernel has been recompiled with:
>
>  options IPFIREWALL
>  options IPDIVERT
>  options IPFIREWALL_DEFAULT_TO_ACCEPT
>  options IPFIREWALL_VERBOSE
>
>
>
>  gateway's /etc/rc.conf looks like
>
>  defaultrouter="129.x.x.1"
>  hostname="hostname.com"
>  ifconfig_xl0="inet 129.x.x.1 netmask 255.255.255.0"
>  #aliasing internal client's ip to the outside nic of gateway box
>  ifconfig_xl0_alias0="inet 129.x.1.20 netmask 255.0.0.0"
>  #inside nic of gateway box
>  ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
>  gateway_enable="YES"
>  firewall_enable="YES"
>  #firewall_script="/etc/rc.firewall"
>  firewall_type="/etc/ipfw.rules"
>  natd_enable="YES"
>  #natd interface is outside nic
>  natd_interface="xl0"
>  #natd flags redirect any traffic bound for ip of www3 to internal
> ip of www3
>  natd_flags="-redirect_address 10.0.0.2 129.x.x.20"
>  kern_securelevel_enable="NO"
>  .........
>
>
>
>  internal client's /etc/rc.conf looks like
>
>  second machine's /etc/rc.conf:
>
>  defaultrouter="10.0.0.1"
>  ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"
>  ................
>
>
>  looks like this setup is working. the internal client is a basic
> webserver/ftp server. i am able to ftp to it, ssh to it, view
> webpages that it serves up, etc. with it hooked up to the internal
> nic of the gateway box.
>
>  i am now trying to come up with a good set of firewall rules on the
> gateway box to filter out all unnecessary traffic to my internal
> network. the following is my /etc/ipfw.rules on the gateway box.
>
>  -----------------------------snip------------------------------
>
>  # firewall_type="/etc/ipfw.rules"
>  # enquirer ipfw.rules
>
>  # NAT
>  add 00100 divert 8668 ip from any to any via xl0
>
>  # loopback
>  add 00210 allow ip from any to any via lo0
>  add 00220 deny ip from any to 127.0.0.0/8
>  add 00230 deny ip from 127.0.0.0/8 to any
>
>  #allow tcp in for nfs shares
>  #add 00301 allow tcp from 129.x.x.x to any in via xl0
>  #add 00302 allow tcp from 129.x.x.x to any in via xl0
>
>  #allow tcp in for ftp,ssh, smtp, httpd
>  add 00303 allow tcp from any to any in 21,22,25,80,10000 via xl0
>
>  #deny rest of incoming tcp
>  add 00309 deny log tcp from any to any in established
>
>  #from man 8 ipfw: allow only outbound tcp connections i've created
>  add 00310 allow tcp from any to any out via xl0
>
>
>  #allow udp in for gateway for DNS
>  add 00300 allow udp from 10.0.0.0/24 to 129.105.49.1 53 via xl0
>
>  #allow udp in for nfs shares
>  #add 00401 allow udp from 129.x.x.x to any in recv xl0
>  #add 00402 allow udp from 129.x.x.x to any in recv xl0
>
>  #allow all udp out from machine
>  add 00404 allow udp from any to any out via xl0
>
>  #allow some icmp types (codes not supported)
>  ##########allow path-mtu in both directions
>  add 00500 allow icmp from any to any icmptypes 3
>  ##########allow source quench in and out
>  add 00501 allow icmp from any to any icmptypes 4
>  ##########allow me to ping out and receive response back
>  add 00502 allow icmp from any to any icmptypes 8 out
>  add 00503 allow icmp from any to any icmptypes 0 in
>  ##########allow me to run traceroute
>  add 00504 allow icmp from any to any icmptypes 11 in
>  add 00600 deny log ip from any to any
>
>  #--- end ipfw.rules ---#
>
>  -----------------------------snip------------------------------
>
>
>  any comments on how i could improve this set of ipfw rules to
> better secure my internal client would be appreciated. thanks again
>
>  redmond
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>
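The stateless-versus-stateful distinction in JoeB's points 1 to 3 above, as an added example that is not part of the thread or of FreeBSD: a small Python model of ipfw first-match evaluation. It simplifies ipfw (the dynamic-state table is consulted before the numbered rules, NAT translation is omitted) and uses constructed addresses; the rule numbers echo the posted set.

```python
from collections import namedtuple

# direction is "in" or "out" relative to the outside NIC (xl0 in the thread)
Packet = namedtuple("Packet", "proto src sport dst dport direction")
# proto "ip" = any protocol; direction None = both; dports None = any port
Rule = namedtuple("Rule", "number action proto direction dports keep_state",
                  defaults=[False])

def matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and rule.direction in (None, pkt.direction)
            and (rule.dports is None or pkt.dport in rule.dports))

class Firewall:
    def __init__(self, rules, default_to_accept):
        self.rules = sorted(rules, key=lambda r: r.number)  # first match wins
        # fate of a packet no rule matches: what IPFIREWALL_DEFAULT_TO_ACCEPT flips
        self.default = "allow" if default_to_accept else "deny"
        self.dynamic = set()  # flows admitted by a keep-state rule

    def check(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.dynamic or reverse in self.dynamic:
            return "allow"  # reply to a flow a keep-state rule already admitted
        for rule in self.rules:
            if matches(rule, pkt):
                if rule.action == "allow" and rule.keep_state:
                    self.dynamic.add(flow)
                return rule.action
        return self.default

def run(rules, default_to_accept=False):
    """Outbound connection attempt from the inside host, then the server's reply.
    Addresses are constructed sample values (203.0.113.0/24 is documentation space)."""
    fw = Firewall(rules, default_to_accept)
    syn = Packet("tcp", "10.0.0.2", 49152, "203.0.113.9", 443, "out")
    syn_ack = Packet("tcp", "203.0.113.9", 443, "10.0.0.2", 49152, "in")
    return fw.check(syn), fw.check(syn_ack)

# Stateless, modelled on the posted rules: tcp out allowed, tcp in only to the
# listed ports, everything else denied. The reply to the outbound SYN is dropped.
STATELESS = [Rule(303, "allow", "tcp", "in", {21, 22, 25, 80, 10000}),
             Rule(310, "allow", "tcp", "out", None),
             Rule(600, "deny", "ip", None, None)]
# Simple stateful: keep-state on the outbound rule admits the reply dynamically.
STATEFUL = [Rule(310, "allow", "tcp", "out", None, keep_state=True),
            Rule(600, "deny", "ip", None, None)]
# No catch-all deny: with default-to-accept the unmatched reply passes anyway,
# which is why a rule set that denies by omission is ineffective under that option.
OPEN_DEFAULT = [Rule(310, "allow", "tcp", "out", None)]
```

Running `run(STATELESS)` gives ("allow", "deny") while `run(STATEFUL)` gives ("allow", "allow"); `run(OPEN_DEFAULT, default_to_accept=True)` also returns ("allow", "allow").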

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030131203711.GI29383>