From: Ronald Klop
To: Dries Michiels
Cc: freebsd-ipfw@freebsd.org, FreeBSD Net, freebsd-pf@freebsd.org, Ronald Klop
Date: Mon, 18 Nov 2024 14:48:52 +0100 (CET)
Message-ID: <144998054.8391.1731937732129@localhost>
References: <610cbd98-0e4c-474f-b352-9786fc9e6a70@FreeBSD.org>
Subject: Re: IPFW statefull firewall ruleset - some sites or applications do not work as expected
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
Hi,

I just re-read the ipfw man page about one_pass = 0.

# sysctl -d net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: Only do a single pass through ipfw when using dummynet(4)

I think next to dummynet, the definition also counts for netgraph and NAT rules, but not for every rule. So I doubt that one_pass=0 will do anything after rule 10 applies.

But I won't call myself a master of ipfw. So I will be happy to stand corrected.

Regards,
Ronald.

 

From: Dries Michiels <driesm@freebsd.org>
Date: Monday, 18 November 2024 13:23
To: Ronald Klop <ronald@freebsd.org>
CC: freebsd-ipfw@freebsd.org, freebsd-pf@freebsd.org, FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: IPFW statefull firewall ruleset - some sites or applications do not work as expected

Hi, unfortunately that's not the case, as I have one_pass set to off, meaning that after every rule, the packet continues to be processed by the next rule (so the NAT does get reached).
 
 
On Thu 14 Nov 2024 at 11:17, Ronald Klop <ronald@freebsd.org> wrote:
On 02-11-2024 at 16:30, Dries Michiels wrote:
> Hello,
>
> So I have a very basic ruleset, as described in the FreeBSD handbook, see below. I have "blurred" my open ports as seen in the ruleset below.
> igc0 is my WAN port and in the table "trusted_if" are like my LAN if and some bridges.
>
> 00001 reass ip from any to any in
> 00010 allow ip from any to any via table(trustedif)
> 00050 deny log ip from any to any not antispoof in
> 00100 nat 1 ip4 from any to any in recv igc0
> 00500 skipto 10000 tcp from any to any out xmit igc0 setup keep-state :default
> 00501 skipto 10000 udp from any to any out xmit igc0 keep-state :default
> 05000 allow tcp from any to me *some open ports* in recv igc0 setup keep-state :default
> 05001 allow udp from any to me *some open ports* in recv igc0 keep-state :default
> 09998 deny log tcp from any to any
> 09999 deny log udp from any to any
> 10000 nat 1 ip4 from any to any out xmit igc0
> 65535 allow ip from any to any
>
> Now comes the tricky part. There are some applications that don't work correctly with this ruleset.
> For example, itsme (Belgian application) to identify yourself with a lot of accounts, does not work.
> Recently my banking website also stopped working. So now I'm wondering, how do I start to troubleshoot this issue?
> Are there any caveats with this ruleset when redirects are happening, for example? I'm also wondering if Belgian PF users have the same issue?
>
> I'm hopeful to get to the bottom of this as it's quite annoying needing to switch wifi channels to my ISP's router, which does work with these applications.
>
> Regards
> Dries
>
>

Hi,

It has been a while since I built ipfw firewalls, but doesn't rule 10 match all internal (from LAN) traffic, preventing outgoing (to WAN) packets from getting to the nat rules?

I would suggest something like this:

00001 reass ip from any to any in
00050 deny log ip from any to any not antispoof in
00100 nat 1 ip4 from any to any via igc0
00300 check-state :default
00200 allow ip from any to any in table(trustedif) keep-state :default
05000 allow tcp from any to me *some open ports* in recv igc0 setup keep-state :default
05001 allow udp from any to me *some open ports* in recv igc0 keep-state :default
09999 deny log ip from any to any
65535 allow ip from any to any



Regards,
Ronald.
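
To make the allow/nat/one_pass interaction discussed in this thread concrete, here is an added example that is not from the thread: a simplified Python model of ipfw rule evaluation, following ipfw(8), with which a LAN-to-WAN packet can be traced through the TCP half of the ruleset quoted above. It assumes a constructed table(trustedif) containing lan0 and bridge0, and leaves out reass, antispoof, keep-state and the "to me" rules.

```python
# Added example (not from the thread): a simplified model of ipfw evaluation,
# following ipfw(8), to trace the ruleset quoted above. A forwarded packet is
# checked twice ("in" on the receiving interface, "out" on the transmitting one);
# "via" matches either interface; allow/deny end a pass, "nat" only if one_pass=1.
TRUSTED = {"lan0", "bridge0"}  # constructed stand-in for table(trustedif)

def iface_match(rule, pkt):
    want = rule.get("iface")
    if want is None:
        return True
    names = TRUSTED if want == "table(trustedif)" else {want}
    sides = {"recv": ["recv"], "xmit": ["xmit"]}.get(rule.get("mode"), ["recv", "xmit"])
    return any(pkt[s] in names for s in sides)  # "via" checks either side

def match(rule, pkt):
    return (rule.get("dir") in (None, pkt["dir"])
            and rule.get("proto") in (None, "ip", pkt["proto"])
            and iface_match(rule, pkt))

def run_pass(rules, pkt, one_pass=0):
    """Numbers of the rules that matched on one pass, in order."""
    hits, i = [], 0
    while i < len(rules):
        rule = rules[i]
        if match(rule, pkt):
            hits.append(rule["num"])
            act = rule["action"]
            if act in ("allow", "deny") or (act == "nat" and one_pass):
                break
            if act == "skipto":  # resume at the first rule numbered >= target
                i = next((j for j, r in enumerate(rules) if r["num"] >= rule["target"]), len(rules))
                continue
        i += 1
    return hits

def trace(rules, pkt, one_pass=0):
    """(in-pass hits, out-pass hits) for a packet forwarded from LAN to WAN."""
    return (run_pass(rules, dict(pkt, dir="in", xmit=None), one_pass),
            run_pass(rules, dict(pkt, dir="out"), one_pass))

# TCP half of the quoted ruleset; reass, antispoof, keep-state and "to me" omitted.
ORIGINAL = [
    {"num": 10, "action": "allow", "iface": "table(trustedif)"},
    {"num": 100, "action": "nat", "dir": "in", "mode": "recv", "iface": "igc0"},
    {"num": 500, "action": "skipto", "target": 10000, "proto": "tcp", "dir": "out", "mode": "xmit", "iface": "igc0"},
    {"num": 9998, "action": "deny", "proto": "tcp"},
    {"num": 10000, "action": "nat", "dir": "out", "mode": "xmit", "iface": "igc0"},
    {"num": 65535, "action": "allow"},
]
LAN_TO_WAN = {"proto": "tcp", "recv": "lan0", "xmit": "igc0"}  # constructed packet
```

In this model trace(ORIGINAL, LAN_TO_WAN) stops at rule 10 on both passes, so rule 10000 is never evaluated whatever one_pass is set to; with rule 10 removed the out pass reaches 500, 10000 and 65535, and with one_pass=1 it ends at 10000.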