Date:      Thu, 21 Feb 2002 18:46:23 -0500
From:      "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To:        "Drew Tomlinson" <drew@mykitchentable.net>
Cc:        "FBSDQ" <questions@FreeBSD.ORG>
Subject:   RE: Migrate from IPF to IPFW
Message-ID:  <LPBBIGIAAKKEOEJOLEGOCEGFCIAA.barbish@a1poweruser.com>
In-Reply-To: <00a501c1aa82$e1d508f0$c42a6ba5@lc.ca.gov>

Don't know how far you have gotten, but I just completed doing the same
thing.  First thing is to remove the natd divert rule from your ipfw rules.
Natd and ipfw were never designed to work together. You still need natd or
user ppp nat to translate between public and private IP addresses, but let that
happen before ipfw rules get control; otherwise keep-state rules will keep
getting IP address mismatches. Below is my working ipfw advanced stateful
rule set for you to cut & paste from.

###########################################################################
#
# Define IPFW firewall rules for gateway.xxxxxxx.com
# 2/15/2002  Joe Barbish
#
#   User ppp tun0 dial out to ISP with dynamic IP addresses assigned.
#   User ppp tun1 dial in to this box with dynamic IP addresses assigned
#   User ppp tun2 dial in to this box with dynamic IP addresses assigned
#   User ppp nat used. Private Ip address used inside.
#   3 win98 boxes on LAN with static IP address hard coded.
#   Protect the whole private network from loss of service attacks
#   These rules can be reloaded without rebooting by issuing this command
#   sh /etc/ipfw.stdrules
#
#   The use of 'me' in rules means IP address 127.0.0.0 localhost
#
# Firewall Policy Statement.
#   All packet traffic originating behind this firewall not requiring access
#   to the public internet is exempt from these firewall rules.
#
#   Each public internet function must be explicitly allowed by a rule.
#   Only valid response to the packets I've sent out are allowed in.
#   All packets must use the IPFW advanced "dynamic" rules function.
#   No state-less rules or simple-stateful rules are allowed.
#
############################################################################
#

# Set rules command prefix
# The -q option on the command is for quiet mode.
# Do not display rules as they load. Remove during development to see.
fwcmd="/sbin/ipfw -q"

# Flush out the list before we begin.
$fwcmd -f flush

# Set defaults
# set these to your outside interface network and netmask and ip
# for dynamic IP address from ISP use their range
oif="tun0"
odns1="218.216.115.11"     # ISP's dns server 1 IP address
odns2="218.216.115.12"     # ISP's dns server 2 IP address
oisp="218.216.115.4"       # ISP router issuing rip
oip="163.170.155.25/24"    # For testing dial isp from standalone pc and
                           # access this FBSD box over the internet.
                           # This value is the dynamic IP address range
                           # issued by ISP. oip is in inbound section
                           # statements to only allow inbound access from me.
                           # /24 means 63.70.155.1 thru 63.70.155.256

# Set these to your inside interface network and ip address range
iif="xl0"                  # Nic card
iip="10.0.10.2/29"         # Private IP address range on Nic card
                           # /29 means 10.0.10.1 thru 10.0.10.08
                           # 10.0.10.2  Lan Nic card
                           # 10.0.10.5  Lan Windows98 machine1
iip2="10.0.0.1/29"         # Private IP address range for dial in
                           # /29 means 10.0.0.1 thru 10.0.10.08
                           # 10.0.0.2   User PPP Dialin Host
                           # 10.0.0.5   User PPP Dialin Windows98 machine1

# This is the start of the rules.
# All traffic coming in from the internet or
# leaving the local LAN start here

# Handle router 520 rip request
$fwcmd add 00002 deny udp  from $oisp 520 to me in via $oif

#*** TESTING PURPOSES ONLY *** TESTING PURPOSES ONLY *** TESTING PURPOSES ONLY
# The following rule if un-commented will change the behaviour of this
# FireWall rule set from closed to completely open, thus bypassing all of the
# following rules. This single rule is placed here for TESTING PURPOSES ONLY.
#$fwcmd add 00005 allow all from any to any

# Internal gateway housekeeping
# Rules # 100 - 130 exempt everything behind the firewall from this rules set.
# Rules # 150 & 160 deny the reference to the localhost default IP address.
$fwcmd add 00100 allow ip from any to any via lo0  # allow all localhost
$fwcmd add 00110 allow ip from any to any via xl0  # allow all local LAN
$fwcmd add 00120 allow ip from any to any via tun1 # allow all dialin call 1
$fwcmd add 00130 allow ip from any to any via tun2 # allow all dialin call 2
$fwcmd add 00150 deny  ip from any to 127.0.0.0/8  # deny use of localhost IP
$fwcmd add 00160 deny  ip from 127.0.0.0/8 to any  # deny use of localhost IP



########  control section  ############################################
# Start of IPFW advanced Stateful Filtering using "dynamic" rules.
# The check-state statement behaviour is to match bidirectional packet traffic
# flow between source and destination using protocol/IP/port/sequence number.
# The dynamic rule has a limited lifetime which is controlled by a set of
# sysctl(8) variables. The lifetime is refreshed every time a matching
# packet is found in the dynamic table.

# Allow the packet through if it has previously been added to
# the "dynamic" rules table by an allow keep-state statement.

$fwcmd add 00500 check-state

# Deny any late arriving packets so they don't
# get caught & logged by rules 800 or 900.
$fwcmd add 00502 deny all from any to any frag

# Deny ACK packets that did not match the dynamic rule table
$fwcmd add 00501 deny tcp from any to any established


########  outbound section  ############################################
# Interrogate packets originating from behind the firewall, private net.
# Upon a rule match, its keep-state option will create a dynamic rule.

# Allow out www function
$fwcmd add 00600 allow tcp  from any to any 80  out via $oif setup keep-state

# Allow lan winbox access to FBSD Apache13/Frontpage Server
$fwcmd add 00601 allow tcp  from $iip to any 80  out via $oif setup keep-state

# Allow out access to my ISP's Domain name server.
$fwcmd add 00610 allow tcp  from any to $odns1 53 out via $oif setup keep-state
$fwcmd add 00611 allow udp  from any to $odns1 53 out via $oif keep-state
$fwcmd add 00615 allow tcp  from any to $odns2 53 out via $oif setup keep-state
$fwcmd add 00616 allow udp  from any to $odns2 53 out via $oif keep-state

# Allow out access to internet Domain name server.
$fwcmd add 00618 allow tcp  from any to any    53 out via $oif setup keep-state
$fwcmd add 00619 allow udp  from any to any    53 out via $oif keep-state

# For some unknown reason the keep-state function on udp to DNS IP address
# runs very slow and gets hung up. These stateless rules work fast.
#${fwcmd} add 00620 allow udp from any to ${odns1} 53        # allow out
#${fwcmd} add 00621 allow udp from ${odns1} 53 to any        # allow in
#${fwcmd} add 00622 allow udp from any to ${odns2} 53        # allow out
#${fwcmd} add 00623 allow udp from ${odns2} 53 to any        # allow in
#${fwcmd} add 00624 allow udp from any to any 53             # allow out
#${fwcmd} add 00625 allow udp from any 53 to any             # allow in


# Allow out send & get email function
$fwcmd add 00630 allow tcp  from any to any 25,110  out via $oif setup keep-state

# Allow out & in FBSD (make install & CVSUP)  functions
# Basically give user id root  "GOD"  privileges.
$fwcmd add 00640 allow tcp  from me to any  out via $oif setup keep-state uid root
$fwcmd add 00641 allow tcp  from any to me  in  via $oif setup keep-state uid root


# Allow out ping
$fwcmd add 00650 allow icmp from any to any       out via $oif keep-state

# Allow out FTP control channel
$fwcmd add 00671 allow tcp  from any to any 21    out via $oif setup keep-state
# Allow in FTP data channel to Lan ip range
$fwcmd add 00672 allow tcp  from any 20 to $iip 1024-49151 in via $oif setup keep-state
# Allow in FTP data channel to Dialin users ip range
$fwcmd add 00673 allow tcp  from any 20 to $iip2 1024-49151 in via $oif setup keep-state

# Allow out ssh
$fwcmd add 00680 allow tcp  from any to any 22   out via $oif setup keep-state

# Allow out TELNET
$fwcmd add 00690 allow tcp  from any to any 23    out via $oif setup keep-state

# Allow out Network Time Protocol (NTP) queries
$fwcmd add 00694 allow tcp  from any to any 123   out via $oif setup keep-state
$fwcmd add 00695 allow udp  from any to any 123   out via $oif keep-state

# Allow out Time
$fwcmd add 00696 allow tcp  from any to any 37    out via $oif setup keep-state
$fwcmd add 00697 allow udp  from any to any 37    out via $oif keep-state

# Allow out ident
$fwcmd add 00700 allow tcp  from any to any 113   out via $oif setup keep-state
$fwcmd add 00701 allow udp  from any to any 113   out via $oif keep-state

# Allow out IRC
$fwcmd add 00710 allow tcp  from any to any 194   out via $oif setup keep-state
$fwcmd add 00711 allow udp  from any to any 194   out via $oif keep-state

# Allow out whois
$fwcmd add 00712 allow tcp  from any to any 43    out via $oif setup keep-state
$fwcmd add 00713 allow udp  from any to any 43    out via $oif keep-state

# Allow out whois++
$fwcmd add 00715 allow tcp  from any to any 63    out via $oif setup keep-state
$fwcmd add 00716 allow udp  from any to any 63    out via $oif keep-state

# Allow out finger
$fwcmd add 00720 allow tcp  from any to any 79    out via $oif setup keep-state
$fwcmd add 00721 allow udp  from any to any 79    out via $oif keep-state

# Allow out nntp news
$fwcmd add 00725 allow tcp  from any to any 119   out via $oif setup keep-state
$fwcmd add 00726 allow udp  from any to any 119   out via $oif keep-state

# Allow out gopher
$fwcmd add 00730 allow tcp  from any to any 70    out via $oif setup keep-state
$fwcmd add 00731 allow udp  from any to any 70    out via $oif keep-state



########  inbound section  ############################################
# Interrogate packets originating from in front of the firewall, public net.
# Place statements here to allow public requests for service.
# The ${oip} holds the dynamic ip address range that both this FBSD box and
# the standalone pc I use for testing logs into, so the result is only I can
# gain public access from the internet to these functions.

# Allow in www
$fwcmd add 00800 allow tcp from $oip to any 80 in via $oif setup keep-state

# Allow  TCP FTP control channel in & data channel out
$fwcmd add 00810 allow tcp from $oip to me 21  in via $oif setup keep-state
$fwcmd add 00811 allow tcp from $oip 20 to any 1024-49151 out via $oif setup keep-state

# Allow in ssh function
$fwcmd add 00820 allow log tcp from $oip to me 22 in via $oif setup keep-state

# Allow in Telnet
$fwcmd add 00830 allow tcp from $oip to me 23 in via $oif setup keep-state

# This sends a RESET to all ident packets.
$fwcmd add 00840 reset tcp from any to me 113  in via $oif

# Stop & log spoofing Attack attempts.
# Examine incoming traffic for packets with both a source and destination
# IP address in my local domain as per CIAC prevention alert.
$fwcmd add 00850 deny log ip from me to me  in via $oif

# Stop & log ping echo attacks
# stop echo reply (ICMP type 0), and echo request (type 8).
$fwcmd add 00860 deny log icmp from any to me icmptype 0,8  in via $oif

# Reject & Log all setup of incoming connections from the outside
$fwcmd add 00900 deny log all from any to any      in via $oif

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$fwcmd add 00910 deny log logamount 500 ip from any to any
-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Drew Tomlinson
Sent: Thursday, January 31, 2002 1:13 PM
To: Mario Doria; questions@freebsd.org
Subject: Re: Migrate from IPF to IPFW


----- Original Message -----
From: "Mario Doria" <mariodoria@yahoo.com>
To: <questions@freebsd.org>
Sent: Thursday, January 31, 2002 10:04 AM
Subject: Migrate from IPF to IPFW


> Hello,
>
> I'm planning to migrate a machine from IPF to IPFW, but before I make any
> changes (the machine is in production), I want to test the IPFW ruleset.
> Please, can someone provide me examples of an IPFW stateful ruleset? Here's
> what I have so far:

I found this file to be very helpful in setting up mine.

http://www.bsdtoday.com/2000/December/rc.firewall.current

HTH,

Drew


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
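The rule set posted above states its own policy in the header (NAT runs before ipfw, a check-state rule is consulted before any keep-state rule creates dynamic state, no stateless rules on the outside interface, default deny at the end). The following is an added example, not code from the thread or from FreeBSD: a small linter that reads a script in that `$fwcmd add <number> <rule>` shape and reports rules that break those invariants. The `$oif` name for the outside interface is taken from the posted script; the two sample scripts embedded at the bottom are constructed for the demonstration, and the `divert natd` check follows the advice in the post to remove that rule rather than any ipfw documentation.

```python
"""Lint an ipfw rule script against the stateful policy stated in its header.

Added example, not from the mailing-list post. Assumes the script uses
`$fwcmd add <number> <rule>` lines, `$oif` for the outside interface and
'#' comments, as the posted rule set does.
"""
import re
from typing import List, Tuple

RULE_RE = re.compile(r'^\$\{?fwcmd\}?\s+add\s+(\d+)\s+(.*)$')


def parse_rules(script: str) -> List[Tuple[int, List[str]]]:
    """Return (number, tokens) for every active rule, sorted the way ipfw
    evaluates them: by rule number, not by position in the file."""
    rules = []
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue                        # blank line or commented-out rule
        m = RULE_RE.match(line)
        if not m:
            continue                        # variable assignments, flush, etc.
        body = m.group(2).split('#', 1)[0]  # drop trailing comment
        rules.append((int(m.group(1)), body.split()))
    return sorted(rules, key=lambda r: r[0])


def protocol(tok: List[str]) -> str:
    """Protocol keyword following the action, skipping `log [logamount N]`."""
    i = 1
    while i < len(tok):
        if tok[i] == 'log':
            i += 1
        elif tok[i] == 'logamount':
            i += 2
        else:
            break
    return tok[i] if i < len(tok) else ''


def lint_ruleset(script: str, outside_if: str = '$oif') -> List[Tuple[int, str]]:
    """Return (rule number, finding) pairs; an empty list means the script
    honours the policy stated in the rule set header."""
    rules = parse_rules(script)
    findings = []

    # 1. The post says to remove the natd divert rule: NAT (user ppp nat) must
    #    run before ipfw so keep-state sees consistent addresses.
    for num, tok in rules:
        if tok and tok[0] == 'divert':
            findings.append((num, 'divert rule: move NAT in front of ipfw'))

    # 2. check-state must be numbered below every keep-state rule, otherwise
    #    reply packets are never matched against the dynamic table.
    check = [num for num, tok in rules if tok == ['check-state']]
    keep = [num for num, tok in rules if 'keep-state' in tok]
    if not check:
        findings.append((0, 'no check-state rule'))
    elif keep and min(keep) < check[0]:
        findings.append((min(keep), 'keep-state rule numbered before check-state'))

    for num, tok in rules:
        if not tok or tok[0] != 'allow' or 'via' not in tok:
            continue
        if tok[tok.index('via') + 1] != outside_if:
            continue                        # lo0 / LAN / dial-in exemptions
        # 3. "No state-less rules": every allow on the outside interface
        #    must create a dynamic rule.
        if 'keep-state' not in tok:
            findings.append((num, 'stateless allow on outside interface'))
        # 4. A tcp keep-state rule without `setup` lets any matching segment,
        #    not only a SYN, create dynamic state.
        elif protocol(tok) == 'tcp' and 'setup' not in tok:
            findings.append((num, 'tcp keep-state without setup'))

    # 5. The highest-numbered rule must be a deny so nothing falls through.
    if not rules or rules[-1][1][0] != 'deny':
        findings.append((rules[-1][0] if rules else 0, 'last rule is not a deny'))
    return findings


# Constructed samples in the style of the posted script (not real configs).
GOOD = """
fwcmd="/sbin/ipfw -q"
$fwcmd add 00100 allow ip from any to any via lo0  # localhost
$fwcmd add 00500 check-state
$fwcmd add 00600 allow tcp from any to any 80 out via $oif setup keep-state
$fwcmd add 00611 allow udp from any to $odns1 53 out via $oif keep-state
$fwcmd add 00820 allow log tcp from $oip to me 22 in via $oif setup keep-state
$fwcmd add 00900 deny log all from any to any in via $oif
$fwcmd add 00910 deny log logamount 500 ip from any to any
"""

BAD = """
$fwcmd add 00050 divert natd ip from any to any via $oif
$fwcmd add 00600 allow tcp from any to any 80 out via $oif setup keep-state
$fwcmd add 00620 allow udp from any to $odns1 53 out via $oif
$fwcmd add 00630 allow tcp from any to any 25 out via $oif keep-state
$fwcmd add 00700 check-state
"""

if __name__ == '__main__':
    for name, script in (('GOOD', GOOD), ('BAD', BAD)):
        print(name, lint_ruleset(script) or 'clean')
```

Running it prints `GOOD clean` and five findings for `BAD`, in rule-number order. Because `parse_rules` sorts by number, the checker sees the script the way the kernel does: the `check-state` at 00700 in the bad sample is below the keep-state rules even though it appears later in the file, which is exactly the ordering mistake the control section of the post is guarding against.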