From: Giorgos Keramidas
To: Steve Bertrand
cc: freebsd-questions@freebsd.org
Date: Sun, 1 Aug 2004 02:02:45 +0300
Message-ID: <20040731230245.GB1048@gothmog.gr>
Subject: Re: [OT] Firewall Rule Set not allowing access to DNS servers?

On 2004-07-31 13:51, Steve Bertrand wrote:
> > There are many ways in which your ruleset might break. Two of the
> > most important comments I wanted to make when I first saw the posts
> > of this thread are:
> >
> > a) Why do you use static rule numbers?
> >
> > You'd only have to use static rule numbers if your ruleset
> > had more than 65536/100 = 655 rules. This limit is
> > relatively hard to hit in a SOHO installation (Small Office,
> > Home Office). If you do reach such limits, there's
> > definitely something weird going on with the way your ruleset
> > is written ;-)
>
> Giorgos, I am interested in where I can get more information about
> this. Are you suggesting that IPFW reads the ruleset and formulates a
> rule number according to position in the script? (I always use custom
> scripts.)

The description of `rule number' in the ipfw(8) manpage explains the
way ipfw chooses rule numbers automatically:

    rule_number
        Each rule is associated with a rule_number in the range
        1..65535, with the latter reserved for the default rule.
        [...] If a rule is entered without specifying a number, the
        kernel will assign one in such a way that the rule becomes
        the last one before the default rule. Automatic rule numbers
        are assigned by incrementing the last non-default rule number
        by the value of the sysctl variable
        net.inet.ip.fw.autoinc_step which defaults to 100.

This means that the largest number of rules you can add with unique
numbers is 65534. The 65535 rule is the default firewall rule, either
a deny rule or an allow if the kernel was compiled with the option
IPFIREWALL_DEFAULT_TO_ACCEPT enabled. The autoincrement step is the
number that is automatically added to rule numbers when you don't
specify one.

For example, note the numbers that get assigned to the rules below:

    root@gothmog[01:49]/root# kldload ipfw
    root@gothmog[01:49]/root# ipfw -q flush
    root@gothmog[01:49]/root# ipfw add pass ip from 127.0.0.1 to 127.0.0.1 via lo0
    00100 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    root@gothmog[01:49]/root# ipfw add deny ip from 127.0.0.1 to any
    00200 deny ip from 127.0.0.1 to any
    root@gothmog[01:49]/root# ipfw add deny ip from any to 127.0.0.1
    00300 deny ip from any to 127.0.0.1
    root@gothmog[01:49]/root# ipfw show
    00100 0 0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    00200 0 0 deny ip from 127.0.0.1 to any
    00300 0 0 deny ip from any to 127.0.0.1
    65535 0 0 deny ip from any to any
    root@gothmog[01:49]/root# ipfw -q flush
    root@gothmog[01:49]/root# kldunload ipfw
    root@gothmog[01:49]/root#

> If this is true, how does this ``dynamic'' feature get affected when
> one houses multiple rule _sets_?

If you have multiple sets of rules that you load at random times, and
the rulesets do not explicitly specify a starting rule number, they'll
be ``stacked on top of each other'' as shown below:

    root@gothmog[01:56]/root# ls -l ruleset*
    -rw-r--r--  1 root  wheel  - 117 Aug  1 01:54 ruleset-lo0
    -rw-r--r--  1 root  wheel  -  61 Aug  1 01:55 ruleset-misc
    -rw-r--r--  1 root  wheel  - 161 Aug  1 01:56 ruleset-tcp
    root@gothmog[01:56]/root# cat ruleset-lo0
    add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    add deny ip from 127.0.0.1 to any
    add deny ip from any to 127.0.0.1
    root@gothmog[01:56]/root# cat ruleset-misc
    add allow udp from any to any
    add allow icmp from any to any
    root@gothmog[01:56]/root# cat ruleset-tcp
    add check-state
    add deny tcp from any to any established
    add allow tcp from any to any out setup keep-state
    add allow tcp from any to any 22 in setup keep-state
    root@gothmog[01:56]/root# kldload ipfw
    root@gothmog[01:57]/root# ipfw -q flush
    root@gothmog[01:57]/root# ipfw show
    65535 0 0 deny ip from any to any
    root@gothmog[01:57]/root# ipfw /root/ruleset-lo0
    00100 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    00200 deny ip from 127.0.0.1 to any
    00300 deny ip from any to 127.0.0.1
  * root@gothmog[01:57]/root# ipfw /root/ruleset-misc
    00400 allow udp from any to any
    00500 allow icmp from any to any
  * root@gothmog[01:57]/root# ipfw /root/ruleset-tcp
    00600 check-state
    00700 deny tcp from any to any established
    00800 allow tcp from any to any out setup keep-state
    00900 allow tcp from any to any dst-port 22 in setup keep-state
    root@gothmog[01:57]/root# ipfw show
    00100 0 0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    00200 0 0 deny ip from 127.0.0.1 to any
    00300 0 0 deny ip from any to 127.0.0.1
    00400 0 0 allow udp from any to any
    00500 0 0 allow icmp from any to any
    00600 0 0 check-state
    00700 0 0 deny tcp from any to any established
    00800 0 0 allow tcp from any to any out setup keep-state
    00900 0 0 allow tcp from any to any dst-port 22 in setup keep-state
    65535 0 0 deny ip from any to any

Note, at the two lines marked with `*' and in the `ipfw show' output,
how each set of rules gets attached to the end of the previous ruleset
by starting to number its rules with a number higher (by 100) than the
last rule of the previous ruleset.

If you load the rulesets in a different order, the numbers still
increase by 100 but come in a different order, matching the order in
which the sets were loaded:

    root@gothmog[01:57]/root# ipfw -q flush
    root@gothmog[01:57]/root# ipfw /root/ruleset-lo0
    00100 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    00200 deny ip from 127.0.0.1 to any
    00300 deny ip from any to 127.0.0.1
  * root@gothmog[01:57]/root# ipfw /root/ruleset-tcp
    00400 check-state
    00500 deny tcp from any to any established
    00600 allow tcp from any to any out setup keep-state
    00700 allow tcp from any to any dst-port 22 in setup keep-state
  * root@gothmog[01:57]/root# ipfw /root/ruleset-misc
    00800 allow udp from any to any
    00900 allow icmp from any to any
    root@gothmog[01:57]/root# ipfw show
    00100 0 0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    00200 0 0 deny ip from 127.0.0.1 to any
    00300 0 0 deny ip from any to 127.0.0.1
    00400 0 0 check-state
    00500 0 0 deny tcp from any to any established
    00600 0 0 allow tcp from any to any out setup keep-state
    00700 0 0 allow tcp from any to any dst-port 22 in setup keep-state
    00800 0 0 allow udp from any to any
    00900 0 0 allow icmp from any to any
    65535 0 0 deny ip from any to any

> Can you please provide any links to information that I can gain
> valuable information on this? This would certainly make ruleset
> creation much easier ;o)
>
> Also, links to any information on how/what/why on the 16b/100 limit on
> the dynamic rules, so I (we) can learn more about this?

I'm not sure I understand this question :-/

Cheers

- Giorgos
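The numbering behaviour described in the message above, as an added example in Python that is not part of the original thread and is not ipfw source code: a small model of the algorithm the quoted ipfw(8) text spells out (an unnumbered rule gets the highest non-default rule number plus autoinc_step; 65535 is reserved for the default rule), fed the three rulesets from the message in both load orders. Two details are assumptions of the model rather than behaviour shown on the page: autoinc_step is clamped to 1..1000, and the model stops with an error when the next automatic number would reach 65535 instead of guessing what the kernel does there. The names `Chain`, `parse_add` and `max_auto_rules` are my own.

```python
"""Model of how ipfw(8) assigns rule numbers automatically.

Added example, not ipfw source code. It follows the ipfw(8) text quoted
in the message: an 'add' with no number gets (highest non-default rule
number + net.inet.ip.fw.autoinc_step), and 65535 is the default rule.
"""

DEFAULT_RULE = 65535  # reserved for the default rule (deny, or allow with
                      # IPFIREWALL_DEFAULT_TO_ACCEPT)


def parse_add(line):
    """Split 'add [number] action ...' into (explicit number or None, body)."""
    words = line.split()
    if len(words) < 2 or words[0] != "add":
        raise ValueError(f"not an 'add' line: {line!r}")
    if words[1].isdigit():
        return int(words[1]), " ".join(words[2:])
    return None, " ".join(words[1:])


def max_auto_rules(step):
    """How many unnumbered rules fit before the next number would be >= 65535."""
    return (DEFAULT_RULE - 1) // step


class Chain:
    """A rule chain: (number, body) pairs kept sorted by number, plus the default."""

    def __init__(self, autoinc_step=100, default_action="deny ip from any to any"):
        # Assumption of the model: the step is clamped to 1..1000 (the range
        # ipfw(8) documents for the sysctl) instead of being rejected.
        self.step = min(max(autoinc_step, 1), 1000)
        self.rules = []  # non-default rules, sorted ascending by number
        self.default = default_action

    def add(self, line):
        """Add one 'add ...' line; return the rule number it received."""
        number, body = parse_add(line)
        if number is None:
            # "the last rule before the default rule" is the highest-numbered one;
            # an explicit low number added later does not move this high-water mark
            highest = self.rules[-1][0] if self.rules else 0
            number = highest + self.step
            if number >= DEFAULT_RULE:
                # Assumption: the model refuses to go on; the kernel's behaviour
                # at this point is not described by the text in the message.
                raise OverflowError(
                    f"next automatic number {number} would reach the default rule")
        elif not 1 <= number < DEFAULT_RULE:
            raise ValueError(f"rule number {number} outside 1..{DEFAULT_RULE - 1}")
        # Insert after any existing rules with the same or a lower number.
        pos = 0
        while pos < len(self.rules) and self.rules[pos][0] <= number:
            pos += 1
        self.rules.insert(pos, (number, body))
        return number

    def load(self, ruleset):
        """Load a ruleset file's lines; return the numbers assigned, in order."""
        return [self.add(line) for line in ruleset
                if line.strip() and not line.lstrip().startswith("#")]

    def show(self):
        """Lines in the shape of 'ipfw show', minus the packet/byte counters."""
        lines = [f"{number:05d} {body}" for number, body in self.rules]
        lines.append(f"{DEFAULT_RULE} {self.default}")
        return lines


# The three ruleset files from the message, copied as plain text.
RULESET_LO0 = """\
add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
add deny ip from 127.0.0.1 to any
add deny ip from any to 127.0.0.1
""".splitlines()

RULESET_MISC = """\
add allow udp from any to any
add allow icmp from any to any
""".splitlines()

RULESET_TCP = """\
add check-state
add deny tcp from any to any established
add allow tcp from any to any out setup keep-state
add allow tcp from any to any 22 in setup keep-state
""".splitlines()


if __name__ == "__main__":
    chain = Chain()
    for ruleset in (RULESET_LO0, RULESET_MISC, RULESET_TCP):
        chain.load(ruleset)
    print("\n".join(chain.show()))
    print(f"unnumbered rules that fit at step 100: {max_auto_rules(100)}")
```

The model does not parse or normalise rule syntax, so it echoes `22` where real ipfw prints `dst-port 22`. Two things it does make visible that the transcript only hints at: with the default step the chain takes 655 unnumbered rules (100, 200, ..., 65500) before the next one would land on 65535, which is the figure from the quoted reply, and because the next automatic number is always taken from the highest existing rule, a script that mixes an explicit low number into an otherwise unnumbered ruleset does not "pull" later automatic rules down behind it; they keep stacking at the top.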