Date:      Sat, 16 Feb 2002 21:29:02 -0500
From:      "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To:        "Patrick Soltani" <psoltani@ultradns.com>
Cc:        "Crist J. Clark" <cjc@FreeBSD.ORG>, "FBSD" <freebsd-questions@FreeBSD.ORG>, <cvarda@flopnet.com.br>
Subject:   RE: IPFW check-state rules
Message-ID:  <LPBBIGIAAKKEOEJOLEGOCEMJCHAA.barbish@a1poweruser.com>
In-Reply-To: <3DBB075EEB95944492E127F2B9A96FAF0CE102@ultra-exchange.UltraDNS.com>

Pat
Adding the 601 rule you recommended will negate the 610-695
rules that follow it that allow explicit control of what
function I want to allow. The rule set I have set up only allows
out just the functions I allow the lan users access to and the
same thing for what functions I want to allow started coming in
from the public internet. Using the advanced check-state function
of IPFW I should only have to code rules to identify the functions
I want to allow started and the bi-directional control of the packet
flow is supposed to be handled by the dynamic rules table. This is
what is happening when I use the FBSD box to ping or lynx out to the
internet, so we know the rules are functional when originating from
the FBSD box.
The problem is with requests for internet access that
originate from the lan.

Is there not an additional protocol called ARP or something like that,
that is used on the lan?

I think this rule set needs some kind of rule to allow ARPs through.
Do you know what I am talking about?



-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Patrick Soltani
Sent: Saturday, February 16, 2002 6:28 PM
To: Joe & Fhe Barbish; Crist J. Clark
Cc: FBSD
Subject: RE: IPFW check-state rules

If everything from the ipfw machine works and it does not work for the
clients that use the ipfw machine as their default gateway/nat, then I think
this line should help.

${fwcmd} add 00601 allow any from me to any out via ${oif} setup keep-state
where me is the 192.168.1.0/24 for example, if your internal machines use
this class ip.

Regards,
Patrick Soltani.
-----Original Message-----
From: Joe & Fhe Barbish [mailto:barbish@a1poweruser.com]
Sent: Saturday, February 16, 2002 8:07 AM
To: Crist J. Clark
Cc: FBSD
Subject: RE: IPFW check-state rules


Thank you for the nice explanation of why it's not working.
If there is a solution buried in your explanation I did not get it.
Could you be more to the point and just say what needs to be added
or changed to get it to work.

-----Original Message-----
From: Crist J. Clark [mailto:cjc@FreeBSD.ORG]
Sent: Saturday, February 16, 2002 7:37 AM
To: Joe & Fhe Barbish
Cc: FBSD
Subject: Re: IPFW check-state rules

On Fri, Feb 15, 2002 at 12:22:17PM -0500, Joe & Fhe Barbish wrote:
> My FBSD box is a gateway to a small lan of 3 winboxes.
> I have used a rule set based on the basic established/setup
> rules for a simple Stateful Filtering firewall.
> I changed my rules to use advanced Stateful Filtering based
> on check-state/keep-state. The new rules work fine for
> everything originating from the FBSD gateway box, but anything
> originating from the lan needing internet access does not work
> and generates this error message
> Failed to write packet back(permission denied).
>
> What am I missing?

Here's what happens:

  1) Machine on internal LAN sends out a SYN to some server on the
     Internet (192.0.2.100),

      10.100.100.2:1025 -> 192.0.2.100:80

  2) Packet goes in interface xl0, passes rule 110, gets routed,
     yada-yada.

  3) Packet goes through firewall rules on way out of tun0, hits rule
     10, diverted to natd(8), and rewritten as,

     110.170.155.117:4240 -> 192.0.2.100:80

    And natd(8) creates a state entry in its internal table for this
    connection.

  4) Rewritten packet reinjected to firewall, passes rule 600 and
     creates a state entry for,

     110.170.155.117:4240 <-> 192.0.2.100:80

     And packet goes out onto Internet.

  5) 192.0.2.100 responds and sends back the SYN-ACK,

     192.0.2.100:80 -> 110.170.155.117:4240

  6) The response comes in tun0, starts through firewall, matches rule
     10 and goes to natd(8). natd(8) has an entry for this and
     rewrites the packet to,

     192.0.2.100:80 -> 10.100.100.2:1025

  7) This packet is reinjected into the firewall and goes on... and
     falls through. It does NOT match any 'pass' rules. It hits the
     default 'deny,' and when this happens, natd(8) complains that it
     failed to write the packet back.

What happened in step (7)? Note that when the packet we got in step
(6) comes down to the (gratuitous) 'check-state' rule 500, it does NOT
match the state we generated in step (4).

> Below is my rule set, please review.
>
> oif="tun0"
> odns1="208.226.115.111"      # ISP's dns server 1 IP address
> odns2="208.226.115.112"      # ISP's dns server 2 IP address
> oip="110.170.155.117/24"     # For testing from standalone pc
>
> iif="xl0"                    # Nic card
> iip="10.100.100.1/24"        # IP address range for LAN Nic card
>
>
> ${fwcmd} add 00010 divert natd all from any to any via ${oif}
>
>
> # Internal gateway housekeeping
> ${fwcmd} add 00100 allow ip from any to any via lo0  # allow all localhost
> ${fwcmd} add 00110 allow ip from any to any via xl0  # allow all local LAN
> ${fwcmd} add 00120 allow ip from any to any via tun1 # allow all dialin call 1
> ${fwcmd} add 00130 allow ip from any to any via tun2 # allow all dialin call 2
> ${fwcmd} add 00150 deny  ip from any to 127.0.0.0/8  # deny use of localhost IP
> ${fwcmd} add 00155 deny  ip from 127.0.0.0/8 to any  # deny use of localhost IP
>
>
>
> ########  outbound section  ############################################
>
> ${fwcmd} add 00500 check-state
>
>
> # Allow out www function
> ${fwcmd} add 00600 allow tcp  from ${iip} to any 80      out via ${oif} setup keep-state
>
> # Allow out access to my ISP's Domain name server.
> ${fwcmd} add 00610 allow tcp  from me to ${odns1} 53 out via ${oif} setup keep-state
> ${fwcmd} add 00611 allow udp  from me to ${odns1} 53 out via ${oif} keep-state
> ${fwcmd} add 00615 allow tcp  from me to ${odns2} 53 out via ${oif} setup keep-state
> ${fwcmd} add 00616 allow udp  from me to ${odns2} 53 out via ${oif} keep-state
>
> # Allow out access to internet Domain name server.
> ${fwcmd} add 00618 allow tcp  from me to any      53 out via ${oif} setup keep-state
> ${fwcmd} add 00619 allow udp  from me to any      53 out via ${oif} keep-state
>
> # Allow out email function
> ${fwcmd} add 00630 allow tcp  from me to any 25,110  out via ${oif} setup keep-state
>
> # Allow out FBSD CVSUP function
> ${fwcmd} add 00640 allow tcp  from me to any 5999        out via ${oif} setup keep-state
>
> # Allow out ping
> ${fwcmd} add 00650 allow icmp from me to any         out via ${oif} keep-state
>
> # Allow out FTP
> ${fwcmd} add 00670 allow tcp  from me to any 21      out via ${oif} setup keep-state
>
> # Allow out TELNET
> ${fwcmd} add 00690 allow tcp  from me to any 23      out via ${oif} setup keep-state
>
> # Allow out Network Time Protocol (NTP) queries
> ${fwcmd} add 00695 allow udp  from me to any 123     out via ${oif} keep-state
>
>
> ########  inbound section  ############################################
>
> # Allow in & Log TCP FTP login from public internet
> ${fwcmd} add 00700 allow log tcp from ${oip} to me 21 in via ${oif} setup keep-state
>
> # Allow in ssh function
> ${fwcmd} add 00710 allow log tcp from ${oip} to me 22 in via ${oif} setup keep-state
>
> # Allow in & Log TCP telnet login
> ${fwcmd} add 00720 allow tcp from ${oip} to me 23 in via ${oif} setup keep-state
>
> # Allow in www
> ${fwcmd} add 00730 allow tcp from ${oip} to me 80 in via ${oif} setup keep-state
>
> # This sends a RESET to all ident packets.
> ${fwcmd} add 00740 reset     tcp from any    to me 113   in via ${oif}
>
> # Stop & log spoofing Attack attempts.
> # Examine incoming traffic for packets with both a source and destination
> # IP address in your local domain as per CIAC prevention alert.
> ${fwcmd} add 00745 deny log ip from me to me  in via ${oif}
>
> # Reject & Log all setup of incoming connections from the outside
> ${fwcmd} add 00800 deny log all from any to any      in via ${oif}
>
> # Everything else is denied by default
> # deny and log all packets that fell through to see what they are
> ${fwcmd} add 05000 deny log logamount 500 ip from any to any

--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
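The seven-step packet walk Crist lays out above, modelled as an added example. This is constructed illustration code, not anything from the thread, from ipfw or from natd: it keeps a toy dynamic-rule table keyed on the 5-tuple a packet carried when keep-state fired, a toy natd translation table, and replays the SYN / SYN-ACK exchange with the addresses, rule numbers and NAT port (4240) used in the thread. Beyond the thread's own case, it also runs a hypothetical variant in which the dynamic entry is recorded on the pre-translation addresses, to show which tuple check-state at rule 500 actually sees in step 7; that variant is an assumption for contrast, not a recommendation from the thread, and everything about the tables is a simplification.

```python
"""Toy model of the ipfw keep-state / check-state and natd interaction.

Constructed illustration, not ipfw or natd code.  A dynamic rule is keyed
on the endpoints the packet carried at the moment keep-state fired; a
reply matches only if it carries the same endpoints at the moment
check-state runs.  natd rewrites addresses in between.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def flow_key(pkt):
    # Unordered endpoint pair: a dynamic rule matches both directions.
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


class DynamicTable:
    """Models ipfw's dynamic rule table (keep-state / check-state)."""

    def __init__(self):
        self.entries = set()

    def keep_state(self, pkt):
        self.entries.add(flow_key(pkt))

    def check_state(self, pkt):
        return flow_key(pkt) in self.entries


class Natd:
    """Masquerades private sources behind one public address (toy natd)."""

    def __init__(self, public_ip, first_port=4240):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (private ip, private port) -> public port
        self.in_map = {}    # public port -> (private ip, private port)

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, pkt):
        if pkt.dst != self.public_ip or pkt.dport not in self.in_map:
            return None      # no natd entry: packet is passed back untouched
        priv_ip, priv_port = self.in_map[pkt.dport]
        return replace(pkt, dst=priv_ip, dport=priv_port)


def walk_thread(keep_state_before_nat=False):
    """Replay steps 1-7 of the thread; return what the dynamic table held,
    what check-state saw on the reply, and the outcome.

    keep_state_before_nat=False reproduces the rule set as posted: rule 600
    fires on the packet natd has already rewritten (step 4).
    keep_state_before_nat=True is a hypothetical contrast: the entry is
    recorded on the private-side addresses before translation.
    """
    state = DynamicTable()
    nat = Natd("110.170.155.117")
    # Step 1: LAN host sends a SYN to the web server.
    syn = Packet("tcp", "10.100.100.2", 1025, "192.0.2.100", 80)
    if keep_state_before_nat:
        state.keep_state(syn)                 # hypothetical: pre-NAT addresses
    # Step 3: rule 10 diverts the outbound packet; natd rewrites the source.
    translated = nat.outbound(syn)
    if not keep_state_before_nat:
        state.keep_state(translated)          # Step 4: rule 600 on rewritten packet
    # Step 5: the server answers the public address it saw.
    syn_ack = Packet("tcp", translated.dst, translated.dport,
                     translated.src, translated.sport)
    # Step 6: rule 10 diverts the reply first; natd restores the private address.
    reinjected = nat.inbound(syn_ack)
    # Step 7: rule 500 check-state looks the reinjected packet up.
    matched = state.check_state(reinjected)
    return {
        "state_recorded_for": sorted(next(iter(state.entries))[1]),
        "reply_seen_by_check_state": (reinjected.src, reinjected.sport,
                                      reinjected.dst, reinjected.dport),
        "outcome": "allowed by check-state" if matched
                   else "fell through to default deny",
    }


if __name__ == "__main__":
    for variant in (False, True):
        print("keep-state before NAT:", variant, walk_thread(variant))
```

Running it prints one line per variant: with the rule set as posted the table holds 110.170.155.117:4240 <-> 192.0.2.100:80 while check-state is handed 192.0.2.100:80 -> 10.100.100.2:1025, so the reply falls through to the default deny exactly as in step 7; the contrast variant shows that a dynamic entry only helps a NATed client when it was keyed on the addresses the packet carries at the point where check-state runs.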


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message