From owner-freebsd-questions Sat Feb 16 18:29:21 2002 Delivered-To: freebsd-questions@freebsd.org Received: from mail.mango-bay.com (mail.mango-bay.com [208.206.15.12]) by hub.freebsd.org (Postfix) with ESMTP id 23EBD37B402; Sat, 16 Feb 2002 18:29:08 -0800 (PST) Received: from barbish ([63.70.155.44]) by mail.mango-bay.com (Post.Office MTA v3.5.3 release 223 ID# 0-52377U2500L250S0V35) with SMTP id com; Sat, 16 Feb 2002 21:33:17 -0500 From: "Joe & Fhe Barbish" To: "Patrick Soltani" Cc: "Crist J. Clark" , "FBSD" , Subject: RE: IPFW check-state rules Date: Sat, 16 Feb 2002 21:29:02 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <3DBB075EEB95944492E127F2B9A96FAF0CE102@ultra-exchange.UltraDNS.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Pat Adding the 601 rule you recommended will negate the 610-695 rules that follow it that allow explicit control of what function I want to allow. The rule set I have setup only allows out just the functions I allow the lan users access to and the same thing for what functions I want to allow started coming in from the public internet. Using the advanced check-state function of IPFW I should only have to code rules to identify the functions I want to allow started and the bi-directional control of the packet flow is suppose to be handled by the dynamic rules table. This is what is happening when I use the FBSD box to ping or lynx out to the internet so we know the rules are functional when originating from the FBSD box. The problem is with requests for internet access that originate from the lan. Is there not a additional protocol called arp or some thing like that, that is used on the lan? I think this rule set needs some kind of rule to allow arp's through. Do you know what I am talking about? -----Original Message----- From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Patrick Soltani Sent: Saturday, February 16, 2002 6:28 PM To: Joe & Fhe Barbish; Crist J. Clark Cc: FBSD Subject: RE: IPFW check-state rules If everything from the ipfw machine works and it does not work for the clients that use the ipfw machine as their default gateway/nat, then I think this line should help. ${fwcmd} add 00601 allow any from me to any out via ${oif} setup keep-state where me is the 192.168.1.0/24 for example, if your internal machines use this class ip. Regards, Patrick Soltani. -----Original Message----- From: Joe & Fhe Barbish [mailto:barbish@a1poweruser.com] Sent: Saturday, February 16, 2002 8:07 AM To: Crist J. Clark Cc: FBSD Subject: RE: IPFW check-state rules Thank you for the nice explanation of why it's not working. If there is a solution buried in your explanation I did not get it. Could you be more to the point and just say what needs to be added or changed to get it to work. -----Original Message----- From: Crist J. Clark [mailto:cjc@FreeBSD.ORG] Sent: Saturday, February 16, 2002 7:37 AM To: Joe & Fhe Barbish Cc: FBSD Subject: Re: IPFW check-state rules On Fri, Feb 15, 2002 at 12:22:17PM -0500, Joe & Fhe Barbish wrote: > My FBSD box is a gateway to a small lan of 3 winboxs. > I have used a rule set based on the basic established/setup > rules for a simple Stateful Filtering firewall. > I changed my rules to use advanced Stateful Filtering based > on check-state/keep-state. The new rules work fine for every > thing originating from the FBSD gateway box, but anything > originating from the lan needing internet access does not work > and generates this error message > Failed to write packet back(permission denied). > > What am I missing? Here's what happens: 1) Machine on internal LAN sends out a SYN to some server on the Internet (192.0.2.100), 10.100.100.2:1025 -> 192.0.2.100:80 2) Packet goes in interface xl0, passes rule 110, gets routed, yada-yada. 3) Packet goes through firewall rules on way out of tun0, hits rule 10, diverted to natd(8), and rewritten as, 110.170.155.117:4240 -> 192.0.2.100:80 And natd(8) creates a state entry in its internal table for this connection. 4) Rewritten packet reinjected to firewall, passes rule 600 and creates a state entry for, 110.170.155.117:4240 <-> 192.0.2.100:80 And packet goes out onto Internet. 5) 192.0.2.100 responds and sends back the SYN-ACK, 192.0.2.100:80 -> 110.170.155.117:4240 6) The response comes in tun0, starts through firewall, matches rule 10 and goes to natd(8). natd(8) has an entry for this and rewrites the packet to, 192.0.2.100:80 -> 10.100.100.2:1025 7) This packet is reinjected into the firewall and goes on... and falls through. It does NOT match any 'pass' rules. It hits the default 'deny,' and when this happens, natd(8) compains that it failed to write the packet back. What happened in step (7)? Note that when the packet we got in step (6) comes down to the (gratuitous) 'check-state' rule 500, it does NOT match the state we generated in step (4). > Below is my rule set, please review. > > oif="tun0" > odns1="208.226.115.111" # ISP's dns server 1 IP address > odns2="208.226.115.112" # ISP's dns server 2 IP address > oip="110.170.155.117/24" # For testing from standalone pc > > iif="xl0" # Nic card > iip="10.100.100.1/24" # IP address range for LAN Nic card > > > ${fwcmd} add 00010 divert natd all from any to any via ${oif} > > > # Internal gateway housekeeping > ${fwcmd} add 00100 allow ip from any to any via lo0 # allow all localhost > ${fwcmd} add 00110 allow ip from any to any via xl0 # allow all local LAN > ${fwcmd} add 00120 allow ip from any to any via tun1 # allow all dialin call > 1 > ${fwcmd} add 00130 allow ip from any to any via tun2 # allow all dialin call > 2 > ${fwcmd} add 00150 deny ip from any to 127.0.0.0/8 # deny use of localhost > IP > ${fwcmd} add 00155 deny ip from 127.0.0.0/8 to any # deny use of localhost > IP > > > > ######## outbound section ############################################ > > ${fwcmd} add 00500 check-state > > > # Allow out www function > ${fwcmd} add 00600 allow tcp from ${iip} to any 80 out via ${oif} > setup keep-state > > # Allow out access to my ISP's Domain name server. > ${fwcmd} add 00610 allow tcp from me to ${odns1} 53 out via ${oif} setup > keep-state > ${fwcmd} add 00611 allow udp from me to ${odns1} 53 out via ${oif} > keep-state > ${fwcmd} add 00615 allow tcp from me to ${odns2} 53 out via ${oif} setup > keep-state > ${fwcmd} add 00616 allow udp from me to ${odns2} 53 out via ${oif} > keep-state > > # Allow out access to internet Domain name server. > ${fwcmd} add 00618 allow tcp from me to any 53 out via ${oif} setup > keep-state > ${fwcmd} add 00619 allow udp from me to any 53 out via ${oif} > keep-state > > # Allow out email function > ${fwcmd} add 00630 allow tcp from me to any 25,110 out via ${oif} setup > keep-state > > # Allow out FBSD CVSUP function > ${fwcmd} add 00640 allow tcp from me to any 5999 out via ${oif} > setup keep-state > > # Allow out ping > ${fwcmd} add 00650 allow icmp from me to any out via ${oif} > keep-state > > # Allow out FTP > ${fwcmd} add 00670 allow tcp from me to any 21 out via ${oif} setup > keep-state > > # Allow out TELNET > ${fwcmd} add 00690 allow tcp from me to any 23 out via ${oif} setup > keep-state > > # Allow out Network Time Protocol (NTP) queries > ${fwcmd} add 00695 allow udp from me to any 123 out via ${oif} > keep-state > > > ######## inbound section ############################################ > > # Allow in & Log TCP FTP login from public internet > ${fwcmd} add 00700 allow log tcp from ${oip} to me 21 in via ${oif} setup > keep-state > > # Allow in ssh function > ${fwcmd} add 00710 allow log tcp from ${oip} to me 22 in via ${oif} setup > keep-state > > # Allow in & Log TCP telnet login > ${fwcmd} add 00720 allow tcp from ${oip} to me 23 in via ${oif} setup > keep-state > > # Allow in www > ${fwcmd} add 00730 allow tcp from ${oip} to me 80 in via ${oif} setup > keep-state > > # This sends a RESET to all ident packets. > ${fwcmd} add 00740 reset tcp from any to me 113 in via ${oif} > > # Stop & log spoofing Attack attempts. > # Examine incoming traffic for packets with both a source and destination > # IP address in your local domain as per CIAC prevention alert. > ${fwcmd} add 00745 deny log ip from me to me in via ${oif} > > # Reject & Log all setup of incoming connections from the outside > ${fwcmd} add 00800 deny log all from any to any in via ${oif} > > # Everything else is denied by default > # deny and log all packets that fell through to see what they are > ${fwcmd} add 05000 deny log logamount 500 ip from any to any -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message