Message-ID: <41EAD5E8.9060100@locolomo.org>
Date: Sun, 16 Jan 2005 22:00:24 +0100
From: Erik Norgaard
To: gabor.kovesdan@freemail.hu
cc: freebsd-questions@freebsd.org
In-Reply-To: <20050116193347.WMON10341.viefep11-int.chello.at@hyperduron>
Subject: Re: IPF firewalling

Kövesdán Gábor wrote:
> Thanks for your answer, I've modified my rules as You suggested, but I
> haven't made groups yet. Thus the new ruleset is:

But did you resolve the named problem?
> # I don't want to filter outgoing packets
> pass out quick all
>
> # The incoming packets for dhcp, dns, ssh, mail, ftp, www
> pass in quick on rl0 proto udp from any to any port = 68 keep state keep frags
> pass in quick on rl0 proto udp from any to any port = 53 keep state keep frags
> pass in quick on rl0 proto tcp from any to any port = 53 flags S keep state keep frags
> pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state keep frags
> pass in quick on rl0 proto tcp from any to any port = 25 flags S keep state keep frags
> pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state keep frags
> pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state keep frags
> pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state keep frags
>
> # Some advanced stuff - will be set later
> #block return-rst in log quick on rl0 proto tcp from any to any
> #block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
> #block in quick on rl0 all
>
> # Allow everything for the loopback interface
> pass in quick on lo0 all
> pass out quick on lo0 all

Now reading this - maybe you left out the default action at the top of the
ruleset? I only see pass rules, and unless you compiled your kernel with
default block, the default is pass, leaving your host with no effective
firewall at all.

> I ran the ipf -Fa && ipf -f /etc/ipf.rules2 command (ipf.rules2 is this
> ruleset) via ssh, but then my connection closed, and I was unable to
> reconnect via ssh until flushing the rules and loading this ruleset:
>
> pass in all
> pass out all

It should suffice just to flush the rules, unless you compiled your kernel
with default block. Whatever the default is, it is always a good idea for
clarity to include a catch-all rule.
Also, make sure to add "log" and start ipmon; when something falls through
or is blocked for other reasons, you get a log entry stating which rule
blocked it, so you can debug your ruleset. I see I left it out in the
default rules I suggested; these rules should go at the top of the file:

block out log all
block in log all

Whatever falls through your ruleset will be logged so you can analyse it.

When you flush your rulesets, the state table is not flushed, so you
shouldn't lose your connection.

Also, I recommend reading rules into the inactive rule table first, then
swapping. This way you make sure your rules do not contain typos and you
don't leave your firewall/host vulnerable.

# ipf -IFa && ipf -I -f rulesfile && ipf -s && sleep 60 && ipf -s

lets you test the new ruleset for 60 seconds, should you lose the
connection. If things work, then

# ipf -IFa && ipf -I -f rulesfile && ipf -s && ipf -IFa

Cheers, Erik
-- 
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
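The staged-load-and-swap procedure from the mail above, wrapped in a small script with an automatic rollback, as an added example (not part of the original message or of the IPFilter distribution). It uses the ipf(8) flags named in the mail: -I (operate on the inactive set), -Fa (flush all rules in that set), -f (load a rules file) and -s (swap active and inactive sets). The IPF, GRACE and CONFIRM_FILE variables, the function names, and the example ruleset (the quoted rules with the block-and-log catch-all placed first) are this example's own assumptions; the ruleset is constructed here and is not tuned for any real host.

```shell
#!/bin/sh
# ipf-safe-reload.sh: added example, not from the original mail.
# Loads a new IPFilter ruleset into the inactive set (syntax check without
# touching the live set), swaps it in, and swaps the old set back unless
# someone confirms within GRACE seconds from a still-working ssh session.
# Assumes the ipf(8) flags used in the mail: -I (inactive set), -Fa (flush
# all), -f (load file), -s (swap sets). IPF, GRACE, CONFIRM_FILE and the
# function names are this example's own.

IPF="${IPF:-ipf}"                       # command used to talk to IPFilter
GRACE="${GRACE:-60}"                    # seconds to wait before rolling back
CONFIRM_FILE="${CONFIRM_FILE:-/var/run/ipf-confirm}"

run_ipf() { "$IPF" "$@"; }

# A constructed ruleset in the shape of the one quoted in the thread, with
# the catch-all block+log rules first, so the effective default is "block"
# regardless of how the kernel was compiled and ipmon logs what fell through.
example_ruleset() {
    cat <<'EOF'
# default action: block and log anything no later rule passes
block out log all
block in log all

# outgoing packets are not filtered
pass out quick all

# incoming dhcp, dns, ssh, mail, ftp, www on rl0
pass in quick on rl0 proto udp from any to any port = 68 keep state keep frags
pass in quick on rl0 proto udp from any to any port = 53 keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 53 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 25 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state keep frags

# loopback is unrestricted
pass in quick on lo0 all
pass out quick on lo0 all
EOF
}

# Load RULES into the inactive set only. A syntax error makes ipf fail here
# without changing the active set; non-zero status means "do not swap".
stage_rules() {
    rules="$1"
    [ -r "$rules" ] || { echo "cannot read $rules" >&2; return 2; }
    run_ipf -IFa && run_ipf -I -f "$rules"
}

# Swap the staged set in and wait for confirmation. Returns 0 if confirmed
# (the old set, now inactive, is flushed), 1 if the grace period expired
# and the old set was swapped back in.
activate_with_rollback() {
    rm -f "$CONFIRM_FILE"
    run_ipf -s || return 2
    waited=0
    while [ "$waited" -lt "$GRACE" ]; do
        if [ -e "$CONFIRM_FILE" ]; then
            rm -f "$CONFIRM_FILE"
            run_ipf -IFa            # drop the old set, which is now inactive
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    run_ipf -s                      # nobody confirmed: swap the old set back
    return 1
}

# Run from a second ssh session once you have verified you can still log in.
confirm() { : > "$CONFIRM_FILE"; }

case "${1-}" in
    stage)   stage_rules "$2" ;;
    reload)  stage_rules "$2" && activate_with_rollback ;;
    confirm) confirm ;;
    "")      ;;                     # no arguments: only define the functions
    *) echo "usage: $0 stage|reload rulesfile | confirm" >&2; exit 64 ;;
esac
```

Usage: `sh ipf-safe-reload.sh reload /etc/ipf.rules2` from your existing ssh session, then open a new ssh session and run `sh ipf-safe-reload.sh confirm`. If the new session cannot connect, do nothing: after GRACE seconds the script swaps the previous ruleset back, which is the same effect as the `sleep 60 && ipf -s` sequence in the mail, minus the need to type it correctly under pressure. A rules file that ipf rejects never reaches the active set, because `stage_rules` loads it into the inactive set first.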