Date:      Sun, 23 Aug 2015 16:00:15 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Hiroki Sato <hrs@freebsd.org>
Cc:        truckman@freebsd.org, freebsd-net@freebsd.org
Subject:   Re: a couple /etc/rc.firewall questions
Message-ID:  <20150823151421.G8515@sola.nimnet.asn.au>
In-Reply-To: <20150823.084453.1715908115913144015.hrs@allbsd.org>
References:  <201508222103.t7ML3gAx000794@gw.catspoiler.org> <20150823.084453.1715908115913144015.hrs@allbsd.org>


On Sun, 23 Aug 2015 08:44:53 +0900, Hiroki Sato wrote:
 > Don Lewis <truckman@FreeBSD.org> wrote
 >   in <201508222103.t7ML3gAx000794@gw.catspoiler.org>:
 > 
 > tr> The example /etc/rc.firewall has provisions to use either in-kernel NAT
 > tr> or natd for the open and client firewall types, but the simple firewall
 > tr> type only has code for natd.  Is there any reason that in-kernel NAT
 > tr> could not be used with the simple firewall type?
 > 
 >  I think there is no particular reason.  Simple rule was just not updated.

I did send you and -ipfw@ a patch for that on several occasions since 
Feb. 2013, though I did fail to push it into the 3-4 PRs it affected.

The attached patch addresses that, chooses kernel NAT over natd(8) if 
both were enabled in rc.conf, updates some commentary and fixes an 
overwordy line in 'workstation'.  Just now checked it against HEAD.

 > tr> After allowing connections to selected TCP ports and then denying all
 > tr> other incoming TCP setup connections from ${oif}, the simple firewall
 > tr> code in /etc/rc.firewall then permits all other TCP setup connections:
 > tr> 	# Allow setup of any other TCP connection
 > tr> 	${fwcmd} add pass tcp from any to any setup
 > tr> This is potentially undesirable since it allows unrestricted TCP
 > tr> connections between "me" and the inside network.  When I changed this to
 > tr> 	${fwcmd} add pass tcp from any to any out via ${oif} setup
 > tr> I was able to open TCP connections from the firewall box to the outside,
 > tr> but NATed connections from inside network to the outside were blocked.
 > tr> If I run "ipfw show", it appears that the TCP setup packets are falling
 > tr> through to the final implicit deny all rule, but I don't see any obvious
 > tr> reason.
 > 
 >  A TCP setup packet coming from a host on the internal LAN to the NAPT
 >  router falls into the last deny-all rule because it does not match if
 >  you added "out via ${oif}" to that rule.  Does the following
 >  additional rule work for you?
 > 
 >  ${fwcmd} add pass tcp from any to any out via ${oif} setup

That looks ok, maybe some UDP too?  Adding some stateful rules is 
another option for dealing with inside hosts' external requests.

 >  ${fwcmd} add pass tcp from any to not me in via ${iif} setup

If you want to deny inside hosts access to host services, that'll do it.

The other long-term issue with 'simple' is that it permits no ICMPv4 at 
all.  Neither inside nor outside, no pings, no PMTU, nothing ... although 
it curiously allows selected ICMP for IPv6.  I usually add something like:

 ${fwcmd} add pass icmp from any to any icmptype 0,3,8,11

If you don't want to allow pings from outside your net, precede it with:

 ${fwcmd} add deny icmp from any to any in recv ${oif} icmptype 8

cheers, Ian

 > -- Hiroki
[Attachment: rc.firewall.patch2 (base64-encoded patch, not reproduced here)]
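The two rule-ordering questions in this thread (why Don's "out via ${oif} setup" rule alone strands NATed LAN connections at the implicit deny, and how Ian's two ICMP rules interact) come down to ipfw's first-match evaluation and the fact that a forwarded packet traverses the ruleset once per interface it crosses.  The following is an added example, not code from this thread or from FreeBSD's rc.firewall: a deliberately simplified Python model of that evaluation.  The interface names em0/em1, the addresses, and the NAT step (source rewritten to the external address between the inbound and outbound traversal) are assumptions made for the illustration; stateful rules, divert/natd, and lookup tables are not modelled.

```python
# Added example, not code from this thread or from FreeBSD's rc.firewall:
# a deliberately simplified first-match model of ipfw(8) rule evaluation.
# Interface names, addresses and the NAT step below are assumptions.
from dataclasses import dataclass, replace
from typing import Optional

OIF, IIF = "em0", "em1"                        # assumed ${oif} and ${iif}
EXT_ADDR, INT_ADDR = "203.0.113.1", "192.168.1.1"
ME = {EXT_ADDR, INT_ADDR}                      # what ipfw's "me" resolves to

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str                  # "in" or "out"
    iface: str                      # interface the packet is seen on
    setup: bool = False             # TCP SYN without ACK (ipfw "setup")
    icmptype: Optional[int] = None

@dataclass
class Rule:
    action: str                     # "pass" or "deny"
    proto: str = "any"
    src: str = "any"                # "any", "me" or "not me"
    dst: str = "any"
    direction: Optional[str] = None # None behaves like "via": either way
    iface: Optional[str] = None
    setup: bool = False             # match only TCP setup packets
    icmptypes: Optional[frozenset] = None

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto == "any" or self.proto == p.proto)
            and addr_ok(self.src, p.src) and addr_ok(self.dst, p.dst)
            and (self.direction is None or self.direction == p.direction)
            and (self.iface is None or self.iface == p.iface)
            and (not self.setup or (p.proto == "tcp" and p.setup))
            and (self.icmptypes is None or p.icmptype in self.icmptypes)
        )

def addr_ok(spec: str, addr: str) -> bool:
    if spec == "me":
        return addr in ME
    if spec == "not me":
        return addr not in ME
    return spec == "any" or spec == addr

def evaluate(rules, p: Packet) -> str:
    """First matching rule wins; no match falls to the implicit final deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

def forward_from_lan(rules, p: Packet) -> str:
    """A LAN host's packet meets the ruleset inbound on ${iif}.  Unless it is
    addressed to the router itself it is then NATed and meets the ruleset
    again outbound on ${oif}; it gets through only if every pass says pass."""
    if evaluate(rules, replace(p, direction="in", iface=IIF)) == "deny":
        return "deny"
    if p.dst in ME:
        return "pass"
    return evaluate(rules, replace(p, direction="out", iface=OIF, src=EXT_ADDR))

# Constructed sample traffic.
ROUTER_SYN = Packet("tcp", EXT_ADDR, "198.51.100.5", "out", OIF, setup=True)
LAN_SYN = Packet("tcp", "192.168.1.10", "198.51.100.5", "in", IIF, setup=True)
LAN_TO_ROUTER_SYN = Packet("tcp", "192.168.1.10", INT_ADDR, "in", IIF, setup=True)

# The modified rule from the thread, alone in front of the implicit deny.
DON_RULES = [Rule("pass", "tcp", direction="out", iface=OIF, setup=True)]
# Hiroki's addition: LAN hosts may open connections, but not to the router.
HIROKI_RULES = DON_RULES + [
    Rule("pass", "tcp", dst="not me", direction="in", iface=IIF, setup=True)]
# Ian's ICMP rules: drop external echo requests, then allow the useful types.
ICMP_RULES = [
    Rule("deny", "icmp", direction="in", iface=OIF, icmptypes=frozenset({8})),
    Rule("pass", "icmp", icmptypes=frozenset({0, 3, 8, 11}))]

def tcp_outcomes(rules) -> dict:
    return {
        "router->outside": evaluate(rules, ROUTER_SYN),
        "lan->outside": forward_from_lan(rules, LAN_SYN),
        "lan->router": forward_from_lan(rules, LAN_TO_ROUTER_SYN),
    }

def icmp_outcomes(rules=ICMP_RULES) -> dict:
    def icmp(src, dst, direction, iface, t):
        return evaluate(rules, Packet("icmp", src, dst, direction, iface, icmptype=t))
    return {
        "echo-req from outside": icmp("198.51.100.5", EXT_ADDR, "in", OIF, 8),
        "echo-req from lan": icmp("192.168.1.10", INT_ADDR, "in", IIF, 8),
        "echo-reply from outside": icmp("198.51.100.5", EXT_ADDR, "in", OIF, 0),
        "redirect from outside": icmp("198.51.100.5", EXT_ADDR, "in", OIF, 5),
    }
```

With only Don's rule, tcp_outcomes(DON_RULES) passes the router's own connection but denies the LAN host's SYN, because on its first traversal that SYN is "in via em1", matches nothing, and never reaches the NAT step; that is exactly the "falls through to the final implicit deny" symptom reported with ipfw show.  Adding Hiroki's "in via ${iif}" rule (HIROKI_RULES) lets the SYN through the first traversal, after which the NATed packet matches Don's outbound rule, while a SYN from the LAN to the router itself is still refused because "not me" excludes it.  For ICMP, icmp_outcomes() shows why the deny must precede the pass: with the order reversed, the "icmptype 0,3,8,11" rule would match an external echo request first.  Real ipfw differs in details this model omits (NAT is itself a rule the packet re-enters after, "recv" and "via" are distinct keywords, and keep-state changes the picture entirely), so treat it as an aid to reading rc.firewall, not a substitute for testing the real ruleset.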