Date: Sun, 23 Aug 2015 16:00:15 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Hiroki Sato <hrs@freebsd.org>
Cc: truckman@freebsd.org, freebsd-net@freebsd.org
Subject: Re: a couple /etc/rc.firewall questions
Message-ID: <20150823151421.G8515@sola.nimnet.asn.au>
In-Reply-To: <20150823.084453.1715908115913144015.hrs@allbsd.org>
References: <201508222103.t7ML3gAx000794@gw.catspoiler.org> <20150823.084453.1715908115913144015.hrs@allbsd.org>
On Sun, 23 Aug 2015 08:44:53 +0900, Hiroki Sato wrote:
> Don Lewis <truckman@FreeBSD.org> wrote
>   in <201508222103.t7ML3gAx000794@gw.catspoiler.org>:
>
> tr> The example /etc/rc.firewall has provisions to use either in-kernel NAT
> tr> or natd for the open and client firewall types, but the simple firewall
> tr> type only has code for natd.  Is there any reason that in-kernel NAT
> tr> could not be used with the simple firewall type?
>
> I think there is no particular reason.  Simple rule was just not updated.

I did send you and -ipfw@ a patch for that on several occasions since Feb.
2013, though I did fail to push it into the 3-4 PRs it affected.

The attached patch addresses that, chooses kernel NAT over natd(8) if both
were enabled in rc.conf, updates some commentary and fixes an overwordy line
in 'workstation'.  Just now checked it against HEAD.

> tr> After allowing connections to selected TCP ports and then denying all
> tr> other incoming TCP setup connections from ${oif}, the simple firewall
> tr> code in /etc/rc.firewall then permits all other TCP setup connections:
> tr>
> tr> 	# Allow setup of any other TCP connection
> tr> 	${fwcmd} add pass tcp from any to any setup
> tr>
> tr> This is potentially undesirable since it allows unrestricted TCP
> tr> connections between "me" and the inside network.  When I changed this to
> tr>
> tr> 	${fwcmd} add pass tcp from any to any out via ${oif} setup
> tr>
> tr> I was able to open TCP connections from the firewall box to the outside,
> tr> but NATed connections from inside network to the outside were blocked.
> tr> If I run "ipfw show", it appears that the TCP setup packets are falling
> tr> through to the final implicit deny all rule, but I don't see any obvious
> tr> reason.
>
> A TCP setup packet coming from a host on the internal LAN to the NAPT
> router falls into the last deny-all rule because it does not match if
> you added "out via ${oif}" to that rule.  Does the following
> additional rule work for you?
>
> ${fwcmd} add pass tcp from any to any out via ${oif} setup

That looks ok, maybe some UDP too?  Adding some stateful rules is another
option for dealing with inside hosts' external requests.

> ${fwcmd} add pass tcp from any to not me in via ${iif} setup

If you want to deny inside hosts access to host services, that'll do it.

The other long-term issue with 'simple' is that it permits no ICMPv4 at
all.  Neither inside nor outside, no pings, no PMTU, nothing .. although
curiously allows selected ICMP for ipv6.  I usually add something like:

	${fwcmd} add pass icmp from any to any icmptype 0,3,8,11

If you don't want to allow pings from outside your net, preceded with:

	${fwcmd} add deny icmp from any to any in recv ${oif} icmptype 8

cheers, Ian

> -- Hiroki

[Attachment: rc.firewall.patch2 (base64-encoded patch, not reproduced here)]
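As an added illustration (not code from this thread or from FreeBSD's rc.firewall), the following rc.firewall-style sh fragment collects the 'simple' type rule changes discussed above: the narrowed TCP setup rules and the ICMPv4 rules. It assumes the interface names em0/em1 and defaults fwcmd to echo, so the rules are printed rather than installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.firewall.
# fwcmd defaults to echo so the rules are printed, not installed;
# em0/em1 are assumed interface names, not taken from the thread.

oif="em0"                  # outside interface (assumed)
iif="em1"                  # inside interface (assumed)
fwcmd="${fwcmd:-echo}"     # set fwcmd=/sbin/ipfw to really install the rules

# TCP setup: instead of the unrestricted "from any to any setup", pass only
# setup packets leaving via ${oif} (firewall-originated and NATed inside
# traffic, which leaves via ${oif} after translation) and inside hosts'
# setup packets arriving on ${iif} that are not addressed to the firewall.
# The "not me" rule is what keeps inside hosts away from host services.
simple_tcp_setup_rules() {
	${fwcmd} add pass tcp from any to any out via ${oif} setup
	${fwcmd} add pass tcp from any to not me in via ${iif} setup
}

# ICMPv4: the stock 'simple' type passes no ICMPv4, breaking ping,
# destination-unreachable reporting and path-MTU discovery.  Pass types
# 0 (echo reply), 3 (unreachable), 8 (echo request) and 11 (time exceeded).
# Pass "NO" as $1 to refuse echo requests arriving on ${oif}; ipfw matches
# rules in order, so that deny must be emitted before the pass rule.
simple_icmp_rules() {
	if [ "${1:-YES}" != "YES" ]; then
		${fwcmd} add deny icmp from any to any in recv ${oif} icmptype 8
	fi
	${fwcmd} add pass icmp from any to any icmptype 0,3,8,11
}

# Count the rules a generator emits (meaningful only while fwcmd=echo).
rule_count() {
	"$@" | grep -c '^add '
}

simple_tcp_setup_rules
simple_icmp_rules NO
```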