From owner-freebsd-questions@FreeBSD.ORG Sun Jun 20 21:26:11 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 59C2916A4CE for ; Sun, 20 Jun 2004 21:26:11 +0000 (GMT)
Received: from smtp19.wxs.nl (smtp19.wxs.nl [195.121.6.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2300D43D41 for ; Sun, 20 Jun 2004 21:26:11 +0000 (GMT) (envelope-from freebsd@akruijff.dds.nl)
Received: from kruij557.speed.planet.nl (ipd50a97ba.speed.planet.nl [213.10.151.186]) by smtp19.wxs.nl (iPlanet Messaging Server 5.2 HotFix 1.25 (built Mar 3 2004)) with ESMTP id <0HZM00AF9M71VW@smtp19.wxs.nl> for freebsd-questions@freebsd.org; Sun, 20 Jun 2004 23:25:50 +0200 (CEST)
Received: from alex.lan (localhost [127.0.0.1]) by kruij557.speed.planet.nl (8.12.10/8.12.10) with ESMTP id i5KLQ9CT001842; Sun, 20 Jun 2004 23:26:09 +0200
Received: (from akruijff@localhost) by alex.lan (8.12.10/8.12.10/Submit) id i5KLQ9Lh001841; Sun, 20 Jun 2004 23:26:09 +0200
Content-return: prohibited
Date: Sun, 20 Jun 2004 23:26:09 +0200
From: Alex de Kruijff
In-reply-to: <40CF953A.9030304@lineone.net>
To: Robert Downes
Message-id: <20040620212609.GD907@alex.lan>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
Content-disposition: inline
User-Agent: Mutt/1.4.2.1i
References: <40CF953A.9030304@lineone.net>
X-Authentication-warning: alex.lan: akruijff set sender to freebsd@akruijff.dds.nl using -f
cc: FreeBSD Questions
Subject: Re: Firewall rules
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 20 Jun 2004 21:26:11 -0000

On Wed, Jun 16, 2004 at 01:32:58AM +0100, Robert Downes wrote:
> JJB wrote:
>
> >Fundamentally his keep-state rules work and yours don't.
>
> I have used his script exactly, modifying only for the differences in my
> ISP's addresses. Everything works as before, and still the check-state
> rule is showing zero packets and zero bytes, even though keep-state
> rules have been triggered. Are you sure this is not just a quirk of IPFW?
>
> > The use of
> >the skipto rule to control what ip address goes into the dynamic
> >keep-state table, IE the lan ip or the natd public ip. The bottom
> >line is native ipfw with natd and stateful rules does not work
> >together at all, unless you do some gymnastics with skipto rule so
> >the dynamic keep-state table always has the private lan ip address
> >for matching against.
>
> Yes, this is the mechanism I cannot find a clear explanation for. Can
> you recommend a link to a page that defines how IPFW stumbles on NAT and
> keep-state, because I've read and re-read the IPFW man page, and it does
> me no good whatsoever.

NAT and keep-state don't go together because NAT changes the IP address
and this causes ipfw not to recognise the rules. The trick is to allow
changed traffic after it has been passed through natd.

# There's no need to pass these through natd
20510 check-state
20520 skipto 20600 ip from not 192.168.31.0/24 to any out
20520 skipto 20600 ip from any to not 213.10.151.186 in

# Passing packets that could change through natd
20530 divert 8668 ip from any to any

# Allowing changed traffic.
20550 allow ip from 213.10.151.186 to any out
20550 allow ip from any to not 213.10.151.186 in

# keep-state rules here ...

> > Second problem is you are
> >allowing every thing out your firewall. This is very bad as it
> >allows out any trojans or spy-ware from windows boxes on your lan so
> >they can report their harvested info to the person who planted them.
> >Take control of your firewall and only allow out the exact services
> >you know you are using.
>
> No arguments there. I'm running ZoneAlarm on all Windows boxes, but it's
> still better to aim for traffic to be killed on sight by the router.

In this case you should write something like:

20550 allow ip from 213.10.151.186 80 to any out
20550 allow ip from any 80 to not 213.10.151.186 in

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/FreeBSD/
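To make the mechanism JJB and Alex are describing concrete, here is a small Python model of ipfw rule traversal. It is an added example, not code from this thread or from FreeBSD. It uses the thread's LAN 192.168.31.0/24 and public address 213.10.151.186; the peer address 198.51.100.7, the ports and the rule numbers are made up. The Natd class stands in for the natd daemon on the divert socket, and the Firewall class models only what the thread discusses: rule order, skipto, divert and the dynamic keep-state table. The BROKEN ruleset diverts through natd before the keep-state rule, so the dynamic entry holds the public address and the translated reply never matches it; the SKIPTO ruleset diverts inbound traffic before check-state and records state with the LAN address before skipping to natd, which is the "gymnastics" JJB refers to.

```python
# Toy model of ipfw rule traversal with natd (divert) and keep-state.
# Added example, not code from the thread; LAN and public IP are the
# thread's, the peer 198.51.100.7, ports and rule numbers are made up.
from dataclasses import dataclass, replace

LAN_PREFIX = "192.168.31."
PUBLIC_IP = "213.10.151.186"


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    dir: str  # "out" or "in"


class Natd:
    """Minimal natd: rewrite a LAN source to PUBLIC_IP on the way out and
    rewrite the matching reply's destination back to the LAN host."""

    def __init__(self):
        self.table = {}  # (peer ip, peer port, our port) -> LAN ip

    def translate(self, p):
        if p.dir == "out" and p.src.startswith(LAN_PREFIX):
            self.table[(p.dst, p.dport, p.sport)] = p.src
            return replace(p, src=PUBLIC_IP)
        if p.dir == "in" and p.dst == PUBLIC_IP:
            lan = self.table.get((p.src, p.sport, p.dport))
            if lan is not None:
                return replace(p, dst=lan)
        return p


class Firewall:
    """Rules are (number, action, predicate, keep_state); actions are
    check-state, divert, 'skipto N', allow and deny. keep_state records
    the packet's 5-tuple in the dynamic table. Default policy is deny."""

    def __init__(self, rules, natd):
        self.rules = sorted(rules, key=lambda r: r[0])
        self.natd = natd
        self.state = set()  # dynamic rules: (src, sport, dst, dport)

    def _in_state(self, p):
        return ((p.src, p.sport, p.dst, p.dport) in self.state
                or (p.dst, p.dport, p.src, p.sport) in self.state)

    def process(self, p):
        i = 0
        while i < len(self.rules):
            _, action, pred, keep = self.rules[i]
            if not pred(p):
                i += 1
                continue
            if keep:
                self.state.add((p.src, p.sport, p.dst, p.dport))
            if action == "check-state":
                if self._in_state(p):
                    return "allow", p
            elif action == "divert":
                p = self.natd.translate(p)  # natd re-injects at the next rule
            elif action.startswith("skipto "):
                target = int(action.split()[1])
                i = next((j for j, r in enumerate(self.rules) if r[0] >= target),
                         len(self.rules))
                continue
            else:
                return action, p
            i += 1
        return "deny", p


ANY = lambda p: True
OUT = lambda p: p.dir == "out"
IN = lambda p: p.dir == "in"
LAN_OUT = lambda p: p.dir == "out" and p.src.startswith(LAN_PREFIX)

# natd before keep-state in both directions: the dynamic entry holds the
# public address, the reply is rewritten to the LAN address, no match.
BROKEN = [(100, "divert", ANY, False),
          (200, "check-state", ANY, False),
          (300, "allow", OUT, True)]

# The skipto arrangement: inbound passes natd first so check-state sees
# the LAN address; outbound records state with the LAN address, then
# skips to natd.
SKIPTO = [(100, "divert", IN, False),
          (200, "check-state", ANY, False),
          (300, "skipto 800", LAN_OUT, True),
          (800, "divert", OUT, False),
          (810, "allow", OUT, False)]


def simulate(rules):
    """One LAN->Internet packet and its reply: verdicts, translated
    addresses and the resulting dynamic table."""
    fw = Firewall(rules, Natd())
    out_verdict, out_pkt = fw.process(Pkt("192.168.31.10", 40000, "198.51.100.7", 80, "out"))
    in_verdict, in_pkt = fw.process(Pkt("198.51.100.7", 80, PUBLIC_IP, 40000, "in"))
    return {"out": out_verdict, "out_src": out_pkt.src,
            "in": in_verdict, "in_dst": in_pkt.dst, "state": sorted(fw.state)}
```

Running simulate(BROKEN) shows the request allowed with its source rewritten to 213.10.151.186, a dynamic entry keyed on that public address, and the reply denied even though natd translated it back to 192.168.31.10; simulate(SKIPTO) allows both packets and leaves an entry keyed on the LAN address, which is the condition JJB states. The model simplifies real ipfw: a keep-state rule there also performs an implicit check-state and dynamic rules expire, but neither changes the address-matching point shown here.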