From owner-freebsd-net@FreeBSD.ORG Fri Oct 24 12:05:50 2003 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 25A9716A4B3 for ; Fri, 24 Oct 2003 12:05:50 -0700 (PDT) Received: from rwcrmhc12.comcast.net (rwcrmhc12.comcast.net [216.148.227.85]) by mx1.FreeBSD.org (Postfix) with ESMTP id 422D243FA3 for ; Fri, 24 Oct 2003 12:05:49 -0700 (PDT) (envelope-from cristjc@comcast.net) Received: from blossom.cjclark.org (12-234-156-182.client.attbi.com[12.234.156.182]) by comcast.net (rwcrmhc12) with ESMTP id <200310241905480140099ke7e>; Fri, 24 Oct 2003 19:05:48 +0000 Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.8p1/8.12.8) with ESMTP id h9OJ5kJp044675; Fri, 24 Oct 2003 12:05:46 -0700 (PDT) (envelope-from cristjc@comcast.net) Received: (from cjc@localhost) by blossom.cjclark.org (8.12.8p2/8.12.8/Submit) id h9OJ5iaR044674; Fri, 24 Oct 2003 12:05:44 -0700 (PDT) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to cristjc@comcast.net using -f Date: Fri, 24 Oct 2003 12:05:44 -0700 From: "Crist J. Clark" To: Dan Message-ID: <20031024190544.GA44312@blossom.cjclark.org> References: <200310240210.14992.dan@ntlbusiness.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200310240210.14992.dan@ntlbusiness.com> User-Agent: Mutt/1.4.1i X-URL: http://people.freebsd.org/~cjc/ cc: freebsd-net@freebsd.org Subject: Re: IPFW rules being weird? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "Crist J. Clark" List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Oct 2003 19:05:50 -0000 On Fri, Oct 24, 2003 at 02:10:14AM +0100, Dan wrote: > Hello there. > Odd query for you. > > My setup is that sis0 is the ethernet which has the business cable modem > attached to it - which serves as a gateway. sis1 is the Ethernet which my > laptop connects to (wirelessly through a HE501 wireless pc card, and HE102 > access point (both by Netgear)). > > The problem that is occuring, is that if I have the IPFW rules below, > everything works GREAT! > > fwcmd="/sbin/ipfw" > $fwcmd -f flush > $fwcmd add divert natd all from any to any via sis0 > $fwcmd add allow all from any to any > $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14 That last rule is kinda useless considering the rule before it, no? > However, the above is not "secure" as you might say. > The script below stops the laptop from being able to access th enet and i have > NO idea why! Many problems. The most basic being: use setup-established orr use keep-state for a given traffic flow. Mixing them will likely cause administrator confusion. You may have some reasons to use both in this ruleset, but it is very confusion as is. The question of which to use for your NATed adresses is answered by Big Problem Two, keep-state and natd(8) do not play well together. See the many, many, many threads on this here, on -ipfw, and on -questions. The basic issue is that the address at your end of two-way connections has the unNATed address when it hits the keep-state rules coming in from the Internet and has the NATed address when going out. Thus, you get two dynamic rules that do not match up. That spells trouble. As for what precisely is breaking here, from a quick read, I would expect TCP connections to work briefly, but quickly timeout. My guess is the reason it seems you are unable to access the 'Net at all is that DNS lookups are totally broken. (All non-TCP traffic is totally blocked, unlike TCP which will limp along a little.) On the way out, your rule, allow ip from me to any out xmit any keep-state Will create a dynamic rule for the UDP traffic from the NAT address to the DNS server. But the response will go through the rules with a source of the remote DNS server and destination in 192.168.0.0/24 which will NOT match at the keep-state or any other rule until the default drop. Are you seeing these in the logs? Or are you running DNS server on the firewall (which would actually work)? > # Define the firewall command (as in /etc/rc.firewall) for easy > # reference. Helps to make it easier to read. > fwcmd="/sbin/ipfw" > > # Force a flushing of the current rules before we reload. > $fwcmd -f flush > > # Divert all packets through the tunnel interface. > $fwcmd add 50 divert natd all from any to any via sis0 > > # Allow all connections that have dynamic rules built for them, > # but deny established connections that don't have a dynamic rule. > # See ipfw(8) for details. > $fwcmd add check-state > $fwcmd add pass tcp from any to any established > > # Allow all localhost connections > ${fwcmd} add 100 pass all from any to any via lo0 > ${fwcmd} add 200 deny all from any to 127.0.0.0/8 > ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any > > # Allow all connections from my network card that I initiate > $fwcmd add allow tcp from me to any out xmit any setup keep-state > $fwcmd add deny tcp from me to any > $fwcmd add allow ip from me to any out xmit any keep-state > $fwcmd add allow all from 192.168.0.0/24 to any > > # Everyone on the Internet is allowed to connect to the following > # services on the machine. This example specifically allows connections > # to sshd and a webserver. > $fwcmd add allow tcp from any to any established > $fwcmd add allow tcp from any to me 80 setup > $fwcmd add allow tcp from any to me 21 setup > $fwcmd add allow tcp from any to me 22 setup > > # This sends a RESET to all ident packets. > $fwcmd add reset log tcp from any to me 113 in recv any > > # Enable ICMP: remove type 8 if you don't want your host to be pingable > $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14 > > # Deny all the rest. > $fwcmd add deny log ip from any to any -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org