Date: Fri, 24 Oct 2003 21:34:31 +0000 From: <dan@ntlbusiness.com> To: "Crist J. Clark" <cjc@freebsd.org>, freebsd-net@freebsd.org Subject: Re: Re: IPFW rules being weird? Message-ID: <20031024213431.CCCH8170.mta02-svc.ntlworld.com@mta2-svc>
next in thread | raw e-mail | index | archive | help
Hi there.
Thank you for your reply!
This is all very confusing, hehe!
I'm not running a DNS server, the laptop which access through NAT I've set the nameservers as those of my ISP (and those listed in /etc/resolv.conf) of the FreeBSD box.
Is there anything to particulary think should not be there, apart from that:
>
> allow ip from me to any out xmit any keep-state
>
Your help is really appreciated on this.
Many thanks!
>
> From: "Crist J. Clark" <cristjc@comcast.net>
> Date: 2003/10/24 Fri PM 07:05:44 GMT
> To: Dan <dan@ntlbusiness.com>
> CC: freebsd-net@freebsd.org
> Subject: Re: IPFW rules being weird?
>
> On Fri, Oct 24, 2003 at 02:10:14AM +0100, Dan wrote:
> > Hello there.
> > Odd query for you.
> >
> > My setup is that sis0 is the ethernet which has the business cable modem
> > attached to it - which serves as a gateway. sis1 is the Ethernet which my
> > laptop connects to (wirelessly through a HE501 wireless pc card, and HE102
> > access point (both by Netgear)).
> >
> > The problem that is occuring, is that if I have the IPFW rules below,
> > everything works GREAT!
> >
> > fwcmd="/sbin/ipfw"
> > $fwcmd -f flush
> > $fwcmd add divert natd all from any to any via sis0
> > $fwcmd add allow all from any to any
> > $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14
>
> That last rule is kinda useless considering the rule before it, no?
>
> > However, the above is not "secure" as you might say.
> > The script below stops the laptop from being able to access th enet and i have
> > NO idea why!
>
> Many problems. The most basic being: use setup-established orr use
> keep-state for a given traffic flow. Mixing them will likely cause
> administrator confusion. You may have some reasons to use both in this
> ruleset, but it is very confusion as is.
>
> The question of which to use for your NATed adresses is answered by
> Big Problem Two, keep-state and natd(8) do not play well together. See
> the many, many, many threads on this here, on -ipfw, and on
> -questions. The basic issue is that the address at your end of two-way
> connections has the unNATed address when it hits the keep-state rules
> coming in from the Internet and has the NATed address when going
> out. Thus, you get two dynamic rules that do not match up. That spells
> trouble.
>
> As for what precisely is breaking here, from a quick read, I would
> expect TCP connections to work briefly, but quickly timeout. My guess
> is the reason it seems you are unable to access the 'Net at all is
> that DNS lookups are totally broken. (All non-TCP traffic is totally
> blocked, unlike TCP which will limp along a little.) On the way out,
> your rule,
>
> allow ip from me to any out xmit any keep-state
>
> Will create a dynamic rule for the UDP traffic from the NAT address to
> the DNS server. But the response will go through the rules with a
> source of the remote DNS server and destination in 192.168.0.0/24
> which will NOT match at the keep-state or any other rule until the
> default drop. Are you seeing these in the logs? Or are you running DNS
> server on the firewall (which would actually work)?
>
> > # Define the firewall command (as in /etc/rc.firewall) for easy
> > # reference. Helps to make it easier to read.
> > fwcmd="/sbin/ipfw"
> >
> > # Force a flushing of the current rules before we reload.
> > $fwcmd -f flush
> >
> > # Divert all packets through the tunnel interface.
> > $fwcmd add 50 divert natd all from any to any via sis0
> >
> > # Allow all connections that have dynamic rules built for them,
> > # but deny established connections that don't have a dynamic rule.
> > # See ipfw(8) for details.
> > $fwcmd add check-state
> > $fwcmd add pass tcp from any to any established
> >
> > # Allow all localhost connections
> > ${fwcmd} add 100 pass all from any to any via lo0
> > ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> > ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
> >
> > # Allow all connections from my network card that I initiate
> > $fwcmd add allow tcp from me to any out xmit any setup keep-state
> > $fwcmd add deny tcp from me to any
> > $fwcmd add allow ip from me to any out xmit any keep-state
> > $fwcmd add allow all from 192.168.0.0/24 to any
> >
> > # Everyone on the Internet is allowed to connect to the following
> > # services on the machine. This example specifically allows connections
> > # to sshd and a webserver.
> > $fwcmd add allow tcp from any to any established
> > $fwcmd add allow tcp from any to me 80 setup
> > $fwcmd add allow tcp from any to me 21 setup
> > $fwcmd add allow tcp from any to me 22 setup
> >
> > # This sends a RESET to all ident packets.
> > $fwcmd add reset log tcp from any to me 113 in recv any
> >
> > # Enable ICMP: remove type 8 if you don't want your host to be pingable
> > $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14
> >
> > # Deny all the rest.
> > $fwcmd add deny log ip from any to any
>
> --
> Crist J. Clark | cjclark@alum.mit.edu
> | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/ | cjc@freebsd.org
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031024213431.CCCH8170.mta02-svc.ntlworld.com>