Date: Sat, 02 Apr 2005 23:35:37 +0200
From: Erik Nørgaard <norgaard@locolomo.org>
To: Angelin Lalev <lalev@sv-bg.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfilter problems
Message-ID: <424F1029.6080600@locolomo.org>
In-Reply-To: <424E8FE9.1090904@sv-bg.com>
References: <424E8FE9.1090904@sv-bg.com>
Angelin Lalev wrote:
> Two days ago I switched the firewall on my FreeBSD 5.3 RELEASE
> router from ipfw to ipfilter. Firewalls are not my speciality
> and ipfilter looked like a simpler way to do NAT with a firewall, because
> it separates NAT rules from filtering rules.
>
> The router has two interfaces, rl0 (192.168.0.254/24) and rl1
> (82.137.64.106/29, 192.168.5.1/24, 10.1.6.2/24).
> ipfilter is compiled into the kernel:
> ======================
> options IPFILTER
> options IPFILTER_LOG
> options IPFILTER_DEFAULT_BLOCK
>
> /etc/ipnat.conf
> ============
> map rl1 192.168.0.1/27 -> 82.137.64.106/32
>
> /etc/ipf.rules
> ============
> pass in quick on lo0
> pass out quick on lo0
> pass out quick on rl0 all
> pass in quick on rl0 all
> pass in quick on rl1 proto tcp from 192.168.5.1/24 to 192.168.5.1 port = 80 flags S keep state
> pass in quick on rl1 proto tcp from 192.168.5.1/24 to 192.168.5.1 port = 3128 flags S keep state
> # local counter-strike server. No NAT.
> pass in quick on rl1 from 192.168.5.1/24 to 192.168.0.50 keep state
> block in quick on rl1 from 192.168.5.1/24 to any
> pass out quick on rl1 all keep state
>
> The problem
> ========
> On the 192.168.0.0/24 network I have 6 machines. The router itself is an old
> 166 MHz Pentium box, but load averages are not bigger than 10%. When one
> of the machines makes a DNS lookup (the DNS server is on the outside -
> 62.73.78.2) it fails with a timeout about 9 times out of 10.
> ipfstat -t shows that a state entry is created - something like this:
>
> Source IP           Dest IP          ST   PR   pkts.  bytes
> 192.168.0.4,1029    62.73.78.2,53    0/0  udp  165    9992
>
> Any help will be appreciated.

Well, the short answer is: there is no keep state in the line

    pass in quick on rl0 all

The DNS reply you get back times out because your default rule is block and
there is nothing in the "in" rules for rl1 that allows the reply back.
Some recommendations:

1) I have a bit of difficulty understanding your network setup - why do you
   have two private networks on your external interface? Maybe sketch it in a
   diagram.

2) Having a default block can be done by adding the rules

       block in all
       block out all

   at the top of the ruleset rather than compiling it into the kernel. It makes
   it explicit. It also means that you can connect if no rules are present -
   this is useful for installing while the machine is behind a gateway. With
   your "pass in all" rules, you have almost effectively disabled the default
   block anyway.

3) For your security, in all pass rules state "from" and "to" even if it is
   "any"; it makes it more explicit. Split on protocols for security and
   control.

4) At least when setting up your firewall, use "log" in all block rules and
   enable ipmon, then you can see where your packets are blocked.

5) Use groups to structure your rules, and group them accordingly visually. It
   makes them easier to manage and for large rulesets optimises the firewall.

6) Always keep state! Doing so, all "out" rules only apply to the gateway
   itself; it makes the ruleset shorter and the firewall faster.

7) You probably want to enable the ftp-proxy in your NAT rule and define which
   port ranges are used for NAT'ed connections.

and a lot more you'll learn along the way :-)

Erik
-- 
Ph: +34.666334818                   web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
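As an added illustration of the recommendations in this reply (not part of Erik's or Angelin's mail, and not the ruleset that was actually deployed), here is an ipf.rules and ipnat.conf pair for the same two-interface router: explicit, logged default blocks at the top; "from" and "to" plus a protocol on every pass rule; keep state on the LAN-facing "in" rules so DNS and other replies are admitted from the state table instead of needing "in" rules on rl1; a group for the rl1 rules; and the ftp proxy plus a portmap range in the NAT rules. The group number 100, the portmap range 40000:60000, the use of 192.168.0.0/24 rather than the original 192.168.0.1/27 in the map rules, and the rc.conf lines for ipmon are assumptions made for the example.

```conf
# ---- /etc/ipf.rules (example, assumed layout) ----

# Explicit default policy, logged, at the top of the ruleset. These are
# last-match rules; every "quick" rule below short-circuits past them.
block in log all
block out log all

# Loopback
pass in quick on lo0 from any to any
pass out quick on lo0 from any to any

# rl0: internal LAN 192.168.0.0/24. Keep state on each pass rule so the
# state table admits the forwarded packet out on rl1 and its reply back in
# on rl1, without any "in" rule on rl1 for the reply.
pass in quick on rl0 proto udp from 192.168.0.0/24 to any port = 53 keep state
pass in quick on rl0 proto tcp from 192.168.0.0/24 to any flags S keep state
pass in quick on rl0 proto udp from 192.168.0.0/24 to any keep state
pass in quick on rl0 proto icmp from 192.168.0.0/24 to any keep state
# Gateway's own traffic towards the LAN
pass out quick on rl0 proto tcp from any to 192.168.0.0/24 flags S keep state
pass out quick on rl0 proto udp from any to 192.168.0.0/24 keep state
pass out quick on rl0 proto icmp from any to 192.168.0.0/24 keep state

# rl1: external interface. Everything arriving on rl1 is handled in group 100;
# if nothing in the group matches, the head rule's own action (block) applies.
block in log quick on rl1 all head 100
  pass in quick on rl1 proto tcp from 192.168.5.0/24 to 192.168.5.1 port = 80 flags S keep state group 100
  pass in quick on rl1 proto tcp from 192.168.5.0/24 to 192.168.5.1 port = 3128 flags S keep state group 100
  # local counter-strike server. No NAT.
  pass in quick on rl1 proto tcp from 192.168.5.0/24 to 192.168.0.50 flags S keep state group 100
  pass in quick on rl1 proto udp from 192.168.5.0/24 to 192.168.0.50 keep state group 100
  block in log quick on rl1 from 192.168.5.0/24 to any group 100

# Because every "in" rule keeps state, these "out" rules only ever see the
# gateway's own connections (recommendation 6), split by protocol.
pass out quick on rl1 proto tcp from any to any flags S keep state
pass out quick on rl1 proto udp from any to any keep state
pass out quick on rl1 proto icmp from any to any keep state

# ---- /etc/ipnat.conf (example, assumed layout) ----

# The proxy rule must come before the general map rules for the same range.
map rl1 192.168.0.0/24 -> 82.137.64.106/32 proxy port ftp ftp/tcp
# Bind NAT'ed tcp/udp source ports to a known range (assumed range).
map rl1 192.168.0.0/24 -> 82.137.64.106/32 portmap tcp/udp 40000:60000
map rl1 192.168.0.0/24 -> 82.137.64.106/32

# ---- /etc/rc.conf additions (assumed) so logged blocks reach syslog ----
# ipmon_enable="YES"
# ipmon_flags="-Ds"
```

With the blocks logged and ipmon running, a dropped packet shows up in the ipmon output with the interface and the rule number that blocked it, which is what recommendation 4 is about: check the log first, then decide which pass rule is missing. Load the files with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.conf`, and use `ipfstat -t` to watch the state entries the LAN rules create.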