Date: Sat, 27 Apr 2002 16:30:41 -0700
From: "Crist J. Clark"
To: Drew Tomlinson
Cc: security@FreeBSD.ORG
Subject: Re: Stateful IPFW Firewall Assistance
Message-ID: <20020427163041.A37618@blossom.cjclark.org>
In-Reply-To: <020501c1ecb4$4e21a220$6e2a6ba5@lc.ca.gov>

On Thu, Apr 25, 2002 at 04:52:47PM -0700, Drew Tomlinson wrote:
> I'm trying to fine-tune my firewall and am hoping for a little advice
> regarding stateful behavior. I built this rule set based upon an
> example by Peter Brezny I found on the web so it may look familiar.
>
> Here's my current network setup:
>
>                  ISP
>                   |
>                   | Public DHCP address
>                   |
>          3Com ADSL Modem/Router
>   (Router performs NAT and passes packets to 10.2 by default)
>                   | (192.168.10.1)
>                   |
>                   |
>                   | (ed1 192.168.10.2)
>             FBSD Gateway
>                   | (ed0 192.168.1.2)
>                   |
>                   |
>             Internal LAN
>
> And here are my current firewall rules:
>
> 00100 allow ip from any to any via lo0
> 00200 deny log ip from any to 127.0.0.0/8
> 00300 deny log ip from 192.168.1.0/24 to any in recv ed1
> 00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
> 00500 allow tcp from any to any established
> 00600 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993 setup

This seems odd. How can anyone ever get packets to your various nets in
the 192.168.0.0/16 range from the outside? Maybe these are masked
examples? Anyway, you probably want the above to read as,

  00500 allow tcp from 192.168.1.0/24 21,22,25,80,143,389,443,993 to any established
  00600 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993

> 00700 allow tcp from any to 192.168.10.2 21,22 setup

And this as,

  00700 allow tcp from 192.168.10.2 21,22 to any established
  00750 allow tcp from any to 192.168.10.2 21,22

This way, you get rid of that 'pass tcp from any to any established'
rule that will mess up,

> 01900 check-state
> 02000 allow ip from 192.168.10.2 to any keep-state out xmit ed1
> 02100 allow ip from 192.168.1.0/24 to any keep-state via ed0

The keep-state rules by passing packets that they have state on. Also
note that the 'check-state' rule here is completely redundant and can be
removed.

> 65500 deny log ip from any to any
>
> In reading the ipfw man page, it tells me that "established" matches any
> packet that has the RST or ACK bit set which is normal TCP traffic.
> However this seems like it would be pretty easy to fake. In this case,
> my rule 00500 leaves me pretty wide open? My thought is to change rules
> 00500-00700 to use check-state and keep-state so the rules look like
> this:
>
> 00450 check-state
> 00500 deny tcp from any to any established
> 00600 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993
> setup keep-state
> 00700 allow tcp from any to 192.168.10.2 21,22 setup keep-state
>
> However, I don't understand how this will affect the rest of the rules,
> especially 01900-02000. I'd appreciate any comments on this issue.

There is not a lot of reason to use 'keep-state' on incoming
connections. But you may want to put the 'check-state' rule earlier.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
http://people.freebsd.org/~cjc/    |     cjclark@jhu.edu  |  cjc@freebsd.org
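The following is an added example, not part of either message and not ipfw itself: a toy rule evaluator, written for this page, that traces which rule a packet hits under Drew's posted rule set and under the rewrite Crist suggests (his port-restricted 'established' rules and 00750, with check-state moved up to Drew's proposed 00450 and the redundant 01900 dropped). It models only the keywords those rules use, treats 'established' exactly as the man page text quoted above describes it (ACK or RST set), and evaluates each packet once, on its inbound pass through the interface it arrives on; real ipfw also evaluates a forwarded packet on its outbound interface. The packets and addresses (1.2.3.4, the LAN hosts .10 and .50) are constructed test traffic.

```python
"""Added example, not ipfw and not code from the thread: a toy ipfw rule evaluator that
traces which rule each packet hits under Drew's rule set and Crist's rewrite."""
import ipaddress

COMMON = """\
00100 allow ip from any to any via lo0
00200 deny log ip from any to 127.0.0.0/8
00300 deny log ip from 192.168.1.0/24 to any in recv ed1
00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
"""
ORIGINAL = COMMON + """\
00500 allow tcp from any to any established
00600 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993 setup
00700 allow tcp from any to 192.168.10.2 21,22 setup
01900 check-state
02000 allow ip from 192.168.10.2 to any keep-state out xmit ed1
02100 allow ip from 192.168.1.0/24 to any keep-state via ed0
65500 deny log ip from any to any
"""
# Crist's rewrite: port-restricted 'established', check-state at Drew's 00450, 01900 dropped.
REVISED = COMMON + """\
00450 check-state
00500 allow tcp from 192.168.1.0/24 21,22,25,80,143,389,443,993 to any established
00600 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993
00700 allow tcp from 192.168.10.2 21,22 to any established
00750 allow tcp from any to 192.168.10.2 21,22
02000 allow ip from 192.168.10.2 to any keep-state out xmit ed1
02100 allow ip from 192.168.1.0/24 to any keep-state via ed0
65500 deny log ip from any to any
"""

def parse_addr(tok, i):
    """'[not] any|addr[/len] [port,...]' at tok[i] -> ((net, negate, ports), next index)."""
    negate = tok[i] == "not"
    i += negate
    net = None if tok[i] == "any" else ipaddress.ip_network(tok[i])
    has_ports = i + 1 < len(tok) and tok[i + 1][0].isdigit()
    ports = {int(p) for p in tok[i + 1].split(",")} if has_ports else None
    return (net, negate, ports), i + 1 + has_ports

def parse_rule(line):
    tok = line.split()
    r = {"num": int(tok[0]), "action": tok[1], "opts": {}}
    if r["action"] == "check-state":
        return r
    i = 3 if tok[2] == "log" else 2
    r["proto"], (r["src"], i) = tok[i], parse_addr(tok, i + 2)   # tok[i + 1] is 'from'
    r["dst"], i = parse_addr(tok, i + 1)                          # tok[i] is 'to'
    while i < len(tok):                                           # trailing options
        arg = tok[i] in ("recv", "xmit", "via")
        r["opts"][tok[i]] = tok[i + 1] if arg else True
        i += 2 if arg else 1
    return r

def side_ok(spec, addr, port):
    net, negate, ports = spec
    in_net = net is None or ipaddress.ip_address(addr) in net
    return in_net != negate and (ports is None or port in ports)

def match(r, p):
    o, f = r["opts"], p["flags"]
    return (r["proto"] in ("ip", p["proto"])
            and side_ok(r["src"], p["src"], p["sport"]) and side_ok(r["dst"], p["dst"], p["dport"])
            # 'established' is only "ACK or RST set", which any sender can forge
            and ("established" not in o or bool(f & {"ACK", "RST"}))
            and ("setup" not in o or ("SYN" in f and "ACK" not in f))
            and ("in" not in o or p["dir"] == "in") and ("out" not in o or p["dir"] == "out")
            and ("recv" not in o or p["recv"] == o["recv"]) and ("xmit" not in o or p["xmit"] == o["xmit"])
            and ("via" not in o or o["via"] in (p["recv"], p["xmit"])))

def check(rules, state, p):
    """First rule that fires for packet p, as (verdict, rule number); state is the dynamic table."""
    flow = (p["src"], p["sport"], p["dst"], p["dport"])
    known = flow in state or flow[2:] + flow[:2] in state
    for r in rules:
        # check-state, and every keep-state rule, consults the dynamic table first
        if known and (r["action"] == "check-state" or "keep-state" in r["opts"]):
            return "allow", r["num"]
        if r["action"] != "check-state" and match(r, p):
            if "keep-state" in r["opts"]:
                state.add(flow)
            return r["action"], r["num"]
    return "deny", None                                           # ipfw's implicit default

def tcp(src, sport, dst, dport, flags, iface):
    """Constructed TCP packet on its inbound pass through 'iface'."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": set(flags.split()), "dir": "in", "recv": iface, "xmit": None}

def trace(ruleset):
    """Run constructed traffic through a rule set; returns {case: (verdict, rule number)}."""
    rules, state, out = [parse_rule(l) for l in ruleset.splitlines()], set(), {}
    # 1. forged bare ACK from the Internet to a LAN host on a port nothing serves
    out["spoofed_ack"] = check(rules, state, tcp("1.2.3.4", 4444, "192.168.1.50", 6000, "ACK", "ed1"))
    # 2. LAN client opens a connection (creates state); the server's SYN+ACK comes back on ed1
    check(rules, state, tcp("192.168.1.50", 5000, "1.2.3.4", 80, "SYN", "ed0"))
    out["client_reply"] = check(rules, state, tcp("1.2.3.4", 80, "192.168.1.50", 5000, "SYN ACK", "ed1"))
    # 3. the LAN web server (reached via 00600, no state kept) answers an outside client
    out["server_reply"] = check(rules, state, tcp("192.168.1.10", 80, "1.2.3.4", 3333, "SYN ACK", "ed0"))
    return out
```

Running `trace(ORIGINAL)` shows the point of the thread: the forged ACK is passed by 00500, and so is the legitimate reply, which never reaches the state the keep-state rules created. Under `trace(REVISED)` the forged packet falls through to 65500, the reply is matched by the early check-state at 00450, and the web server's answer still passes because its source port is on the list in the new 00500. Deleting the 01900 check-state from the original set changes no verdict, since the keep-state rule right after it performs the same lookup.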