From owner-freebsd-questions@FreeBSD.ORG Fri Nov 2 22:00:09 2007
From: deeptech71@gmail.com
To: freebsd-questions@freebsd.org
Date: Fri, 02 Nov 2007 22:59:04 +0100
Subject: Re: IPFW Rules and Games
Message-ID: <472B9DA8.6000800@gmail.com>
In-Reply-To: <472B6552.9060602@gmail.com>
References: <472AF4FF.9000803@gmail.com> <20071102141525.19a05fc7@gumby.homeunix.com.> <472B6552.9060602@gmail.com>

Hi, Jack, let's see.

Jack Barnett wrote:
>
> Lots of people play games here and it's basically a pain to keep trying to
> get these stupid things to work with individual rules for each.
>
> I'm running FreeBSD 6.x with IPFW/natd
>
> I get a dynamic IP from my ISP and the internal nic is 192.168.17.1
> Everything inside the network is 192.168.17.xxx
>
> The setup is this:
> 192.168.17.x <--> 192.168.17.1 <[FreeBSD]> Dynamic IP <--> {Random Game
> Server on the Internets}
> [Internet Network(GAME)] <--> [FreeBSD] <--> {Internets}
>
> There are a bunch of games that send out TCP/UDP packets (and who knows
> what else) on different ports to different destinations and then
> receive data back on "random" ports. Basically, anything on any
> protocol from the internal network should be able to establish and setup
> connections out AND be allowed to receive data back from whomever they
> connected out to; but "random" hosts trying to connect in should be
> blocked.

Back on "random" ports? That's not how it should be.
Your client must send a request (ping or connect) to a server, using the
game's client port as the local port, and the server port as the remote
port. The reply should come back the same way, reversed.

For example, a client sends a connect request:
192.168.17.7:28000 > 87.15.13.165:29000

natd converts the packet to:
49.74.121.3:28000 > 87.15.13.165:29000
(49.74.121.3 is your public IP)

and adds a dynamic rule (inside natd, not ipfw), that a packet coming from
87.15.13.165, port 29000 to 49.74.121.3, port 28000 should be routed to
192.168.17.7, port 28000.

So: the server replies:
87.15.13.165:29000 > 49.74.121.3:28000

natd converts the packet to:
87.15.13.165:29000 > 192.168.17.7:28000

Any unknown packets will be blocked by natd. These are the "unauthorized
random hosts".

So basically the ruleset should be simple:

ipfw -f flush
# allow lo0 stuff
# block some spoofs/attacks
# if you are hosting gameservers from 192.168.17.3 or whatever,
# you should (manually) open server ports, in other words, add
# routes to 192.168.17.3 to specific server ports
ipfw add divert natd all from any to any via $outside_interface
ipfw add allow all from any to any
# block some more spoofs/attacks :)
# define services (like you did with http)

Correct me if I'm wrong.

What games do reply back on random ports?

>
> I added this for a temporary fix:
> ${fwcmd} add pass all from any to any
>
> I don't think that is the right answer; That allows too much in?
>
> I've tried these per the docs:
>
> ${fwcmd} add allow all from any to any out via {$iip} setup
> ${fwcmd} add allow all from any to any out via {$iip} established
> ${fwcmd} add allow all from any to any in via {$iip} established
>
> and also a bunch of others; but none of them worked.
>
> Here is my full config:
> # simple
> [Ss][Ii][Mm][Pp][Ll][Ee])
> ############
> # This is a prototype setup for a simple firewall. Configure this
> # machine as a DNS and NTP server, and point all the machines
> # on the inside at this machine for those services.
> ############
>
> # set these to your outside interface network and netmask and ip
> oif="xl0"
> onet=`ifconfig xl0 | grep "inet " | awk '{print $6}'`

I'm not sure about this. Isn't the sixth word the broadcast address
(ending with .255)?

> omask="0xfffffe00"

0xfffffe00 wtf?

> oip=`ifconfig xl0 | grep "inet " | awk '{print $2}'`
>
> # set these to your inside interface network and netmask and ip
> iif="dc1"
> inet="192.168.17.0"
> imask="0xffffff00"
> iip="192.168.17.1"

What kind of internet connection do you have?

>
> setup_loopback
>
> # Stop spoofing
> ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
> ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
>
> # Stop RFC1918 nets on the outside interface
> ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
> ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
> ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface
> ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
> ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
> ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
> ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
> ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
>
> # Network Address Translation. This rule is placed here deliberately
> # so that it does not interfere with the surrounding address-checking
> # rules. If for example one of your internal LAN machines had its IP
> # address set to 192.0.2.1 then an incoming packet for it after being
> # translated by natd(8) would match the `deny' rule above. Similarly
> # an outgoing packet originated from it before being translated would
> # match the `deny' rule below.
> case ${natd_enable} in
> [Yy][Ee][Ss])
> if [ -n "${natd_interface}" ]; then
> ${fwcmd} add divert natd all from any to any via ${natd_interface}
> fi
> ;;
> esac
>
> # Stop RFC1918 nets on the outside interface
> ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
> ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
> ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface
> ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
> ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
> ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
> ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
> ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
>
> # Allow internal traffic
> ${fwcmd} add allow all from any to any via ${iif}
> # Allow all local traffic
> ${fwcmd} add allow all from ${inet}:${imask} to ${inet}:${imask}
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag
>
> # Allow setup of incoming email
> #${fwcmd} add pass tcp from any to ${oip} 25 setup
> #${fwcmd} add pass tcp from any to ${iip} 25 setup
> ${fwcmd} add pass tcp from any to any 25 setup
>
> # Allow access to our DNS
> ${fwcmd} add pass tcp from any to ${iip} 53 setup
> ${fwcmd} add pass udp from any to ${iip} 53
> ${fwcmd} add pass udp from ${iip} 53 to any
>
> #${fwcmd} add pass tcp from {$inet}:{$imask} to ${oip} 53 setup
> #${fwcmd} add pass udp from {$inet}:{$imask} to ${oip} 53
> #${fwcmd} add pass udp from ${oip} 53 to {$inet}:{$imask}
>
> # SMB - Samba
> #${fwcmd} add pass tcp from any to ${iip} 137
> #${fwcmd} add pass udp from any to ${iip} 137
> #${fwcmd} add pass tcp from any to ${iip} 138
> #${fwcmd} add pass udp from any to ${iip} 138
> #${fwcmd} add pass udp from any to ${iip} 791
>
> # Allow access to our WWW
> #${fwcmd} add pass tcp from any to ${oip} 80 setup
> ${fwcmd} add pass tcp from any to any 80 setup
>
> ${fwcmd} add pass tcp from any to ${iip} 888 setup
>
> # Allow access to our SSH
> #${fwcmd} add pass tcp from any to ${oip} 22 setup
> ${fwcmd} add pass tcp from any to any 22 setup
>
> # Reject&Log all setup of incoming connections from the outside
> ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>
> # Allow setup of any other TCP connection
> ${fwcmd} add pass tcp from any to any setup
>
> # Allow DNS queries out in the world
> #${fwcmd} add pass udp from ${oip} to any 53 keep-state
> ${fwcmd} add pass udp from any to any 53 keep-state
>
> # Allow NTP queries out in the world
> #${fwcmd} add pass udp from ${oip} to any 123 keep-state
> ${fwcmd} add pass udp from any to any 123 keep-state
>
> # NWN/NWN2 Client
>
> #http://nwn2forums.bioware.com/forums/viewtopic.html?topic=507894&forum=116&sp=30
>
> #http://nwn.bioware.com/forums/viewtopic.html?topic=387975&forum=56&sp=135
>
> #add 123 allow udp from any to 1.2.3.4 5120-5300,6500,6667,27900,28900
>
> #UDP 5120 - Outbound and Inbound packets
> #UDP 2485 - Outbound and Inbound packets
>
> #TCP 2486 - Outbound and Inbound packets
> #TCP 2487 - Outbound and Inbound packets
> #TCP 2488 - Outbound and Inbound packets
>
> #UDP 2489 - Outbound and Inbound packets
> #TCP 28910 - Server port
> #UDP 5121 - Server port
> #UDP 5122 - Server port
> #UDP 27900 - Server port
> #UDP 50643 - Server port
> #UDP 6121 - Server port
>
> # not working.
> #add allow all from any to any 2485-2490,5210-5230,6121-6500,27900,27900-28910,50643
> #add pass all from any to any 2485-2490,5210-5230,6121-6500,27900,27900-28910,50643
> #add allow all from any to any 5120-5300,6500,6667,27900,28900
>
> #allow outbound setup connections
> # not working.
> #${fwcmd} add allow tcp from any to any out via {$iip} setup
> #allow in and outbound established connections
> #${fwcmd} add allow tcp from any to any out via {$iip} established
> #${fwcmd} add allow tcp from any to any in via {$iip} established
>
> ${fwcmd} add pass all from any to any
>
> # Everything else is denied by default, unless the
> # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
> # config file.
> ;;
>
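A toy model of the translation the reply above describes, added here as an example and not code from the thread or from natd itself: an outbound packet creates a mapping, a reply that matches it exactly is rewritten back to the LAN host, and a reply from a different server port or from an unknown host finds no mapping and is dropped, which would explain why a game that answers from a "random" port never gets through. The addresses and ports are the ones used in the reply; the 203.0.113.9 host, the port-preserving mapping and the table layout are constructed simplifications.

```python
# Added example: a simplified model of the natd behaviour described in the
# reply. It is not natd's real implementation; the mapping table layout and
# the "public port == internal port" rule are constructed for illustration.
from dataclasses import dataclass

PUBLIC_IP = "49.74.121.3"  # the router's public address, from the reply


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ToyNat:
    """Outbound packets add a dynamic entry; an inbound packet is translated
    only if its remote ip/port and public port match an entry exactly.
    Anything else is an 'unknown packet' and is dropped (returns None)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        # (proto, remote_ip, remote_port, public_port) -> (lan_ip, lan_port)
        self.table = {}

    def outbound(self, pkt):
        # Simplification: the LAN source port is reused as the public port.
        self.table[(pkt.proto, pkt.dst, pkt.dport, pkt.sport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        entry = self.table.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if entry is None:
            return None  # no mapping: natd drops it
        lan_ip, lan_port = entry
        return Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port)


def demo():
    nat = ToyNat(PUBLIC_IP)
    out = nat.outbound(Packet("udp", "192.168.17.7", 28000, "87.15.13.165", 29000))
    reply = nat.inbound(Packet("udp", "87.15.13.165", 29000, PUBLIC_IP, 28000))
    # Same server answering from another port: no entry, dropped.
    odd_port = nat.inbound(Packet("udp", "87.15.13.165", 29001, PUBLIC_IP, 28000))
    # Unrelated host (constructed address) trying to reach the same port: dropped.
    stranger = nat.inbound(Packet("udp", "203.0.113.9", 29000, PUBLIC_IP, 28000))
    return out, reply, odd_port, stranger
```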