Date: Tue, 16 Apr 2002 12:54:32 -0700 (PDT) From: "Earl A. Killian" <earl@killian.com> To: freebsd-ipfw@freebsd.org Subject: question about the FreeBSD 4.5-RELEASE simple entry in rc.firewall Message-ID: <200204161954.g3GJsWc04611@gate.killian.com>
next in thread | raw e-mail | index | archive | help
At the end, for reference, I've reproduced the rules you get from 4.5-RELEASE rc.firewall with firewall_type="simple" and natd_enable="YES", and with some comments simplified. I tried this firewall, and I was not able to talk to my gateway machine from the hosts on the inside. Looking at the rules below, I see only one rule that is specific to iif, and that is just to prevent the inside from pretending to be outside. Most of the rules are via oif, or to oip and so don't apply to an inside machine talking to iip via iif. If I eliminate those rules, I'm left with: Rules that apply to inet:imask talking to iip via iif: deny all from any to 127.0.0.0/8 deny ip from 127.0.0.0/8 to any deny all from ${onet}:${omask} to any in via ${iif} pass tcp from any to any established pass all from any to any frag pass tcp from any to any setup So what about icmp and udp? Do other sites really use this fw and just not ping or dns/ntp to their gateway from inside? Shouldn't the following be added after the stop-spoofing rules or something?: # Allow internal hosts complete access allow all from ${inet}:${imask} to ${iip} in recv ${iif} allow all from ${iip} to ${inet}:${imask} out xmit ${iif} I also notice there are no rules for icmp at all. Shouldn't there be a # Allow pings out in the world pass icmp from ${oip} to any keep-state down with the dns/ntp rules? For reference, rc.firewall with firewall_type="simple" and natd_enable="YES": # Localhost interface 100 pass all from any to any via lo0 200 deny all from any to 127.0.0.0/8 300 deny ip from 127.0.0.0/8 to any # Stop spoofing deny all from ${inet}:${imask} to any in via ${oif} deny all from ${onet}:${omask} to any in via ${iif} # Stop RFC1918 nets on the outside interface deny all from any to 10.0.0.0/8 via ${oif} deny all from any to 172.16.0.0/12 via ${oif} deny all from any to 192.168.0.0/16 via ${oif} # Stop draft-manning-dsua-03.txt nets on the outside interface deny all from any to 0.0.0.0/8 via ${oif} deny all from any to 169.254.0.0/16 via ${oif} deny all from any to 192.0.2.0/24 via ${oif} deny all from any to 224.0.0.0/4 via ${oif} deny all from any to 240.0.0.0/4 via ${oif} # Network Address Translation. divert natd all from any to any via ${natd_interface} # Stop RFC1918 nets on the outside interface deny all from 10.0.0.0/8 to any via ${oif} deny all from 172.16.0.0/12 to any via ${oif} deny all from 192.168.0.0/16 to any via ${oif} # Stop draft-manning-dsua-03.txt nets on the outside interface deny all from 0.0.0.0/8 to any via ${oif} deny all from 169.254.0.0/16 to any via ${oif} deny all from 192.0.2.0/24 to any via ${oif} deny all from 224.0.0.0/4 to any via ${oif} deny all from 240.0.0.0/4 to any via ${oif} # Allow TCP through if setup succeeded pass tcp from any to any established # Allow IP fragments to pass through pass all from any to any frag # Allow setup of incoming email pass tcp from any to ${oip} 25 setup # Allow access to our DNS pass tcp from any to ${oip} 53 setup pass udp from any to ${oip} 53 pass udp from ${oip} 53 to any # Allow access to our WWW pass tcp from any to ${oip} 80 setup # Reject&Log all setup of incoming connections from the outside deny log tcp from any to any in via ${oif} setup # Allow setup of any other TCP connection pass tcp from any to any setup # Allow DNS queries out in the world pass udp from ${oip} to any 53 keep-state # Allow NTP queries out in the world pass udp from ${oip} to any 123 keep-state To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200204161954.g3GJsWc04611>