From owner-freebsd-bugs Fri Oct 29 14:46:38 1999 Delivered-To: freebsd-bugs@freebsd.org Received: from monkeys.com (i180.value.net [206.14.136.180]) by hub.freebsd.org (Postfix) with ESMTP id 480C014C37 for ; Fri, 29 Oct 1999 14:46:31 -0700 (PDT) (envelope-from rfg@monkeys.com) Received: from segfault.monkeys.com (localhost [127.0.0.1]) by monkeys.com (8.9.3/8.9.3) with ESMTP id OAA00728 for ; Fri, 29 Oct 1999 14:46:24 -0700 (PDT) To: freebsd-bugs@freebsd.org Subject: Some fixes for some non-features of the /etc/rc.firewall script From: "Ronald F. Guilmette" Date: Fri, 29 Oct 1999 14:46:24 -0700 Message-ID: <726.941233584@segfault.monkeys.com> Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Well folks, like the old saying goes, ``Yesterday, I couldn't even spell `unginer', but today I are one!'' I learned essentially everything I know about both ipfw and natd in just the last 24 hours, but I'm already ready to be a critic! :-) But before I go filing any formal pr's, I guess I ought to at least run my ideas past some of the more seasoned critics that might be reading this list/newsgroup. OK, so here goes... Let me set the stage first. I am trying to use ipfw in conjunction natd. This worked pretty darn good, right out of the box, at least after I built and installed a proper kernel, and after I put the proper directives into my /etc/rc.conf file, but *only* when I had: firewall_type="open" set in the /etc/rc.local file. I tried to set that instead to firewall_type="simple" and all sorts of stuff ceased to work. So I just grunged around in the /etc/rc.firewall script and made changes until everything *did* work again. My suggested patches for /etc/rc.firewall are included below. I plan to file an official pr for these things, but first I'll get some comments from the readership here. (Some of these things may be just matters of taste.) The first patch below was needed in order to actually allow natd to be useful in conjunction with the "simple" firewall type. Without this change my NAT-supported machines on the local net could not connect out to anything in the outside world. The second patch below allows outsiders to connect to your AUTH port (113). I found that allowing this will cut down a lot on the number of pointless "Deny" log messages you will get if you don't have this, because a *lot* of things out in the real world (most notably Sendmail) _will_ try to connect to your local auth port whenever you connect out to them. The next patch allows ICMP packets and UDP packets to flow freely between other machines on the local net and the current (firewall) machine and vise versa. I don't see how allowing this could create a security threat, so it seems to me that it ought to be allowed. I was definitely annoyed when, after having first tried the "simple" firewall setup, I found that I could no longer even ping the firewall machine from other machines on my own local net. Also, I believe that this patch helped to clear up an obscure problem I was having with my X server (and with starting new xterms) when I first tried using the "simple" firewall type. The third patch below also allows ICMP to and from the firewall machine and the outside world. Some people will undoubtedly say that this introduces a security threat, but frankly, even if that's true, I can live with it. I don't see it as a big problem, and I'd rather be able to ping this (firewall) machine from the outside than not. Last but not least, I added an EXPLICIT command: ipfw add deny log ip from any to any This is intended to take the place of the implicit default "fall through" deny command that you will get anyway, with the only difference being that _this one_ asks for denied packets to be logged (and the default rule doesn't do that). I like knowing when suspicious stuff is going on, therefore I prefer to have the logging of denied packets be on in all cases. (I also added the "log" qualifier to all of the other "deny" commands in this file also, but I seem to have misplaced those patches now. Humph.) Comments? *** rc.firewall Fri Oct 29 14:10:14 1999 --- rc.firewall Fri Oct 29 14:15:35 1999 *************** *** 151,154 **** --- 151,161 ---- $fwcmd add deny all from ${onet}:${omask} to any in via ${iif} + # Allow TCP through to internal RFC1918 nets if using natd & setup succeded + if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then + $fwcmd add pass tcp from any to 192.168.0.0:255.255.0.0 established + $fwcmd add pass tcp from any to 172.16.0.0:255.240.0.0 established + $fwcmd add pass tcp from any to 10.0.0.0:255.0.0.0 established + fi + # Stop RFC1918 nets on the outside interface $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} *************** *** 171,174 **** --- 178,184 ---- $fwcmd add pass tcp from any to ${oip} 80 setup + # Allow access to our AUTH + $fwcmd add pass tcp from any to ${oip} 113 setup + # Reject&Log all setup of incoming connections from the outside $fwcmd add deny log tcp from any to any in via ${oif} setup *************** *** 177,180 **** --- 187,202 ---- $fwcmd add pass tcp from any to any setup + # Allow ICMP on the inside + $fwcmd add pass icmp from ${inet}:${imask} to ${iip} + $fwcmd add pass icmp from ${iip} to ${inet}:${imask} + + # Allow UDP on the inside + $fwcmd add pass udp from ${inet}:${imask} to ${iip} + $fwcmd add pass udp from ${iip} to ${inet}:${imask} + + # Allow all ICMP out in the world + $fwcmd add pass icmp from any to ${oip} + $fwcmd add pass icmp from ${oip} to any + # Allow DNS queries out in the world $fwcmd add pass udp from any 53 to ${oip} *************** *** 186,189 **** --- 208,212 ---- # Everything else is denied as default. + $fwcmd add deny log ip from any to any elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message