Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 19 Feb 2002 11:37:27 -0500
From:      "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To:        "FI" <freebsd-isp@FreeBSD.ORG>, "FBSD" <freebsd-questions@FreeBSD.ORG>
Subject:   IPFW check-state/keep-state
Message-ID:  <LPBBIGIAAKKEOEJOLEGOMEANCIAA.barbish@a1poweruser.com>

next in thread | raw e-mail | index | archive | help
I had a typical ipfw rules file built from the simple stateful
type in rc.firewall. I had originally been using user ppp with
it's internal Nat function, but went to natd as the simple
stateful type in rc.firewall showed. When I tried to go from a
simple stateful [established/setup] to advanced stateful
[check-state/keep-state] I kept having trouble with ip address
being mismatched. I removed the natd divert rule from the ipfw
rules set and deactivated nated and activated ppp -Nat in rc.conf,
and the advanced stateful [check-state/keep-state] rule started
to work. As I added the keep-state to the udp rules for dns it
stopped working. In checking the archives I can across a post that
contained a advanced stateful [check-state/keep-state]rule set.
It contained the following rule combo.

$fwcmd add 00500 check-state
$fwcmd add 00501 deny tcp from any to any established
$fwcmd add 00502 deny all from any to any frag

I added rule  501 & 502 to my rule set after the 500 rule which was
all ready there and everything works as exspected.

My question is, why does rule 501 make things work??

Below is my full rule set for referance.




###########################################################################
#
# Define IPFW firewall rules for gateway.xxxxxxxx.com   2/15/2002 Joe
Barbish
#
#   User ppp tun0 dial out to ISP with dynamic IP addresses assigned.
#   User ppp tun1 dial in to this box with dynamic IP addresses assigned
#   User ppp tun2 dial in to this box with dynamic IP addresses assigned
#   User ppp nat used. Private Ip address used inside.
#   3 win98 boxes on LAN with static IP address hard coded.
#   Protect the whole private network from loss of service attacks
#   These rules can be reloaded with out rebooting by issuing this command
#   sh /etc/ipfw.stdrules
#
#   The use of 'me' in rules means IP address 127.0.0.0 localhost
#
# Firewall Policy Statement.
#   All packet traffic originating behind this firewall not requiring access
#   to the public internet is exempt from these firewall rules.
#
#   Each public internet function must be explicitly allowed by a rule.
#   Only valid response to the packets I've sent out are allowed in.
#   All packets must use the IPFW advanced "dynamic" rules function.
#   No state-less rules or simple stateful rules are allowed.
#
############################################################################
#

# Set rules command prefix
# The -q option on the command is for quite mode.
# Do not display rules as they load. Remove during development to see.
fwcmd="/sbin/ipfw -q"

# Flush out the list before we begin.
$fwcmd -f flush

# Set defaults
# set these to your outside interface network and netmask and ip
# for dynamic IP address from ISP use there range
oif="tun0"
odns1="208.206.115.11"      # ISP's dns server 1 IP address
odns2="208.206.115.12"      # ISP's dns server 2 IP address
oisp="208.206.115.4"        # ISP router issueing rip
oip="63.170.150.25/24"      # For testing dial isp from standalone pc and
# access this FBSD box over the internet. This value is the dynamic IP
address
#range issued by ISP. oip is in inbound section statments to only allow
access from me


# set these to your inside interface network and netmask and ip
iif="xl0"                  # Nic card
iip="10.10.10.2/24"         # IP address range for LAN Nic card

# This is the start of the rules.
# All traffic coming in from the internet or
# leaving the local LAN start here

# Handle router 520 rip request
$fwcmd add 00002 deny udp  from $oisp 520 to me in via $oif

# Internal gateway housekeeping
# Rules # 100 - 130 exempt everything behind the firewall from this rules
set.
# Rules # 150 & 160 deny any reference to the localhost default IP address.
$fwcmd add 00100 allow ip from any to any via lo0  # allow all localhost
$fwcmd add 00110 allow ip from any to any via xl0  # allow all local LAN
$fwcmd add 00120 allow ip from any to any via tun1 # allow all dialin call 1
$fwcmd add 00130 allow ip from any to any via tun2 # allow all dialin call 2
$fwcmd add 00150 deny  ip from any to 127.0.0.0/8  # deny use of localhost
IP
$fwcmd add 00160 deny  ip from 127.0.0.0/8 to any  # deny use of localhost
IP



########  control section  ############################################
# interrogate packets originating from behind the firewall private net.
# Start of IPFW advanced Stateful Filtering using "dynamic" rules.
# Upon a rule match, it's keep-state option will create a dynamic rule,
# The check-state statment behaviour is to match bidirectional packet
traffic
# flow between source and destination using protocol/IP/port/sequance
number.
# The dynamic rule has a limited lifetime which is controlled by a set of
# sysctl(8) variables. The lifetime is refreshed every time a matching
# packet is found in the dynamic table.

# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by an allow keep-state statement.

$fwcmd add 00500 check-state

# Deny any late arriveing packets so they don't get caught & logged
# by rules 900 or 910.
$fwcmd add 00501 deny tcp from any to any established
$fwcmd add 00502 deny all from any to any frag


########  outbound section  ############################################

# Allow out www function
$fwcmd add 00600 allow tcp  from any to any 80  out via $oif setup
keep-state

# Allow out access to my ISP's Domain name server.
$fwcmd add 00610 allow tcp  from any to $odns1 53 out via $oif setup
keep-state
$fwcmd add 00611 allow udp  from any to $odns1 53 out via $oif keep-state
$fwcmd add 00615 allow tcp  from any to $odns2 53 out via $oif setup
keep-state
$fwcmd add 00616 allow udp  from any to $odns2 53 out via $oif keep-state

# Allow out access to internet Domain name server.
$fwcmd add 00618 allow tcp  from any to any    53 out via $oif setup
keep-state
$fwcmd add 00619 allow udp  from any to any    53 out via $oif keep-state

# Allow out send & get email function
$fwcmd add 00630 allow tcp  from any to any 25,110  out via $oif setup
keep-state

# Allow out FBSD CVSUP function
$fwcmd add 00640 allow tcp  from me to any 5999   out via $oif setup
keep-state

# Allow out ping
$fwcmd add 00650 allow icmp from any to any       out via $oif	   keep-state

# Allow out FTP control channel & in of data channel
$fwcmd add 00671 allow tcp  from any to any 21    out via $oif setup
keep-state
$fwcmd add 00672 allow tcp  from any 20 to $iip 1024-49151 in via $oif setup
keep-state

# Allow out ssh
$fwcmd add 00680 allow tcp  from any to any 22   out via $oif setup
keep-state

# Allow out TELNET
$fwcmd add 00690 allow tcp  from any to any 23    out via $oif setup
keep-state

# Allow out Network Time Protocol (NTP) queries
$fwcmd add 00694 allow tcp  from any to any 123   out via $oif setup
keep-state
$fwcmd add 00695 allow udp  from any to any 123   out via $oif keep-state

# Allow out Time
$fwcmd add 00696 allow tcp  from any to any 37    out via $oif setup
keep-state
$fwcmd add 00697 allow udp  from any to any 37    out via $oif keep-state

# Allow out ident
$fwcmd add 00700 allow tcp  from any to any 113   out via $oif setup
keep-state
$fwcmd add 00701 allow udp  from any to any 113   out via $oif keep-state

# Allow out IRC
$fwcmd add 00710 allow tcp  from any to any 194   out via $oif setup
keep-state
$fwcmd add 00711 allow udp  from any to any 194   out via $oif keep-state

# Allow out whois
$fwcmd add 00712 allow tcp  from any to any 43    out via $oif setup
keep-state
$fwcmd add 00713 allow udp  from any to any 43    out via $oif keep-state

# Allow out whois++
$fwcmd add 00715 allow tcp  from any to any 63    out via $oif setup
keep-state
$fwcmd add 00716 allow udp  from any to any 63    out via $oif keep-state

# Allow out finger
$fwcmd add 00720 allow tcp  from any to any 79    out via $oif setup
keep-state
$fwcmd add 00721 allow udp  from any to any 79    out via $oif keep-state

# Allow out nntp news
$fwcmd add 00725 allow tcp  from any to any 119   out via $oif setup
keep-state
$fwcmd add 00726 allow udp  from any to any 119   out via $oif keep-state

# Allow out gopher
$fwcmd add 00730 allow tcp  from any to any 70    out via $oif setup
keep-state
$fwcmd add 00731 allow udp  from any to any 70    out via $oif keep-state



########  inbound section  ############################################
# interrogate packets originating from in front of the firewall public net.
# place statments here to allow public requests for service.
# The $oip holds the dynamic ip address range that both this FBSD box and
the
# the standalong pc I use for testing logs into, so the result is only I can
gain
# public access from the internet to these functions.

# Allow in www
$fwcmd add 00800 allow tcp from $oip to me 80 in via $oif setup keep-state

# Allow  TCP FTP control channel in & data channel out
$fwcmd add 00810 allow tcp from $oip to me 21  in via $oif setup keep-state
$fwcmd add 00811 allow tcp from $oip 20 to any 1024-49151 out via $oif setup
keep

# Allow in ssh function
$fwcmd add 00820 allow log tcp from $oip to me 22 in via $oif setup
keep-state

# Allow in telnet login
$fwcmd add 00830 allow tcp from $oip to me 23 in via $oif setup keep-state

# This sends a RESET to all ident packets.
$fwcmd add 00840 reset tcp from any to me 113  in via $oif

# Stop & log spoofing Attack attempts.
# Examine incoming traffic for packets with both a source and destination
# IP address in your local domain as per CIAC prevention alert.
$fwcmd add 00850 deny log ip from me to me  in via $oif

# Stop & log ping echo attacks
# stop echo reply (ICMP type 0), and echo request (type 8).
$fwcmd add 00860 deny log icmp from any to me icmptype 0,8  in via $oif

# Reject & Log all setup of incoming connections from the outside
$fwcmd add 00900 deny log all from any to any      in via $oif

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$fwcmd add 00910 deny log logamount 500 ip from any to any















To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?LPBBIGIAAKKEOEJOLEGOMEANCIAA.barbish>