From owner-freebsd-isp Tue Feb 19 8:38: 0 2002
Delivered-To: freebsd-isp@freebsd.org
Received: from mail.mango-bay.com (mail.mango-bay.com [208.206.15.12]) by hub.freebsd.org (Postfix) with ESMTP id 4AF4837B400; Tue, 19 Feb 2002 08:37:36 -0800 (PST)
Received: from barbish ([63.70.155.109]) by mail.mango-bay.com (Post.Office MTA v3.5.3 release 223 ID# 0-52377U2500L250S0V35) with SMTP id com; Tue, 19 Feb 2002 11:41:47 -0500
From: "Joe & Fhe Barbish"
To: "FI", "FBSD"
Subject: IPFW check-state/keep-state
Date: Tue, 19 Feb 2002 11:37:27 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I had a typical ipfw rules file built from the simple stateful type in rc.firewall. I had originally been using user ppp with its internal NAT function, but went to natd as the simple stateful type in rc.firewall showed. When I tried to go from simple stateful [established/setup] to advanced stateful [check-state/keep-state] I kept having trouble with IP addresses being mismatched. I removed the natd divert rule from the ipfw rule set, deactivated natd and activated ppp -nat in rc.conf, and the advanced stateful [check-state/keep-state] rule started to work. As I added keep-state to the udp rules for DNS it stopped working. In checking the archives I came across a post that contained an advanced stateful [check-state/keep-state] rule set. It contained the following rule combo.
$fwcmd add 00500 check-state
$fwcmd add 00501 deny tcp from any to any established
$fwcmd add 00502 deny all from any to any frag

I added rules 501 & 502 to my rule set after the 500 rule, which was already there, and everything works as expected. My question is, why does rule 501 make things work? Below is my full rule set for reference.

###########################################################################
#
# Define IPFW firewall rules for gateway.xxxxxxxx.com 2/15/2002 Joe Barbish
#
# User ppp tun0 dial out to ISP with dynamic IP addresses assigned.
# User ppp tun1 dial in to this box with dynamic IP addresses assigned
# User ppp tun2 dial in to this box with dynamic IP addresses assigned
# User ppp nat used. Private IP addresses used inside.
# 3 win98 boxes on LAN with static IP address hard coded.
# Protect the whole private network from loss of service attacks
# These rules can be reloaded without rebooting by issuing this command
# sh /etc/ipfw.stdrules
#
# The use of 'me' in rules means IP address 127.0.0.0 localhost
#
# Firewall Policy Statement.
# All packet traffic originating behind this firewall not requiring access
# to the public internet is exempt from these firewall rules.
#
# Each public internet function must be explicitly allowed by a rule.
# Only valid responses to the packets I've sent out are allowed in.
# All packets must use the IPFW advanced "dynamic" rules function.
# No state-less rules or simple stateful rules are allowed.
#
############################################################################
#
# Set rules command prefix
# The -q option on the command is for quiet mode.
# Do not display rules as they load. Remove during development to see.
fwcmd="/sbin/ipfw -q"

# Flush out the list before we begin.
$fwcmd -f flush

# Set defaults
# set these to your outside interface network and netmask and ip
# for dynamic IP address from ISP use their range
oif="tun0"
odns1="208.206.115.11"   # ISP's dns server 1 IP address
odns2="208.206.115.12"   # ISP's dns server 2 IP address
oisp="208.206.115.4"     # ISP router issuing rip
oip="63.170.150.25/24"   # For testing dial isp from standalone pc and
# access this FBSD box over the internet. This value is the dynamic IP address
# range issued by ISP. oip is in inbound section statements to only allow access from me

# set these to your inside interface network and netmask and ip
iif="xl0"                # Nic card
iip="10.10.10.2/24"      # IP address range for LAN Nic card

# This is the start of the rules.
# All traffic coming in from the internet or
# leaving the local LAN start here

# Handle router 520 rip request
$fwcmd add 00002 deny udp from $oisp 520 to me in via $oif

# Internal gateway housekeeping
# Rules # 100 - 130 exempt everything behind the firewall from this rule set.
# Rules # 150 & 160 deny any reference to the localhost default IP address.
$fwcmd add 00100 allow ip from any to any via lo0    # allow all localhost
$fwcmd add 00110 allow ip from any to any via xl0    # allow all local LAN
$fwcmd add 00120 allow ip from any to any via tun1   # allow all dialin call 1
$fwcmd add 00130 allow ip from any to any via tun2   # allow all dialin call 2
$fwcmd add 00150 deny ip from any to 127.0.0.0/8     # deny use of localhost IP
$fwcmd add 00160 deny ip from 127.0.0.0/8 to any     # deny use of localhost IP

######## control section ############################################
# interrogate packets originating from behind the firewall private net.
# Start of IPFW advanced Stateful Filtering using "dynamic" rules.
# Upon a rule match, its keep-state option will create a dynamic rule.
# The check-state statement behaviour is to match bidirectional packet traffic
# flow between source and destination using protocol/IP/port/sequence number.
# The dynamic rule has a limited lifetime which is controlled by a set of
# sysctl(8) variables. The lifetime is refreshed every time a matching
# packet is found in the dynamic table.

# Allow the packet through if it has previously been added to
# the "dynamic" rules table by an allow keep-state statement.
$fwcmd add 00500 check-state

# Deny any late arriving packets so they don't get caught & logged
# by rules 900 or 910.
$fwcmd add 00501 deny tcp from any to any established
$fwcmd add 00502 deny all from any to any frag

######## outbound section ############################################
# Allow out www function
$fwcmd add 00600 allow tcp from any to any 80 out via $oif setup keep-state

# Allow out access to my ISP's Domain name server.
$fwcmd add 00610 allow tcp from any to $odns1 53 out via $oif setup keep-state
$fwcmd add 00611 allow udp from any to $odns1 53 out via $oif keep-state
$fwcmd add 00615 allow tcp from any to $odns2 53 out via $oif setup keep-state
$fwcmd add 00616 allow udp from any to $odns2 53 out via $oif keep-state

# Allow out access to internet Domain name server.
$fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
$fwcmd add 00619 allow udp from any to any 53 out via $oif keep-state

# Allow out send & get email function
$fwcmd add 00630 allow tcp from any to any 25,110 out via $oif setup keep-state

# Allow out FBSD CVSUP function
$fwcmd add 00640 allow tcp from me to any 5999 out via $oif setup keep-state

# Allow out ping
$fwcmd add 00650 allow icmp from any to any out via $oif keep-state

# Allow out FTP control channel & in of data channel
$fwcmd add 00671 allow tcp from any to any 21 out via $oif setup keep-state
$fwcmd add 00672 allow tcp from any 20 to $iip 1024-49151 in via $oif setup keep-state

# Allow out ssh
$fwcmd add 00680 allow tcp from any to any 22 out via $oif setup keep-state

# Allow out TELNET
$fwcmd add 00690 allow tcp from any to any 23 out via $oif setup keep-state

# Allow out Network Time Protocol (NTP) queries
$fwcmd add 00694 allow tcp from any to any 123 out via $oif setup keep-state
$fwcmd add 00695 allow udp from any to any 123 out via $oif keep-state

# Allow out Time
$fwcmd add 00696 allow tcp from any to any 37 out via $oif setup keep-state
$fwcmd add 00697 allow udp from any to any 37 out via $oif keep-state

# Allow out ident
$fwcmd add 00700 allow tcp from any to any 113 out via $oif setup keep-state
$fwcmd add 00701 allow udp from any to any 113 out via $oif keep-state

# Allow out IRC
$fwcmd add 00710 allow tcp from any to any 194 out via $oif setup keep-state
$fwcmd add 00711 allow udp from any to any 194 out via $oif keep-state

# Allow out whois
$fwcmd add 00712 allow tcp from any to any 43 out via $oif setup keep-state
$fwcmd add 00713 allow udp from any to any 43 out via $oif keep-state

# Allow out whois++
$fwcmd add 00715 allow tcp from any to any 63 out via $oif setup keep-state
$fwcmd add 00716 allow udp from any to any 63 out via $oif keep-state

# Allow out finger
$fwcmd add 00720 allow tcp from any to any 79 out via $oif setup keep-state
$fwcmd add 00721 allow udp from any to any 79 out via $oif keep-state

# Allow out nntp news
$fwcmd add 00725 allow tcp from any to any 119 out via $oif setup keep-state
$fwcmd add 00726 allow udp from any to any 119 out via $oif keep-state

# Allow out gopher
$fwcmd add 00730 allow tcp from any to any 70 out via $oif setup keep-state
$fwcmd add 00731 allow udp from any to any 70 out via $oif keep-state

######## inbound section ############################################
# interrogate packets originating from in front of the firewall public net.
# place statements here to allow public requests for service.
# The $oip holds the dynamic ip address range that both this FBSD box and
# the standalone pc I use for testing log into, so the result is only I can gain
# public access from the internet to these functions.

# Allow in www
$fwcmd add 00800 allow tcp from $oip to me 80 in via $oif setup keep-state

# Allow TCP FTP control channel in & data channel out
$fwcmd add 00810 allow tcp from $oip to me 21 in via $oif setup keep-state
$fwcmd add 00811 allow tcp from $oip 20 to any 1024-49151 out via $oif setup keep-state

# Allow in ssh function
$fwcmd add 00820 allow log tcp from $oip to me 22 in via $oif setup keep-state

# Allow in telnet login
$fwcmd add 00830 allow tcp from $oip to me 23 in via $oif setup keep-state

# This sends a RESET to all ident packets.
$fwcmd add 00840 reset tcp from any to me 113 in via $oif

# Stop & log spoofing attack attempts.
# Examine incoming traffic for packets with both a source and destination
# IP address in your local domain as per CIAC prevention alert.
$fwcmd add 00850 deny log ip from me to me in via $oif

# Stop & log ping echo attacks
# stop echo reply (ICMP type 0), and echo request (type 8).
$fwcmd add 00860 deny log icmp from any to me icmptype 0,8 in via $oif

# Reject & log all setup of incoming connections from the outside
$fwcmd add 00900 deny log all from any to any in via $oif

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$fwcmd add 00910 deny log logamount 500 ip from any to any
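The policy statement and the control-section comments in the rule set above pin down two properties a stateful ipfw rule file has to keep: every rule that admits traffic on the public interface carries keep-state, and check-state sits above those rules so that replies are matched from the dynamic table rather than falling through to the static deny rules. The POSIX sh script below is an added example, not part of the original post and not FreeBSD's own code; it audits a rule file for both properties using only awk and grep, so it runs anywhere. It assumes rule lines are written `$fwcmd add NNNNN action ...` as in the post, and that the interfaces given as exempt (default `lo0|xl0|tun1|tun2`, matching the post's rules 100-130) are allowed to stay stateless. The sample rule file it writes is constructed for the demonstration and deliberately contains one keep-state rule placed above check-state and one rule with the typo `keep` in place of `keep-state`.

```shell
#!/bin/sh
# Added example (not from the original post): audit an ipfw rule script for
# the two properties the post's policy and comments require.
# Assumptions: rule lines look like '$fwcmd add NNNNN action ...'; interfaces
# matched by the EXEMPT regex (the post's rules 100-130) may be stateless.

# audit_rules FILE [EXEMPT_IFACE_REGEX]
# Prints one finding per line and nothing for a rule set that passes.
audit_rules() {
    awk -v exempt="${2:-lo0|xl0|tun1|tun2}" '
    {
        sub(/#.*/, "")                         # drop trailing comments
        if ($0 !~ /add +[0-9]+ /) next         # not a firewall rule line
        for (i = 1; i <= NF && $i != "add"; i++) ;
        num = $(i + 1); action = $(i + 2)
        if (action == "check-state") { seen_cs = 1; next }
        # keep-state above check-state: replies to those connections never
        # consult the dynamic table and hit the static rules instead
        if (!seen_cs && $0 ~ /keep-state/)
            print "rule " num ": keep-state rule precedes the first check-state"
        # allow without keep-state on a non-exempt interface is a stateless
        # hole; this also catches "keep" mistyped for "keep-state"
        if (action == "allow" && $0 !~ /keep-state/ && $0 !~ ("via (" exempt ")"))
            print "rule " num ": stateless allow rule, policy requires keep-state"
    }' "$1"
}

# write_sample_rules: constructed rule file (not the post's) that trips
# both checks; prints the path of the temporary file.
write_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
fwcmd="/sbin/ipfw -q"
$fwcmd add 00100 allow ip from any to any via lo0        # exempt: localhost
$fwcmd add 00110 allow ip from any to any via xl0        # exempt: LAN
$fwcmd add 00400 allow tcp from any to any 22 out via $oif setup keep-state
$fwcmd add 00500 check-state
$fwcmd add 00600 allow tcp from any to any 80 out via $oif setup keep-state
$fwcmd add 00611 allow udp from any to $odns1 53 out via $oif keep-state
$fwcmd add 00811 allow tcp from $oip 20 to any 1024-49151 out via $oif setup keep
$fwcmd add 00900 deny log all from any to any in via $oif
EOF
    echo "$f"
}

# finding_count FILE: number of findings as a bare integer (0 when clean)
finding_count() {
    audit_rules "$1" | grep -c '' || true
}

sample=$(write_sample_rules)
audit_rules "$sample"
# expected output:
# rule 00400: keep-state rule precedes the first check-state
# rule 00811: stateless allow rule, policy requires keep-state
rm -f "$sample"
```

Run it against the real file with `audit_rules /etc/ipfw.stdrules` before reloading; because it prints nothing when the file satisfies the policy, it can be placed ahead of `$fwcmd -f flush` in the reload step so a rule set that opens a stateless hole or misorders check-state is caught before the old rules are discarded.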