Date:      Thu, 15 Mar 2001 08:30:30 +0200
From:      "Patrick O'Reilly" <patrick@mip.co.za>
To:        "Ramoncito P. Puyat" <nitronarc@iname.com>, <freebsd-ipfw@FreeBSD.ORG>
Subject:   RE: help with ipfw
Message-ID:  <NDBBIMKICMDGDMNOOCAIMEIGCEAA.patrick@mip.co.za>
In-Reply-To: <5.0.2.1.2.20010315124042.009f4850@pop.info.com.ph>

Ramon,

Here is the procedure I follow when trying to determine what needs to be
'open' for a specific set of comms to work.

This is a highly technical method which should be used by trained
professionals only!!!  Do not try this at home or without professional
supervision!!!  ;-)  Yeah, just kidding - this is trial and error
development at its best!

In your rc.firewall, add two rules directly after the divert to natd and the
established and fragment rules something like this (X.X.X.X is the IP of the
server on the Internet that you are trying to reach):
--------
/sbin/ipfw add divert 8668 ip from any to any via ed0
/sbin/ipfw add allow tcp from any to any established
/sbin/ipfw add allow all from any to any frag
/sbin/ipfw add allow log ip from any to X.X.X.X             <--- new rule
/sbin/ipfw add allow log ip from X.X.X.X to any             <--- new rule
--------

Now, try the connections you need.  They should work as the firewall is now
'open' for all traffic to/from the specific destination IP address.  If it
still does not work then you will need to temporarily add logging to the
deny rules earlier in your rc.firewall to see which ones are stopping your
comms.

Read your /var/log/ipfw.log and learn what comms are happening.  Then you
can build more specific rules to match exactly what is needed to make it
work generically.  (And don't forget to remove these test rules once you are
done!)

Regards,
Patrick O'Reilly
---
"I do not feel obliged to believe that the same God who has endowed us with
sense, reason, and intellect has intended us to forego their use." --
Galileo Galilei
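
The open-then-tighten loop described above, as an added shell example that is not part of Patrick's message or of the FreeBSD rc.firewall: it prints the two temporary test rules for a given server address (with fixed rule numbers 5000 and 5001, chosen here so they are easy to delete afterwards), digests syslog lines of the `/kernel: ipfw: ...` form into the distinct protocol/direction/port combinations seen on the outside interface, and turns those into the narrower rules that replace the test rules. The server address 198.51.100.7, the public address 203.0.113.5 and the log lines are constructed placeholders, not output from anyone's firewall.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes FreeBSD 4.x-style ipfw log
# lines ("ipfw: RULE ACTION PROTO SRC:PORT DST:PORT in|out via IFACE") and
# the rule layout in Ramon's rc.firewall: divert natd, then established,
# then frag, then the two test rules.

# Print (do not run) the temporary test rules for server $1.  The fixed
# numbers are an assumption of this example; remove with: ipfw delete 5000 5001
test_rules() {
    ip="$1"
    echo "/sbin/ipfw add 5000 allow log ip from any to $ip"
    echo "/sbin/ipfw add 5001 allow log ip from $ip to any"
}

# Read syslog on stdin; keep hits on rules $1/$2 seen via interface $3 and
# print one "PROTO DIR PORT" line per distinct combination.  The interface
# filter matters: ipfw evaluates a forwarded packet once "in" on the LAN
# interface and once "out" on the outside one, and the test rules have no
# "via" restriction, so without it every outbound packet is counted twice
# and the LAN-side pass shows up as "in".
summarize_log() {
    awk -v r1="$1" -v r2="$2" -v ifc="$3" '
    /ipfw: / {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        rule = $(i+1); proto = $(i+3); src = $(i+4); dst = $(i+5)
        dir = $(i+6); iface = $(i+8)
        if ((rule != r1 && rule != r2) || iface != ifc) next
        if (proto != "TCP" && proto != "UDP") next   # ICMP logs as ICMP:type.code
        ns = split(src, s, ":"); nd = split(dst, d, ":")
        sport = s[ns]; dport = d[nd]
        # TCP: only setup packets reach the test rules (established is above
        # them), so the destination port is the service being connected to.
        # UDP: the remote end of the exchange is the server-side port.
        if (proto == "TCP") port = dport
        else port = (dir == "out") ? dport : sport
        key = proto " " dir " " port
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Turn "PROTO DIR PORT" lines into specific rules for server $1; $2 is the
# outside interface (defaults to ed0 as in the thread).
suggest_rules() {
    ip="$1"; ifc="${2:-ed0}"; emitted=""
    while read proto dir port; do
        case "$proto $dir" in
        "TCP out")
            echo "/sbin/ipfw add allow tcp from any to $ip $port setup" ;;
        "TCP in")
            echo "/sbin/ipfw add allow tcp from $ip to any $port in via $ifc setup" ;;
        UDP*)
            # UDP has no setup/established; allow both directions once per port
            case " $emitted " in *" $port "*) continue ;; esac
            emitted="$emitted $port"
            echo "/sbin/ipfw add allow udp from any to $ip $port"
            echo "/sbin/ipfw add allow udp from $ip $port to any" ;;
        esac
    done
}

# Constructed sample log: one outbound TCP connection seen on both
# interfaces, a second one, a UDP exchange, an inbound TCP setup, an ICMP
# line and an unrelated deny at rule 65000.
SAMPLE_LOG='Mar 15 08:31:02 fw /kernel: ipfw: 5000 Accept TCP 192.168.0.12:1045 198.51.100.7:6901 in via rl0
Mar 15 08:31:02 fw /kernel: ipfw: 5000 Accept TCP 203.0.113.5:1045 198.51.100.7:6901 out via ed0
Mar 15 08:31:09 fw /kernel: ipfw: 5000 Accept TCP 203.0.113.5:1046 198.51.100.7:6901 out via ed0
Mar 15 08:31:10 fw /kernel: ipfw: 5000 Accept UDP 203.0.113.5:6801 198.51.100.7:6801 out via ed0
Mar 15 08:31:10 fw /kernel: ipfw: 5001 Accept UDP 198.51.100.7:6801 192.168.0.12:6801 in via ed0
Mar 15 08:31:14 fw /kernel: ipfw: 5001 Accept TCP 198.51.100.7:1712 192.168.0.12:6891 in via ed0
Mar 15 08:31:15 fw /kernel: ipfw: 5001 Accept ICMP:3.3 198.51.100.7 192.168.0.12 in via ed0
Mar 15 08:31:20 fw /kernel: ipfw: 65000 Deny TCP 10.9.8.7:2345 203.0.113.5:139 in via ed0'

# Demo on the sample
test_rules 198.51.100.7
printf '%s\n' "$SAMPLE_LOG" | summarize_log 5000 5001 ed0
printf '%s\n' "$SAMPLE_LOG" | summarize_log 5000 5001 ed0 | suggest_rules 198.51.100.7
```

Two practical points when reading such a log: rules only log while net.inet.ip.fw.verbose is set, and each rule stops logging once it reaches net.inet.ip.fw.verbose_limit, so run `ipfw resetlog` before each attempt. An inbound TCP setup to a workstation behind natd (the "TCP in" case) additionally needs natd to redirect that port to the internal host; the allow rule alone does not make it reachable.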

-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG
[mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of Ramoncito P. Puyat
Sent: 15 March 2001 06:41
To: freebsd-ipfw@FreeBSD.ORG
Subject: help with ipfw


greetings!

We have a small company using a cable connection for our internet.
Recently, due to some nuisance hacking we installed a freebsd box with
ipfw/natd. Everything went fine until two of our employees complained that
we were not able to use the pc-to-phone facility of MSN Messenger and the
ftp facility of ICQ. When we needed to call, we had to bring the firewall
to open-mode and only closed it up after the phone call. My security logs
point to many probe/scan attempts from the outside especially in the
137-139 port range. We tried to make the rules as per the suggestion of MSN
and ICQ but to no avail. Could someone help me out on this. I want to allow
the use of MSN and ICQ without necessarily removing my protection. Below
is a copy of my ipfw rules.

TIA

Ramon

----- ipfw.rules -----

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
         . /etc/defaults/rc.conf
         source_rc_confs
elif [ -r /etc/rc.conf ]; then
         . /etc/rc.conf
fi

if [ -n "${1}" ]; then
         firewall_type="${1}"
fi

# Flush previous rules
/sbin/ipfw -f flush

# Allow loopbacks, deny imposters
/sbin/ipfw add 100 pass all from any to any via lo0
/sbin/ipfw add 200 deny all from any to 127.0.0.0/8

# Stop spoofing
/sbin/ipfw add deny all from 192.168.0.0/16 to any in via ed0
/sbin/ipfw add deny all from not 192.168.0.0/16 to any in via rl0

# Stop RFC1918 nets on the outside interface
/sbin/ipfw add deny all from any to 10.0.0.0/8 via ed0
/sbin/ipfw add deny all from any to 172.16.0.0/12 via ed0
/sbin/ipfw add deny all from any to 192.168.0.0/16 via ed0

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
/sbin/ipfw add deny all from any to 0.0.0.0/8 via ed0
/sbin/ipfw add deny all from any to 169.254.0.0/16 via ed0
/sbin/ipfw add deny all from any to 192.0.2.0/24 via ed0
/sbin/ipfw add deny all from any to 224.0.0.0/4 via ed0
/sbin/ipfw add deny all from any to 240.0.0.0/4 via ed0
/sbin/ipfw add deny all from 0.0.0.0/8 to any via ed0
/sbin/ipfw add deny all from 169.254.0.0/16 to any via ed0
/sbin/ipfw add deny all from 192.0.2.0/24 to any via ed0
/sbin/ipfw add deny all from 224.0.0.0/4 to any via ed0
/sbin/ipfw add deny all from 240.0.0.0/4 to any via ed0

# Stop Scour
/sbin/ipfw add deny all from 209.249.159.0/24 to any via ed0
/sbin/ipfw add deny all from 216.52.208.0/24 to any via ed0
/sbin/ipfw add deny all from any to 209.249.159.0/24 via ed0
/sbin/ipfw add deny all from any to 216.52.208.0/24 via ed0

# Network Address Translation.  This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules.  If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above.  Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
/sbin/ipfw add divert 8668 ip from any to any via ed0

# Allow established connections with minimal overhead
/sbin/ipfw add allow tcp from any to any established

# Allow IP fragments to pass through
/sbin/ipfw add allow all from any to any frag


### TCP RULES

# DNS - Allow queries out in the world
/sbin/ipfw add allow tcp from any to 203.172.11.21 53
/sbin/ipfw add allow tcp from any to 203.172.11.25 53
/sbin/ipfw add allow tcp from 203.172.11.21 53 to any
/sbin/ipfw add allow tcp from 203.172.11.25 53 to any

# HTTP - Allow access to our web server
/sbin/ipfw add allow tcp from any to any 80 setup

# HTTPS - Allow access to our secure server
/sbin/ipfw add allow tcp from any to any 443 setup

# POP - Allow access to our POP3 server
/sbin/ipfw add allow tcp from any to any 110 setup

# SMTP - Allow access to sendmail for incoming e-mail
/sbin/ipfw add allow tcp from any to any 25 setup

# FTP - Allow incoming data channel for outgoing connections,
# reject & log all incoming control connections
/sbin/ipfw add allow tcp from any 20 to any 1024-65535 setup
/sbin/ipfw add deny log tcp from any to any 21 in via ed0 setup

# SSH Login - Allow & Log all incoming
/sbin/ipfw add allow log tcp from any to any 22 in via ed0 setup

# IDENT - Reset incoming connections
/sbin/ipfw add reset tcp from any to any 113 in via ed0 setup

# NFS
/sbin/ipfw add deny log tcp from any to any 2049 in recv ed0

# ICQ
/sbin/ipfw add allow tcp from any 5190 to any via ed0
/sbin/ipfw add allow tcp from any to any 5190 via ed0

# MSN Messenger
/sbin/ipfw add allow tcp from any 6901 to any via ed0
/sbin/ipfw add allow tcp from any to any 6901 via ed0
/sbin/ipfw add allow tcp from any to any 7801-7825 via ed0
/sbin/ipfw add allow tcp from any 6891-6900 to any via ed0
/sbin/ipfw add allow tcp from any to any 6891-6900 via ed0

# X Servers
/sbin/ipfw add deny log tcp from any to any 6000-6010 in recv ed0

# Reject&Log all setup of incoming connections from the outside
/sbin/ipfw add deny log tcp from any to any in via ed0 setup

# Allow setup of any other TCP connection
/sbin/ipfw add allow tcp from any to any setup


### UDP RULES

# DNS - Allow queries out in the world
/sbin/ipfw add allow udp from any to 203.172.11.21 53
/sbin/ipfw add allow udp from any to 203.172.11.25 53
/sbin/ipfw add allow udp from 203.172.11.21 53 to any
/sbin/ipfw add allow udp from 203.172.11.25 53 to any

# SMB - Allow local traffic
/sbin/ipfw add allow udp from any to any 137-139 via rl0

# SYSLOG - Allow machines on inside net to log to us.
/sbin/ipfw add allow log udp from any to any 514 via rl0

# NTP - Allow queries out in the world
/sbin/ipfw add allow udp from any 123 to any 123 via ed0
/sbin/ipfw add allow udp from any 123 to any via rl0
/sbin/ipfw add allow udp from any to any 123 via rl0

# MSN Messenger
/sbin/ipfw add allow udp from any to any 6801 via ed0
/sbin/ipfw add allow udp from any to any 6901 via ed0
/sbin/ipfw add allow udp from any to any 2001-2120 via ed0
/sbin/ipfw add allow udp from any 6801 to any via ed0
/sbin/ipfw add allow udp from any 6901 to any via ed0
/sbin/ipfw add allow udp from any 2001-2120 to any via ed0

# NFS
/sbin/ipfw add deny log udp from any to any 2049 in recv ed0

# TRACEROUTE - Allow outgoing
/sbin/ipfw add allow udp from any to any 33434-33523 out via ed0


### ICMP RULES

# ICMP packets
# Allow all ICMP packets on internal interface
/sbin/ipfw add allow icmp from any to any via rl0

# Allow outgoing pings
/sbin/ipfw add allow icmp from any to any icmptypes 8 out via ed0
/sbin/ipfw add allow icmp from any to any icmptypes 0 in via ed0

# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
/sbin/ipfw add allow icmp from any to any icmptypes 3,4,11,12 via ed0

# Deny the rest of them
/sbin/ipfw add deny icmp from any to any


### MISCELLANEOUS REJECT RULES

# Reject broadcasts from outside interface
/sbin/ipfw add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ed0

# Reject&Log SMB connections on outside interface
/sbin/ipfw add 64000 deny log udp from any to any 137-139 via ed0

# Reject&Log all other connections from outside interface
/sbin/ipfw add 65000 deny log ip from any to any via ed0

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

