Date: Sun, 29 Jan 2017 18:52:58 +0100
From: Rakor <freebsd@rakor-net.de>
To: Thomás <thoms3rd@gmail.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: How to use IPFW to filter routing
Message-ID: <6B3C8792-2FEE-4FCE-952E-F13AF59E0927@rakor-net.de>
In-Reply-To: <20170129164035.GB10963@host>
References: <3C00AFCB-E2EF-4F89-8FBD-181C99DAC1FF@rakor-net.de> <20170129164035.GB10963@host>
Hi and thanks for your reply!

> On 29.01.2017 at 17:40, Thomás <thoms3rd@gmail.com> wrote:
>
> Sat, Jan 28, 2017 at 01:58:01PM +0100, Rakor:
>> As far as I know a packet is once scanned by IPFW and then first hit wins. So, if I set the following, a packet coming from VLAN3 for port 80 is permitted to travel all the way it wants, even to VLAN2. Putting another rule behind it just allowing it to travel out using igb2 is not checked, because the search terminated after the first hit.
>> ipfw add allow tcp 10.10.30.0/24 to any 80 setup keep-state
>
> Have you tried something like this?
>
> ipfw add deny tcp 10.10.30.0/24 to 10.10.10.0/24 setup keep-state
> ipfw add deny tcp 10.10.30.0/24 to 10.10.20.0/24 setup keep-state
> ipfw add allow tcp 10.10.30.0/24 to any 80 setup keep-state

This will work. But for any new subnet I'll have to remember to deny it for any other subnets. I think this can become unhandy very soon.

>> If I try the following, the packets are all rejected. I think the inspection is done before the routing, so IPFW does not know it should be forwarded using igb2.
>> ipfw add allow tcp 10.10.30.0/24 to any 80 out via igb2 setup keep-state
>
> IPFW can do routing table lookups as needed. Something else must be
> going on here. Log rules may be of help to debug and understand your
> ruleset.

I also tried it using recv and xmit rules. First I tried:

ipfw add allow tcp from 10.10.30.0/24 to any out recv igb0.30 xmit igb2 setup keep-state

It does not work. And later I tried this:

ipfw add allow tcp from 10.10.30.0/24 to any out xmit igb2 setup keep-state

Also not working. Any time, it was caught by my default rule at the end:

00150 deny log logamount 5 ip from any to any

/var/log/security said:

150 Deny TCP 10.10.30.5:51145 82.193.243.115:80 in via igb0.30

So to me it looks like it does not know that the packet will be transmitted via igb2 at the moment it is inspected.

>> So I don't know how to filter packets that should be routed in an exact manner. Can you help me?
>
> There are plenty of ways to filter packets in that setup, the "exact"
> one depends on what you are trying to achieve.

OK. So I'd like to have deny by default (as ipfw is working). Then I'd like to say exactly which traffic is allowed. So in my mind I'll have no additional deny-rules. I'd like to say from which interface to which interface the traffic is traveling, because this respects my VLANs. OK, because there is an IP attached to the devices, using the subnets would do it also (but I feel more comfortable seeing my interfaces - maybe it's stupid).

So the rules I'd like to write say:

"allow tcp from VLAN3 to Internet using ports 80,443 coming from igb0.3 going to igb2 and deny all the rest."
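Added example (not from this thread, and not ipfw's own code): a small Python model of why the "out xmit igb2" rule above never fires. A forwarded packet passes through ipfw twice, once on the input pass (where only the receiving interface is known, so xmit cannot match) and again on the output pass, and the first matching rule wins on each pass; the log line "in via igb0.30" is the input pass hitting the default deny. The packet is constructed from that log line; rule numbers other than 150, port 443 and the extra "in recv igb0.30" rule are assumptions, and the model is stateless (it ignores the dynamic entries keep-state creates), so it shows only the first SYN.

```python
import ipaddress

# Constructed SYN packet taken from the log line quoted in the mail:
# "Deny TCP 10.10.30.5:51145 82.193.243.115:80 in via igb0.30", routed out via igb2.
PKT = {"src": "10.10.30.5", "dport": 80, "syn": True, "recv": "igb0.30", "xmit": "igb2"}

def rule(num, action, **opts):
    """Build a rule dict; the keys mirror the ipfw options used in the thread."""
    return dict(num=num, action=action, **opts)

# The ruleset from the mail: only an "out xmit igb2" rule plus the default deny.
BROKEN = [
    rule(100, "allow", src="10.10.30.0/24", dport={80}, dir="out", xmit="igb2", setup=True),
    rule(150, "deny"),  # 00150 deny log logamount 5 ip from any to any
]
# Assumed fix: also admit the packet on the input pass, matched on its receiving interface.
FIXED = [
    rule(100, "allow", src="10.10.30.0/24", dport={80, 443}, dir="in", recv="igb0.30", setup=True),
    rule(110, "allow", src="10.10.30.0/24", dport={80, 443}, dir="out", recv="igb0.30", xmit="igb2", setup=True),
    rule(150, "deny"),
]

def matches(r, pkt, direction):
    """True if rule r matches pkt on the given pass ("in" or "out")."""
    if r.get("dir") not in (None, direction):
        return False
    # The outgoing interface is not yet known on the input pass, so xmit can
    # only match on "out"; the receiving interface is known on both passes.
    if "xmit" in r and (direction != "out" or r["xmit"] != pkt["xmit"]):
        return False
    if "recv" in r and r["recv"] != pkt["recv"]:
        return False
    if "src" in r and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(r["src"]):
        return False
    if "dport" in r and pkt["dport"] not in r["dport"]:
        return False
    if r.get("setup") and not pkt["syn"]:
        return False
    return True

def evaluate(rules, pkt):
    """Inspect a forwarded packet on both passes; returns ("deny", rule, pass) or ("allow", None, None)."""
    for direction in ("in", "out"):
        for r in rules:
            if matches(r, pkt, direction):
                if r["action"] == "deny":
                    return ("deny", r["num"], direction)
                break  # allowed on this pass, continue with the next one
    return ("allow", None, None)
```

Running `evaluate(BROKEN, PKT)` reproduces the logged verdict, a deny by rule 150 on the input pass, while `evaluate(FIXED, PKT)` lets the SYN through both passes.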