Date: Sat, 2 Nov 2024 16:30:48 +0100
From: Dries Michiels <driesm@freebsd.org>
To: freebsd-ipfw@freebsd.org, freebsd-pf@freebsd.org, FreeBSD Net <freebsd-net@freebsd.org>
Subject: IPFW stateful firewall ruleset - some sites or applications do not work as expected
Message-ID: <CACx_iREW_UKAHgwcq0xyTj=aHwC38ZHEovjqnihGUjfPnQO=sw@mail.gmail.com>
Hello,

So I have a very basic ruleset, as described in the FreeBSD handbook, see below. I have "blurred" my open ports as seen in the ruleset below. Igc0 is my WAN port and in the table "trusted_if" are like my LAN if and some bridges.

00001 reass ip from any to any in
00010 allow ip from any to any via table(trustedif)
00050 deny log ip from any to any not antispoof in
00100 nat 1 ip4 from any to any in recv igc0
00500 skipto 10000 tcp from any to any out xmit igc0 setup keep-state :default
00501 skipto 10000 udp from any to any out xmit igc0 keep-state :default
05000 allow tcp from any to me *some open ports* in recv igc0 setup keep-state :default
05001 allow udp from any to me *some open ports* in recv igc0 keep-state :default
09998 deny log tcp from any to any
09999 deny log udp from any to any
10000 nat 1 ip4 from any to any out xmit igc0
65535 allow ip from any to any

Now comes the tricky part. There are some applications that don't work correctly with this ruleset. For example, itsme (Belgian application) to identify yourself with a lot of accounts, does not work. Recently my banking website also stopped working. So now I'm wondering how do I start to troubleshoot this issue? Are there any caveats with this ruleset when redirects are happening for example? I'm also wondering if Belgian PF users have the same issue?

I'm hopeful to get to the bottom of this as it's quite annoying needing to switch wifi channels to my ISP's router which does work with these applications.

Regards
Dries
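A starting point for the troubleshooting question asked above, added here as an example and not part of the original post or of FreeBSD: the ruleset logs every packet that reaches 00050, 09998 or 09999, so the first thing to look at is what those rules are actually dropping. The script below parses ipfw log lines of the form ipfw writes to /var/log/security when net.inet.ip.fw.verbose=1 (the sample lines are constructed for this example, and the assumed field order is "rule action proto src:sport dst:dport dir via iface"), counts hits per rule and per flow, and singles out inbound packets on the WAN side whose source port is a service port. Those look like replies to connections the LAN opened itself; if they are hitting a deny rule, no dynamic rule matched them, which is exactly the class of problem (state expired, state never created, or NAT not translating the reply back) that makes a site work on the ISP router but not behind this ruleset.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the poster's system). The format is
# what ipfw's syslog logging produces with net.inet.ip.fw.verbose=1.
SAMPLE_LOG = """\
Nov  2 16:30:48 gw kernel: ipfw: 9998 Deny TCP 203.0.113.10:443 198.51.100.7:51234 in via igc0
Nov  2 16:30:49 gw kernel: ipfw: 9998 Deny TCP 203.0.113.10:443 198.51.100.7:51234 in via igc0
Nov  2 16:30:50 gw kernel: ipfw: 9998 Deny TCP 192.0.2.44:53811 198.51.100.7:22 in via igc0
Nov  2 16:30:51 gw kernel: ipfw: 9999 Deny UDP 203.0.113.53:53 198.51.100.7:40001 in via igc0
Nov  2 16:30:52 gw kernel: ipfw: 50 Deny TCP 10.0.0.5:4444 198.51.100.7:80 in via igc0
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_log(text):
    """Return one dict per recognised ipfw log line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("rule", "sport", "dport"):
            d[key] = int(d[key])
        events.append(d)
    return events


def summarize(events):
    """Hit counts per rule number and per 5-tuple, so repeated drops stand out."""
    by_rule = Counter(e["rule"] for e in events)
    by_flow = Counter(
        (e["proto"], e["src"], e["sport"], e["dst"], e["dport"]) for e in events
    )
    return by_rule, by_flow


def suspected_lost_state(events, wan="igc0", service_ports=(53, 80, 443)):
    """Denied inbound packets on the WAN interface whose *source* port is a
    service port. For an outbound-initiated flow these should have matched the
    dynamic rule created at 00500/00501; reaching a deny rule instead means the
    state is gone (timed out), was never created, or NAT did not map the reply."""
    return [
        e for e in events
        if e["action"] == "Deny"
        and e["dir"] == "in"
        and e["iface"] == wan
        and e["sport"] in service_ports
    ]


def report(text):
    events = parse_log(text)
    by_rule, by_flow = summarize(events)
    lost = suspected_lost_state(events)
    return {
        "events": len(events),
        "by_rule": dict(by_rule),
        "top_flow": by_flow.most_common(1)[0] if by_flow else None,
        "suspected_lost_state": len(lost),
    }


if __name__ == "__main__":
    # Stand-alone usage on the constructed sample; on a real box feed it
    # /var/log/security instead.
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

When the suspected-lost-state list is non-empty, the next thing to compare is the dynamic rule table (`ipfw -d list`) taken while the failing page loads, and the state lifetimes in net.inet.ip.fw.dyn_* (UDP state in particular is short-lived by default). A redirect chain that takes longer than the relevant lifetime, or a reply arriving after the dynamic rule expired, would show up as exactly this pattern.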