From owner-freebsd-ipfw Thu Jan 30 9:11:10 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 840B537B401 for ; Thu, 30 Jan 2003 09:10:56 -0800 (PST)
Received: from smtp.a1poweruser.com (oh-chardon6a-34.clvhoh.adelphia.net [68.169.105.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id F067D43F75 for ; Thu, 30 Jan 2003 09:10:53 -0800 (PST) (envelope-from barbish@a1poweruser.com)
Received: from barbish (unknown [10.0.10.6]) by smtp.a1poweruser.com (Postfix) with SMTP id F3F8E31; Thu, 30 Jan 2003 12:18:57 -0500 (EST)
Reply-To:
From: "JoeB"
To: "Michael Sierchio"
Cc: "Nick Rogness", "Simon L. Nielsen",
Subject: RE: Error in ipfw manpage for stateful rules?
Date: Thu, 30 Jan 2003 12:10:51 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <3E394339.6080201@tenebras.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Importance: Normal
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Nice little rule set, but without an explanation of what each rule is supposed to be doing and at what point it takes effect, your sample rule set does not convey any insight into how it works. What interface are the dynamic rules being built on? Internal NIC IP addresses or external NIC IP address? And this is a let-everything-pass example. What good is it as a real-world working example when most firewall users deny all in and out except those protocol/port combinations that only allow desired functions? Your example is a very poor one.
So again I state that the documentation for keep-state rules using IPFW/NATD does not contain the information to create a fully enabled keep-state firewall using the IPFW/NATD function. Here are my IPFW rules, which function perfectly when I use user ppp -nat to do the NAT function outside of IPFW; when I stop using ppp -nat and use IPFW/NATD with the same rule set, including the divert natd rule 200 being uncommented, it stops working. This should not be. So show me how your example can be made to be restrictive like my rules are.

###########################################################################
#
# Define IPFW firewall rules for gateway.a1poweruser.com
# 2/15/2002 Joe Barbish
#
# User ppp tun0 dial out to ISP with dynamic IP addresses assigned.
# User ppp tun1 dial in to this box with dynamic IP addresses assigned
# User ppp tun2 dial in to this box with dynamic IP addresses assigned
# User ppp nat used. Private IP address used inside.
# 3 win98 boxes on LAN with static IP address hard coded.
# Protect the whole private network from loss of service attacks
# These rules can be reloaded without rebooting by issuing this command
# sh /etc/ipfw.stdrules
#
# The use of 'me' in rules means IP address 127.0.0.0 localhost
#
# Firewall Policy Statement.
# All packet traffic originating behind this firewall not requiring access
# to the public internet is exempt from these firewall rules.
#
# Each public internet function must be explicitly allowed by a rule.
# Only valid responses to the packets I've sent out are allowed in.
# All packets must use the IPFW advanced "dynamic" rules function.
# No state-less rules or simple-stateful rules are allowed.
###########################################################################

# Flush out the list before we begin.
/sbin/ipfw -q -f flush

# Set rules command prefix
# The -q option on the command is for quiet mode.
# Do not display rules as they load. Remove during development to see.
cmd="/sbin/ipfw -q add"

# Set defaults
# set these to your outside interface network and netmask and ip
# for dynamic IP address from ISP use their range
oif="tun0"
odns1="208.206.15.11"      # ISP's dns server 1 IP address
odns2="208.206.15.12"      # ISP's dns server 2 IP address
oisp="208.206.15.4"        # Mangobay ISP router issuing rip
oip="63.70.155.25/24"      # For testing dial isp from standalone pc and
                           # access this FBSD box over the internet.
                           # This value is the dynamic IP address range
                           # issued by ISP. oip is in inbound section
                           # statements to only allow inbound access from me.
                           # /24 means 63.70.155.1 thru 63.70.155.256

# Set these to your inside interface network and ip address range
iif="xl0"                  # Nic card
iip="10.0.10.2/29"         # Private IP address range on Nic card
                           # /29 means 10.0.10.1 thru 10.0.10.08
                           # 10.0.10.2 Lan Nic card
                           # 10.0.10.5 Lan Windows98 machine1
iip2="10.0.0.1/29"         # Private IP address range for dial in
                           # /29 means 10.0.0.1 thru 10.0.10.08
                           # 10.0.0.2 User PPP Dialin Host
                           # 10.0.0.5 User PPP Dialin Windows98 machine1

# This is the start of the rules.
# All traffic coming in from the internet or
# leaving the local LAN starts here

# Handle Mangobay router 520 rip request
$cmd 00002 deny udp from $oisp 520 to me in via $oif

#*** TESTING PURPOSES ONLY *** TESTING PURPOSES ONLY *** TESTING PURPOSES ONLY
# The following rule if un-commented will change the behaviour of this
# FireWall rule set from closed to completely open, thus bypassing all of the
# following rules. This single rule is placed here for TESTING PURPOSES ONLY.
#$cmd 00005 allow all from any to any via xl0
#$cmd 00006 allow log logamount 200 all from any to any

# Internal gateway housekeeping
# Rules # 100 - 130 exempt everything behind the firewall from this rule set.
# Rules # 150 & 160 deny the reference to the localhost default IP address.
$cmd 00100 allow all from any to any via lo0    # allow all localhost
$cmd 00110 allow all from any to any via xl0    # allow all local LAN
$cmd 00120 allow all from any to any via tun1   # allow all dialin call 1
$cmd 00130 allow all from any to any via tun2   # allow all dialin call 2
$cmd 00150 deny all from any to 127.0.0.0/8     # deny use of localhost IP
$cmd 00160 deny all from 127.0.0.0/8 to any     # deny use of localhost IP

#$cmd 00200 divert natd all from any to any via tun0

######## control section ############################################
# Start of IPFW advanced Stateful Filtering using "dynamic" rules.
# The check-state statement behaviour is to match bidirectional packet traffic
# flow between source and destination using protocol/IP/port/sequence number.
# The dynamic rule has a limited lifetime which is controlled by a set of
# sysctl(8) variables. The lifetime is refreshed every time a matching
# packet is found in the dynamic table.

# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
$cmd 00500 check-state

# Deny & log all fragments as bogus packets
$cmd 00502 deny log all from any to any frag

# Deny & log ACK packets that did not match the dynamic rule table
$cmd 00501 deny log tcp from any to any established

######## outbound section ############################################
# Interrogate packets originating from behind the firewall, private net.
# Upon a rule match, its keep-state option will create a dynamic rule.

# Allow out www function
$cmd 00600 allow tcp from any to any 80 out via $oif setup keep-state

# Allow lan winbox access to FBSD Apache13/Frontpage Server
$cmd 00601 allow tcp from $iip to any 80 out via $oif setup keep-state

# Allow out access to my ISP's Domain name server.
$cmd 00610 allow tcp from any to $odns1 53 out via $oif setup keep-state
$cmd 00611 allow udp from any to $odns1 53 out via $oif keep-state
$cmd 00615 allow tcp from any to $odns2 53 out via $oif setup keep-state
$cmd 00616 allow udp from any to $odns2 53 out via $oif keep-state

# Allow out access to internet Domain name server.
$cmd 00618 allow tcp from any to any 53 out via $oif setup keep-state
$cmd 00619 allow udp from any to any 53 out via $oif keep-state

# Allow out send & get email function
$cmd 00630 allow tcp from any to any 25,110 out via $oif setup keep-state

# Allow out & in FBSD (make install & CVSUP) functions
# Basically give user id root "GOD" privileges.
$cmd 00640 allow tcp from me to any out via $oif setup keep-state uid root
#$cmd 00641 allow tcp from any to me in via $oif setup keep-state uid root

# Allow out & in console traceroute command
$cmd 00642 allow udp from me to any 33435-33500 out via $oif keep-state
$cmd 00643 allow icmp from any to me icmptype 3,11 in via $oif limit src-addr 2

# Allow out ping
$cmd 00650 allow icmp from any to any out via $oif keep-state

# Allow out FTP control channel & in of data channel
$cmd 00671 allow tcp from any to any 21 out via $oif setup keep-state

# Allow in FTP data channel to Lan ip range
$cmd 00672 allow tcp from any 20 to $iip 1024-49151 in via $oif setup keep-state

# Allow in FTP data channel to Dialin users ip range
$cmd 00673 allow tcp from any 20 to $iip2 1024-49151 in via $oif setup keep-state

# Allow out ssh
#$cmd 00680 allow tcp from any to any 22 out via $oif setup keep-state

# Allow out TELNET
$cmd 00690 allow tcp from any to any 23 out via $oif setup keep-state

# Allow out Network Time Protocol (NTP) queries
#$cmd 00694 allow tcp from any to any 123 out via $oif setup keep-state
#$cmd 00695 allow udp from any to any 123 out via $oif keep-state

# Allow out Time
$cmd 00696 allow tcp from any to any 37 out via $oif setup keep-state
$cmd 00697 allow udp from any to any 37 out via $oif keep-state

# Allow out ident
#$cmd 00700 allow tcp from any to any 113 out via $oif setup keep-state
#$cmd 00701 allow udp from any to any 113 out via $oif keep-state

# Allow out IRC
#$cmd 00710 allow tcp from any to any 194 out via $oif setup keep-state
#$cmd 00711 allow udp from any to any 194 out via $oif keep-state

# Allow out whois
$cmd 00712 allow tcp from any to any 43 out via $oif setup keep-state
$cmd 00713 allow udp from any to any 43 out via $oif keep-state

# Allow out whois++
#$cmd 00715 allow tcp from any to any 63 out via $oif setup keep-state
#$cmd 00716 allow udp from any to any 63 out via $oif keep-state

# Allow out finger
#$cmd 00720 allow tcp from any to any 79 out via $oif setup keep-state
#$cmd 00721 allow udp from any to any 79 out via $oif keep-state

# Allow out nntp news
#$cmd 00725 allow tcp from any to any 119 out via $oif setup keep-state
#$cmd 00726 allow udp from any to any 119 out via $oif keep-state

# Allow out gopher
#$cmd 00730 allow tcp from any to any 70 out via $oif setup keep-state
#$cmd 00731 allow udp from any to any 70 out via $oif keep-state

# Allow out pcANYwhere software product
# Can only call out, can not receive incoming calls because of private
# IP address on Lan.
#$cmd 00740 allow udp from $iip to any 22,5632 out via $oif keep-state
#$cmd 00741 allow tcp from $iip to any 5631 out via $oif setup keep-state

######## inbound section ############################################
# Interrogate packets originating from in front of the firewall, public net.
# Place statements here to allow public requests for service.
# The ${oip} holds the dynamic ip address range that both this FBSD box and
# the standalone pc I use for testing log into, so the result is only I can
# gain public access from the internet to these functions.
# Allow in www
$cmd 00800 allow tcp from $oip to any 80 in via $oif setup keep-state limit src-addr 4

# Allow TCP FTP control channel in & data channel out
$cmd 00810 allow tcp from $oip to me 21 in via $oif setup keep-state limit src-addr 4
$cmd 00811 allow tcp from $oip 20 to any 1024-49151 out via $oif setup keep-state limit src-addr 4

# Allow in ssh function
#$cmd 00820 allow log tcp from $oip to me 22 in via $oif setup keep-state limit src-addr 4

# Allow in Telnet
$cmd 00830 allow tcp from $oip to me 23 in via $oif setup keep-state limit src-addr 4

# This sends a RESET to all ident packets.
$cmd 00840 reset log tcp from any to me 113 in via $oif limit src-addr 4

# Stop & log external redirect requests.
$cmd 00845 deny log icmp from any to any icmptype 5 in via $oif

# Stop & log spoofing Attack attempts.
# Examine incoming traffic for packets with both a source and destination
# IP address in my local domain as per CIAC prevention alert.
$cmd 00850 deny log ip from me to me in via $oif

# Stop & log ping echo attacks
# stop echo reply (ICMP type 0), and echo request (type 8).
$cmd 00860 deny log icmp from any to me icmptype 0,8 in via $oif

# Reject & Log all setup of tcp incoming connections from the outside
$cmd 00900 deny log tcp from any to any setup in via $oif

# Reject & Log all netbios Name service
$cmd 00910 deny log tcp from any to any 137 in via $oif
$cmd 00911 deny log udp from any to any 137 in via $oif

#delta force game (not working yet)
$cmd 00912 allow udp from $iip to any 3568,3569 out via $oif keep-state
$cmd 00913 allow udp from 65.214.130.47 1436 to $iip in via $oif keep-state
$cmd 00914 allow tcp from 208.231.90.229 80 to $iip in via $oif keep-state
$cmd 00915 allow tcp from $iip to 208.231.90.229 80 out via $oif keep-state

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 00950 deny log all from any to any

-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG [mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of Michael Sierchio
Sent: Thursday, January 30, 2003 10:23 AM
To: barbish@a1poweruser.com
Cc: Nick Rogness; Simon L. Nielsen; freebsd-ipfw@FreeBSD.ORG
Subject: Re: Error in ipfw manpage for stateful rules?

JoeB wrote:

> That is not the only thing wrong with the example.
> IPFW with NATD does not function with keep-state rules.

Oh, but it does. It just requires the right set of rules. This is oft-discussed, and is not a design defect but a consequence of using two different types of stateful mechanism. I myself use stateful rules and natd -- some of the ruleset is quite non-intuitive.

> Just read the IPFW-list archives back through 1/2002 and you will
> get a very clear picture of the problem.

I believe that, if you go further back in the archives, you'll see I was laboring under the same misunderstanding.
Here's an example:

pub_hosts=outside IP addr list / public net
prv_net= rfc1918 addrs / private net
oif= outside if
iif= inside if

$fw add 02100 set 0 divert natd ip from any to any via $oif
$fw add 02200 set 0 check-state
$fw add 02400 set 0 allow ip from $pub_hosts to any out xmit $oif
$fw add 02450 set 0 deny tcp from any to any established
$fw add 03300 set 0 allow tcp from $prv_net to any in via $iif keep-state setup
$fw add 03400 set 0 allow udp from $prv_net to any keep-state
$fw add 03500 set 0 allow icmp from $prv_net to any

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
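The following is an added illustration, not code from either poster: a small Python model of the ipfw packet path that walks one LAN HTTP connection through divert natd, check-state and a keep-state rule, in the two shapes seen in this thread (state created "out via tun0" after the divert, as in the long ruleset above with rule 200 uncommented, and state created "in via xl0" on the untranslated packet, as in the short reply example). The addresses, the port-preserving natd, the rule grammar and the four-pass walk (in via xl0, out via tun0, reply in via tun0, reply out via xl0) are simplifications assumed for the model. It shows why a dynamic rule keyed on the already-translated public source never matches the reply once natd has put the private destination back, so the reply falls to "deny tcp established", while a dynamic rule created on the inside interface matches in both directions.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample addresses: the LAN range is the one from the thread,
# the public and remote addresses are placeholders for this model only.
LAN_NET = "10.0.10.0/29"
LAN_PC = "10.0.10.5"
PUBLIC_IP = "63.70.155.25"      # address natd masquerades behind on tun0
REMOTE = "198.51.100.7"         # a web server somewhere on the Internet
OIF, IIF = "tun0", "xl0"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str            # interface the packet is being processed on
    direction: str        # "in" or "out" relative to the gateway
    setup: bool = False   # TCP SYN without ACK


def flow_key(p):
    """Key of the dynamic rule table: endpoints in canonical order, so both directions match."""
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                 # divert | check-state | deny-established | allow | deny
    proto: str = "ip"
    src: str = "any"            # "any", a host address or a CIDR block
    dport: int = None
    iface: str = None           # "via" interface, None for any
    direction: str = None       # "in" / "out", None for either
    setup: bool = False
    keep_state: bool = False

    def matches(self, p):
        return (self.proto in ("ip", p.proto)
                and (self.src == "any"
                     or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src, strict=False))
                and self.dport in (None, p.dport)
                and self.iface in (None, p.iface)
                and self.direction in (None, p.direction)
                and (p.setup or not self.setup))


class Natd:
    """Minimal natd: rewrite LAN sources to PUBLIC_IP on the way out, undo it on replies."""
    def __init__(self):
        self.table = {}   # (proto, port) -> (private address, port); port kept unchanged

    def translate(self, p):
        if p.direction == "out" and ipaddress.ip_address(p.src) in ipaddress.ip_network(LAN_NET):
            self.table[(p.proto, p.sport)] = (p.src, p.sport)
            return replace(p, src=PUBLIC_IP)
        if p.direction == "in" and p.dst == PUBLIC_IP and (p.proto, p.dport) in self.table:
            addr, port = self.table[(p.proto, p.dport)]
            return replace(p, dst=addr, dport=port)
        return p


class Firewall:
    def __init__(self, rules, natd):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.natd, self.dynamic = natd, set()

    def process(self, p):
        """Run one ipfw pass; return (verdict, matching rule number, packet after natd)."""
        for r in self.rules:
            if not r.matches(p):
                continue
            if r.action == "divert":            # natd rewrites; packet re-enters at the next rule
                p = self.natd.translate(p)
            elif r.action == "check-state":
                if flow_key(p) in self.dynamic:
                    return "allow", r.num, p
            elif r.action == "deny-established":
                if p.proto == "tcp" and not p.setup:
                    return "deny", r.num, p
            else:                                # plain allow / deny
                if r.keep_state:
                    self.dynamic.add(flow_key(p))
                return r.action, r.num, p
        return "deny", 65535, p


def simulate(rules):
    """Walk a LAN HTTP connection through both ipfw passes in each direction."""
    fw, results = Firewall(rules, Natd()), {}

    def run(label, pkt):
        verdict, num, pkt = fw.process(pkt)
        results[label] = (verdict, num)
        return verdict == "allow", pkt

    syn = Packet("tcp", LAN_PC, 40000, REMOTE, 80, IIF, "in", setup=True)
    ok, syn = run("syn in xl0", syn)
    if ok:
        ok, syn = run("syn out tun0", replace(syn, iface=OIF, direction="out"))
    if ok:   # the server replies to whatever source address left tun0 (the translated one)
        ok, ack = run("syn-ack in tun0", Packet("tcp", syn.dst, syn.dport, syn.src, syn.sport, OIF, "in"))
    if ok:
        run("syn-ack out xl0", replace(ack, iface=IIF, direction="out"))
    return results


COMMON = [Rule(200, "divert", iface=OIF), Rule(500, "check-state"),
          Rule(501, "deny-established", proto="tcp"), Rule(950, "deny")]
# Shape of the long ruleset: LAN exempted on xl0, state created "out via tun0" after natd.
STATE_ON_OUTSIDE = COMMON + [
    Rule(110, "allow", iface=IIF),
    Rule(600, "allow", proto="tcp", dport=80, iface=OIF, direction="out", setup=True, keep_state=True)]
# Shape of the reply's ruleset: state created "in via xl0" on the private source,
# and the translated packet let out on tun0 by a plain allow.
STATE_ON_INSIDE = COMMON + [
    Rule(600, "allow", proto="tcp", src=LAN_NET, iface=IIF, direction="in", setup=True, keep_state=True),
    Rule(601, "allow", src=PUBLIC_IP, iface=OIF, direction="out")]

if __name__ == "__main__":
    for name, rules in (("state on outside", STATE_ON_OUTSIDE), ("state on inside", STATE_ON_INSIDE)):
        print(name, simulate(rules))
```

Running it shows the SYN leaving tun0 under rule 600 in both layouts, but the SYN-ACK being denied by rule 501 in the first layout and accepted by check-state (rule 500) on both the tun0 and xl0 passes in the second. The model is a teaching aid, not ipfw: real dynamic rules also carry lifetimes, sequence tracking and the parent rule's action, but the address-keying problem it demonstrates is the whole reason the two layouts behave differently.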