From owner-freebsd-security Tue Oct 2 0:49:15 2001
Date: Tue, 2 Oct 2001 00:49:00 -0700
From: "Crist J. Clark"
To: Ilya
Cc: security@FreeBSD.ORG
Subject: Re: 2 questions about ipfw
Message-ID: <20011002004900.I304@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20010929223004.M70637@mh57.net> <20011001133249.D304@blossom.cjclark.org> <006001c14ad5$5e5283c0$0100a8c0@ilya>
In-Reply-To: <006001c14ad5$5e5283c0$0100a8c0@ilya>; from mail@krel.org on Mon, Oct 01, 2001 at 08:01:21PM -0400

On Mon, Oct 01, 2001 at 08:01:21PM -0400, Ilya wrote:
> I have a FreeBSD natd box with two interfaces (external ed0 and internal
> fxp0). I found a dynamic ipfw example by Peter Brezny, and it seems to work
> pretty well, except that nothing gets to rule number 2700. But if I move
> that rule before divert, the whole LAN loses its connection to the internet,
> and any place after that gets 0 hits. Any suggestions on how to make this
> ruleset more efficient/secure?
>
> Thank you.
>
> PS: thank you, Peter, for providing your ruleset to the public.
>
> ipfw show|more
> [snip]
> 02100 427386 189325029 divert 8668 ip from any to any via ed0
> 02200 390818 343974531 allow tcp from any to any established
> 02300     34      1808 allow tcp from any to $myexternalip 22,80,443,25 setup
> 02400   3438    192784 allow log logamount 200 icmp from any to any icmptype 3,4,11,12
> 02500      1        58 allow udp from any 53 to $myexternalip 53
> 02600     55      3365 allow udp from any 1024-65535 to $myexternalip
> 02700      0         0 check-state
> 02800 177231   9731222 allow ip from $myexternalip to any keep-state out xmit ed0
> 02900 290474  27027605 allow ip from 192.168.0.0/24 to any keep-state via fxp0
> 65534     56      3788 deny log logamount 200 ip from any to any in recv ed0
> 65535     56     18207 allow ip from any to any

First off, it is kind of pointless to be doing dynamic rules when you have
rule 2200. All of the TCP stuff that would get passed at the check-state
rule is getting passed at 2200.

Second, rule 2700 _is_ being hit. However, when a check-state rule is hit,
the keep-state "parent" rule is the one whose count is incremented.

Other issues: your UDP rules leave you pretty much wide open. Your ICMP
rule log limit is too low with respect to your traffic levels. And more.

-- 
Crist J. Clark                          cjclark@alum.mit.edu
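Both points in the reply (rule 2200 short-circuits the dynamic rules for TCP, and a check-state hit is credited to the keep-state parent's counter) can be seen by replaying a packet trace through a model of ipfw's first-match evaluation. The script below is an added illustration written for this page; it is not FreeBSD's ipfw code and not part of the thread. It models only the semantics the reply relies on: rules are tried in number order and the first match wins; "established" matches TCP segments with ACK or RST set; a packet that matches a dynamic (state) entry is accepted at the first check-state or keep-state rule reached, and the counter incremented belongs to the keep-state rule that created the entry. The divert, ICMP and UDP rules, rules 2300 and 2900, the logging options, the addresses (203.0.113.1 stands in for $myexternalip, 198.51.100.5 for a remote host) and the packet trace are constructed for the example; the traced connection is opened by the gateway itself so that NAT need not be modelled.

```python
"""Model of ipfw first-match evaluation with keep-state/check-state (added
illustration, not FreeBSD's ipfw code). Kept semantics: rules tried in number
order, first match wins; 'established' = TCP with ACK or RST set; a packet
matching a dynamic entry is accepted at the first check-state or keep-state
rule reached, and the counter credited is the parent keep-state rule's.
NAT divert, ICMP, UDP, rules 2300/2900 and logging are left out."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

EXT_IP = "203.0.113.1"    # stands in for $myexternalip (constructed address)
REMOTE = "198.51.100.5"   # constructed peer on the Internet


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    iface: str
    direction: str            # "in" (recv) or "out" (xmit)


@dataclass
class Rule:
    number: int
    action: str               # "allow", "deny" or "check-state"
    proto: str = "ip"
    src: str = "any"
    established: bool = False
    keep_state: bool = False
    iface: Optional[str] = None
    direction: Optional[str] = None   # None = "via": either direction
    count: int = 0

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.src == "any" or ip_address(p.src) in ip_network(self.src))
                and (not self.established
                     or (p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})))
                and (self.iface is None or self.iface == p.iface)
                and (self.direction is None or self.direction == p.direction))


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.by_number = {r.number: r for r in self.rules}
        self.states = {}      # flow 5-tuple -> number of the keep-state rule that created it

    @staticmethod
    def flows(p):             # forward and reverse 5-tuples of a packet
        return ((p.proto, p.src, p.sport, p.dst, p.dport),
                (p.proto, p.dst, p.dport, p.src, p.sport))

    def process(self, p):
        """Return (verdict, number of the rule whose counter was incremented)."""
        for r in self.rules:
            if r.action == "check-state" or r.keep_state:
                for key in self.flows(p):
                    if key in self.states:                   # dynamic rule hit
                        parent = self.states[key]
                        self.by_number[parent].count += 1    # credited to the parent, not here
                        return ("allow", parent)
                if r.action == "check-state":
                    continue                                  # no state: try the next rule
            if r.matches(p):
                r.count += 1
                if r.keep_state:
                    self.states[self.flows(p)[0]] = r.number
                return (r.action, r.number)
        raise RuntimeError("no rule matched")                # impossible with a 65535 rule

    def counts(self):
        return {r.number: r.count for r in self.rules}


def posters_rules():
    """The poster's order: 'established' sits before check-state."""
    return [Rule(2200, "allow", "tcp", established=True),
            Rule(2700, "check-state"),
            Rule(2800, "allow", src=EXT_IP, keep_state=True, iface="ed0", direction="out"),
            Rule(65534, "deny", iface="ed0", direction="in"),
            Rule(65535, "allow")]


def stateful_rules():
    """Same rules with 2200 dropped, so return traffic must match a dynamic entry."""
    return [r for r in posters_rules() if r.number != 2200]


def trace():
    """Constructed trace: the gateway opens a TCP connection out ed0, then an
    unrelated segment with only ACK set arrives from the Internet."""
    out, inb = ("ed0", "out"), ("ed0", "in")
    return [Packet("tcp", EXT_IP, 40000, REMOTE, 80, frozenset({"SYN"}), *out),
            Packet("tcp", REMOTE, 80, EXT_IP, 40000, frozenset({"SYN", "ACK"}), *inb),
            Packet("tcp", EXT_IP, 40000, REMOTE, 80, frozenset({"ACK"}), *out),
            Packet("tcp", REMOTE, 80, EXT_IP, 40000, frozenset({"ACK"}), *inb),
            Packet("tcp", REMOTE, 5555, EXT_IP, 9999, frozenset({"ACK"}), *inb)]


def run(rules):
    """Feed the trace through a ruleset; return per-packet verdicts and final counters."""
    fw = Firewall(rules)
    return [fw.process(p) for p in trace()], fw.counts()


if __name__ == "__main__":
    for name, rules in (("poster's order", posters_rules()),
                        ("without 2200", stateful_rules())):
        verdicts, counts = run(rules)
        print(name, verdicts, counts)
```

With the poster's order, every segment of the connection after the initial SYN, and the unrelated ACK-only segment too, is accepted by rule 2200 and never reaches the check-state rule, so 2700 shows 0 and 2800 is credited only once, for the SYN. With rule 2200 dropped, the return segments are matched against the dynamic entry at 2700, the count still lands on 2800 (the parent) while 2700 stays at 0, and the unrelated ACK-only segment falls through to the deny at 65534.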