Date:      Mon, 24 Sep 2012 15:35:50 -0400 (EDT)
From:      Darrel <levitch@iglou.com>
To:        questions@freebsd.org
Subject:   question for ipfw2 experts
Message-ID:  <alpine.GSO.2.00.1209241528240.7618@shell1>

Hello,

I have removed all references of OpenBSD Packet Filter from my
kernel and have just completed my first (excluding some experimentation
back a decade ago) configuration of ipfw2.  At the moment, FreeBSD
-current is building world and the applicable /etc/rc.conf entries
are like this:
firewall_enable="YES"
firewall_script="/etc/rc.firewall.myFile"
firewall_quiet="NO"
firewall_logging="YES"
firewall_nat_enable="NO"

The kernel modifications are as follows:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options DUMMYNET

- my configuration file for ipfw2:
#!/bin/sh
# BEGIN
ipfw -q flush
# MACROS
block_tcp_in="2869,5355,commplex\\-main,loc\\-srv"
block_udp_in="1900,3544,5355,dhcp6\\-client,dhcp6\\-server,netbios\\-ns"
block_tcp_out="2869,bootpc,commplex\\-main,loc\\-srv"
block_udp_out="1900,3544,netbios\\-ns"
eif="anyIF"
cmd="ipfw -q add"
ks="keep-state"
icmp6_types="1,2,128,129,135,136"
local4="this4address"
local6="this6address"
localnet="thisNet/mask"
localnet6="prefix::/prefixlen"
tcp4_svcs="2628,ident"
tcp6_svcs="ident,ssh"
udp4_svcs="ntp,radacct,radius"
udp6_svcs="ntp,radacct,radius"
out_tcp4="49152-65535,domain,ftp,http,ident,smtp,smtps,ssh,svn"
out_udp4="33433-33636,49152-65535,domain,ntp"
out_udp6="33433-33636,49152-65535,domain,ntp"
out_tcp6="49152-65535,domain,ftp,http,ident,smtp,smtps,ssh,svn"
# TABLES
# ipfw table 1 add 192.168.2.0/24 10.23.2.1 someNet.org
# PASS EARLY, ANTISPOOF, CHECK-STATE, and FRAG REASSEMBLE
$cmd 27 check-state
$cmd 28 reass all from any to $local4 recv $eif
$cmd 29 drop ip from any to $local4 not verrevpath recv $eif
$cmd 30 drop ip from $local4 to any not versrcreach xmit $eif
$cmd 31 pass all from any to any via lo0
$cmd 32 drop all from any to 127.0.0.0/8 recv $eif
$cmd 33 drop all from 127.0.0.0/8 to any xmit $eif
$cmd 34 drop all from any to ::1 recv $eif
$cmd 35 drop all from ::1 to any xmit $eif
$cmd 36 drop tcp from any to $local4 in recv $eif frag
#
$cmd 38 pass log ipv6-icmp from :: to ff02::/16 xmit $eif
$cmd 39 pass log ipv6-icmp from fe80::/10 to fe80::/10
$cmd 40 pass log ipv6-icmp from fe80::/10 to ff02::/16
$cmd 41 pass log ipv6-icmp from any to any icmp6types $icmp6_types
$cmd 42 unreach6 admin-prohib log ipv6-icmp from any to any
# BLOCK EARLY
# rfc 1918 private address
$cmd 45 drop all from 192.168.0.0/16 to any xmit $eif
$cmd 46 drop all to 192.168.0.0/16 from any recv $eif
# rfc 1918 private address
$cmd 48 drop all from 172.16.0.0/12 to any xmit $eif
$cmd 49 drop all to 172.16.0.0/12 from any recv $eif
# rfc 1918 private address
$cmd 51 drop all from 10.0.0.0/8 to any xmit $eif
$cmd 52 drop all to 10.0.0.0/8 from any recv $eif
# dhcp auto-config
$cmd 54 drop all from 169.254.0.0/16 to $local4 recv $eif
$cmd 55 drop all to 169.254.0.0/16 from $local4 xmit $eif
# reserved for docs
$cmd 57 drop all from 192.0.2.0/24 to $local4 recv $eif
$cmd 58 drop all from $local4 to 192.0.2.0/24 xmit $eif
# sun cluster interconnect
$cmd 60 drop all from 204.152.64.0/23 to $local4 recv $eif
$cmd 61 drop all from $local4 to 204.152.64.0/23 xmit $eif
# class d and e multicast
$cmd 63 drop all from 224.0.0.0/3 to $local4 recv $eif
$cmd 64 drop all from $local4 to 224.0.0.0/3 xmit $eif
# PROTOCOLS DROPPED EARLY
$cmd 66 drop udp from any to $local4 $block_udp_in
$cmd 67 reset tcp from any to $local4 $block_tcp_in setup
# PUBLIC INTERFACE ICMP
$cmd 69 pass log icmp from $local4 to any out xmit $eif $ks
$cmd 70 pass log icmp from any to $local4 in recv $eif icmptypes \
    8,3 $ks
$cmd 71 drop log icmp from any to any
# PUBLIC INTERFACE UDP
$cmd 73 pass udp from $local4 to any $out_udp4 out xmit $eif $ks
$cmd 74 pass udp from $localnet to $local4 $udp4_svcs in recv $eif
# PUBLIC INTERFACE TCP
$cmd 78 pass tcp from $local4 to any $out_tcp4 out xmit $eif setup \
    $ks
$cmd 79 pass tcp from $localnet6 to $local6 $tcp6_svcs recv $eif \
    setup $ks
$cmd 2000 allow tcp from $localnet6 to $local6 ssh in recv $eif \
    setup $ks
#$cmd 4 allow tcp from any to $local4 80 in recv $eif setup limit src-addr 3
$cmd 5000 drop log tcp from any to any
# DROP STATEMENT
$cmd 65000 drop all from any to any
# END

Advice, hints, and criticism of my setup and ruleset are welcomed.

- also:
Can someone please send an example of how to properly use tables?
Can someone please expound about using IPv6 in the ruleset?

An effort for potentially constructive criticism regarding the
documentation: I noticed these points:

- file that does not exist:
/etc/rc.firewall6

Good that it does not exist, please remove it from the handbook.

- statement about internal interfaces:
"In cases where one or more than one NICs are connected to a private
LAN behind the firewall, those interfaces must have rules coded to
allow free unmolested movement of packets originating from those
LAN interfaces."

Is this a fact?  Today I am only dealing with one interface.  If I
wrote rules for both interfaces of a router would it actually not
work?

Kind regards,
Darrel
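An added check, not part of Darrel's mail: the posted ruleset references `$out_upd4` and `$out_tpc4` where the macros are named `out_udp4` and `out_tcp4`. In /bin/sh an unassigned name expands to nothing, so rule 73 silently becomes "pass udp from $local4 to any out xmit $eif keep-state" and allows every destination port, which is exactly the kind of over-permissive rule a firewall script should never produce by accident. Lines beginning with `//` are another trap: the shell runs them as commands rather than treating them as comments. The script below lints a rule file for both problems; `write_sample` writes a short excerpt constructed from the posted ruleset so the check can be run anywhere, and the file name `lint_ipfw.sh` is just an illustration.

```sh
#!/bin/sh
# Added example (not from the original mail): lint an ipfw rule script for
# shell variables that are referenced but never assigned, and for "//"
# comment lines that /bin/sh would execute as commands.

undefined_vars() {
    # $1: path to the rule script.  Prints each referenced-but-unassigned
    # variable name once, sorted.
    refs=$(grep -o '\$[A-Za-z_][A-Za-z0-9_]*' "$1" | tr -d '$' | sort -u)
    defs=$(grep -o '^[A-Za-z_][A-Za-z0-9_]*=' "$1" | tr -d '=' | sort -u)
    for name in $refs; do
        found=0
        for d in $defs; do
            [ "$name" = "$d" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$name"
    done
    return 0
}

bad_comments() {
    # $1: path to the rule script.  Prints the line numbers of lines that
    # start with "//", which sh does not treat as comments.
    grep -n '^//' "$1" | cut -d: -f1
    return 0
}

write_sample() {
    # $1: output path.  Constructed excerpt in the style of the posted
    # ruleset, including its two misspelled macro references.
    cat > "$1" <<'EOF'
#!/bin/sh
// MACROS
cmd="ipfw -q add"
ks="keep-state"
eif="anyIF"
local4="this4address"
out_udp4="49152-65535,domain,ntp"
out_tcp4="49152-65535,domain,http,ssh"
// PUBLIC INTERFACE UDP
$cmd 73 pass udp from $local4 to any $out_upd4 out xmit $eif $ks
$cmd 78 pass tcp from $local4 to any $out_tpc4 out xmit $eif setup $ks
EOF
}

# Usage: sh lint_ipfw.sh /etc/rc.firewall.myFile
if [ "$#" -gt 0 ]; then
    echo "referenced but never assigned:"
    undefined_vars "$1"
    echo "lines starting with //:"
    bad_comments "$1"
fi
```

Run against the posted file the first check reports `out_tpc4` and `out_upd4`; a clean run prints nothing under either heading. The check is deliberately simple (it only sees `name=` assignments at the start of a line and `$name` references), which is enough for the flat macro style used in rc.firewall-type scripts.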


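On the question about tables, here is an added example that is not part of Darrel's mail or of the FreeBSD handbook: a numbered ipfw lookup table holding the private and bogon prefixes that the posted ruleset drops with two rules per prefix, referenced from a single rule per direction. Table number 1 and the interface name `anyIF` are placeholders. When no `ipfw` binary is present (for instance when checking the script on a non-FreeBSD host), a stub function prints the commands instead of applying them, so the script can be dry-run anywhere.

```sh
#!/bin/sh
# Added example (not from the original mail): collapse per-prefix drop rules
# into one ipfw lookup table plus two rules.  Numbered tables are created on
# first use; "table(N)" can appear as either the source or the destination of
# a rule.

# Dry-run fallback: without an ipfw binary, echo the commands instead.
if ! command -v ipfw >/dev/null 2>&1; then
    ipfw() { echo "ipfw $*"; }
fi

eif="anyIF"        # placeholder for the public interface
bogon_table=1      # placeholder table number

load_bogons() {
    # Rebuild the table from scratch so stale entries never linger.
    ipfw -q table "$bogon_table" flush
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 \
               192.0.2.0/24 224.0.0.0/3; do
        ipfw -q table "$bogon_table" add "$net"
    done
}

bogon_rules() {
    # One rule per direction instead of two per prefix.  The double quotes
    # stop the shell from treating the parentheses as a subshell.
    ipfw -q add 45 drop all from "table($bogon_table)" to any recv "$eif"
    ipfw -q add 46 drop all from any to "table($bogon_table)" xmit "$eif"
}

load_bogons
bogon_rules
```

On a FreeBSD host with ipfw loaded this must run as root and will change the live ruleset; elsewhere it only prints the seven table commands and the two rules, which is a convenient way to review what would be applied. Keeping the prefixes in a table also means the list can be updated with `ipfw table 1 add` or `delete` without renumbering rules.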

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.GSO.2.00.1209241528240.7618>