From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 18 20:52:12 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 77C4616A4CE for ; Fri, 18 Jun 2004 20:52:12 +0000 (GMT) Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id BC2D943D1D for ; Fri, 18 Jun 2004 20:52:11 +0000 (GMT) (envelope-from nullentropy@lineone.net) Received: from [192.168.1.102] (orbital.gotadsl.co.uk [81.6.215.230]) by smtp.nildram.co.uk (Postfix) with ESMTP id 37B3224F49C; Fri, 18 Jun 2004 21:51:38 +0100 (BST) Message-ID: <40D355DA.3040707@lineone.net> Date: Fri, 18 Jun 2004 21:51:38 +0100 From: Robert Downes User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040608 X-Accept-Language: en, fr, en-us MIME-Version: 1.0 To: "freebsd-ipfw@freebsd.org" References: <200406182122.2239016.6@btsoftware.com> In-Reply-To: <200406182122.2239016.6@btsoftware.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: Blocked outbound traffic - what is it? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Jun 2004 20:52:12 -0000 Martin wrote: >- Is rl0 your outside interface ? > > Yes. >- Do you have Natd on the outside interface or reversed on the inside interface ? > > natd on rl0. >- Do you have multiple outside interfaces ? > > No, only rl0 talks to the ADSL 'modem' (which has my FreeBSD router in the DMZ to avoid double-NAT translation). >- 192.168.1.102 is this system on your internal network ? > > Yes, a Windows machine. >- Do you have a local DNS (or hosts file) running where you mapped away spying hosts ? > > I have BIND running, but I'm not sure what you mean by 'mapped away sping hosts'. >- "out" means outgoing, but "via rl0" does not mean "out thru rl0". It could means > more or less "a packet having to do something with rl0, either in or out". > > The rules in my set actually all say 'in recv' and 'out xmit' but for some reason the security log file converts all of those to 'via'. I can't explain why. >- Do you have rules in your FW, causing to bypass natd ? > > I don't think so (except localhost). See my ruleset below (posted due to great demand). >- Do you have static natd routing ? > > Uhmmm... not sure. I'm using IPFW and natd and using the 'divert natd' lines in the ruleset. >- Do you do IP/port forwarding on specific ports ? > > Do you mean am I using keep-state rules to allow packets to certain ports [yes], or do you mean am I using the divert action to certain ports [no]? >Please post your rules. > > Here they are. They are almost exactly the same as the ruleset posted by someone to this list a few days ago, just with some lines commented out, all 'via' replaced with 'recv' or 'xmit', and a few additional deny rules to stop Microsoft-vulnerability probing on ports 135 and 445 (which I was getting a huge number of). ################ Start of IPFW rules file ############################### # Flush out the list before we begin. ipfw -q -f flush # Set rules command prefix cmd="ipfw -q add" skip="skipto 800" pif="rl0" # public interface name of Nic card # facing the public internet ################################################################# # No restrictions on Inside Lan Interface for private network # Not needed unless you have Lan. # Change xl0 to your Lan Nic card interface name ################################################################# $cmd 005 allow all from any to any via vr0 ################################################################# # No restrictions on Loopback Interface ################################################################# $cmd 010 allow all from any to any via lo0 $cmd 014 divert natd ip from any to any in recv $pif ################################################################# # Allow the packet through if it has previous been added to the # the "dynamic" rules table by an allow keep-state statement. ################################################################# $cmd 015 check-state ################################################################# # Interface facing Public internet (Outbound Section) # Interrogate session start requests originating from behind the # firewall on the private network or from this gateway server # destine for the public internet. ################################################################# # Allow out access to my ISP's Domain name server. # x.x.x.x must be the IP address of your ISP's DNS # Dup these lines if your ISP has more than one DNS server # Get the IP addresses from /etc/resolv.conf file $cmd 020 $skip tcp from any to xxx.xxx.xxx.xxx 53 out xmit $pif setup keep-state $cmd 021 $skip udp from any to xxx.xxx.xxx.xxx 53 out xmit $pif keep-state $cmd 022 $skip tcp from any to xxx.xxx.xxx.xxx 53 out xmit $pif setup keep-state $cmd 023 $skip udp from any to xxx.xxx.xxx.xxx 53 out xmit $pif keep-state # Bob: allow outbound requests to nameservers, and replies $cmd 025 $skip udp from 192.168.0.100 to any 53 out xmit $pif keep-state # Allow out access to my ISP's DHCP server for cable/DSL configurations. #$cmd 030 $skip udp from any to xx.70.207.54 67 out via $pif keep-state # Allow out non-secure standard www function $cmd 040 $skip tcp from any to any 80 out xmit $pif setup keep-state # Allow out secure www function https over TLS SSL $cmd 050 $skip tcp from any to any 443 out xmit $pif setup keep-state # Allow out send & get email function $cmd 060 $skip tcp from any to any 25 out xmit $pif setup keep-state $cmd 061 $skip tcp from any to any 110 out xmit $pif setup keep-state # Allow out FBSD (make install & CVSUP) functions # Basically give user root "GOD" privileges. $cmd 070 $skip tcp from me to any out xmit $pif setup keep-state uid root # Allow out ping $cmd 080 $skip icmp from any to any out xmit $pif # Allow out Time $cmd 090 $skip tcp from any to any 37 out xmit $pif setup keep-state # Allow out nntp news (IE: news groups) $cmd 100 $skip tcp from any to any 119 out xmit $pif setup keep-state # Allow out secure FTP, Telnet, and SCP # This function is using SSH (secure shell) $cmd 110 $skip tcp from any to any 22 out xmit $pif setup keep-state # Allow out whois $cmd 120 $skip tcp from any to any 43 out xmit $pif setup keep-state # Allow ntp time server $cmd 130 $skip udp from any to any 123 out xmit $pif keep-state ################################################################# # Interface facing Public internet (Inbound Section) # Interrogate packets originating from the public internet # destine for this gateway server or the private network. ################################################################# # Deny all inbound traffic from non-routable reserved address spaces $cmd 300 deny all from 192.168.0.0/16 to any in recv $pif #RFC 1918 private IP $cmd 301 deny all from 172.16.0.0/12 to any in recv $pif #RFC 1918 private IP $cmd 302 deny all from 10.0.0.0/8 to any in recv $pif #RFC 1918 private IP $cmd 303 deny all from 127.0.0.0/8 to any in recv $pif #loopback $cmd 304 deny all from 0.0.0.0/8 to any in recv $pif #loopback $cmd 305 deny all from 169.254.0.0/16 to any in recv $pif #DHCP auto-config $cmd 306 deny all from 192.0.2.0/24 to any in recv $pif #reserved for doc's $cmd 307 deny all from 204.152.64.0/23 to any in recv $pif #Sun cluster interconnect $cmd 308 deny all from 224.0.0.0/3 to any in recv $pif #Class D & E multicast # Deny ident $cmd 315 deny tcp from any to any 113 in recv $pif # Deny all Netbios service. 137=name, 138=datagram, 139=session # Netbios is MS/Windows sharing services. # Block MS/Windows hosts2 name server requests 81 $cmd 320 deny all from any to any 137 in recv $pif $cmd 321 deny tcp from any to any 138 in recv $pif $cmd 322 deny tcp from any to any 139 in recv $pif $cmd 323 deny tcp from any to any 81 in recv $pif # Bob: also block 135 and 445 because of similar MS-vulnerability attacks $cmd 324 deny tcp from any to any 135 in recv $pif $cmd 325 deny tcp from any to any 445 in recv $pif # Deny any late arriving packets $cmd 330 deny all from any to any frag in recv $pif # Deny ACK packets that did not match the dynamic rule table $cmd 332 deny tcp from any to any established in recv $pif # Allow traffic in from ISP's DHCP server. This rule must contain # the IP address of your ISP's DHCP server as it's the only # authorized source to send this packet type. # Only necessary for cable or DSL configurations. # This rule is not needed for 'user ppp' type connection to # the public internet. This is the same IP address you captured # and used in the outbound section. #$cmd 360 allow udp from xx.70.207.54 to any 68 in via $pif keep-state # Allow in standard www function because I have apache server #$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2 # Allow in secure FTP, Telnet, and SCP from public Internet #$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2 # Allow in non-secure Telnet session from public Internet # labeled non-secure because ID & PW are passed over public # internet as clear text. # Delete this sample group if you do not have telnet server enabled. #$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2 # Allow in secure FTP, Telnet, and SCP from public Internet #$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2 # Allow in icmp responces $cmd 390 allow icmp from any to any icmptypes 0,3,11,12 in recv $pif # Reject & Log all unauthorized incoming connections from the public internet $cmd 400 deny log all from any to any in recv $pif # Reject & Log all unauthorized out going connections to the public internet $cmd 450 deny log all from any to any out xmit $pif # This is skipto location for outbound stateful rules $cmd 800 divert natd ip from any to any out xmit $pif $cmd 801 allow ip from any to any # Everything else is denied by default # deny and log all packets that fell through to see what they are $cmd 999 deny log all from any to any ################ End of IPFW rules file ############################### -- Bob