From owner-freebsd-security Sun Jun 16 13:59:12 2002
Date: Sun, 16 Jun 2002 13:59:03 -0700
From: "Crist J. Clark"
To: grimm
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw-ntad-jail
Message-ID: <20020616135903.B94357@blossom.cjclark.org>
References: <20020616134201.529b01aa.grimm@planetquake.com>
In-Reply-To: <20020616134201.529b01aa.grimm@planetquake.com>; from grimm@planetquake.com on Sun, Jun 16, 2002 at 01:42:01PM -0400
X-URL: http://people.freebsd.org/~cjc/

On Sun, Jun 16, 2002 at 01:42:01PM -0400, grimm wrote:

[snip]

> #
> # my ipfw.rules (additional to rc.firewall defaults)
> #
> #make sure natd gets a hold of the packets prior to FIREWALL
> add 00320 divert natd all from any to any via xl0
> #
> #
> # from man 8 ipfw: allow only outbound TCP connections I've created
> add 00350 check-state
> add 00351 deny tcp from any to any in established
> add 00352 allow tcp from any to any out setup keep-state

[snip]

> # enable www server on dagobah (142.XX.XX.238)
> add 00700 allow tcp from any to any 80 in via xl0
> add 00701 allow tcp from any to any 80 out via xl0
> #
> #
> # enable ssh server on dagobah (142.XX.XX.238)
> add 00702 allow tcp from any to any 777 in via xl0
> add 00703 allow tcp from any to any 777 out via xl0
> #
> #
> # enable ssh server on darkside (142.XX.XX.238)
> add 00704 allow tcp from any to any 22 in via xl0
> add 00705 allow tcp from any to any 22 out via xl0

OK, some problems here. First, ITYM to have rules like,

  add allow tcp from any to me 80 in via xl0
  add allow tcp from me 80 to any out via xl0

No? Second, these won't work since you are blocking all TCP connections
that are not using 'keep-state' with rule 351. But...

> 00100     0     0 allow ip from any to any via lo0
> 00200     0     0 deny ip from any to 127.0.0.0/8
> 00300     0     0 deny ip from 127.0.0.0/8 to any
> 00320   171 34652 divert 8668 ip from any to any via xl0
> 00350     0     0 check-state
> 00351     0     0 deny tcp from any to any in established

I don't see this rule incrementing.

> 00352    78  8668 allow tcp from any to any keep-state out setup
> 00400     2   482 allow udp from 142.XX.XX.1 to any in recv xl0
> 00401     0     0 allow udp from 142.XX.XX.2 to any in recv xl0
> 00402     0     0 allow udp from 142.XX.XX.3 to any in recv xl0
> 00403     2   120 allow udp from any to any out
> 00600     0     0 allow icmp from any to any icmptype 3
> 00601     0     0 allow icmp from any to any icmptype 4
> 00602     0     0 allow icmp from any to any out icmptype 8
> 00603     0     0 allow icmp from any to any in icmptype 0
> 00604     0     0 allow icmp from any to any in icmptype 11
> 00700     3   144 allow tcp from any to any 80 in recv xl0
> 00701     0     0 allow tcp from any to any 80 out xmit xl0
> 00702     0     0 allow tcp from any to any 777 in recv xl0
> 00703     0     0 allow tcp from any to any 777 out xmit xl0
> 00704     0     0 allow tcp from any to any 22 in recv xl0
> 00705     0     0 allow tcp from any to any 22 out xmit xl0
> 65535    86 25238 deny ip from any to any

Always a good idea to add a,

  65534 deny log ip from any to any

Or something like it to help debugging.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
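The two faults Crist points out (the www rules match the wrong side of the connection, and rule 351 drops the client's returning ACK before any later allow rule sees it) can be traced packet by packet with a small ipfw-style rule walker. The code below is an added illustration, not FreeBSD's ipfw and not part of the thread: it models only the TCP subset of the posted rules (no divert, udp, icmp rules or counters), treats `via xl0` as a no-op because there is a single interface, and uses the constructed addresses ME and REMOTE in place of the masked 142.XX.XX.238 and an arbitrary client. The REORDERED ruleset, with its assumed rule numbers 330 and 331, is one way of acting on both points (server-side `me` rules placed ahead of the check-state block); the thread itself does not prescribe that ordering.

```python
from dataclasses import dataclass
from typing import Optional

ME = "142.0.0.238"        # constructed stand-in for the masked server address
REMOTE = "198.51.100.7"   # constructed remote host (TEST-NET-2 range)
EPHEMERAL = 40001         # constructed client-side port


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" or "out" relative to the firewall host
    syn: bool
    ack: bool


@dataclass
class Rule:
    number: int
    action: str                    # "allow", "deny" or "check-state"
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None
    setup: bool = False            # SYN set and ACK clear
    established: bool = False      # ACK set
    keep_state: bool = False


def parse(line: str) -> Rule:
    """Parse 'add N action tcp from A [port] to B [port] [in|out] [via IF] [setup] [established] [keep-state]'."""
    tok = line.split()
    rule = Rule(number=int(tok[1]), action=tok[2])
    if rule.action == "check-state":
        return rule
    if tok[3] != "tcp":
        raise ValueError("only tcp rules are modelled")
    it = iter(tok[5:])                     # tokens after "from"
    rule.src = next(it)
    nxt = next(it)
    if nxt.isdigit():                      # optional source port before "to"
        rule.sport = int(nxt)
        nxt = next(it)
    rule.dst = next(it)                    # nxt was "to"
    for opt in it:
        if opt.isdigit():
            rule.dport = int(opt)
        elif opt in ("in", "out"):
            rule.direction = opt
        elif opt == "via":
            next(it)                       # interface name ignored: single interface in the post
        elif opt in ("setup", "established"):
            setattr(rule, opt, True)
        elif opt == "keep-state":
            rule.keep_state = True
        else:
            raise ValueError(f"unsupported option {opt!r}")
    return rule


def addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or addr == (ME if spec == "me" else spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.direction is None or rule.direction == pkt.direction)
            and (not rule.setup or (pkt.syn and not pkt.ack))
            and (not rule.established or pkt.ack)
            and addr_ok(rule.src, pkt.src) and addr_ok(rule.dst, pkt.dst)
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport))


def flow_key(pkt: Packet) -> frozenset:
    """Direction-agnostic endpoint pair, so one dynamic entry covers both halves of a flow."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


def walk(rules, pkt: Packet, state: set):
    """First matching rule wins; traffic matching nothing hits the implicit 65535 deny."""
    for rule in rules:
        if rule.action == "check-state":
            if flow_key(pkt) in state:
                return "allow", rule.number
            continue
        if matches(rule, pkt):
            if rule.keep_state:
                state.add(flow_key(pkt))
            return rule.action, rule.number
    return "deny", 65535


def handshake(ruleset: str, server_side: bool):
    """Trace a TCP three-way handshake through the rules, stopping at the first denied packet.
    server_side=True: a remote client connects to our port 80 (the www-server case).
    server_side=False: we open a connection to a remote port 80 (the keep-state case)."""
    rules = [parse(line) for line in ruleset.strip().splitlines()]
    ours = (ME, 80 if server_side else EPHEMERAL)
    theirs = (REMOTE, EPHEMERAL if server_side else 80)
    initiator, responder = (theirs, ours) if server_side else (ours, theirs)

    def pkt(a, b, syn, ack):
        return Packet(a[0], a[1], b[0], b[1], "out" if a[0] == ME else "in", syn, ack)

    steps = [("SYN", pkt(initiator, responder, True, False)),
             ("SYN-ACK", pkt(responder, initiator, True, True)),
             ("ACK", pkt(initiator, responder, False, True))]
    state, trace = set(), []
    for label, p in steps:
        verdict, number = walk(rules, p, state)
        trace.append((f"{label} {p.direction}", verdict, number))
        if verdict == "deny":
            break
    return trace


# TCP subset of the ruleset quoted in the thread (www rules only).
POSTED = """
add 00350 check-state
add 00351 deny tcp from any to any in established
add 00352 allow tcp from any to any out setup keep-state
add 00700 allow tcp from any to any 80 in via xl0
add 00701 allow tcp from any to any 80 out via xl0
"""
# Crist's first point applied: name our side of the connection with 'me'.
DIRECTION_FIXED = """
add 00350 check-state
add 00351 deny tcp from any to any in established
add 00352 allow tcp from any to any out setup keep-state
add 00700 allow tcp from any to me 80 in via xl0
add 00701 allow tcp from me 80 to any out via xl0
"""
# Second point, one assumed remedy: server rules ahead of the check-state block (numbers 330/331 assumed).
REORDERED = """
add 00330 allow tcp from any to me 80 in via xl0
add 00331 allow tcp from me 80 to any out via xl0
add 00350 check-state
add 00351 deny tcp from any to any in established
add 00352 allow tcp from any to any out setup keep-state
"""

if __name__ == "__main__":
    for name, rs in (("posted", POSTED), ("direction fixed", DIRECTION_FIXED), ("reordered", REORDERED)):
        print(f"{name:16} inbound www:", handshake(rs, server_side=True))
    print("posted outbound client:", handshake(POSTED, server_side=False))
```

Run as-is, the posted rules let the client's SYN in at 700 but drop the server's SYN-ACK at the implicit 65535 deny, because rule 701 keys on a destination port of 80 while the reply carries 80 as its source port. With the `me` rules in place the SYN-ACK passes 701, and the third packet, an inbound ACK with no matching dynamic entry, is then denied by 351. Only when the server rules sit before the check-state block does the handshake complete, while the outbound client case works under every variant because rule 352 creates the dynamic entry that check-state at 350 later honours. The `deny log` catch-all Crist recommends would surface exactly these 65535 drops in the log instead of leaving them as a bare counter.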