From owner-freebsd-security Wed Jan 3 12: 5:19 2001 From owner-freebsd-security@FreeBSD.ORG Wed Jan 3 12:05:12 2001 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from pooka.techfuel.com (pooka.techfuel.com [216.133.15.161]) by hub.freebsd.org (Postfix) with ESMTP id A22D737B400 for ; Wed, 3 Jan 2001 12:05:12 -0800 (PST) Received: from basilisk.techfuel.com (mail-internal.techfuel.com [172.16.1.2]) by pooka.techfuel.com (8.9.3/8.9.3) with ESMTP id MAA43255; Wed, 3 Jan 2001 12:04:50 -0800 (PST) (envelope-from kehlet@fisix.com) Received: (from root@localhost) by basilisk.techfuel.com (8.9.3/8.9.3) id MAA72548; Wed, 3 Jan 2001 12:04:50 -0800 (PST) Received: from leviathan.techfuel.com (leviathan.techfuel.com [172.16.1.26]) by basilisk.techfuel.com (8.9.3/8.9.3) with ESMTP id MAA72485; Wed, 3 Jan 2001 12:04:49 -0800 (PST) Received: (from kehlet@localhost) by leviathan.techfuel.com (8.11.1/8.11.0) id f03K4nq68486; Wed, 3 Jan 2001 12:04:49 -0800 (PST) (envelope-from kehlet@fisix.com) X-Authentication-Warning: leviathan.techfuel.com: kehlet set sender to kehlet@fisix.com using -f Date: Wed, 3 Jan 2001 12:04:49 -0800 From: Steven Kehlet To: Darren Henderson Cc: Rene de Vries , Luigi Rizzo , freebsd-security@freebsd.org Subject: Re: statefull packet filter together with natd question Message-ID: <20010103120449.A66966@leviathan.techfuel.com> References: <20010102151817.F59927@leviathan.techfuel.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from darren@nighttide.net on Tue, Jan 02, 2001 at 09:09:19PM -0500 X-scanner: scanned by Inflex 0.1.4 - (http://www.spyda.co.za/inflex) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Your rules work :-), but because you're just passing any established tcp traffic you're not taking advantage of the security gain the statefulness of the firewall can give you (i.e., checking sequence numbers on established packets, etc). I see you got this from http://www.bsdtoday.com/2000/December/Features359.html. You could improve security by instead denying all established packets and putting this check after your check-state rule (as the ipfw manpage suggests). So let's say you do this. Now here's the problem I was originally bringing up: Internet-bound packets from your internal network still cause two dynamic rules to be created--one passing over the internal interface, untranslated; and the other passing over the external interface, translated--but because natd is at the top of your rules, returning packets get untranslated immediately and thus no packets ever touch the second dynamic rule. This second dynamic rule is left in a half-open state until it finally times out. Depending on how tightly you structure your rules this becomes more than just a nuisance :-). My question was: how can we arrange our rules to avoid creating this second superfluous dynamic rule? Luigi suggested adding keep-state on the natd rule itself, which I will try tonight. Thanks! :-), Steve On Tue, Jan 02, 2001 at 09:09:19PM -0500, Darren Henderson wrote: > Date: Tue, 2 Jan 2001 21:09:19 -0500 (EST) > From: Darren Henderson > To: Steven Kehlet > cc: Rene de Vries , Luigi Rizzo , > > Subject: Re: statefull packet filter together with natd question > > On Tue, 2 Jan 2001, Steven Kehlet wrote: > > > [ moved from -hackers to -security ] > > > > For whatever it's worth, I struggled with this same problem for an > > entire day before giving up and using ipfilter. It seems to me > > that there is a fundamental problem with using the ipfw stateful > > rules and natd (as I'm sure you discovered yourself): the ordering > > Perhaps I'm missing the gist of the problem (not enough details here) but > I don't haven't seen any problems with this under 4.2-Stable, (haven't > used natd with a 5-Current system yet).... Sample rule set follows. Let me > know if you (or anyone for that matter) see any problems with this. > > > #!/bin/sh > > fwcmd="/sbin/ipfw" > > oif="ppp0" > oip="a.b.c.d" > iif="dc0" > iip="10.a.b.c" > imk="10.a.b.c/8" > > $fwcmd -f flush > > # loopback has to work > $fwcmd add allow all from any to any via lo0 > > # disallow spoofing of loopback > $fwcmd add deny log all from any to 127.0.0.0/8 > > # disallow spoofing of our address > $fwcmd add deny log ip from $oip to any in via $oif > > # no private space address should cross the outside interface > $fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif > $fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif > $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif > $fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif > $fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif > $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif > > # stop draft-manning-dsua-01.txt nets on the outside interface > $fwcmd add deny log all from 0.0.0.0/8 to any in via $oif > $fwcmd add deny log all from 169.254.0.0/16 to any in via $oif > $fwcmd add deny log all from 192.0.2.0/24 to any in via $oif > $fwcmd add deny log all from 224.0.0.0/4 to any in via $oif > $fwcmd add deny log all from 240.0.0.0/4 to any in via $oif > $fwcmd add deny log all from any to 0.0.0.0/8 in via $oif > $fwcmd add deny log all from any to 169.254.0.0/16 in via $oif > $fwcmd add deny log all from any to 192.0.2.0/24 in via $oif > $fwcmd add deny log all from any to 224.0.0.0/4 in via $oif > $fwcmd add deny log all from any to 240.0.0.0/4 in via $oif > > # divert the the outside interface > $fwcmd add divert natd all from any to any via $oif > > # allow all established sessions > $fwcmd add allow tcp from any to any established > > # we want to allow some connections to originate outside > $fwcmd add allow tcp from any to $oip 21,22,25,53,80,113 setup > > # allow required ICMP > $fwcmd add allow icmp from any to any icmptypes 0,3,4,8,11,12 > > # allow udp dns queries > $fwcmd add allow udp from any to any 53 > $fwcmd add allow udp from any 53 to any > > # allow traceroute > $fwcmd add allow udp from any to $oip 33400-33499 via $oif > > # allow smb traffic > $fwcmd add allow udp from any to any 137-139 via $iif > > # dynamic rule set > $fwcmd add check-state > > # let this machine talk to anyone > $fwcmd add allow ip from $oip to any keep-state out via $oif > > # allow any traffic from the inner network to any > $fwcmd add allow ip from $imk to any keep-state via $iif > > # deny everything else > $fwcmd add 65435 deny log logamount 1000 ip from any to any > > > ______________________________________________________________________ > Darren Henderson darren@nighttide.net > > Help fight junk e-mail, visit http://www.cauce.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message