From: "Crist J. Clark" <cristjc@comcast.net>
To: Stephen Gill
cc: freebsd-security@freebsd.org
Date: Fri, 16 Apr 2004 13:30:40 -0700
Subject: Re: Policy routing with IPFW
Message-ID: <20040416203040.GA9729@blossom.cjclark.org>
In-Reply-To: <20040415223945.40958.qmail@web60707.mail.yahoo.com>
User-Agent: Mutt/1.4.2.1i
List-Id: Security issues [members-only posting]

On Thu, Apr 15, 2004 at 03:39:45PM -0700, Stephen Gill wrote:
> Hi David,
>
> Well, that might be a half a step closer... I just tried this
> combination with a 50% success rate :). Inbound connections work quite
> well, but connections originating from the box itself do not work.
> Any ideas as to how to make this rulebase work with policy routing for
> outbound connections as well?
>
> I think it is interfering with the dynamic rules. ICMP appears to
> work, but that is all. I would like to still use the dynamic
> capabilities of stateful filtering if possible.

That is a problem with your setup since 'fwd' rules match and exit. So
what happens is,

> # POLICY ROUTING
> ${fwcmd} add 095 allow ip from ${IP1} to ${IP1-NET}
> ${fwcmd} add 100 fwd ${IP1-GW} ip from ${IP1} to any

Packets match here and go out.

> ${fwcmd} add 110 allow ip from ${IP2} to ${IP2-NET}
> ${fwcmd} add 115 fwd ${IP2-FW} ip from ${IP2} to any

Or match here and go out. Which means they never reached these:

> # Allow from me to anywhere
> ${fwcmd} add 240 allow tcp from me to any setup keep-state
> ${fwcmd} add 260 allow udp from me to any keep-state
> ${fwcmd} add 280 allow icmp from me to any

This also will mess with stateful connections (TCP) coming in since the
responses never get seen by the dynamic rules. For incoming connections,
using dynamic rules is actually bad for security in the first place, so
dropping that is not a problem. For the outgoing traffic... problem.

  $fwcmd add fwd ${IP1-GW} tcp from me to any setup keep-state

Won't work since applying a 'fwd' to the returning traffic is a bad idea
(routing loop).
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu  |  cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
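To trace the first-match behaviour the reply describes, here is an added toy model of ipfw evaluation; it is not ipfw and not code from the thread. It assumes a check-state rule at number 90 (not shown in the quoted rc.firewall), uses constructed addresses, and the `Rule`, `evaluate` and `run_flow` names are hypothetical.

```python
# Toy first-match model of ipfw evaluation (NOT ipfw itself), built to trace the
# rules quoted in this thread. All addresses below are constructed sample values.
from collections import namedtuple

ME, IP1_NET, IP1_GW, REMOTE = "192.0.2.10", "192.0.2.0/24", "192.0.2.1", "198.51.100.7"
# src/dst: "any", "me", a host address or a /24 network; setup: match only the SYN.
Rule = namedtuple("Rule", "num action src dst setup keep_state fwd_to",
                  defaults=("any", "any", False, False, ""))

def match_addr(pat, ip):
    if pat in ("any", "me"):
        return pat == "any" or ip == ME
    if pat.endswith("/24"):   # enough for the constructed sample network
        return ip.rsplit(".", 1)[0] == pat[:-3].rsplit(".", 1)[0]
    return pat == ip

def evaluate(rules, pkt, state):
    """First match wins and is terminal, as in ipfw. A keep-state hit records the
    flow with its parent rule's action; check-state replays that action for either
    direction of a recorded flow. Returns (rule_number, action)."""
    key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
    rev = (pkt["dst"], pkt["src"], pkt["dport"], pkt["sport"])
    for r in rules:
        if r.action == "check-state":
            hit = next((k for k in (key, rev) if k in state), None)
            if hit:
                return (r.num, state[hit])
        elif ((not r.setup or pkt["syn"]) and match_addr(r.src, pkt["src"])
              and match_addr(r.dst, pkt["dst"])):
            if r.keep_state:
                state[key] = r.action
            return (r.num, r.action)
    return (65535, "deny")   # ipfw's implicit default rule

# The order quoted in the thread: the fwd at 100 is in front of rule 240.
QUOTED = [Rule(95, "allow", ME, IP1_NET),
          Rule(100, "fwd", ME, "any", fwd_to=IP1_GW),
          Rule(240, "allow", "me", "any", setup=True, keep_state=True)]
# The "fwd ... setup keep-state" variant the reply says will not work.
FWD_KEEP_STATE = [Rule(100, "fwd", ME, "any", setup=True, keep_state=True, fwd_to=IP1_GW)]

def run_flow(rules):
    """Push one outbound SYN from this host, then the remote's SYN/ACK reply, through
    `rules` preceded by an assumed check-state rule. Returns (rule, action) per packet."""
    state, table = {}, [Rule(90, "check-state")] + rules
    syn = {"src": ME, "dst": REMOTE, "sport": 40000, "dport": 80, "syn": True}
    reply = {"src": REMOTE, "dst": ME, "sport": 80, "dport": 40000, "syn": False}
    return evaluate(table, syn, state), evaluate(table, reply, state)
```

With the quoted order the SYN terminates at rule 100, so no dynamic entry is ever created and the reply falls through to the default rule; with the fwd/keep-state variant the reply is matched by check-state and inherits the parent's fwd action, which is the returning-traffic problem the reply points out.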