From owner-svn-doc-head@FreeBSD.ORG Tue Mar 4 20:10:55 2014
Return-Path:
Delivered-To: svn-doc-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C1862F23; Tue, 4 Mar 2014 20:10:55 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id AD40E236; Tue, 4 Mar 2014 20:10:55 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s24KAtKY088794; Tue, 4 Mar 2014 20:10:55 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s24KAtZi088793; Tue, 4 Mar 2014 20:10:55 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201403042010.s24KAtZi088793@svn.freebsd.org>
From: Dru Lavigne
Date: Tue, 4 Mar 2014 20:10:55 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44120 - head/en_US.ISO8859-1/books/handbook/firewalls
X-SVN-Group: doc-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-head@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SVN commit messages for the doc tree for head
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 04 Mar 2014 20:10:55 -0000

Author: dru
Date: Tue Mar 4 20:10:55 2014
New Revision: 44120

URL: http://svnweb.freebsd.org/changeset/doc/44120

Log:
  Section on IPFW NAT now reads better. Unfortunately, it is outdated as of 7.x. Will need to review EXAMPLES in ipfw(8) and address PR121952. Will hold off rest of commits to this chapter until someone gets a chance to do so.

  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Tue Mar 4 19:52:52 2014	(r44119)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Tue Mar 4 20:10:55 2014	(r44120)
@@ -2163,12 +2163,12 @@ pif="dc0" # interface name of NIC at To do this, the &os; machine connected to the Internet must act as a gateway. This system must have two NICs, where one is connected to the Internet - and the other is connected to the internal LAN. All the - machines connected to the LAN should be assigned - an IP addresses in the private network space, + and the other is connected to the internal LAN. Each + machine connected to the LAN should be assigned + an IP address in the private network space, as defined by RFC - 1918, and have their default gateway set to the + 1918, and have the default gateway set to the &man.natd.8; system's internal IP address. @@ -2177,7 +2177,7 @@ pif="dc0" # interface name of NIC at IPFW. If the system has a custom kernel, the kernel configuration file needs to include option IPDIVERT along with the other - IPFIREWALL options. + IPFIREWALL options described in . To enable NAT support at boot time, the following must be in 
@@ -2224,127 +2224,100 @@ redirect_port tcp 192.168.0.3:80 80 #!/bin/sh +ipfw -q -f flush cmd="ipfw -q add" skip="skipto 500" -pif=rl0 +pif=dc0 ks="keep-state" -good_tcpo="22,25,37,43,53,80,443,110,119" +good_tcpo="22,25,37,53,80,443,110" -ipfw -q -f flush - - The NAT rule is inserted + The inbound NAT rule is inserted after the two rules which allow all traffic on the trusted internal interface and on the loopback interface and before the check-state rule. It is important that the - rule number selected for the NAT rule, in + rule number selected for this NAT rule, in this example 100, is higher than the first two rules and lower than the check-state rule: $cmd 005 allow all from any to any via xl0 # exclude LAN traffic $cmd 010 allow all from any to any via lo0 # exclude loopback traffic - -# NAT any inbound packets -$cmd 100 divert natd ip from any to any in via $pif +$cmd 100 divert natd ip from any to any in via $pif # NAT any inbound packets # Allow the packet through if it has an existing entry in the dynamic rules table $cmd 101 check-state - The processing flow starts with the first rule from the - top of the ruleset and progresses one rule at a time until - the end is reached or the packet matches and the packet is - released out of the firewall. Take note of the location of - rule numbers 100 101, 450, 500, and 510. These rules - control the translation of the outbound and inbound packets - so that their entries in the dynamic keep-state table always - register the private LAN IP address. All the allow and deny - rules specify the direction of the packet and the interface. - All start outbound session requests will - skipto rule 500 to undergo NAT. + The outbound rules are modified to replace the + allow action with the + $skip variable, indicating that rule + processing will continue at rule 500. The + seven tcp rules have been replaced by rule + 125 as the + $good_tcpo variable contains the + seven allowed outbound ports. 
+ + # Authorized outbound packets +$cmd 120 $skip udp from any to x.x.x.x 53 out via $pif $ks +$cmd 121 $skip udp from any to x.x.x.x 67 out via $pif $ks +$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks +$cmd 130 $skip icmp from any to any out via $pif $ks - Consider a web browser which initializes a new HTTP + The inbound rules remain the same, except for the very + last rule which removes the via $pif in + order to catch both inbound and outbound rules. The + NAT rule must follow this last outbound + rule, must have a higher number than that last rule, and the + rule number must be referenced by the + skipto action. In this ruleset, + rule number 500 diverts all + packets which match the outbound rules to &man.natd.8; for + NAT processing. The next rule allows any + packet which has undergone NAT processing + to pass. + + $cmd 499 deny log all from any to any +$cmd 500 divert natd ip from any to any out via $pif # skipto location for outbound stateful rules +$cmd 510 allow ip from any to any + + In this example, rules 100, + 101, 125, + 500, and 510 + control the address translation of the outbound and inbound packets + so that the entries in the dynamic state table always + register the private LAN + IP address. + + Consider an internal web browser which initializes a new outbound HTTP session over port 80. When the first outbound packet enters - the firewall, it does not match rule 100 because it is - headed out rather than in. It passes rule 101 because this - is the first packet, and it has not been posted to the - dynamic keep-state table yet. The packet finally matches - rule 125 as it is outbound through the NIC facing the - Internet and has a source IP address as a private LAN IP - address. On matching this rule, two actions take place. - keep-state adds this rule to the dynamic - keep-state rules table and the specified action is executed - and posted as part of the info in the dynamic table. 
In - this case, the action is skipto rule 500. - Rule 500 NATs the packet IP address and - sends it out to the Internet. This packet makes its way to + the firewall, it does not match rule 100 because it is + headed out rather than in. It passes rule 101 because this + is the first packet and it has not been posted to the + dynamic state table yet. The packet finally matches + rule 125 as it is outbound on an allowed port + and has a source IP address from the internal LAN. + On matching this rule, two actions take place. + First, the keep-state action adds an entry to the dynamic + state table and the specified action, skipto rule 500, is executed. + Next, the packet undergoes NAT and + is sent out to the Internet. This packet makes its way to the destination web server, where a response packet is generated and sent back. This new packet enters the top of - the ruleset. It matches rule 100 and has it destination IP - address mapped back to the corresponding LAN IP address. It + the ruleset. It matches rule 100 and has it destination IP + address mapped back to the original internal address. It then is processed by the check-state rule, is found in the table as an existing session, and is - released to the LAN. It goes to the LAN system that sent it - and a new packet is sent requesting another segment of the - data from the remote server. This time it matches the - check-state rule, its outbound entry is - found, and the associated action, - skipto 500, is executed. The packet - jumps to rule 500, gets NATed, and is - released to the Internet. - - On the inbound side, everything coming in that is part of - an existing session is automatically handled by the - check-state rule and the properly placed - divert natd rules. The ruleset only has + released to the LAN. + + On the inbound side, the ruleset has to deny bad packets and allow only authorized services. 
- Consider a web server running on the firewall where web - requests from the Internet should have access to the local - web site. An inbound start request packet will match rule - 100 and its IP address will be mapped to the LAN IP address - of the firewall. The packet is then matched against all the - nasty things that need to be checked and finally matches - rule 425 where two actions occur. The packet rule is posted - to the dynamic keep-state table but this time, any new - session requests originating from that source IP address are - limited to 2. This defends against DoS attacks against the - service running on the specified port number. The action is - allow, so the packet is released to the - LAN. The packet generated as a response is recognized by the - check-state as belonging to an existing - session. It is then sent to rule 500 for - NATing and released to the outbound + A packet which matches an inbound rule + is posted + to the dynamic state table and the packet is released to the + LAN. The packet generated as a response is recognized by the + check-state rule as belonging to an existing + session. It is then sent to rule 500 to undergo + NAT before being released to the outbound interface. 
- -# Authorized outbound packets -$cmd 120 $skip udp from any to xx.168.240.2 53 out via $pif $ks -$cmd 121 $skip udp from any to xx.168.240.5 53 out via $pif $ks -$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks -$cmd 130 $skip icmp from any to any out via $pif $ks -$cmd 135 $skip udp from any to any 123 out via $pif $ks - - -# Deny all inbound traffic from non-routable reserved address spaces -$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP -$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP -$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP -$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback -$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback -$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config -$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs -$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster -$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast - -# Authorized inbound packets -$cmd 400 allow udp from xx.70.207.54 to any 68 in $ks -$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1 - - -$cmd 450 deny log ip from any to any - -# This is skipto location for outbound stateful rules -$cmd 500 divert natd ip from any to any out via $pif -$cmd 510 allow ip from any to any - Port Redirection
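Review bot: in the first hunk (the @@ -2163 / -2177 region) the rewritten sentence ends "IPFIREWALL options described in ." with no visible target, so the cross-reference either lost its linkend or renders as empty text; confirm the xref resolves to the IPFW kernel-options section before this goes in. The grammar fixes in the same hunk ("Each machine connected to the LAN should be assigned an IP address", "have the default gateway set") read correctly.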
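Review bot: in the second hunk (@@ -2224), the replacement paragraph for the inbound case ("A packet which matches an inbound rule is posted to the dynamic state table ... It is then sent to rule 500 to undergo NAT before being released to the outbound interface") does not describe what check-state actually does: when check-state finds a dynamic entry it executes the action of the rule that created that entry, and the inbound rules in this ruleset are allow rules (the hunk only converts the outbound rules to $skip; the removed inbound rules 400 and 420 are plain allow with $ks / limit), so the reply packet is allowed at rule 101 and never reaches rule 500. For a service on the firewall itself no translation is needed, so the ruleset still works, but the prose should say the reply is released by the check-state rule rather than claim it is NATed at 500; the removed text made the same claim, so this is part of the "outdated as of 7.x" problem noted in the log. Smaller points in the same hunk: "has it destination IP address mapped back to the original internal address" should read "its"; "The NAT rule must follow this last outbound rule" refers to rule 499, which is the catch-all deny, not an outbound rule, so say "must follow the final deny rule"; and the removed sentences explaining that later outbound packets of the same session match check-state and execute the stored skipto 500 action were the only place the text said how the second and subsequent packets of a session reach natd, so consider keeping one sentence of that after "released to the LAN".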