From owner-freebsd-questions@FreeBSD.ORG Wed Oct 5 05:40:40 2005
From: "Andrew P."
To: Foo Ji-Haw
Cc: FreeBSD Questions
Date: Wed, 5 Oct 2005 09:40:39 +0400
Subject: Re: Need help: fwd on ipfw
In-Reply-To: <010701c5c964$10605b30$c801a8c0@nexpc>
References: <010a01c5c89a$f4234c80$c801a8c0@nexpc> <004b01c5c8a0$59001f70$0c64a8c0@opteron> <013b01c5c8a2$b8f57b80$c801a8c0@nexpc> <010701c5c964$10605b30$c801a8c0@nexpc>
On 10/5/05, Foo Ji-Haw wrote:
> Hello Anderson,
>
> I hope you can lend me your experience and generosity again in a follow-up
> question I have with ipfw. Basically I have much help from the Handbook.
> It's some small things that I get stuck with. Unfortunately I can't figure a
> way around it.
>
> Below is my firewall configuration:
> 00100 check-state
> 00300 allow ip from any to 192.168.0.4 in via dc0
> 00400 allow ip from 192.168.0.4 to any out via dc0
> 00600 allow ip from 127.0.0.1 to 127.0.0.1
> 00700 allow icmp from 10.10.0.0/16 to 10.10.0.0/16
> 00900 allow ip from 10.10.0.0/16 to 10.10.0.0/16 dst-port 67,68,80
> 01000 allow ip from 10.10.0.0/16 to 10.10.0.0/16 dst-port 53
> 01050 allow ip from 10.10.0.0/16 to 10.10.0.0/16
> 01060 allow ip from any to any MAC any 00:90:d1:00:80:00/33
> 01100 fwd 10.10.10.10,80 tcp from 10.10.0.0/16 to any dst-port 80 in via vr0
> 01200 allow ip from any to any
> 65535 deny ip from any to any
>
> My box has 2 interfaces. dc0 is the trusted network, vr0 is the untrusted
> network (the implementation is for a captive portal). The server's IP on vr0
> is 10.10.10.10.
>
> Problem 1:
> My rule (900) to allow the clients on vr0 to talk to the server's dhcpd
> service works well. But I can't get them to connect to the DNS service (rule
> 1000). I don't understand why this is so, because the same DNS service works
> well for clients on dc0. DNS will work if rule 1200 is in place (of course,
> 1200 should not be there).
>
> Problem 2:
> Rule 1100 is key for captive portal setup. Any web outgoing traffic from vr0
> will be redirected to the 'login' page at 10.10.10.10:80. And it works
> (fortunately!). But only with 1200 in place. Does this mean that after
> processing rule 1100 the ipfw continues to process the rest of the rules?
>
> Problem 3:
> I need to grant an authenticated client with the specified MAC address (1060)
> full access to the Internet, thereby bypassing fwd 1100. If I replace 1060
> with:
> 01060 allow ip from 10.10.10.100 to any
> the access is ok. But I need to lock down at the MAC level (to prevent IP
> spoofing). Can you advise me on the correct statement? This is the most
> frustrating question I have among the 3.
>
> Appreciate your time on this. Thanks again!
>

Please, cc the mailing list unless your problem is purely between you and me.

Before I start answering your questions, let me give you some advice.

1. Don't do check-state, unless you really need (and have configured) a
stateful firewall.

2. Use "xmit" and "recv" instead of "via" whenever possible. In your case
rule 300 should contain "in recv" and the next one "out xmit".

3. A much better way to pass loopback traffic is:
   "allow ip from any to any via lo0"
   "deny ip from any to 127.0.0.0/8"
   "deny ip from 127.0.0.0/8 to any"
(these should usually be at the very top)

4. It's a wonder that your rule 900 somehow allows DHCP to work. It certainly
shouldn't. DHCP requires much less restrictive rules (including broadcasts
and undefined source).

5. You must always keep in mind that any communication between a server and
a client requires packets to go both ways, sometimes passing the firewall 2
times in each direction. Your rule 1000 only allows DNS queries to get
through to the DNS server; the corresponding answers will be blocked. I
suppose that rule 1050 or 1200 solves the problem, but if you want to
restrict traffic you should come up with something else. Same goes for your
rule 1100: you block all the HTTP answers.

6. Sad, but true, you can never rely on MAC-binding security in a production
network. A MAC address is as easily spoofed as anything. Moreover, ipfw has
not been designed for layer-2 packet inspection, so you'll stumble upon many
problems and unexpected results. You'd better come up with a VPN/IPSec
solution.

Cheerz,
Andrew P.
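The following is an added example and not the original poster's ruleset or anything Andrew posted: a stateless, two-way ipfw ruleset, written as an rc.firewall-style sh script, that applies points 2 through 5 of the reply (loopback rules at the top, "in recv"/"out xmit" instead of "via", port-only DHCP rules that tolerate the 0.0.0.0 source and broadcast destination, and an explicit return-path rule for every service, including the HTTP replies behind the fwd rule). The interface names and addresses are the ones from the thread; the rule numbers, the client<->server narrowing of the ICMP rule, the `IPFW` dry-run override and the helper functions are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original poster's or Andrew's ruleset): a stateless,
# two-way ipfw ruleset for the captive-portal box described in the thread.
# Interface names and addresses are taken from the post; the rule numbers,
# the IPFW override for dry runs and the helper functions are assumptions.

ext_if="vr0"          # untrusted side; clients live in 10.10.0.0/16
int_if="dc0"          # trusted side
ext_ip="10.10.10.10"  # server's address on vr0 (login page and DNS live here)
int_ip="192.168.0.4"  # server's address on dc0
clients="10.10.0.0/16"

# Print the ruleset, one "number action body" per line, in load order.
# Lines starting with '#' are comments and are skipped by load_rules.
ruleset() {
    cat <<EOF
# loopback first, then refuse anything claiming to be 127/8 on a real interface
100 allow ip from any to any via lo0
200 deny ip from any to 127.0.0.0/8
300 deny ip from 127.0.0.0/8 to any
# trusted side: "in recv" / "out xmit" instead of "via"
400 allow ip from any to ${int_ip} in recv ${int_if}
500 allow ip from ${int_ip} to any out xmit ${int_if}
# DHCP: requests come from 0.0.0.0 to 255.255.255.255, so match on ports only
600 allow udp from any 68 to any 67 in recv ${ext_if}
610 allow udp from any 67 to any 68 out xmit ${ext_if}
# DNS: queries in, and the matching answers back out (UDP and TCP)
700 allow udp from ${clients} to ${ext_ip} 53 in recv ${ext_if}
710 allow udp from ${ext_ip} 53 to ${clients} out xmit ${ext_if}
720 allow tcp from ${clients} to ${ext_ip} 53 in recv ${ext_if}
730 allow tcp from ${ext_ip} 53 to ${clients} out xmit ${ext_if}
# ICMP, narrowed from the original rule 700 to client <-> server only
800 allow icmp from ${clients} to ${ext_ip}
810 allow icmp from ${ext_ip} to ${clients}
# captive portal: redirect client HTTP to the login page, then let its replies out
900 fwd ${ext_ip},80 tcp from ${clients} to any 80 in recv ${ext_if}
910 allow tcp from ${ext_ip} 80 to ${clients} out xmit ${ext_if}
# everything else from the untrusted side is dropped by the default rule 65535
EOF
}

# Number of real rules in the set (comments excluded), handy for sanity checks.
rule_count() {
    ruleset | grep -c '^[0-9]'
}

# Flush and load the ruleset. Set IPFW="echo ipfw -q" for a dry run that only
# prints the commands instead of touching the live firewall.
load_rules() {
    ipfw="${IPFW:-ipfw -q}"
    $ipfw -f flush
    ruleset | while read -r num rule; do
        case "$num" in
            '#'*|'') continue ;;   # skip comments and blank lines
        esac
        $ipfw add "$num" $rule
    done
}

# Only load when explicitly asked: `sh captive-ipfw.sh load`
if [ "${1:-}" = "load" ]; then
    load_rules
fi
```

Run `IPFW="echo ipfw -q" sh captive-ipfw.sh load` to see the exact commands before loading them for real. Two points worth keeping in mind when reading the set: fwd is a terminating action in ipfw, so the search stops at rule 900 for the redirected packet, and what the poster's rule 1200 was really letting through was the login page's replies, which rule 910 now allows explicitly; and on FreeBSD of that era the fwd action only works on a kernel built with `options IPFIREWALL_FORWARD`.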