Date: Wed, 07 Oct 2015 08:57:42 -0500
From: Mark Felder <feld@FreeBSD.org>
To: freebsd-net@freebsd.org
Subject: Struggling with IPFW on CURRENT
Message-ID: <1444226262.4164898.403785985.524883DA@webmail.messagingengine.com>
Hi all,

I've only used IPFW in the past for the most basic of tasks. I'd like to use it with in-kernel NAT protecting both v4 and v6 and add dummynet/pipe later, but I have to get the basics working first. I'm either overlooking something obvious or there's a major issue. Has there been work in CURRENT? I haven't tried on any RELEASE....

Problems I'm running into:

* Inbound v4 traffic to the firewall is blocked, but inbound v6 traffic to the firewall and hosts behind it is not. Both v4 and v6 should be handled by the keywords: tcp, udp, ip, me.

* TCP sessions seem to be killed every ~300s.

* "in via $pif" doesn't seem to work. ex: block icmp from internet to $pif fails to do anything. However, "block out via $pif" blocks it...

* Does IPFW not track outbound traffic to allow it back through -- related/established? I have trouble blocking inbound traffic without blocking originated/outbound traffic because the firewall blocks the return packets.

* Port forwarding is failing, probably due to the issues with the "in via" that I'm experiencing. Research says once I have the redirect_port configured I should be good to go as long as I match the traffic and skip to the NAT rule. Skip rules don't stop processing, so it should hit the next rule, which is the last rule in my config -- allow from any to any. (Documentation for in-kernel NAT is nonexistent and really needs help.) The rule 425 below should be working, but logs show that rule is ignored and it's being blocked at 550. Comment out 550 and it works...

#!/bin/sh
# http://blog.pcbsd.org/2015/01/using-trueos-as-a-ipfw-based-home-router/
# Below based on example from Kris Moore

# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw add"
pif="re0"        # interface name of NIC attached to Internet
pif6="gif0"      # interface name of NIC attached to Internet IPv6 (tunnel)
iif="bridge0"    # interface name of NIC attached to LAN (re1, wlan0 bridged)
ks="keep-state"  # Laziness
skip="skipto 600"

# Create the NAT redirect rules
######################################
ipfw -q nat 1 config if $pif unreg_only reset \
    redirect_port tcp 172.16.1.122:32400 32400

######################################
# Allow everything through the local NIC
######################################
$cmd 00020 allow log all from any to any via $iif

######################################
# No restrictions on Loopback Interface
######################################
$cmd 00025 allow log all from any to any via lo0

######################################
# Catch spoofing from outside
######################################
$cmd 00090 deny log ip from any to any not antispoof in

######################################
# NAT the inbound stuff
######################################
$cmd 0100 nat 1 ip from any to any in via $pif

######################################
# Allow packet through if it matches existing entry in dynamic rules
######################################
$cmd 00101 check-state

######################################
# Allow all outgoing packets
######################################
$cmd 00110 $skip tcp from any to any out via $pif setup $ks
$cmd 00111 $skip udp from any to any out via $pif $ks

######################################
# Deny all inbound traffic from non-routable reserved address spaces
######################################
$cmd 00300 deny log all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
$cmd 00301 deny log all from 172.16.0.0/12 to any in via $pif    #RFC 1918 private IP
$cmd 00302 deny log all from 10.0.0.0/8 to any in via $pif       #RFC 1918 private IP
$cmd 00303 deny log all from 127.0.0.0/8 to any in via $pif      #loopback
$cmd 00304 deny log all from 0.0.0.0/8 to any in via $pif        #loopback
$cmd 00305 deny log all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
$cmd 00306 deny log all from 192.0.2.0/24 to any in via $pif     #reserved for doc
$cmd 00307 deny log all from 204.152.64.0/23 to any in via $pif  #Sun cluster interconnect
$cmd 00308 deny log all from 224.0.0.0/3 to any in via $pif      #Class D & E multicast

######################################
# Deny public pings
######################################
$cmd 00310 deny log icmp from any to any in via $pif  # This does not work

######################################
# Allow specific ports IN now (for services behind NAT)
######################################
$cmd 00425 $skip tcp from any to any 32400 in via $pif setup $ks

######################################
# Deny all other troublemakers
$cmd 00550 deny log tcp from any to any via $pif
$cmd 00551 deny log udp from any to any via $pif
$cmd 00552 deny log tcp from any to any via $pif6  # Added just-in-case because v6
$cmd 00553 deny log udp from any to any via $pif6  # uses gif0, but doesn't work

# Skip location for NAT
$cmd 600 nat 1 ip from any to any out via $pif
$cmd 610 allow log ip from any to any setup $ks

-- 
Mark Felder
ports-secteam member
feld@FreeBSD.org
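As an added example that is not part of Mark's post, here is a small Python lint that parses `ipfw add` lines (the post's rules, condensed, with the shell variables expanded, embedded as constructed sample input) and reports where each skipto resumes and which deny rules use a bare `via`, which in ipfw matches packets in both directions on that interface. It only reasons about rule numbering and direction keywords; it does not model NAT or dynamic state.

```python
import re

# Constructed sample: the post's rules, condensed, with the shell variables expanded.
RULESET = """\
ipfw add 00090 deny log ip from any to any not antispoof in
ipfw add 0100 nat 1 ip from any to any in via re0
ipfw add 00101 check-state
ipfw add 00110 skipto 600 tcp from any to any out via re0 setup keep-state
ipfw add 00310 deny log icmp from any to any in via re0
ipfw add 00425 skipto 600 tcp from any to any 32400 in via re0 setup keep-state
ipfw add 00550 deny log tcp from any to any via re0
ipfw add 00552 deny log tcp from any to any via gif0
ipfw add 600 nat 1 ip from any to any out via re0
ipfw add 610 allow log ip from any to any setup keep-state
"""

RULE_RE = re.compile(r"^ipfw add (\d+) (\S+)(?: (.*))?$")

def parse_rules(text):
    """Return (number, action, body) tuples in file order; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return rules

def direction(body):
    """'in'/'out' restrict a rule to one direction; a bare 'via' matches both."""
    toks = body.split()
    return "in" if "in" in toks else "out" if "out" in toks else "both"

def lint(rules):
    """Flag skipto targets that jump backwards or land elsewhere, and deny rules
    whose bare 'via' matches both inbound and outbound packets on the interface."""
    numbers = sorted(n for n, _, _ in rules)
    findings = []
    for num, action, body in rules:
        if action == "skipto":
            target = int(body.split()[0])
            # skipto resumes at the first rule numbered >= target
            landing = next((n for n in numbers if n >= target), None)
            if landing is None or target <= num:
                findings.append((num, "bad skipto target %d" % target))
            elif landing != target:
                findings.append((num, "skipto %d lands on rule %d" % (target, landing)))
        elif action == "deny" and "via" in body.split() and direction(body) == "both":
            findings.append((num, "deny matches both directions on its interface"))
    return findings
```

Run `lint(parse_rules(RULESET))` to list the findings; for the sample it reports rules 550 and 552 as direction-less denies and both skipto 600 rules as landing on rule 600.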