Date:      Sun, 23 Aug 2015 22:58:46 -0700 (PDT)
From:      Don Lewis <truckman@FreeBSD.org>
To:        hrs@FreeBSD.org
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: a couple /etc/rc.firewall questions
Message-ID:  <201508240558.t7O5wkEZ003893@gw.catspoiler.org>
In-Reply-To: <20150824.132531.1687906630049554750.hrs@allbsd.org>

On 24 Aug, Hiroki Sato wrote:
> Don Lewis <truckman@FreeBSD.org> wrote
>   in <201508240052.t7O0qsFF002623@gw.catspoiler.org>:
> 
> tr> >  A TCP setup packet coming from a host on the internal LAN to the NAPT
> tr> >  router falls into the last deny-all rule because it does not match if
> tr> >  you added "out via ${oif}" to that rule.  Does the following
> tr> >  additional rule work for you?
> tr> >
> tr> >  ${fwcmd} add pass tcp from any to any out via ${oif} setup
> tr> >  ${fwcmd} add pass tcp from any to not me in via ${iif} setup
> tr>
> tr> That works for now, but won't do the correct thing when I subdivide my
> tr> internal network because it will allow unrestricted connections between
> tr> the internal subnets.  What I'd really like is something like:
> tr>
> tr> 	${fwcmd} add pass tcp from any to not me,${inet} setup
> tr>
> tr> but that isn't a valid rule.  I ended up adding a couple of deny
> tr> rules for me and ${inet} before the wildcard pass allow rule.  I had to
> tr> make sure that some other more specific rules allowing connections
> tr> between me and the inside were before the new deny rules.
> 
>  Hmmm, I think "table" would be useful to restrict connections between
>  the internal subnets in that case like:
> 
>   ## allow TCP setup going to outside network:
>   ${fwcmd} add pass tcp from any to any out via ${oif} setup
>   ## list of all internal subnets including NAPT router itself:
>   ${fwcmd} table 1 flush
>   ${fwcmd} table 1 add 192.168.1.1/32	# NAPT router
>   ${fwcmd} table 1 add 192.168.3.0/24
>   ${fwcmd} table 1 add 192.168.4.0/24
>   ...
>   ## allow TCP setup from the internal subnets to outside network:
>   ${fwcmd} add pass tcp from "table(1)" to not "table(1)" in via ${iif} setup

Using the interface name here does not work if the internal subnets are
connected via distinct interfaces.  Fortunately this isn't necessary if
each interface has anti-spoofing rules associated with it, so something
like this should work:

  ${fwcmd} add pass tcp from "table(1)" to not "table(1)" setup

I realized a short while ago that we don't need all of the addresses
associated with "me" here, so only the outside address of the router
needs to be added to the table.

Rather than using a table, it would also be possible to just use address
lists:

oip=192.168.1.1/32 # router external address
inet1=192.168.3.0/24
inet2=192.168.4.0/24
inet=${inet1},${inet2}
...
${fwcmd} add pass tcp from ${oip},${inet} to not ${oip},${inet} setup

And then ${inet1}, ${inet2}, "me", etc. can be used to add more
fine-grained rules for allowing connections between subnets, and between
the subnets and the router.

Unfortunately inet6 is rather badly named for this scheme.

>   ##
>   ## list of internal subnets which can connect to me:
>   ${fwcmd} table 2 flush
>   ${fwcmd} table 2 add 192.168.3.0/24
>   ...
>   ## allow TCP setup from some of the internal subnets to me:
>   ${fwcmd} add pass tcp from "table(2)" to me in via ${iif} setup
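
As an added example, not code from this thread or from FreeBSD's own
/etc/rc.firewall: an sh fragment that puts the address-list scheme above
together with the per-interface anti-spoofing rules that make it safe to
drop "in via ${iif}" from the setup rule. The interface names em0/em1/em2,
the 192.168.x addresses, the SSH exception and the FWCMD dry-run variable
are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.firewall:
# the address-list scheme plus the per-interface anti-spoofing rules that
# let the "pass ... setup" rule drop its "in via ${iif}" clause.
# Interface names, addresses and the SSH exception are assumptions.
# Dry run by default (prints the rules); set FWCMD=ipfw on the router to apply.

fwcmd="${FWCMD:-echo ipfw}"

oif="em0"                  # external interface (assumed)
oip="192.168.1.1/32"       # router external address, as in the thread
iif1="em1"; inet1="192.168.3.0/24"   # first internal subnet (assumed)
iif2="em2"; inet2="192.168.4.0/24"   # second internal subnet (assumed)
inet="${inet1},${inet2}"   # ipfw address list: comma-separated, no spaces

# Emit the rule set in order; ipfw stops at the first matching rule.
build_rules() {
    ${fwcmd} add pass all from any to any via lo0

    # Anti-spoofing per inside interface: a packet arriving on em1 must carry
    # a source address in inet1, and so on. With these in place the source
    # address alone identifies where a packet came from, so the setup rule
    # below needs no "in via" and works across several inside interfaces.
    ${fwcmd} add deny ip from not ${inet1} to any in via ${iif1}
    ${fwcmd} add deny ip from not ${inet2} to any in via ${iif2}
    # Nothing claiming an inside or router source may arrive from outside.
    ${fwcmd} add deny ip from ${oip},${inet} to any in via ${oif}

    # Packets belonging to already-established TCP sessions.
    ${fwcmd} add pass tcp from any to any established

    # More specific allows go before the deny below, e.g. SSH from inet1
    # to the router itself (assumed policy).
    ${fwcmd} add pass tcp from ${inet1} to me 22 setup

    # TCP setup from inside, or from the router's own outside address, to
    # anything that is not inside: the Internet, but not another subnet.
    ${fwcmd} add pass tcp from ${oip},${inet} to not ${oip},${inet} setup

    # Everything else, including setup between inside subnets, is denied.
    ${fwcmd} add deny ip from any to any
}

build_rules
```

Run it as `sh rules.sh` to see the rules it would load, and as
`FWCMD=ipfw sh rules.sh` on the router to load them. The table variant
from the quoted reply is the same ordering with `"table(1)"` in place of
`${oip},${inet}` once the table has been filled; the anti-spoofing rules
are what matter in either form, since without them a host on one inside
subnet could forge a source address from another and slip past the
"to not inside" test.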



