Date: Wed, 16 Jun 2004 17:04:49 -0500
From: "Reuben A. Popp" <gobinau@digitalcelt.net>
To: freebsd-questions@freebsd.org
Cc: Giorgos Keramidas <keramida@ceid.upatras.gr>
Subject: Re: ipfw question
Message-ID: <200406161705.05309.gobinau@digitalcelt.net>
In-Reply-To: <20040616053526.GA21650@gothmog.gr>
References: <200406151832.10733.gobinau@digitalcelt.net> <20040616053526.GA21650@gothmog.gr>
Hi Giorgos,

Thanks so much for the quick response on my question :). I more or less took your rules that you posted, and tacked on a few more. I believe that what I have is correct, and everything seems to be working well, with a few exceptions. For instance, ftp and ssh still don't seem to make it into the logs, although the mail, web and web-ssl do with no problems. Again, following this message is my revised ruleset.

Thanks again,
Reuben A. Popp

------------------->%------------------------------------------
#!/bin/sh -
#
# Setup system for firewall service.
#

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi

# Flush the existing ruleset
echo "Flushing the existing ruleset, stand by..."
ipfw -f flush

# Setup Loopback
ipfw add pass all from any to any via lo0
ipfw add deny all from any to 127.0.0.0/8
ipfw add deny ip from 127.0.0.0/8 to any

# Stop RFC1918 nets on the outside interface
ipfw add deny all from 10.0.0.0/8 to any via em0
ipfw add deny all from 172.16.0.0/12 to any via em0
ipfw add deny all from 192.168.0.0/16 to any via em0

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
ipfw add deny all from 0.0.0.0/8 to any via em0
ipfw add deny all from 169.254.0.0/16 to any via em0
ipfw add deny all from 192.0.2.0/24 to any via em0
ipfw add deny all from 224.0.0.0/4 to any via em0
ipfw add deny all from 240.0.0.0/4 to any via em0

# Pass all ICMP messages through.
# Make sure they're rate-limited by setting `net.inet.icmp.icmplim'
ipfw add allow icmp from any to any

# First of all state checking. This will allow through any packet
# that is marked as "legitimate" by one of the following rules.
ipfw add check-state
ipfw add deny tcp from any to any established

# Allow DNS or NTP sessions that originate from us.
ipfw add allow udp from any to any 53,123 out keep-state

# Add all TCP connections that originate from us
ipfw add allow tcp from any to any out setup keep-state

# Pass and log all incoming ftp-data connections.
ipfw add allow log tcp from any 20 to any in setup keep-state

# Pass and log all incoming connections to: ftp, ssh, mail and www.
ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state

# Allow TCP through if setup succeeded
ipfw add pass tcp from any to any established

# Allow IP fragments to pass through
ipfw add pass all from any to any frag

# Allow setup of any other TCP connection
ipfw add pass tcp from any to any setup

# Reject & Log all setup of incoming connections from the outside
ipfw add deny log tcp from any to any in via em0 setup
------%<-------------------------------------------------------

Thanks again,
Reuben A. Popp

Giorgos Keramidas (Giorgos Keramidas <keramida@ceid.upatras.gr>) translated a message on Wednesday 16 June 2004 12:35 am into a binary format and sent it out among the ether in the search of "Reuben A. Popp" <gobinau@digitalcelt.net>. Upon being retranslated into ASCII, it was discovered that message read:

> On 2004-06-15 18:31, "Reuben A. Popp" <gobinau@digitalcelt.net> wrote:
> > I was tinkering around trying to get my firewall set the way I wanted
> > it, but seem to be running into an issue. I know that I have logging
> > set in the kernel and in rc.conf, as well as in my ruleset, but for
> > some odd reason, the firewall is not logging connections to the
> > services I wanted watched (ftp, ssh, web, etc).
>
> That's because your ruleset uses the following rule:
>
> # Allow TCP through if setup succeeded
> ipfw add 1200 pass tcp from any to any established
>
> before any of the other rules are reached. This lets every TCP packet
> through without logging and you never get a chance of picking out what
> to log or what to block :)
>
> A simplified version of your ruleset could be this one. Notice that
> I've removed all explicit rule numbers. IPFW does a pretty good job at
> automatically numbering the rules and you don't have too many rules for
> it to work. On the other hand, having hardcoded numbers means that you
> might miss some "reordering" of the rules and waste hours upon hours
> trying to find out why it doesn't work like it's supposed to. Not a
> good possibility... Anyway, here's a ruleset very similar to yours:
>
> #
> # Part 1. Semi-standard stuff copied from rc.firewall.
> #
>
> # Flush the existing ruleset
> echo "Flushing the existing ruleset, stand by..."
> ipfw -f flush
>
> # Only allow lo0 to send packets as 127.0.0.1
> ipfw add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
> ipfw add deny all from any to 127.0.0.0/8
> ipfw add deny ip from 127.0.0.0/8 to any
>
> # Stop RFC1918 nets on the outside interface
> ipfw add deny all from 10.0.0.0/8 to any via em0
> ipfw add deny all from 172.16.0.0/12 to any via em0
> ipfw add deny all from 192.168.0.0/16 to any via em0
>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface
> ipfw add deny all from 0.0.0.0/8 to any via em0
> ipfw add deny all from 169.254.0.0/16 to any via em0
> ipfw add deny all from 192.0.2.0/24 to any via em0
> ipfw add deny all from 224.0.0.0/4 to any via em0
> ipfw add deny all from 240.0.0.0/4 to any via em0
>
> #
> # Part 2. Local rules that allow and log selected TCP services.
> #
>
> # Pass all ICMP messages through.
> # Make sure they're rate-limited by setting `net.inet.icmp.icmplim'
> ipfw add allow icmp from any to any
>
> # First of all state checking. This will allow through any packet
> # that is marked as "legitimate" by one of the following rules.
> ipfw add check-state
> ipfw add deny tcp from any to any established
>
> # Allow DNS or NTP sessions that originate from us.
> ipfw add allow udp from any to any 53,123 out keep-state
>
> # Add all TCP connections that originate from us
> ipfw add allow tcp from any to any out setup keep-state
>
> # Pass and log all incoming ftp-data connections.
> ipfw add allow log tcp from any 20 to any in setup keep-state
>
> # Pass and log all incoming connections to: ftp, ssh, mail and www.
> ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state
>
> AFAIK, anything else can be blocked without stopping you from doing your
> real work.
>
> - Giorgos
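Added example, not from either poster: a small first-match simulator in Python for the subset of ipfw syntax these rulesets use, loaded with the state-related tail of Reuben's ruleset, so you can see which rule a fresh inbound SYN hits on em0 and whether that rule carries `log`. It shows an inbound SYN to port 22 landing on the logging rule, an inbound SYN to an unlisted port landing on `pass tcp from any to any setup` (so the final `deny log ... in via em0 setup` never fires), and an inbound ACK landing on `deny tcp ... established` (so the later `pass tcp ... established` is dead). The packet addresses are constructed (RFC 5737 ranges), the function names are mine, and dynamic state (`check-state`/`keep-state`) is deliberately not modelled.

```python
# Toy first-match evaluator for the ipfw rule subset used in this thread. Dynamic
# state (check-state/keep-state) is not modelled; a fresh inbound SYN has none anyway.
import ipaddress
OPTS = {"in", "out", "via", "setup", "established", "keep-state"}

def parse_rule(line):
    t = line.split()[2:]                      # drop the leading "ipfw add"
    r = {"action": t.pop(0), "log": False, "via": None, "ports": {}}
    if r["action"] == "check-state":
        return r
    if t[0] == "log":
        r["log"] = bool(t.pop(0))
    r["proto"] = t.pop(0)
    for side in ("from", "to"):               # "from SRC [PORTS] to DST [PORTS]"
        assert t.pop(0) == side
        r[side] = t.pop(0)
        if t and t[0] not in OPTS and t[0] != "to":
            r["ports"][side] = {int(x) for x in t.pop(0).split(",")}
    while t:                                  # trailing options such as "via em0"
        k = t.pop(0)
        r[k] = t.pop(0) if k == "via" else True
    return r
def addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
def matches(r, p):
    if r["action"] == "check-state":
        return False                          # no dynamic rules in this toy
    return all([r["proto"] in ("all", "ip", p["proto"]),
                addr_ok(r["from"], p["src"]) and addr_ok(r["to"], p["dst"]),
                p["sport"] in r["ports"].get("from", {p["sport"]}),
                p["dport"] in r["ports"].get("to", {p["dport"]}),
                all(not r.get(d) or p["dir"] == d for d in ("in", "out")),
                r["via"] in (None, p["iface"]),
                not r.get("setup") or (p["syn"] and not p["ack"]),
                not r.get("established") or p["ack"]])   # real ipfw: ACK or RST
def first_match(rules, p):                    # -> (index, action, logged) or None
    return next(((i, r["action"], r["log"]) for i, r in enumerate(rules) if matches(r, p)), None)

RULES = [parse_rule(l) for l in """\
ipfw add check-state
ipfw add deny tcp from any to any established
ipfw add allow tcp from any to any out setup keep-state
ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state
ipfw add pass tcp from any to any established
ipfw add pass tcp from any to any setup
ipfw add deny log tcp from any to any in via em0 setup""".splitlines()]
def inbound(dport, syn=True, ack=False):      # constructed packet, RFC 5737 addresses
    return dict(proto="tcp", src="198.51.100.7", dst="203.0.113.5", sport=40000,
                dport=dport, dir="in", iface="em0", syn=syn, ack=ack)
```

Paste the rest of the ruleset into `RULES` to check the other rules the same way; the index returned is the position in the list, which is also the order ipfw assigns when no explicit numbers are given.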
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200406161705.05309.gobinau>