Date: Mon, 18 Nov 2024 14:48:52 +0100 (CET)
From: Ronald Klop <ronald-lists@klop.ws>
To: Dries Michiels <driesm@freebsd.org>
Cc: freebsd-ipfw@freebsd.org, FreeBSD Net <freebsd-net@freebsd.org>, freebsd-pf@freebsd.org, Ronald Klop <ronald@freebsd.org>
Subject: Re: IPFW statefull firewall ruleset - some sites or applications do not work as expected
Message-ID: <144998054.8391.1731937732129@localhost>
In-Reply-To: <CACx_iRE1cF8+fz_GvtSJF6iFWDkAzGgk9tr4gAER6ORUaU8O3w@mail.gmail.com>
References: <CACx_iREW_UKAHgwcq0xyTj=aHwC38ZHEovjqnihGUjfPnQO=sw@mail.gmail.com> <610cbd98-0e4c-474f-b352-9786fc9e6a70@FreeBSD.org> <CACx_iRE1cF8+fz_GvtSJF6iFWDkAzGgk9tr4gAER6ORUaU8O3w@mail.gmail.com>
Hi,

I just re-read the ipfw man page about one_pass = 0.

# sysctl -d net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: Only do a single pass through ipfw when using dummynet(4)

I think next to dummynet, the definition also counts for netgraph and NAT rules, but not for every rule. So I doubt that one_pass=0 will do anything after rule 10 applies.

But I won't call myself a master of ipfw. So I will be happy to stand corrected.

Regards,
Ronald.

From: Dries Michiels <driesm@freebsd.org>
Date: Monday, 18 November 2024 13:23
To: Ronald Klop <ronald@freebsd.org>
CC: freebsd-ipfw@freebsd.org, freebsd-pf@freebsd.org, FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: IPFW statefull firewall ruleset - some sites or applications do not work as expected

>
> Hi, unfortunately that's not the case, as I have one_pass set to off, meaning that after every rule, the packet continues to be processed by the next rule (so the NAT does get reached).
>
>
> On Thu 14 Nov 2024 at 11:17, Ronald Klop <ronald@freebsd.org> wrote:
>> On 02-11-2024 at 16:30, Dries Michiels wrote:
>> > Hello,
>> >
>> > So I have a very basic ruleset, as described in the FreeBSD handbook, see below. I have "blurred" my open ports as seen in the ruleset below.
>> > igc0 is my WAN port and the table "trusted_if" holds things like my LAN interface and some bridges.
>> >
>> > 00001 reass ip from any to any in
>> > 00010 allow ip from any to any via table(trustedif)
>> > 00050 deny log ip from any to any not antispoof in
>> > 00100 nat 1 ip4 from any to any in recv igc0
>> > 00500 skipto 10000 tcp from any to any out xmit igc0 setup keep-state :default
>> > 00501 skipto 10000 udp from any to any out xmit igc0 keep-state :default
>> > 05000 allow tcp from any to me *some open ports* in recv igc0 setup keep-state :default
>> > 05001 allow udp from any to me *some open ports* in recv igc0 keep-state :default
>> > 09998 deny log tcp from any to any
>> > 09999 deny log udp from any to any
>> > 10000 nat 1 ip4 from any to any out xmit igc0
>> > 65535 allow ip from any to any
>> >
>> > Now comes the tricky part. There are some applications that don't work correctly with this ruleset.
>> > For example, itsme (a Belgian application to identify yourself with a lot of accounts) does not work.
>> > Recently my banking website also stopped working. So now I'm wondering how do I start to troubleshoot this issue?
>> > Are there any caveats with this ruleset when redirects are happening, for example? I'm also wondering if Belgian PF users have the same issue?
>> >
>> > I'm hopeful to get to the bottom of this, as it's quite annoying needing to switch Wi-Fi channels to my ISP's router, which does work with these applications.
>> >
>> > Regards
>> > Dries
>> >
>> >
>>
>> Hi,
>>
>> It has been a while since I built ipfw firewalls, but doesn't rule 10 match all internal (from LAN) traffic, preventing outgoing (to WAN) packets from getting to the nat rules?
>>
>> I would suggest something like this:
>>
>> 00001 reass ip from any to any in
>> 00050 deny log ip from any to any not antispoof in
>> 00100 nat 1 ip4 from any to any via igc0
>> 00300 check-state :default
>> 00200 allow ip from any to any in table(trustedif) keep-state :default
>> 05000 allow tcp from any to me *some open ports* in recv igc0 setup keep-state :default
>> 05001 allow udp from any to me *some open ports* in recv igc0 keep-state :default
>> 09999 deny log ip from any to any
>> 65535 allow ip from any to any
>>
>>
>>
>> Regards,
>> Ronald.
>>
>
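The disagreement in this thread (does one_pass=0 let a LAN packet reach the nat rule after rule 10 has matched it?) can be traced mechanically. The following is an added illustration, not code from the FreeBSD project or from either poster: a deliberately small Python model of how ipfw walks a ruleset for one packet, fed the two rulesets above. It simplifies ipfw(8) as follows (these are assumptions of the model): "via IF" is true when the packet was received on IF or will be sent on IF, so on the output pass of a forwarded packet it still matches the LAN receive interface; "recv IF" tests the receive interface on both passes; "xmit IF" tests the transmit interface; allow and deny always end processing; nat ends processing only when one_pass is 1; skipto jumps. Dynamic state, the address rewriting itself, ports and antispoof are not modelled, the interface table trustedif is a constructed stand-in holding only a hypothetical "lan0", and Ronald's "in table(trustedif)" is read as "inbound on a trusted interface".

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for table(trustedif); the real one also holds bridges.
TRUSTEDIF = {"lan0"}

@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (input pass) or "out" (output pass)
    proto: str            # "tcp" or "udp"
    recv: Optional[str]   # interface the packet arrived on (kept on the output pass)
    xmit: Optional[str]   # interface it will leave on (None on the input pass)

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # allow | deny | nat | skipto | reass | check-state
    proto: Optional[str] = None      # None means "ip" (any protocol)
    direction: Optional[str] = None  # "in", "out" or None for both
    via: Optional[str] = None        # ipfw "via IF": received on IF or sent on IF
    recv: Optional[str] = None       # ipfw "recv IF"
    xmit: Optional[str] = None       # ipfw "xmit IF" (output pass only)
    target: Optional[int] = None     # skipto target

def _if_match(spec: Optional[str], ifname: Optional[str]) -> bool:
    if spec is None:
        return True
    return ifname is not None and (ifname in TRUSTEDIF if spec == "table(trustedif)" else spec == ifname)

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.via is not None and not (_if_match(rule.via, pkt.recv) or _if_match(rule.via, pkt.xmit)):
        return False
    if rule.recv is not None and not _if_match(rule.recv, pkt.recv):
        return False
    if rule.xmit is not None and not _if_match(rule.xmit, pkt.xmit):
        return False
    return True

def walk(rules: List[Rule], pkt: Packet, one_pass: bool = True):
    """One pass of one packet: (rule that ended processing, numbers of all rules that matched)."""
    # allow/deny always end processing; nat ends it only with one_pass=1, otherwise the
    # packet continues at the next rule (that is all the sysctl changes); skipto jumps.
    ordered = sorted(rules, key=lambda r: r.number)
    hits: List[int] = []
    i = 0
    while i < len(ordered):
        rule = ordered[i]
        if matches(rule, pkt):
            hits.append(rule.number)
            if rule.action in ("allow", "deny") or (rule.action == "nat" and one_pass):
                return rule.number, hits
            if rule.action == "skipto":
                i = next(j for j, r in enumerate(ordered) if r.number >= rule.target)
                continue
        i += 1
    raise RuntimeError("no default rule")

# Dries's ruleset.  Rules 50 and 5000/5001 are left out: "not antispoof" and
# "to me <ports> in recv igc0" never match a forwarded LAN->WAN packet.
DRIES = [
    Rule(1, "reass", direction="in"),
    Rule(10, "allow", via="table(trustedif)"),
    Rule(100, "nat", direction="in", recv="igc0"),
    Rule(500, "skipto", proto="tcp", direction="out", xmit="igc0", target=10000),
    Rule(501, "skipto", proto="udp", direction="out", xmit="igc0", target=10000),
    Rule(9998, "deny", proto="tcp"),
    Rule(9999, "deny", proto="udp"),
    Rule(10000, "nat", direction="out", xmit="igc0"),
    Rule(65535, "allow"),
]

# Ronald's suggestion.  "in table(trustedif)" is read as "inbound, received on a
# trusted interface" (an assumption about the intended syntax).
RONALD = [
    Rule(1, "reass", direction="in"),
    Rule(100, "nat", via="igc0"),
    Rule(200, "allow", direction="in", recv="table(trustedif)"),
    Rule(300, "check-state"),
    Rule(9999, "deny"),
    Rule(65535, "allow"),
]

def trace_lan_to_wan(rules: List[Rule], one_pass: bool = True, proto: str = "tcp") -> dict:
    """Both passes a forwarded packet makes: input on lan0, then output on igc0."""
    return {"in": walk(rules, Packet("in", proto, "lan0", None), one_pass),
            "out": walk(rules, Packet("out", proto, "lan0", "igc0"), one_pass)}

def nat_reached(rules: List[Rule], one_pass: bool = True) -> bool:
    """True if a nat rule matched on the output pass, where outbound translation happens."""
    nat_rules = {r.number for r in rules if r.action == "nat"}
    return bool(nat_rules & set(trace_lan_to_wan(rules, one_pass)["out"][1]))

if __name__ == "__main__":
    for name, rules, one_pass in (("Dries", DRIES, True), ("Dries", DRIES, False), ("Ronald", RONALD, True)):
        t = trace_lan_to_wan(rules, one_pass)
        print(f"{name:6} one_pass={int(one_pass)}  in: stops at {t['in'][0]} via {t['in'][1]}"
              f"  out: stops at {t['out'][0]} via {t['out'][1]}  nat reached: {nat_reached(rules, one_pass)}")
```

Under these assumptions the model agrees with Ronald: for Dries's ruleset the output pass on igc0 stops at rule 10 whether one_pass is 1 or 0, because "via table(trustedif)" still matches the LAN receive interface of the forwarded packet and allow terminates unconditionally, so rule 10000 is never reached. Replacing rule 10 with an input-only version ("allow ip from any to any in recv table(trustedif)") lets the output pass fall through to the skipto at 500 and reach the nat at 10000, which is the behaviour Dries expected. With Ronald's ordering the nat at 100 is the first rule that matches on the output pass. What the model cannot tell you is how dynamic state behaves once a packet continues past nat with one_pass=0; that is a real ipfw question the thread leaves open.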