Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 3 Jan 2001 12:04:49 -0800
From:      Steven Kehlet <kehlet@fisix.com>
To:        Darren Henderson <darren@nighttide.net>
Cc:        Rene de Vries <freebsd@canyon.demon.nl>, Luigi Rizzo <rizzo@aciri.org>, freebsd-security@freebsd.org
Subject:   Re: statefull packet filter together with natd question
Message-ID:  <20010103120449.A66966@leviathan.techfuel.com>
In-Reply-To: <Pine.BSF.4.30.0101022059580.20461-100000@localhost>; from darren@nighttide.net on Tue, Jan 02, 2001 at 09:09:19PM -0500
References:  <20010102151817.F59927@leviathan.techfuel.com> <Pine.BSF.4.30.0101022059580.20461-100000@localhost>

next in thread | previous in thread | raw e-mail | index | archive | help
Your rules work :-), but because you're just passing any established
tcp traffic you're not taking advantage of the security gain the
statefulness of the firewall can give you (i.e., checking sequence
numbers on established packets, etc).  I see you got this from
http://www.bsdtoday.com/2000/December/Features359.html.

You could improve security by instead denying all established
packets and putting this check after your check-state rule (as the
ipfw manpage suggests).

So let's say you do this.  Now here's the problem I was originally
bringing up: Internet-bound packets from your internal network
still cause two dynamic rules to be created--one passing over the
internal interface, untranslated; and the other passing over the
external interface, translated--but because natd is at the top of
your rules, returning packets get untranslated immediately and thus
no packets ever touch the second dynamic rule.  This second dynamic
rule is left in a half-open state until it finally times out.
Depending on how tightly you structure your rules this becomes more
than just a nuisance :-).

My question was: how can we arrange our rules to avoid creating
this second superfluous dynamic rule?  Luigi suggested adding
keep-state on the natd rule itself, which I will try tonight.

Thanks! :-),

Steve


On Tue, Jan 02, 2001 at 09:09:19PM -0500, Darren Henderson wrote:
> Date: Tue, 2 Jan 2001 21:09:19 -0500 (EST)
> From: Darren Henderson <darren@nighttide.net>
> To: Steven Kehlet <kehlet@fisix.com>
> cc: Rene de Vries <freebsd@canyon.demon.nl>, Luigi Rizzo <rizzo@aciri.org>,
>         <freebsd-security@FreeBSD.ORG>
> Subject: Re: statefull packet filter together with natd question
> 
> On Tue, 2 Jan 2001, Steven Kehlet wrote:
> 
> > [ moved from -hackers to -security ]
> >
> > For whatever it's worth, I struggled with this same problem for an
> > entire day before giving up and using ipfilter.  It seems to me
> > that there is a fundamental problem with using the ipfw stateful
> > rules and natd (as I'm sure you discovered yourself):  the ordering
> 
> Perhaps I'm missing the gist of the problem (not enough details here) but
> I don't haven't seen any problems with this under 4.2-Stable, (haven't
> used natd with a 5-Current system yet).... Sample rule set follows. Let me
> know if you (or anyone for that matter) see any problems with this.
> 
> 
> #!/bin/sh
> 
> fwcmd="/sbin/ipfw"
> 
> oif="ppp0"
> oip="a.b.c.d"
> iif="dc0"
> iip="10.a.b.c"
> imk="10.a.b.c/8"
> 
> $fwcmd -f flush
> 
> # loopback has to work
> $fwcmd add allow all from any to any via lo0
> 
> # disallow spoofing of loopback
> $fwcmd add deny log all from any to 127.0.0.0/8
> 
> # disallow spoofing of our address
> $fwcmd add deny log ip from $oip to any in via $oif
> 
> # no private space address should cross the outside interface
> $fwcmd add deny log ip from 192.168.0.0/16  to any            in  via $oif
> $fwcmd add deny log ip from 172.16.0.0/12   to any            in  via $oif
> $fwcmd add deny log ip from 10.0.0.0/8      to any            in  via $oif
> $fwcmd add deny log ip from any             to 192.168.0.0/16 in  via $oif
> $fwcmd add deny log ip from any             to 172.16.0.0/12  in  via $oif
> $fwcmd add deny log ip from any             to 10.0.0.0/8     in  via $oif
> 
> # stop draft-manning-dsua-01.txt nets on the outside interface
> $fwcmd add deny log all from 0.0.0.0/8      to any            in via $oif
> $fwcmd add deny log all from 169.254.0.0/16 to any            in via $oif
> $fwcmd add deny log all from 192.0.2.0/24   to any            in via $oif
> $fwcmd add deny log all from 224.0.0.0/4    to any            in via $oif
> $fwcmd add deny log all from 240.0.0.0/4    to any            in via $oif
> $fwcmd add deny log all from any            to 0.0.0.0/8      in via $oif
> $fwcmd add deny log all from any            to 169.254.0.0/16 in via $oif
> $fwcmd add deny log all from any            to 192.0.2.0/24   in via $oif
> $fwcmd add deny log all from any            to 224.0.0.0/4    in via $oif
> $fwcmd add deny log all from any            to 240.0.0.0/4    in via $oif
> 
> # divert the the outside interface
> $fwcmd add divert natd all from any to any via $oif
> 
> # allow all established sessions
> $fwcmd add allow tcp from any to any established
> 
> # we want to allow some connections to originate outside
> $fwcmd add allow tcp from any to $oip 21,22,25,53,80,113 setup
> 
> # allow required ICMP
> $fwcmd add allow icmp from any to any icmptypes 0,3,4,8,11,12
> 
> # allow udp dns queries
> $fwcmd add allow udp from any to any 53
> $fwcmd add allow udp from any 53 to any
> 
> # allow traceroute
> $fwcmd add allow udp from any to $oip 33400-33499 via $oif
> 
> # allow smb traffic
> $fwcmd add allow udp from any to any 137-139 via $iif
> 
> # dynamic rule set
> $fwcmd add check-state
> 
> # let this machine talk to anyone
> $fwcmd add allow ip from $oip to any keep-state out via $oif
> 
> # allow any traffic from the inner network to any
> $fwcmd add allow ip from $imk to any keep-state via $iif
> 
> # deny everything else
> $fwcmd add 65435 deny log logamount 1000 ip from any to any
> 
> 
> ______________________________________________________________________
> Darren Henderson                                  darren@nighttide.net
> 
>                    Help fight junk e-mail, visit http://www.cauce.org/



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010103120449.A66966>