Date: Sat, 12 Apr 2003 08:30:57 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Tommy Forrest - KE4PYM <tforrest@shellworld.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: Firewall Rules/connection troubles
Message-ID: <20030412053057.GB65034@gothmog.gr>
In-Reply-To: <200304120023.h3C0NtvN036040@server1.shellworld.net>
References: <200304120023.h3C0NtvN036040@server1.shellworld.net>
On 2003-04-11 20:24, Tommy Forrest - KE4PYM <tforrest@shellworld.net> wrote:
> Recently, I upgraded to FreeBSD 4.8.  I decided to use a closed
> firewall.  I did some research and found some sample stateful
> firewall rules.  I've worked them somewhat into my requirements.
>
> I'm having some trouble.  My main complaint is that my telnet and ssh
> connections to the net time out.  In the script you see below you do
> not see the setup or keep-state comments for telnet/ssh.  I've tried
> it with both and to no avail.  IRC connections also time out rather
> quickly.  FTP connections to the machine are very slow and web sites
> seem to lag unless you click on the links several times (all of these
> behaviors are noted from an internal w2k machine).
>
> [snip large ruleset]

There are various problems with your ruleset.  I'll try to describe
some, but you'll probably have to ditch the entire mess of it all and
start again with a simpler set of rules.

a. You're using explicit numbers for your rules.  This isn't really a
   problem, but it's a shotgun begging for permission to have fun with
   your toes.  Just drop the numbers altogether, and let ipfw number
   the rules with whatever numbers it pleases.  You only have a few
   dozen rules.  There's still a lot of free space up to the limit of
   600 or so rules that ipfw can use before being in need of smaller
   inter-rule space.

b. You're using both 'check-state' and 'established'.  With
   check-state and smart use of keep-state for new connections you
   don't need 'established'.  It's probably better to check-state,
   then allow selectively *some* tcp connections, reject all other
   connection setup attempts with a port-unreachable ICMP and just
   drop dead on the floor all other packets.

       check-state
       allow tcp from any to any 22 out xmit $oif setup keep-state
       unreach port tcp from any to any in recv $oif setup
       deny tcp from any to any

c. You're only letting DNS requests to your ISP's name servers
   through, but haven't mentioned anything about your local DNS
   configuration.  It's not a wise thing to block all DNS traffic if
   you haven't set up a local named that forwards all requests to your
   ISP's servers.  This would probably explain some of the telnet/ssh
   problems you're having when keep-state is enabled.  When keep-state
   is disabled, you're blocking yourself out of the world anyway.

d. You're not letting NTP replies back in.  At all!

e. You don't have keep-state in your outgoing telnet/ssh/MSN-chat
   rules.  Put it back there, or there isn't any point in letting
   outgoing packets through since you'll never 'see' a reply.

f. The MSN file transfers rule in your incoming section lacks
   keep-state too, so it needs fixing too.

g. You do allow outgoing connections to port 6667 for IRC, but bear in
   mind that many servers accept connections to other ports too.  You
   might want to consider enabling ports 6668, 7325, 10000 and a few
   others too.  If not all outgoing connections, that is . . .

   Another potential source of IRC problems is the fact that you're
   not allowing through incoming auth/ident connections.  Many IRC
   servers will block for long periods, waiting for an ident reply and
   reject you when it eventually times out.

h. You're blocking fragments.  It's not always a good idea.

i. Your incoming ftp port 20 rule only claims to be 'incoming'.  It
   uses 'out via' which isn't quite the same thing.

k. You're not allowing any icmp packets through.  This can result in
   some pretty bizarre things.  You should probably allow all icmp
   packets through and tune net.inet.icmp.icmplim for incoming icmp
   packets and net.inet.icmp.icmplim_output for outgoing.

A much cleaner ruleset that works in a similar way could be written as
shown below.  I haven't used a lot of comments, but I'm sure you'll
quickly grasp what's going on.  It wasn't very clear if you wanted to
allow incoming or outgoing irc connections, so I've added rules to
allow both.  Delete or comment the one you don't need.

#!/bin/sh

fw="/sbin/ipfw"
ifout='xl0'
ifin='xl1'

$fw -q -f flush
$fw add divert natd ip from any to any via "${ifout}"

# loopback traffic
$fw add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
$fw add deny all from any to 127.0.0.0/8
$fw add deny ip from 127.0.0.0/8 to any

# pass icmp or evil things can happen
$fw add allow icmp from any to any

# inside interface isn't limited in any way
$fw add allow all from any to any via "${ifin}"

# stateful rules follow ------------------------------------------------
$fw add check-state

# outbound section -----------------------------------------------------
# You might want to allow *any* sort of dns/ntp traffic, but the following
# seems to work fine if you increase net.inet.ip.fw.dyn_udp_lifetime a
# bit.  Its default is too short for some slow links (like my dialup).
$fw add allow udp from any to any 53,123 keep-state

# Allow outgoing connections: ssh, telnet, mail, web, ntp and msn-chat.
$fw add allow tcp from any to any 22,23,25,80,110,123,443,1863,6667 \
	out xmit "${ifout}" setup keep-state

# irc
$fw add allow tcp from any to any 6667,6668,7325,10000 \
	out xmit "${ifout}" setup keep-state limit src-addr 4

# inbound section -----------------------------------------------------
$fw add allow tcp from any to any 21,22,25,80 \
	in recv "${ifout}" setup keep-state limit src-addr 4
$fw add allow tcp from any 20 to any 1024-49151 \
	in recv "${ifout}" setup keep-state limit src-addr 4
$fw add allow tcp from any to any 22,25 \
	in recv "${ifout}" setup keep-state limit src-addr 5

# kazaa & msn file transfers
$fw add allow tcp from any to any 1214,6891-6900 \
	in recv "${ifout}" setup keep-state

# irc
$fw add allow tcp from any to any 6667,6668,7325,10000 \
	in recv "${ifout}" setup keep-state limit src-addr 4

# fast reset of all auth/ident requests.
$fw add unreach port tcp from any to any 113 in recv "${ifout}" setup

# default policy ------------------------------------------------------
$fw add deny ip from any to any

HTH,
Giorgos.
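The following is an added example, not part of Giorgos's message and not ipfw code. It is a small Python model of ipfw's first-match evaluation (check-state, keep-state, 'setup', 'established', default deny) built to show two points from the reply: item (e), that an outgoing rule without keep-state never lets the reply packets back in, and item (b), that check-state plus keep-state makes 'established' unnecessary and is tighter than it. The class `ToyIpfw`, the rule lists and the addresses 10.0.0.2, 203.0.113.5 and 198.51.100.9 are constructed for the illustration; the model ignores rule numbers, interfaces and the implicit check-state that a real keep-state rule performs, since the explicit check-state is always first here.

```python
"""Toy model of ipfw first-match evaluation with check-state/keep-state.

Added example, not part of the original message and not ipfw itself.
Modelled: first match wins; 'setup' = SYN set and ACK clear;
'established' = ACK or RST set; an 'allow ... keep-state' match installs
a dynamic entry for the flow and for its reply direction; 'check-state'
consults that table; no match at all means deny (default-deny policy).
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str            # "in" (recv on outside if) or "out" (xmit on it)
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Rule:
    action: str               # "allow", "deny", "unreach port" or "check-state"
    proto: str = "ip"         # "ip" matches any protocol
    dports: Tuple[int, ...] = ()      # empty means "any"
    direction: Optional[str] = None   # None means either direction
    setup: bool = False       # ipfw 'setup'
    established: bool = False  # ipfw 'established'
    keep_state: bool = False


class ToyIpfw:
    def __init__(self, rules):
        self.rules = list(rules)
        self.dyn = set()      # dynamic entries keyed on (proto, src, sport, dst, dport)

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _matches(r: Rule, p: Packet) -> bool:
        if r.proto != "ip" and r.proto != p.proto:
            return False
        if r.dports and p.dport not in r.dports:
            return False
        if r.direction is not None and r.direction != p.direction:
            return False
        if r.setup and not (p.syn and not p.ack):
            return False
        if r.established and not (p.ack or p.rst):
            return False
        return True

    def check(self, p: Packet) -> str:
        """Return the verdict of the first matching rule, or 'deny'."""
        for r in self.rules:
            if r.action == "check-state":
                if self._key(p) in self.dyn:
                    return "allow"   # matched an existing dynamic rule
                continue
            if self._matches(r, p):
                if r.keep_state and r.action == "allow":
                    self.dyn.add(self._key(p))                      # this flow
                    self.dyn.add((p.proto, p.dst, p.dport, p.src, p.sport))  # its replies
                return r.action
        return "deny"


# Item (b) of the message, with $oif being the outside interface.
def stateful_rules():
    return [Rule("check-state"),
            Rule("allow", "tcp", (22,), "out", setup=True, keep_state=True),
            Rule("unreach port", "tcp", direction="in", setup=True),
            Rule("deny", "tcp")]


# Item (e): the same, but the outgoing rule forgot keep-state.
def rules_without_keep_state():
    return [Rule("check-state"),
            Rule("allow", "tcp", (22,), "out", setup=True),
            Rule("unreach port", "tcp", direction="in", setup=True),
            Rule("deny", "tcp")]


# The older 'established' idiom that check-state makes unnecessary.
def established_rules():
    return [Rule("allow", "tcp", (22,), "out", setup=True),
            Rule("allow", "tcp", established=True),
            Rule("deny", "tcp")]


CLIENT, SERVER, STRANGER = "10.0.0.2", "203.0.113.5", "198.51.100.9"  # constructed


def ssh_session(rules):
    """Verdicts for an outgoing SYN, the SYN/ACK reply and a later data segment."""
    fw = ToyIpfw(rules)
    syn = Packet("tcp", CLIENT, 40000, SERVER, 22, "out", syn=True)
    synack = Packet("tcp", SERVER, 22, CLIENT, 40000, "in", syn=True, ack=True)
    data = Packet("tcp", SERVER, 22, CLIENT, 40000, "in", ack=True)
    return fw.check(syn), fw.check(synack), fw.check(data)


def unsolicited_inbound(rules):
    """Verdicts for an inbound SYN and an inbound bare ACK that nobody asked for."""
    fw = ToyIpfw(rules)
    probe_syn = Packet("tcp", STRANGER, 51000, CLIENT, 22, "in", syn=True)
    probe_ack = Packet("tcp", STRANGER, 51000, CLIENT, 40000, "in", ack=True)
    return fw.check(probe_syn), fw.check(probe_ack)
```

`ssh_session(stateful_rules())` yields allow for all three packets because the SYN/ACK and data hit the dynamic entry at check-state, while `ssh_session(rules_without_keep_state())` allows only the SYN and denies every reply, which is exactly the time-out Tommy describes. `unsolicited_inbound(established_rules())` lets a bare ACK through because 'established' only looks at flag bits, whereas the stateful set denies it and answers the stray SYN with port-unreachable.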