Date: Fri, 02 Nov 2007 22:59:04 +0100
From: deeptech71@gmail.com
To: freebsd-questions@freebsd.org
Subject: Re: IPFW Rules and Games
Message-ID: <472B9DA8.6000800@gmail.com>
In-Reply-To: <472B6552.9060602@gmail.com>
References: <472AF4FF.9000803@gmail.com> <20071102141525.19a05fc7@gumby.homeunix.com.> <472B6552.9060602@gmail.com>
Hi, Jack, let's see.

Jack Barnett wrote:
>
> Lots of people play games here and basically a pain to keep trying to
> get these stupid things to work with individual rules for each.
>
> I'm running FreeBSD 6.x with IPFW/natd
>
> I get a dynamic IP from my ISP and the internal nic is 192.168.17.1
> Everything inside the network is 192.168.17.xxx
>
> The setup is this:
> 192.168.17.x <--> 192.168.17.1 <[FreeBSD]> Dynamic IP <--> {Random Game
> Server on the Internets}
> [Internet Network(GAME)] <--> [FreeBSD] <--> {Internets}
>
> There are a bunch of games that send out TCP/UDP packets (and who knows
> what else) on different ports to different destinations and then
> receive data back on "random" ports. Basically, anything on any
> protocol from the internal network should be able to establish and setup
> connections out AND be allowed to receive data back from whomever they
> connected out to; but "random" hosts trying to connect in should be
> blocked.

Back on "random" ports? That's not how it should be. Your client must send
a request (ping or connect) to a server, using the game's client port as
the local port, and the server port as the remote port. The reply should
come back the same way, reversed. For example, a client sends a connect
request:

  192.168.17.7:28000 > 87.15.13.165

natd converts the packet to:

  49.74.121.3:28000 > 87.15.13.165:29000

(49.74.121.3 is your public IP) and adds a dynamic rule (inside natd, not
ipfw) that a packet coming from 87.15.13.165, port 29000 to 49.74.121.3,
port 28000 should be routed to 192.168.17.7, port 28000. So the server
replies:

  87.15.13.165:29000 > 49.74.121.3:28000

natd converts the packet to:

  87.15.13.165:29000 > 192.168.17.7:28000

Any unknown packets will be blocked by natd. These are the "unauthorized
random hosts".
So basically the ruleset should be simple:

  ipfw -f flush
  # allow lo0 stuff
  # block some spoofs/attacks
  # if you are hosting gameservers from 192.168.17.3 or whatever,
  # you should (manually) open server ports, in other words, add
  # routes to 192.168.17.3 to specific server ports
  ipfw add divert natd all from any to any via $outside_interface
  ipfw add allow all from any to any
  # block some more spoofs/attacks :)
  # define services (like you did with http)

Correct me if I'm wrong. What games do reply back on random ports?

>
> I added this for a temporary fix:
> ${fwcmd} add pass all from any to any
>
> I don't think that is the right answer; That allows to much in?
>
> I've tried these per the docs:
>
> ${fwcmd} add allow all from any to any out via {$iip} setup
> ${fwcmd} add allow all from any to any out via {$iip} established
> ${fwcmd} add allow all from any to any in via {$iip} established
>
> and also a bunch of others; but none of them worked.
>
> Here is my full config:
> # simple
> [Ss][Ii][Mm][Pp][Ll][Ee])
> ############
> # This is a prototype setup for a simple firewall. Configure this
> # machine as a DNS and NTP server, and point all the machines
> # on the inside at this machine for those services.
> ############
>
> # set these to your outside interface network and netmask and ip
> oif="xl0"
> onet=`ifconfig xl0 | grep "inet " | awk '{print $6}'`

I'm not sure about this. Isn't the sixth word the broadcast address
(ending with .255)?

> omask="0xfffffe00"

0xfffffe00 wtf?

> oip=`ifconfig xl0 | grep "inet " | awk '{print $2}'`
>
> # set these to your inside interface network and netmask and ip
> iif="dc1"
> inet="192.168.17.0"
> imask="0xffffff00"
> iip="192.168.17.1"

What kind of internet connection do you have?
>
> setup_loopback
>
> # Stop spoofing
> ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
> ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
>
> # Stop RFC1918 nets on the outside interface
> ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
> ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
> ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface
> ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
> ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
> ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
> ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
> ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
>
> # Network Address Translation. This rule is placed here deliberately
> # so that it does not interfere with the surrounding address-checking
> # rules. If for example one of your internal LAN machines had its IP
> # address set to 192.0.2.1 then an incoming packet for it after being
> # translated by natd(8) would match the `deny' rule above. Similarly
> # an outgoing packet originated from it before being translated would
> # match the `deny' rule below.
> case ${natd_enable} in
> [Yy][Ee][Ss])
> if [ -n "${natd_interface}" ]; then
> ${fwcmd} add divert natd all from any to any via ${natd_interface}
> fi
> ;;
> esac
>
> # Stop RFC1918 nets on the outside interface
> ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
> ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
> ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface
> ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
> ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
> ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
> ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
> ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
>
> # Allow internal traffic
> ${fwcmd} add allow all from any to any via ${iif}
> # Allow all local traffic
> ${fwcmd} add allow all from ${inet}:${imask} to ${inet}:${imask}
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag
>
> # Allow setup of incoming email
> #${fwcmd} add pass tcp from any to ${oip} 25 setup
> #${fwcmd} add pass tcp from any to ${iip} 25 setup
> ${fwcmd} add pass tcp from any to any 25 setup
>
> # Allow access to our DNS
> ${fwcmd} add pass tcp from any to ${iip} 53 setup
> ${fwcmd} add pass udp from any to ${iip} 53
> ${fwcmd} add pass udp from ${iip} 53 to any
>
> #${fwcmd} add pass tcp from {$inet}:{$imask} to ${oip} 53 setup
> #${fwcmd} add pass udp from {$inet}:{$imask} to ${oip} 53
> #${fwcmd} add pass udp from ${oip} 53 to {$inet}:{$imask}
>
> # SMB - Samba
> #${fwcmd} add pass tcp from any to ${iip} 137
> #${fwcmd} add pass udp from any to ${iip} 137
> #${fwcmd} add pass tcp from any to ${iip} 138
> #${fwcmd} add pass udp from any to ${iip} 138
> #${fwcmd} add pass udp from any to ${iip} 791
>
> # Allow access to our WWW
> #${fwcmd} add pass tcp from any to ${oip} 80 setup
> ${fwcmd} add pass tcp from any to any 80 setup
>
> ${fwcmd} add pass tcp from any to ${iip} 888 setup
>
> # Allow access to our SSH
> #${fwcmd} add pass tcp from any to ${oip} 22 setup
> ${fwcmd} add pass tcp from any to any 22 setup
>
> # Reject&Log all setup of incoming connections from the outside
> ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>
> # Allow setup of any other TCP connection
> ${fwcmd} add pass tcp from any to any setup
>
> # Allow DNS queries out in the world
> #${fwcmd} add pass udp from ${oip} to any 53 keep-state
> ${fwcmd} add pass udp from any to any 53 keep-state
>
> # Allow NTP queries out in the world
> #${fwcmd} add pass udp from ${oip} to any 123 keep-state
> ${fwcmd} add pass udp from any to any 123 keep-state
>
> # NWN/NWN2 Client
>
> #http://nwn2forums.bioware.com/forums/viewtopic.html?topic=507894&forum=116&sp=30
> #http://nwn.bioware.com/forums/viewtopic.html?topic=387975&forum=56&sp=135
>
> #add 123 allow udp from any to 1.2.3.4 5120-5300,6500,6667,27900,28900
>
> #UDP 5120 - Outbound and Inbound packets
> #UDP 2485 - Outbound and Inbound packets
>
> #TCP 2486 - Outbound and Inbound packets
> #TCP 2487 - Outbound and Inbound packets
> #TCP 2488 - Outbound and Inbound packets
>
> #UDP 2489 - Outbound and Inbound packets
> #TCP 28910 - Server port
> #UDP 5121 - Server port
> #UDP 5122 - Server port
> #UDP 27900 - Server port
> #UDP 50643 - Server port
> #UDP 6121 - Server port
>
> # not working.
> #add allow all from any to any 2485-2490,5210-5230,6121-6500,27900,27900-28910,50643
> #add pass all from any to any 2485-2490,5210-5230,6121-6500,27900,27900-28910,50643
> #add allow all from any to any 5120-5300,6500,6667,27900,28900
>
> #allow outbound setup connections
> # not working.
> #${fwcmd} add allow tcp from any to any out via {$iip} setup
> #allow in and outbound established connections
> #${fwcmd} add allow tcp from any to any out via {$iip} established
> #${fwcmd} add allow tcp from any to any in via {$iip} established
>
> ${fwcmd} add pass all from any to any
>
> # Everything else is denied by default, unless the
> # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
> # config file.
> ;;
>
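The translation deeptech71 walks through above, as an added worked example that is not part of the thread and not natd's own code: a toy Python model of the dynamic table. It assumes a strict reverse-flow match (an inbound packet is only translated if it exactly reverses a recorded outbound flow, which is the behaviour the reply describes); real natd/libalias keying, timeouts and partial links differ in detail. The client, server and public addresses are the ones from the reply; the second inside host 192.168.17.8 and the outside host 203.0.113.9 are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def __str__(self) -> str:
        return f"{self.proto} {self.src_ip}:{self.src_port} > {self.dst_ip}:{self.dst_port}"


class SimpleNat:
    """Toy model (assumption, not natd's real algorithm) of the dynamic
    translation table: one entry per outbound flow, keyed so that only
    the exact reverse flow from the same remote host and port maps back."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        # (proto, public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self.dropped: List[str] = []

    def _public_port(self, pkt: Packet) -> int:
        # Keep the client's own port when it is free for this remote endpoint
        # (what the reply's example shows); otherwise take the next free one.
        port = pkt.src_port
        while True:
            owner = self.table.get((pkt.proto, port, pkt.dst_ip, pkt.dst_port))
            if owner is None or owner == (pkt.src_ip, pkt.src_port):
                return port
            port = port + 1 if port < 65535 else 1024

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving via the outside interface: rewrite the source and record the flow."""
        pub_port = self._public_port(pkt)
        self.table[(pkt.proto, pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on the outside interface: translate only if it reverses an entry."""
        inside = self.table.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            self.dropped.append(str(pkt))   # no flow to map it to: the "unknown packet" case
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside[0], inside[1])


def run_demo() -> dict:
    """Replay the reply's scenario plus the two cases the thread argues about."""
    nat = SimpleNat("49.74.121.3")
    # 1. client 192.168.17.7 connects out to the game server (addresses from the reply)
    out = nat.outbound(Packet("udp", "192.168.17.7", 28000, "87.15.13.165", 29000))
    # 2. server answers from the same port: translated back to the client
    reply = nat.inbound(Packet("udp", "87.15.13.165", 29000, "49.74.121.3", 28000))
    # 3. the "random port" case: same server but a different source port -> no entry
    random_port = nat.inbound(Packet("udp", "87.15.13.165", 31337, "49.74.121.3", 28000))
    # 4. an unrelated host (constructed address) aiming at the client port -> no entry
    stranger = nat.inbound(Packet("udp", "203.0.113.9", 29000, "49.74.121.3", 28000))
    # 5. a second inside host (constructed) using the same client port to the same
    #    server cannot reuse public port 28000, so it gets 28001 and its own entry
    out2 = nat.outbound(Packet("udp", "192.168.17.8", 28000, "87.15.13.165", 29000))
    reply2 = nat.inbound(Packet("udp", "87.15.13.165", 29000, "49.74.121.3", 28001))
    return {
        "out": str(out),
        "reply": str(reply) if reply else None,
        "random_port": random_port,
        "stranger": stranger,
        "out2": str(out2),
        "reply2": str(reply2) if reply2 else None,
        "dropped": len(nat.dropped),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Cases 3 and 4 are the point of the exchange: the same property that drops an unsolicited host (no matching entry) also drops a legitimate game server that answers from a port other than the one the client sent to, which is why such games look like they "reply on random ports" behind this kind of NAT and why they need explicitly opened server ports rather than a looser firewall rule.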
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?472B9DA8.6000800>