Date: Wed, 29 Dec 2021 22:32:20 -0800
From: Michael Sierchio <kudzu@tenebras.com>
To: Kurt Hackenberg <kh@panix.com>
Cc: "questions@FreeBSD.org" <questions@freebsd.org>
Subject: Re: ipfw syntax clarification
Message-ID: <CAHu1Y72AgMjVhv_qE1C529NcQbGOi0O-4vRTKNeO2PHK=_t+VQ@mail.gmail.com>
In-Reply-To: <Yc1MxCxJ6Mk6bsdf@rain.home>
References: <8b2c341d-10e6-51a2-0654-86f4394865c7@tundraware.com> <Yc1MxCxJ6Mk6bsdf@rain.home>
On Wed, Dec 29, 2021 at 10:08 PM Kurt Hackenberg <kh@panix.com> wrote:

> On Wed, Dec 29, 2021 at 05:32:15PM -0600, Tim Daneliuk via
> freebsd-questions wrote:
>
> >We have a FBSD firewall/gateway/natd server on the perimeter of one of
> >our networks.
> >
> >We have an ipfw table that is loaded with pesky IPs like this:
> >
> >   ipfw add deny all from table\(10\) to any via ${OIF}
> >
> >This does block traffic which originates from those IPs to our server.
> >However, it also prevents our server from originating requests TO those
> >IPs.
> >
> >This is an issue because some of the table entries are CIDR blocks intended
> >to geoblock known problem areas.  However, it's sometimes desirable to, say,
> >connect to a web server within one of those CIDR blocks.
> >
> >How/can the rule above be modified to let no one in the table to connect or
> >ping to the server, but still allow the server to connect to something in
> >the forbidden blocks/IPs?
>
> Your browser tries to make a TCP connection to a web server in the
> hostile zone, but establishing that connection takes two-way
> communication.  Blocking all incoming traffic from that outside web
> server makes it impossible to establish the connection.
>
> You can deny incoming TCP connections from the hostile zone, but still
> allow outgoing connections to it, with something like this:
>
>     ipfw add pass tcp from me to table\(10\) via ${OIF} established
>     ipfw add pass tcp from table\(10\) to me via ${OIF} established
>     ipfw add pass tcp from me to table\(10\) via ${OIF} setup
>     ipfw add deny all from table\(10\) to any via ${OIF}

You don't want to permit any traffic from the bad IPs that isn't part of a
stateful rule.

Not accounting for NAT (which makes things a little more complicated, but
still entirely feasible):

    $FW add 00500 check-state :gb

    $FW add       deny ip from table\(reject\) to any in recv $WAN
    ...
    $FW add       allow tcp from any to any out xmit $WAN setup keep-state :gb
    $FW add       allow udp from any to any out xmit $WAN keep-state :gb
    $FW add       allow icmp from any to any out xmit $WAN keep-state :gb

    $FW add       allow ip6 from any to any out xmit $WAN setup keep-state :gb proto tcp
    $FW add       allow ip6 from any to any out xmit $WAN keep-state :gb proto udp
    $FW add       allow ipv6-icmp from any to any out xmit $WAN keep-state :gb

To the OP: there are no geoblocks of CIDR addresses – they don't really
exist.  You can block NL, for example, but that includes addresses in the
Antilles.  There are addresses that belong in the FR blocks that are in
North America (Saint-Pierre et Miquelon).  Actual location of IP addresses
is something known to the CDNs (Akamai, Cloudflare, AWS, etc.) and is
somewhat proprietary.
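An added example, not code from either poster, that models the distinction Michael is drawing. Kurt's rules rely on the `established` keyword, which ipfw matches on TCP flags alone (RST or ACK set), so any TCP packet from a table address that carries ACK is admitted whether or not a handshake ever happened; the check-state/keep-state ruleset only admits packets belonging to a flow the server itself opened. The Python below is a toy evaluator for the handful of ipfw actions the two rulesets use and runs both over the same constructed packet trace. The addresses (192.0.2.1 as `me`, 203.0.113.0/24 as the blocked table), the interface name em0, the default-deny tail and the flow key (which ignores ports and the TCP state that real ipfw dynamic rules track) are assumptions of the model, not anything the thread states.

```python
"""Toy evaluator contrasting ipfw 'established' rules with check-state/keep-state.

Added example; not code from the thread. Everything here is constructed:
'me' is 192.0.2.1, the blocked table is 203.0.113.0/24, the WAN interface is
em0, and both rulesets end in an assumed default deny. The flow key ignores
ports and TCP state, which real ipfw dynamic rules do track.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ME = ip_address("192.0.2.1")                   # constructed: the server ('me')
REJECT_TABLE = [ip_network("203.0.113.0/24")]  # constructed: table(10) / table(reject)
WAN = "em0"                                    # constructed: ${OIF} / $WAN


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str                  # "in" (recv WAN) or "out" (xmit WAN)
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN", "ACK"}
    iface: str = WAN


def in_table(addr):
    return any(ip_address(addr) in net for net in REJECT_TABLE)


def is_me(addr):
    return ip_address(addr) == ME


def on_wan(p):
    return p.iface == WAN


def is_setup(p):
    # ipfw 'setup': SYN set and ACK clear, i.e. the first packet of a handshake
    return p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags


def is_established(p):
    # ipfw 'established': any TCP packet with RST or ACK set; it does not know
    # whether a handshake ever took place
    return p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})


def flow_key(p):
    # Direction-agnostic key so that a reply matches the state its request created
    return (p.proto, frozenset({p.src, p.dst}))


class Firewall:
    """Evaluate (action, predicate) rules top to bottom, ipfw style."""

    def __init__(self, rules):
        self.rules = rules
        self.dynamic = set()  # dynamic rules created by keep-state

    def evaluate(self, p):
        for action, match in self.rules:
            if action == "check-state":
                if flow_key(p) in self.dynamic:
                    return "allow"
                continue
            if not match(p):
                continue
            if action == "allow keep-state":
                self.dynamic.add(flow_key(p))
                return "allow"
            return action
        return "deny"  # assumed default-deny tail (not shown in the thread)


def established_rules():
    # Kurt's four rules, each 'via ${OIF}' (no direction qualifier)
    return [
        ("allow", lambda p: on_wan(p) and is_me(p.src) and in_table(p.dst) and is_established(p)),
        ("allow", lambda p: on_wan(p) and in_table(p.src) and is_me(p.dst) and is_established(p)),
        ("allow", lambda p: on_wan(p) and is_me(p.src) and in_table(p.dst) and is_setup(p)),
        ("deny", lambda p: on_wan(p) and in_table(p.src)),
    ]


def stateful_rules():
    # Michael's IPv4 rules: check-state, deny table 'in recv $WAN', keep-state 'out xmit $WAN'
    return [
        ("check-state", None),
        ("deny", lambda p: on_wan(p) and p.direction == "in" and in_table(p.src)),
        ("allow keep-state", lambda p: on_wan(p) and p.direction == "out" and is_setup(p)),
        ("allow keep-state", lambda p: on_wan(p) and p.direction == "out" and p.proto in ("udp", "icmp")),
    ]


# Constructed trace: the server opens a connection to a table address and gets
# the SYN/ACK back; then two packets arrive from another table address that
# were never part of any flow the server started.
TRACE = [
    Packet("tcp", "192.0.2.1", "203.0.113.5", "out", frozenset({"SYN"})),         # our SYN
    Packet("tcp", "203.0.113.5", "192.0.2.1", "in", frozenset({"SYN", "ACK"})),  # their reply
    Packet("tcp", "203.0.113.7", "192.0.2.1", "in", frozenset({"SYN"})),         # unsolicited SYN
    Packet("tcp", "203.0.113.7", "192.0.2.1", "in", frozenset({"ACK"})),         # unsolicited ACK
]


def run(rules, trace):
    fw = Firewall(rules)
    return [fw.evaluate(p) for p in trace]


if __name__ == "__main__":
    for name, rules in (("established", established_rules()), ("stateful", stateful_rules())):
        print(f"{name:12s} {run(rules, TRACE)}")
```

Both rulesets let the server's own connection through and both reject the unsolicited SYN; they part ways on the fourth packet, which the flag-based `established` rule admits and the stateful ruleset drops because no dynamic rule was ever created for that flow. That is the gap Michael's "part of a stateful rule" remark points at.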