Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 19 Jan 2004 20:51:17 -0500
From:      "fbsd_user" <fbsd_user@a1poweruser.com>
To:        "Lowell Gilbert" <freebsd-questions-local@be-well.ilk.org>, <freebsd-questions@freebsd.org>
Subject:   RE: ipfw/nated stateful rules example
Message-ID:  <MIEPLLIBMLEEABPDBIEGAEDEFFAA.fbsd_user@a1poweruser.com>
In-Reply-To: <44ektvpgle.fsf@be-well.ilk.org>

next in thread | previous in thread | raw e-mail | index | archive | help
That's a play on words. And still does not prove stateful
rules work on the interface facing the public internet.
There is no documentation that says keep-state and limit
only works on the interface facing the private Lan network.
And the implied meaning is they are to be used on the
interface facing the public internet.

This is the IPFW Inclusive Rule Set that I use with 'user ppp' -Nat.
This works just fine on the public internet facing interface.
Where in this rule set should I place the divert rule so the
stateful
table will match the returning packets. I tried many different
locations and all it accomplished is changing whether the
private or public IP address is posted in the stateful table and
the returning packet is always the reverse of what was posted in
the stateful table.

There are other users trying to do the same thing with the same
results
as I get. So I know it's not me.

This is looking like IPFW2 divert/Natd function has an legacy
fundamental
design error when used with stateful rules on the interface
facing the public internet.


##############  Start of IPFW rules file
###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"

pif="tun0"        # public interface name of interface
                 # facing the public internet


#################################################################
# No restrictions on Inside Lan Interface for private network
#################################################################

$cmd 00005 allow all from any to any via xl0


#################################################################
# No restrictions on Loopback Interface
#################################################################

$cmd 00010 allow all from any to any via lo0


#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by an allow keep-state statement.
#################################################################

$cmd 00015 check-state


#################################################################
# Interface facing Public internet  (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public internet.
#################################################################


# Allow out access to my ISP's Domain name server.
$cmd 00110 allow tcp  from any to xxx.xxx.xxx.xxx 53 out via $pif
setup keep-state
$cmd 00111 allow udp  from any to xxx.xxx.xxx.xxx 53 out via $pif
keep-state


# Allow out non-secure standard www function
$cmd 00200 allow tcp  from any to any 80  out via $pif setup
keep-state

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp  from any to any 443  out via $pif setup
keep-state

# Allow out send & get email function
$cmd 00230 allow tcp  from any to any 25  out via $pif setup
keep-state
$cmd 00231 allow tcp  from any to any 110 out via $pif setup
keep-state

# Allow out FBSD (make install & CVSUP)  functions
# Basically give user root  "GOD"  privileges.
$cmd 00240 allow tcp  from me to any  out via $pif setup keep-state
uid root

# Allow out ping
$cmd 00250 allow icmp from any to any  out via $pif keep-state

# Allow out Time
$cmd 00260 allow tcp  from any to any 37  out via $pif setup
keep-state

# Allow out nntp news (IE: news groups)
$cmd 00270 allow tcp  from any to any 119 out via $pif setup
keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH  (secure shell)
$cmd 00280 allow tcp  from any to any 22 out via $pif setup
keep-state

# Allow out whois
$cmd 00290 allow tcp  from any to any 43 out via $pif setup
keep-state

# deny and log everything else that's trying to get out.
# This rule enforces the block all by default logic.
$cmd 00299 deny log all from any to any out via $pif


#################################################################
# Interface facing Public internet  (Inbound Section)
# Interrogate packets originating from the public internet
# destine for this gateway server or the private network.
#################################################################


# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16  to any in via $pif   #RFC
1918 private IP
$cmd 00301 deny all from 172.16.0.0/12   to any in via $pif   #RFC
1918 private IP
$cmd 00302 deny all from 10.0.0.0/8      to any in via $pif   #RFC
1918 private IP
$cmd 00303 deny all from 127.0.0.0/8     to any in via $pif
#loopback
$cmd 00304 deny all from 0.0.0.0/8       to any in via $pif
#loopback
$cmd 00305 deny all from 169.254.0.0/16  to any in via $pif   #DHCP
auto-config
$cmd 00306 deny all from 192.0.2.0/24    to any in via $pif
#reserved for doc's
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif   #Sun
cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3     to any in via $pif   #Class
D & E multicast

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81  in via $pif

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit
src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit
src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# internet as clear text.
$cmd 00420 allow tcp from any to me 23 in via $pif setup limit
src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any  in via $pif

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any

################  End of IPFW rules file
###############################


-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Lowell
Gilbert
Sent: Monday, January 19, 2004 8:14 PM
To: freebsd-questions@freebsd.org
Subject: Re: ipfw/nated stateful rules example

"fbsd_user" <fbsd_user@a1poweruser.com> writes:

> Sorry but the rule set you posted is doing 'keep-state' on the lan
> interface and not the interface facing the public internet. All
the
> rule statements processing against the public interface are
> stateless.  Doing stateful testing on the private lan is just
waste
> of cpu cycles, it proves nothing other than you have less turst in
> your lan users that you have in unknown public internet users.

Not really; the stateful rules are being applied against the public
Internet responses to packets sent out by the LAN users.

--
Lowell Gilbert, embedded/networking software engineer, Boston area:
                resume/CV at
http://be-well.ilk.org:8088/~lowell/resume/
                username/password "public"
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe@freebsd.org"



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGAEDEFFAA.fbsd_user>