From: Matthew Seaman
To: Nelis Lamprecht
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw ruleset
Date: Fri, 4 Oct 2002 09:23:06 +0100
Message-ID: <20021004082306.GB31681@happy-idiot-talk.infracaninophi>
In-Reply-To: <5.1.0.14.2.20021004085609.012ed3c8@192.96.48.11>
User-Agent: Mutt/1.5.1i

On Fri, Oct 04, 2002 at 08:58:50AM +0200, Nelis Lamprecht wrote:
> Hi People,
>
> I'm trying to set up my firewall using ipfw on 4.6 Stable. I have read
> through the man pages and also several howto's but now I need your advice.
> I would like to set up a DNS server that will respond to queries and my
> current ruleset does not seem to permit this. Please tell me what I am
> doing wrong.
>
> My Ruleset: ( ip's omitted )
>
> add 00301 check-state
> add 00302 allow tcp from any to any established

Um... This rule is probably not what you want. Essentially it makes all
the later tcp rules pointless... Try:

    add 00302 deny log tcp from any to any established

The idea is that the 'setup' packet for a tcp connection will generate a
specific dynamic rule via keep-state, and that will match at rule 00301.
Any other tcp packets should be denied.

> add 00303 allow tcp from any to any out setup keep-state
> add 00304 allow tcp from any to $lan 22,25,80,443 setup

Modify this to say:

    add 00304 allow tcp from any to $lan 22,25,53,80,443 setup

DNS uses tcp connections for zone transfers and also it will fall back
to tcp if the response generated is too big for a single UDP packet.

> add 00400 allow udp from any to any out
> add 00401 allow udp from $lan to any 53
> add 00402 allow udp from any 53 to $lan in recv rl0

If DNS is the only UDP service you use (which is quite possible), then
drop your rule 00400. Otherwise, move it to after the DNS specific
rules.

You need to allow your server to perform recursive lookups on your
behalf:

    add 00401 allow udp from $lan to any 53 keep-state out via rl0

and to let other people query your server:

    add 00402 allow udp from any to $lan 53 keep-state in via rl0

Using dynamic rules for a DNS server like this gives a good level of
security and is OK for a low traffic site, but it would probably
overwhelm IPFW's dynamic rule capacity if there was any significant DNS
traffic.

If you want to use static rules only, you need something like:

    add 00401 allow udp from $lan to any 53 out via rl0
    add 00402 allow udp from any 53 to $lan in via rl0
    add 00403 allow udp from any to $lan 53 in via rl0
    add 00404 allow udp from $lan 53 to any out via rl0

Unfortunately if going the static rule way, rule 00402 will expose all
of your UDP ports to a sufficiently wily cracker. This section in the
default /etc/namedb/named.conf may prove illuminating:

    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;

That will let you lock down both source and destination ports in rules
00401 and 00402.

> #allow some icmp types (codes not supported)
> ##allow path-mtu in both directions
> add 00600 allow icmp from any to any icmptypes 3
> ##allow source quench in and out
> add 00601 allow icmp from any to any icmptypes 4
> ##allow me to ping out and receive response back
> add 00602 allow icmp from any to any icmptypes 8 out
> add 00603 allow icmp from any to any icmptypes 0 in
> ##allow me to run traceroute
> add 00604 allow icmp from any to any icmptypes 11 in
> #allow ident requests
> add 00700 allow tcp from any to any 113 keep-state setup
> #deny syn and fin bits used for OS finger printing using nmap
> add 00701 deny log tcp from any to any in tcpflags syn,fin
> #log anything that falls through
> add 09000 deny log ip from any to any

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
Tel: +44 1628 476614                                  Marlow
                                                      Bucks., SL7 1TH UK
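The TCP and DNS part of the ruleset as revised in the reply above, written as an added example in the style of FreeBSD's rc.firewall (it is not a script from the thread). The placeholder address 192.0.2.10 stands in for the omitted $lan value, rl0 and the rule numbers are the thread's, and the dry-run wrapper and the dynamic/static switch are this example's own.

```shell
#!/bin/sh
# Added example: generate (or load) the DNS-related ipfw rules from the
# reply, in either the keep-state ("dynamic") or the static variant.

lan="${lan:-192.0.2.10}"   # constructed placeholder for the omitted address
oif="rl0"                  # outside interface used in the thread

# With DRY_RUN=1 (the default here) the rules are printed instead of loaded,
# so the ruleset can be reviewed on a host without ipfw.
fwcmd() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "ipfw $*"; else /sbin/ipfw "$@"; fi
}

# dns_rules dynamic|static
dns_rules() {
    mode="${1:-dynamic}"
    fwcmd add 00301 check-state
    # Established packets must already match a dynamic rule at 00301;
    # anything else is denied and logged instead of blanket-allowed.
    fwcmd add 00302 deny log tcp from any to any established
    fwcmd add 00303 allow tcp from any to any out setup keep-state
    # 53/tcp added: zone transfers and answers too large for one UDP datagram.
    fwcmd add 00304 allow tcp from any to "$lan" 22,25,53,80,443 setup
    if [ "$mode" = dynamic ]; then
        # Our server's recursive lookups, and other people's queries to it.
        fwcmd add 00401 allow udp from "$lan" to any 53 keep-state out via "$oif"
        fwcmd add 00402 allow udp from any to "$lan" 53 keep-state in via "$oif"
    else
        # Static variant: 00402 admits any UDP with source port 53; with
        # 'query-source address * port 53' in named.conf, 00401/00402 can be
        # narrowed to 'from $lan 53' and 'to $lan 53'.
        fwcmd add 00401 allow udp from "$lan" to any 53 out via "$oif"
        fwcmd add 00402 allow udp from any 53 to "$lan" in via "$oif"
        fwcmd add 00403 allow udp from any to "$lan" 53 in via "$oif"
        fwcmd add 00404 allow udp from "$lan" 53 to any out via "$oif"
    fi
    fwcmd add 09000 deny log ip from any to any
}

# Count rules in a variant; useful as a sanity check before loading.
rule_count() { dns_rules "$1" | wc -l | tr -d ' '; }
```

Run with DRY_RUN=0 as root to load the rules for real; the ICMP, ident and syn,fin rules from the original post are left out here and would go in between.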