From owner-freebsd-questions Fri Jun 7 7:46:36 2002
Date: Fri, 7 Jun 2002 10:45:32 -0400
From: Rob Ellis
To: Joe & Fhe Barbish
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw: 'out via fxp0' rules don't work
Message-ID: <20020607144532.GD83160@web.ca>
References: <20020606172128.GH18966@web.ca> <20020607144408.GC83160@web.ca>
In-Reply-To: <20020607144408.GC83160@web.ca>

the box is set up like this:

    routable-network --|
    routable-network --| |-- internet
    192.168.1.1      --|

what i was trying to do is allow any outbound traffic out to the internet
from the internal routable networks with a keep-state rule. i've already
sorted out natd and the rules for the 192.168 network. for the routable
(class c) networks, i thought from reading the ipfw man page that it
should be possible to do

    ipfw add allow tcp from any to any out via fxp0 setup keep-state

to allow outbound tcp traffic that wasn't already being allowed. but it
didn't work. i don't want to do just

    ipfw add allow tcp from $net1 to any setup keep-state

because "any" in this case also includes my other internal networks which
i want to keep firewalled off from each other.
so i end up doing something like

    ipfw add 20000 skipto 20003 tcp from $net1 to $net2
    ipfw add 20001 skipto 20004 tcp from $net1 to $net3
    ipfw add 20002 allow tcp from $net1 to any setup keep-state
    ipfw add 20003 count tcp from $net1 to $net2
    ipfw add 20004 count tcp from $net1 to $net3

repeated for each network, which works, but seems kludgey.

- rob

On Thu, Jun 06, 2002 at 08:02:17PM -0400, Joe & Fhe Barbish wrote:
> Rob
> You are not clear about what you are trying to do.
> Saying you have 4 interfaces that are intended to allow outbound
> connections leaves one guessing. Does this mean you have 4 Nic cards
> each connected to a different isp account, or 4 Nic cards servicing
> private internal Lans?
>
> The keep-state option builds an entry in the dynamic rules table for
> automatic bi-directional packet exchange and is normally used just
> on the public interface.
>
> Advanced stateful rules and IPFW's built-in divert natd function are
> very hard to get to function correctly for a LAN behind the firewall.
>
> I have stumbled into the solution to this problem after many months of
> testing.
> This solution has only been tested on FBSD version 4.5.
> All private LAN Nic interface devices must have a keep-state rule
> so they get in sync with the keep-state dynamic table rules for the
> DSL or Cable internet connection interface.
>
> The order of private Lan rules before the public out & in rules,
> both of which have to come after the divert natd rule, is very important.
>
> See rule 500 below.
>
> Content of /etc/ipfw.rules.conf
>
> # These rules can be reloaded without rebooting by issuing this command
> # sh /etc/ipfw.rules.conf
>
> /sbin/ipfw -q -f flush
>
> # Set rules command prefix
> # The -q option on the command is for quiet mode.
> # Do not display rules as they load. Remove during development to see.
> cmd="/sbin/ipfw -q add"
>
> # Set defaults
> oif="rl0"                 # Nic card to DSL modem public internet connection
> odns1="241.250.241.250"   # ISP's dns server IP address
>
> $cmd 00200 divert natd all from any to any via $oif
>
> ######## control section ############################################
> # Start of IPFW advanced Stateful Filtering using "dynamic" rules.
> # The check-state statement behavior is to match bi-directional packet traffic
> # flow between source and destination using protocol/IP/port/sequence number.
>
> # Allow the packet through if it has previously been added to the
> # "dynamic" rules table by an allow keep-state statement.
> $cmd 00400 check-state
>
> # Run all private LAN xl0 packet traffic through the dynamic rules
> # table so the IP addresses are in sync with Natd. You would have one
> # rule like this for each Nic card you have for private lans.
> $cmd 00500 allow all from any to any via xl0 keep-state
>
> # Deny all fragments coming in as bogus packets
> $cmd 00530 deny all from any to any frag in via $oif
>
> # Deny ACK packets that did not match the dynamic rule table
> $cmd 00540 deny tcp from any to any established in via $oif
>
> ######## outbound section ############################################
> # Interrogate packets originating from behind the firewall, private net.
> # Upon a rule match, its keep-state option will create a dynamic rule.
>
> # Allow out non-secure standard http function
> $cmd 00600 allow tcp from any to any 80 out via $oif setup keep-state
>
> # Allow out secure www function https over TLS SSL
> $cmd 00601 allow tcp from any to any 443 out via $oif setup keep-state
>
> # Allow out access to my ISP's Domain name server.
> $cmd 00610 allow tcp from any to $odns1 53 out via $oif setup keep-state
> $cmd 00611 allow udp from any to $odns1 53 out via $oif keep-state
>
> # Allow out send & get email function
> $cmd 00630 allow tcp from any to any 25,110 out via $oif setup keep-state
>
> # Allow out FBSD (make install & CVSUP) functions
> # Basically give user id [ROOT] "GOD" privileges.
> $cmd 00640 allow tcp from me to any out via $oif setup keep-state uid root
>
> ######## inbound section ############################################
> # Interrogate packets originating from in front of the firewall, public net.
>
> # Allow in www http access to my apache server
> $cmd 00800 allow tcp from any to any 80 in via $oif setup keep-state limit src-addr 4
>
> # Allow TCP FTP control channel in & data channel out
> $cmd 00810 allow tcp from any to me 21 in via $oif setup keep-state limit src-addr 4
> $cmd 00811 allow tcp from any 20 to any 1024-49151 out via $oif setup keep-state limit src-addr 4
>
> # Allow in ssh function
> $cmd 00820 allow log tcp from any to me 22 in via $oif setup keep-state limit src-addr 4
>
> # Allow in Telnet
> $cmd 00830 allow tcp from any to me 23 in via $oif setup keep-state limit src-addr 4
>
> This is just a sample from which you can build. The main thing is that it
> demonstrates how to code and organize your advanced stateful rules file.
>
> Joe
>
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Rob Ellis
> Sent: Thursday, June 06, 2002 1:21 PM
> To: freebsd-questions@FreeBSD.ORG
> Subject: ipfw: 'out via fxp0' rules don't work
>
> i have the following rules, on a box with 4 interfaces,
> that are intended to allow outbound connections...
>
> ipfw add allow udp from any to any out xmit fxp0 keep-state
> ipfw add allow tcp from any to any out xmit fxp0 setup keep-state
>
> but this doesn't work as i thought it would.
> for instance, 'in via xl0' packets are still being blocked.
>
> i also tried
>
> ipfw add allow udp from any to any out recv xl0 xmit fxp0 keep-state
> ipfw add allow tcp from any to any out recv xl0 xmit fxp0 setup keep-state
>
> which also didn't work. the packets i want to allow are indeed coming
> in via xl0 and out via fxp0, but the error is always like:
>
> Jun 6 12:46:30 myname /kernel: ipfw: 22901 Deny TCP xxx.xxx.xxx.xxx:3325 yyy.yyy.yyy.yyy:80 in via xl0
>
> a rule like
>
> ipfw add allow tcp from xxx.xxx.xxx.0/24 to any 80 setup keep-state
>
> does work, but i want to firewall off the internal networks
> from each other, and i didn't want to get into any more
> skipto rules...
>
> in short, interface-based in/out rules don't seem to work.
>
> anyone have any ideas? am i just not understanding how the interface-based
> rules are supposed to work?
>
> the firewall box is running 4.5-RELEASE-p4.
>
> thanks.
>
> - rob
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
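Added by the editor, not part of the thread: a small Python model of the mechanism behind the log line Rob quotes. ipfw on FreeBSD 4.x runs a packet that is being forwarded through the ruleset twice, once on input (direction "in", receiving interface xl0, outgoing interface not yet known) and once on output (direction "out", now with xl0 as recv and fxp0 as xmit). A rule qualified "out via fxp0" or "xmit fxp0" can only match on the second pass, so on the first pass the packet falls through to the catch-all deny and is logged "in via xl0"; the model reproduces that and then walks Rob's skipto ruleset for the two cases he cares about. Assumptions, none of which are in the thread: the three routable networks are 192.0.2.0/24 ($net1, behind xl0), 198.51.100.0/24 ($net2, behind xl1) and 203.0.113.0/24 ($net3); rule 22901 from the log is the catch-all deny; Rob's unnumbered rule is given number 100; the packets and the internet host address are constructed. keep-state is parsed but not modelled, only the first SYN of each connection is followed.

```python
"""How ipfw on FreeBSD 4.x walks its ruleset for a *forwarded* packet: once on the
input path ("in"; recv = arriving interface, outgoing interface not yet known) and
again on the output path ("out"; xmit now set).  "via IF" matches either interface,
"recv IF"/"xmit IF" only their own.  keep-state is accepted but not modelled."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the thread's three unnamed routable /24s (assumption).
NETS = {"$net1": "192.0.2.0/24", "$net2": "198.51.100.0/24",
        "$net3": "203.0.113.0/24", "any": "0.0.0.0/0"}
# syn_only: SYN without ACK, which is what ipfw's "setup" matches.
Packet = namedtuple("Packet", "proto src dst dport syn_only", defaults=(True,))

@dataclass
class Rule:
    number: int
    action: str                        # allow | deny | count | skipto
    target: Optional[int] = None       # skipto destination
    proto: str = "all"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    direction: Optional[str] = None    # "in", "out" or None for either
    via: Optional[str] = None
    recv: Optional[str] = None
    xmit: Optional[str] = None
    setup: bool = False

def parse_rule(text):
    """Parse the ipfw(8) subset used in the thread, e.g. 'add 20000 skipto 20003 tcp from $net1 to $net2'."""
    toks = [NETS.get(t, t) for t in text.split() if t not in ("ipfw", "add", "$cmd", "log", "keep-state")]
    rule = Rule(number=int(toks.pop(0)), action=toks.pop(0))
    if rule.action == "skipto":
        rule.target = int(toks.pop(0))
    rule.proto = toks.pop(0)
    _, rule.src, _, rule.dst = toks[:4]      # "from SRC to DST"
    del toks[:4]
    if toks and toks[0].isdigit():           # a single destination port
        rule.dport = int(toks.pop(0))
    while toks:                              # remaining options
        t = toks.pop(0)
        if t in ("in", "out"):
            rule.direction = t
        elif t in ("via", "recv", "xmit"):
            setattr(rule, t, toks.pop(0))
        elif t == "setup":
            rule.setup = True
    return rule

def matches(r, p, direction, recv, xmit):
    """One rule against one packet on one pass; xmit is None on the input pass."""
    return (r.proto in ("all", p.proto)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(r.dst)
            and r.dport in (None, p.dport)
            and r.direction in (None, direction)
            and (r.via is None or r.via in (recv, xmit))
            and r.recv in (None, recv) and r.xmit in (None, xmit)
            and (not r.setup or (p.proto == "tcp" and p.syn_only)))

def walk(rules, p, direction, recv, xmit=None):
    """One traversal -> (rule number, verdict); 65535 is the implicit default deny."""
    rules = sorted(rules, key=lambda r: r.number)
    i = 0
    while i < len(rules):
        r = rules[i]
        if matches(r, p, direction, recv, xmit):
            if r.action in ("allow", "deny"):
                return r.number, r.action
            if r.action == "skipto":   # resume at the first rule numbered >= target
                i = next((j for j, x in enumerate(rules) if x.number >= r.target), len(rules))
                continue
            # "count" matched: the kernel bumps its counter and keeps searching
        i += 1
    return 65535, "deny"

def forward(rules, p, recv, xmit):
    """Both passes of a routed packet -> (pass, rule number, verdict)."""
    n, v = walk(rules, p, "in", recv)
    if v == "deny":
        return "in", n, v
    return ("out",) + walk(rules, p, "out", recv, xmit)

# Rob's first attempt; numbering his rule 100 and treating 22901 from his log as the catch-all deny are assumptions.
FIRST_ATTEMPT = [parse_rule(r) for r in (
    "add 100 allow tcp from any to any out via fxp0 setup keep-state",
    "add 22901 deny all from any to any")]
# His skipto workaround for $net1, with the same catch-all deny.
SKIPTO = [parse_rule(r) for r in (
    "add 20000 skipto 20003 tcp from $net1 to $net2",
    "add 20001 skipto 20004 tcp from $net1 to $net3",
    "add 20002 allow tcp from $net1 to any setup keep-state",
    "add 20003 count tcp from $net1 to $net2",
    "add 20004 count tcp from $net1 to $net3",
    "add 22901 deny all from any to any")]
# Constructed packets: a $net1 host opening port 80 on an internet host and on $net2.
TO_INTERNET = Packet("tcp", "192.0.2.10", "93.184.216.34", 80)
TO_NET2 = Packet("tcp", "192.0.2.10", "198.51.100.7", 80)
```

forward(FIRST_ATTEMPT, TO_INTERNET, "xl0", "fxp0") returns ('in', 22901, 'deny'), the same rule and direction as the log line, while walk(FIRST_ATTEMPT, TO_INTERNET, "out", "xl0", "fxp0") returns (100, 'allow'): the rule is fine, it just never gets a chance on the input pass. With the skipto set, forward(SKIPTO, TO_INTERNET, "xl0", "fxp0") returns ('out', 20002, 'allow') and forward(SKIPTO, TO_NET2, "xl0", "xl1") returns ('in', 22901, 'deny'), so traffic between the internal networks is refused before it is ever routed. A rule with "recv xl0 xmit fxp0" and no in/out keyword behaves the same way as "out via fxp0", because xmit is still unknown when the input pass runs.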