From owner-freebsd-ipfw@FreeBSD.ORG  Mon Nov  5 16:06:19 2007
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id F1D0716A420
	for <freebsd-ipfw@freebsd.org>; Mon,  5 Nov 2007 16:06:18 +0000 (UTC)
	(envelope-from gbell72@rogers.com)
Received: from web88015.mail.re2.yahoo.com (web88015.mail.re2.yahoo.com
	[206.190.39.220])
	by mx1.freebsd.org (Postfix) with SMTP id 9D2F113C4A6
	for <freebsd-ipfw@freebsd.org>; Mon,  5 Nov 2007 16:06:18 +0000 (UTC)
	(envelope-from gbell72@rogers.com)
Received: (qmail 53802 invoked by uid 60001); 5 Nov 2007 16:05:34 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=rogers.com;
	h=X-YMail-OSG:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
	b=hB4WHDr7A77eyWurwrhGEV/E9yrvkJ5wUPqDW8uF7PjeXDijCfIBqN47yxkLJm126mKS+rGmqu7J+vPNzJ7hF+7UvUZo6pZwhpsOspnpZklQw7VJkWuAQM9Jv7qpYaWrAhyVrOkOgLIZ6G29JMIR80BOKrxHsHovJx7q7eIb+Lg=;
X-YMail-OSG: ufboG2AVM1ly_POcr4pXu2PmrkFr2rTTX9Tf7Nsv
Received: from [99.233.189.147] by web88015.mail.re2.yahoo.com via HTTP;
	Mon, 05 Nov 2007 11:05:34 EST
Date: Mon, 5 Nov 2007 11:05:34 -0500 (EST)
From: Gardner Bell <gbell72@rogers.com>
To: Julian Elischer <julian@elischer.org>
In-Reply-To: <472E96BE.4050504@elischer.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-ID: <324579.51265.qm@web88015.mail.re2.yahoo.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW Problem
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2007 16:06:19 -0000


--- Julian Elischer <julian@elischer.org> wrote:

> Gardner Bell wrote:
> > I'm hoping some of you can help me out with the problem that I'm
> having
> > as I'm not very good when it comes to networking..
> > 
> > I've recently configured 6.3-PRERELEASE with IPFW/NATD to act as my
> > LAN's firewall/router.  After I initially access certain http
> sites,
> > particularly google groups and yahoo web mail I'm noticing
> subsequent
> > attempts take > 2mins to resolve the next link that I am interested
> in
> > reading.  
> > 
> > This appears to be caused by rule 01000 as the counter increases
> each
> > time I access one of the above mentioned sites.
> > 
> > Short of removing this rule, is there any other way that I can fix
> this
> > issue?  Below is a listing of my present ruleset and a tcpdump of a
> > Windows XP machine trying to access a link on google groups.
> > 
> > regards,
> > 
> > Gardner
> > 
> > mx1# ipfw show
> > 00100   76  11134 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
> > 00200    0      0 deny log logamount 10 ip from 127.0.0.1 to any
> > 00300    0      0 deny log logamount 10 ip from any to 127.0.0.1
> > 00400    0      0 deny log logamount 10 ip from any to any not
> > verrevpath in
> > 00500    0      0 deny log logamount 10 ip from any to any
> ipoptions
> > ssrr,lsrr,rr,ts in
> > 00600    0      0 deny ip from any to any frag
> > 00700    0      0 allow icmp from any to any icmptypes 0,3,11,12
> > 00800 1081 452405 divert 8668 ip from any to any via bge0
> > 00900    0      0 check-state
> > 01000   36  17682 deny tcp from any to any established
> > 01100 2704 853904 allow ip from any to any via bge1 keep-state
> > 01200  262  57586 allow tcp from any to any dst-port 80 keep-state
> > 01300    0      0 allow tcp from any to any dst-port 443 keep-state
> > 01400  102   7752 allow udp from me to any dst-port 123 keep-state
> > 01500    0      0 allow tcp from me to any dst-port 53 setup
> keep-state
> > 01600  169  30563 allow udp from me to any dst-port 53 keep-state
> > 01700    0      0 allow tcp from any to any dst-port 1863 setup
> > keep-state
> > 01800    0      0 allow log logamount 10 udp from any to
> > 255.255.255.255 dst-port 68 in via bge0
> > 01900    0      0 allow tcp from x.x.x.x to x.x.x.x dst-port 22
> > keep-state
> > 02000    0      0 deny log logamount 10 ip 
> 
> After many years fo doing ipfw rules at work I've cone to the
> conclusion that
> one needs to be more explicit about what is going on that most ipfw
> rulesets are:
> 
> 
> for example:
> Assuming bge0 is on the outside, and bge1 is on the inside...
> 
> #split to incoming and outgoing (from this system) packets.
> ipfw add 1 skipto 1000 ip from any to any in
> 
> ############ Output interface sorting #############
> # now do output processing. Split up according to interface:
> ipfw add 100 allow ip from any to any via lo0
> ipfw add 110 skipto 3400 ip from any to any out xmit bge0
> ipfw add 120 skipto 2400 ip from any to any out xmit bge1
> # what is left? should never happen.
> ipfw add 130 drop log ip from any to any 
> 
> ########### Input interface sorting ###########\
> # split up according to source interface.
> # do checking for lo0 an dloopback addr.
> ipfw add 1000 accept ip from any to any via lo0
> ipfw add 1010 drop log ip from any to 127.0.0.1/8
> 
> ipfw add 1020 skipto 2300 ip from any to any recv bge0
> ipfw add 1030 skipto 3300 ip from any to any recv bge1
> 
> # should never happen so log it:
> ipfw add 1040 drop log ip from any to any
> 
> #####################################################
> ####### Per interface - per-direction filters #######
> #####################################################
> 
> ########################################
> #### Inside Interface input filters ####
> # trust the inside.
> ipfw add 2300 accept ip from any to any
> 
> 
> #### Inside interface output filters ###
> # things to do for packets leaving towards the inside.
> ipfw add 2400 allow ip from any to any
> 
> 
> #################################
> #### Outside interface input ####
> # process packets coming in from the Internet.
> # do special processing for packets not of interest to NATD.
> ipfw add 3300 skipto 1260 ip from any to not me
> # If they are aimed at our inside address, pass them to NATD.
> # it should pass on packets that are just to us if set up right.
> ipfw add 3310 divert 8668 ip from any to me 
> # packets diverted and reinjected come here
> ipfw add 3320 accept ip from any to any
> 
> # for now no special processing..
> ipfw add 3360 drop log ip from any to any
> 
> #### Outside Interface output####
> # things we need to do for packets leaving via bge0 to the Internet.
> # Nat packets that are suitable. Don't wast time NATing other
> packets.
> ipfw add 3400 divert 8668 ip from not me to any recv bge1
> #nat'd packets will turn up here when re-injected.
> ipfw add 3410 allow ip from any to any.
> 
> 
> 
> now you can put in rules that are specific to exactly certain traffic
> and know what the h*ck is going on.
> 

I believe with IPFW not having one set structure to go by has indeed
confused me as a beginner. This template will definitely help out with
any further rules I need to add to my configuration.  Thank you.

Gardner