From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 30 09:53:55 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8EE1637B401 for ; Wed, 30 Apr 2003 09:53:54 -0700 (PDT)
Received: from metroplex.netnation.com (metroplex.netnation.com [204.174.223.60]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7863343F93 for ; Wed, 30 Apr 2003 09:53:53 -0700 (PDT) (envelope-from freebsd@code-space.com)
Received: from [66.120.33.26] (helo=neptune) by metroplex.netnation.com with asmtp (Exim 3.36 #1) id 19Auq8-0001kZ-00; Wed, 30 Apr 2003 09:53:52 -0700
From: "C_Ahlers"
To: "'Antoine Jacoutot'" ,
Date: Wed, 30 Apr 2003 09:53:49 -0700
Organization: code-space.com
Message-ID: <000401c30f39$136f0020$0501a8c0@neptune>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4024
In-Reply-To: <200304301424.24536.ajacoutot@lphp.org>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Subject: RE: ipfw dynamic rule timeout --> find a solution, but need confirmation
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: freebsd@code-space.com
List-Id: IPFW Technical Discussions
X-List-Received-Date: Wed, 30 Apr 2003 16:53:55 -0000

I realize that the following info is not exactly what you have been looking
for - but it is in the spirit of building that perfect firewall...

I would just like to point out that rules 200 and 300 that deal with traffic
to and from 127.0.0.0/8 are NOT necessary. The reason for this is simple:
FreeBSD doesn't allow that traffic, regardless of the presence of a firewall
or not.

If you take a look at some source code, specifically:

    \src\sys\netinet\ip_input.c  (~ line 357)
    \src\sys\netinet\ip_output.c (~ line 807)

you will see code like the following:

	/* 127/8 must not appear on wire - RFC1122 */
	if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
	    (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
		if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
			ipstat.ips_badaddr++;
			goto bad;
		}
	}

The packets are simply dropped... So this means you have 2 fewer rules to
worry about that just clutter your ruleset.

C_Ahlers
freebsd@code-space.com

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Antoine Jacoutot
Sent: Wednesday, April 30, 2003 5:24 AM
To: freebsd-ipfw@freebsd.org
Subject: Re: ipfw dynamic rule timeout --> find a solution, but need confirmation

Hi !

In my problem with keep-state+ipfw2+natd, I came to the following solution
which seems to work well. Now, I would like to be sure that there's no
security issue with that (especially with the sysctl variable), so if you
feel like it, please comment on the following configuration.

Thanks in advance.

Antoine

### Configuration ###

sysctl variables:

net.inet.ip.fw.dyn_syn_lifetime=300	# same as net.inet.ip.fw.dyn_ack_lifetime

rc.conf:

natd_flags="-log_denied -log_facility LOG_WARNING -use_sockets -same_ports -unregistered_only -dynamic"

firewall ruleset (tun0 being the outside interface):

# Firewall Command - quiet mode (suppress rule display)
fwcmd="/sbin/ipfw -q add"

# Flush out the list before we begin.
/sbin/ipfw -q -f flush

# Setup Loopback
${fwcmd} 100 pass all from any to any via lo0
${fwcmd} 200 deny log all from any to 127.0.0.0/8
${fwcmd} 300 deny log ip from 127.0.0.0/8 to any

# Stop spoofing
${fwcmd} 400 deny all from 192.168.0.0/24 to any in via tun0
### The following rule is disabled since we have a dynamic @ip
### ${fwcmd} add 500 deny all from ${outside_net}:${outside_mask} to any in via vr0

# Stop RFC1918 nets on the outside interface
${fwcmd} 600 deny all from any to 10.0.0.0/8 via tun0
${fwcmd} 700 deny all from any to 172.16.0.0/12 via tun0
${fwcmd} 800 deny all from any to 192.168.0.0/16 via tun0

# Stop draft-manning-dsua-03.txt nets
${fwcmd} 900 deny all from any to 0.0.0.0/8 via tun0
${fwcmd} 1000 deny all from any to 169.254.0.0/16 via tun0
${fwcmd} 1100 deny all from any to 192.0.2.0/24 via tun0
${fwcmd} 1200 deny all from any to 224.0.0.0/4 via tun0
${fwcmd} 1300 deny all from any to 240.0.0.0/4 via tun0

# Network address Translation
# This rule is placed here deliberately so that it does not interfere with
# the surrounding address-checking rules
${fwcmd} 1400 divert natd all from any to any via tun0

# Stop RFC1918 nets on the outside interface
# (follow-up to rules 600, 700 and 800 because NAT is now on)
${fwcmd} 1500 deny all from 10.0.0.0/8 to any via tun0
${fwcmd} 1600 deny all from 172.16.0.0/12 to any via tun0
${fwcmd} 1700 deny all from 192.168.0.0/16 to any via tun0

# From man 8 ipfw: use of dynamic rules
${fwcmd} 1800 check-state
${fwcmd} 1900 deny log tcp from any to any established
${fwcmd} 2000 allow tcp from 192.168.0.0/24 to any setup keep-state
${fwcmd} 2100 allow tcp from me to any setup keep-state
${fwcmd} 2200 allow udp from 192.168.0.0/24 to any keep-state
${fwcmd} 2300 allow udp from me to any keep-state
${fwcmd} 2400 deny log udp from any to any

# Reset ident incoming connections
${fwcmd} 2500 reset log tcp from any to me 113 in recv tun0 setup

# Deny & log suspicious packets (like nmap scans)
${fwcmd} 2600 deny log tcp from any to any in tcpflags syn,fin

# Allow some icmp
# echo reply (0), destination unreachable (3), source quench (4),
# echo request (8), time-to-live exceeded (11), IP header bad (12)
${fwcmd} 2700 pass icmp from any to any icmptype 0,3,4,8,11,12

# Allow IP fragments to pass through
${fwcmd} 2800 pass all from any to any frag

# Allow access to our FTP, SSH, SMTP, DNS, WWW, POP3
# find a way to allow FTP inbound
${fwcmd} 2900 pass tcp from any to me 22,25,53,80,110 in recv tun0 setup keep-state
${fwcmd} 3000 pass udp from any to me 53 in recv tun0 keep-state

# Reject & log everything else
${fwcmd} 65000 deny log all from any to any

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
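The two technical points in this thread, the kernel's 127/8 check that C_Ahlers quotes and the ordering constraints in Antoine's ruleset (check-state ahead of the keep-state rules, the natd divert sitting between the destination-side and source-side RFC1918 denies, an explicit final deny), can both be checked offline. The following is an added example, not code from either poster or from FreeBSD: it reproduces the kernel's loopback test in Python using the IN_CLASSA_NSHIFT and IN_LOOPBACKNET values from <netinet/in.h>, then parses the posted ruleset (embedded here as sample input) and reports which rules are redundant or misordered. The helper names (in_loopback_net, kernel_drops_packet, parse_ruleset, audit) and the finding strings are mine.

```python
"""Added example: audit an ipfw ruleset for the properties discussed in the
thread. Helper names and messages are this example's own, not ipfw's."""
import ipaddress
import re

# Values from FreeBSD's <netinet/in.h>; ip_input.c/ip_output.c test
#   (ntohl(addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET
IN_CLASSA_NSHIFT = 24
IN_LOOPBACKNET = 127


def in_loopback_net(addr: str) -> bool:
    """True when addr is in 127/8, computed the way the kernel does it."""
    return (int(ipaddress.IPv4Address(addr)) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET


def kernel_drops_packet(src: str, dst: str, iface_is_loopback: bool) -> bool:
    """Mirror the quoted check: a packet with 127/8 as source or destination is
    dropped (ips_badaddr++) unless it came in on an IFF_LOOPBACK interface."""
    if in_loopback_net(src) or in_loopback_net(dst):
        return not iface_is_loopback
    return False


# Matches "${fwcmd} 100 ..." and "$fwcmd 100 ..." lines of the posted script.
RULE_RE = re.compile(r"^\$\{?fwcmd\}?\s+(\d+)\s+(.*)$")
PRIVATE = r"(10\.0\.0\.0/8|172\.16\.0\.0/12|192\.168\.0\.0/16)"


def parse_ruleset(text: str):
    """Return [(rule_number, rule_body), ...], skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2)))
    return rules


def audit(rules):
    """Return a list of findings (empty means every check passed)."""
    findings = []
    nums = [n for n, _ in rules]
    if nums != sorted(nums):
        findings.append("rule numbers are not ascending")
    # Deny rules for 127/8 off lo0 never fire: the kernel drops those packets.
    for n, body in rules:
        if body.startswith("deny") and "127.0.0.0/8" in body:
            findings.append(f"rule {n}: redundant, kernel drops 127/8 on non-loopback interfaces")
    # check-state must come before the first rule that creates dynamic state.
    cs = [n for n, b in rules if b.startswith("check-state")]
    ks = [n for n, b in rules if "keep-state" in b]
    if ks and (not cs or cs[0] > min(ks)):
        findings.append("check-state missing or placed after the first keep-state rule")
    # divert natd: after 'to RFC1918' denies, before 'from RFC1918' denies.
    divert = [n for n, b in rules if b.startswith("divert")]
    to_priv = [n for n, b in rules if re.search(r"deny .* to " + PRIVATE, b)]
    from_priv = [n for n, b in rules if re.search(r"deny .* from " + PRIVATE + " to", b)]
    if divert and (any(n > divert[0] for n in to_priv) or any(n < divert[0] for n in from_priv)):
        findings.append("divert natd is not between the destination-side and source-side RFC1918 denies")
    if not rules or not rules[-1][1].startswith("deny"):
        findings.append("ruleset does not end with an explicit deny")
    return findings


# Sample input: the rule lines from Antoine's post, comments removed.
SAMPLE_RULESET = """
${fwcmd} 100 pass all from any to any via lo0
${fwcmd} 200 deny log all from any to 127.0.0.0/8
${fwcmd} 300 deny log ip from 127.0.0.0/8 to any
${fwcmd} 400 deny all from 192.168.0.0/24 to any in via tun0
${fwcmd} 600 deny all from any to 10.0.0.0/8 via tun0
${fwcmd} 700 deny all from any to 172.16.0.0/12 via tun0
${fwcmd} 800 deny all from any to 192.168.0.0/16 via tun0
${fwcmd} 900 deny all from any to 0.0.0.0/8 via tun0
${fwcmd} 1000 deny all from any to 169.254.0.0/16 via tun0
${fwcmd} 1100 deny all from any to 192.0.2.0/24 via tun0
${fwcmd} 1200 deny all from any to 224.0.0.0/4 via tun0
${fwcmd} 1300 deny all from any to 240.0.0.0/4 via tun0
${fwcmd} 1400 divert natd all from any to any via tun0
${fwcmd} 1500 deny all from 10.0.0.0/8 to any via tun0
${fwcmd} 1600 deny all from 172.16.0.0/12 to any via tun0
${fwcmd} 1700 deny all from 192.168.0.0/16 to any via tun0
${fwcmd} 1800 check-state
${fwcmd} 1900 deny log tcp from any to any established
${fwcmd} 2000 allow tcp from 192.168.0.0/24 to any setup keep-state
${fwcmd} 2100 allow tcp from me to any setup keep-state
${fwcmd} 2200 allow udp from 192.168.0.0/24 to any keep-state
${fwcmd} 2300 allow udp from me to any keep-state
${fwcmd} 2400 deny log udp from any to any
${fwcmd} 2500 reset log tcp from any to me 113 in recv tun0 setup
$fwcmd 2600 deny log tcp from any to any in tcpflags syn,fin
${fwcmd} 2700 pass icmp from any to any icmptype 0,3,4,8,11,12
${fwcmd} 2800 pass all from any to any frag
${fwcmd} 2900 pass tcp from any to me 22,25,53,80,110 in recv tun0 setup keep-state
${fwcmd} 3000 pass udp from any to me 53 in recv tun0 keep-state
${fwcmd} 65000 deny log all from any to any
"""

if __name__ == "__main__":
    for finding in audit(parse_ruleset(SAMPLE_RULESET)):
        print(finding)
```

Run against the posted ruleset it reports only rules 200 and 300 as redundant, which is C_Ahlers' point; moving check-state below rule 2000 makes the ordering check fire, which is the mistake the "From man 8 ipfw" block is there to avoid.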