Date:      Wed, 30 Apr 2003 14:24:24 +0200
From:      Antoine Jacoutot <ajacoutot@lphp.org>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: ipfw dynamic rule timeout --> find a solution, but need confirmation
Message-ID:  <200304301424.24536.ajacoutot@lphp.org>

Hi !

In my problem with keep-state+ipfw2+natd, I came to the following solution 
which seems to work well.
Now, I would like to be sure that there's no security issue with that 
(especially with the sysctl variable), so if you feel like it, please comment 
on the following configuration.
Thanks in advance.

Antoine

### Configuration ###

sysctl variables:
net.inet.ip.fw.dyn_syn_lifetime=300 # same as net.inet.ip.fw.dyn_ack_lifetime

rc.conf:
natd_flags="-log_denied -log_facility LOG_WARNING -use_sockets -same_ports -unregistered_only -dynamic"

firewall ruleset (tun0 being the outside interface):

# Firewall Command - quiet mode (suppress rule display)
fwcmd="/sbin/ipfw -q add"

# Flush out the list before we begin.
/sbin/ipfw -q -f flush

# Setup Loopback
${fwcmd} 100 pass all from any to any via lo0
${fwcmd} 200 deny log all from any to 127.0.0.0/8
${fwcmd} 300 deny log ip from 127.0.0.0/8 to any

# Stop spoofing
${fwcmd} 400 deny all from 192.168.0.0/24 to any in via tun0
### The following rule is disabled since we have a dynamic @ip
### (${fwcmd} already contains "add", so the rule number comes first)
### ${fwcmd} 500 deny all from ${outside_net}:${outside_mask} to any in via vr0

# Stop RFC1918 nets on the outside interface
${fwcmd} 600 deny all from any to 10.0.0.0/8 via tun0
${fwcmd} 700 deny all from any to 172.16.0.0/12 via tun0
${fwcmd} 800 deny all from any to 192.168.0.0/16 via tun0

# Stop draft-manning-dsua-03.txt nets
${fwcmd} 900 deny all from any to 0.0.0.0/8 via tun0
${fwcmd} 1000 deny all from any to 169.254.0.0/16 via tun0
${fwcmd} 1100 deny all from any to 192.0.2.0/24 via tun0
${fwcmd} 1200 deny all from any to 224.0.0.0/4 via tun0
${fwcmd} 1300 deny all from any to 240.0.0.0/4 via tun0

# Network address Translation
# This rule is placed here deliberately so that it does not interfere with the surrounding address-checking rules
${fwcmd} 1400 divert natd all from any to any via tun0

# Stop RFC1918 nets on the outside interface (continuation of rules 600, 700 and 800, because NAT is now on)
${fwcmd} 1500 deny all from 10.0.0.0/8 to any via tun0
${fwcmd} 1600 deny all from 172.16.0.0/12 to any via tun0
${fwcmd} 1700 deny all from 192.168.0.0/16 to any via tun0

# From man 8 ipfw: use of dynamic rules
${fwcmd} 1800 check-state
${fwcmd} 1900 deny log tcp from any to any established
${fwcmd} 2000 allow tcp from 192.168.0.0/24 to any setup keep-state
${fwcmd} 2100 allow tcp from me to any setup keep-state
${fwcmd} 2200 allow udp from 192.168.0.0/24 to any keep-state
${fwcmd} 2300 allow udp from me to any keep-state
${fwcmd} 2400 deny log udp from any to any

# Reset ident incoming connections
${fwcmd} 2500 reset log tcp from any to me 113 in recv tun0 setup

# Deny & log suspicious packets (like nmap scans)
${fwcmd} 2600 deny log tcp from any to any in tcpflags syn,fin

# Allow some icmp
# echo reply (0), destination unreachable (3), source quench (4), echo request (8), time-to-live exceeded (11), IP header bad (12)
${fwcmd} 2700 pass icmp from any to any icmptype 0,3,4,8,11,12

# Allow IP fragments to pass through
${fwcmd} 2800 pass all from any to any frag

# Allow access to our FTP, SSH, SMTP, DNS, WWW, POP3
# find a way to allow FTP inbound
${fwcmd} 2900 pass tcp from any to me 22,25,53,80,110 in recv tun0 setup keep-state
${fwcmd} 3000 pass udp from any to me 53 in recv tun0 keep-state

# Reject & log everything else
${fwcmd} 65000 deny log all from any to any
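The following is an added example, not part of Antoine's post: a small model of the ipfw2 first-match pipeline for the rules above that actually see a LAN-to-Internet TCP connection (1400 divert, 1800 check-state, 1900 deny established, 2000/2100 allow setup keep-state, 65000 deny). It shows why the dyn_syn_lifetime sysctl matters here: the packet is evaluated twice (in on the inside interface, then out on tun0 after natd rewrote the source), so rule 2000 creates a dynamic rule keyed on the private address and rule 2100 creates a second one keyed on the public address. Replies are un-NATed before check-state, so only the first entry ever sees the reverse SYN and is promoted to dyn_ack_lifetime; the second keeps the short SYN lifetime and, with the default of 20 seconds, expires during a normal idle period, after which the next outbound data packet (which has ACK set, i.e. is "established") is logged and dropped by rule 1900. The addresses, ports and timings are constructed; "vr0" as the inside interface is taken from the disabled rule in the post; NAT is modelled as a fixed one-to-one rewrite and "established" as the ACK bit only.

```python
# Added model of the posted ipfw2 ruleset and natd interaction (not the
# original code).  Addresses below are constructed for the example.
from dataclasses import dataclass

LAN_HOST = "192.168.0.10"    # constructed inside host
PUBLIC_IP = "203.0.113.5"    # constructed address of tun0 ("me")
REMOTE = "198.51.100.7"      # constructed Internet peer


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass
class DynRule:
    key: tuple              # (src, sport, dst, dport) as seen by the keep-state rule
    parent: int             # number of the rule that created it
    syn_fwd: bool           # SYN seen in the creating direction
    syn_rev: bool = False   # SYN seen in the reply direction
    expires: float = 0.0


class Firewall:
    def __init__(self, syn_lifetime, ack_lifetime):
        self.syn_lifetime = syn_lifetime   # net.inet.ip.fw.dyn_syn_lifetime
        self.ack_lifetime = ack_lifetime   # net.inet.ip.fw.dyn_ack_lifetime
        self.dyn = []                      # dynamic rule table

    def _lifetime(self, d):
        # The long lifetime applies only once SYNs were seen in both directions.
        return self.ack_lifetime if (d.syn_fwd and d.syn_rev) else self.syn_lifetime

    def check_state(self, p, now):
        self.dyn = [d for d in self.dyn if d.expires > now]   # drop expired entries
        for d in self.dyn:
            fwd = d.key == (p.src, p.sport, p.dst, p.dport)
            rev = d.key == (p.dst, p.dport, p.src, p.sport)
            if fwd or rev:
                if p.syn and fwd:
                    d.syn_fwd = True
                if p.syn and rev:
                    d.syn_rev = True
                d.expires = now + self._lifetime(d)   # every match refreshes the entry
                return d
        return None

    def keep_state(self, p, parent, now):
        d = DynRule((p.src, p.sport, p.dst, p.dport), parent, syn_fwd=p.syn)
        d.expires = now + self._lifetime(d)
        self.dyn.append(d)

    def process(self, p, direction, iface, now):
        """One pass of a packet through the relevant rules; returns (action, rule)."""
        if iface == "tun0":   # 1400 divert natd ... via tun0 (simplified static NAT)
            if direction == "out" and p.src == LAN_HOST:
                p.src = PUBLIC_IP
            elif direction == "in" and p.dst == PUBLIC_IP:
                p.dst = LAN_HOST
        d = self.check_state(p, now)                  # 1800 check-state
        if d is not None:
            return ("allow", d.parent)
        if p.ack:                                     # 1900 deny log tcp ... established
            return ("deny", 1900)                     # (ACK bit only; RST omitted here)
        setup = p.syn and not p.ack
        if setup and p.src.startswith("192.168.0."):  # 2000 allow tcp from 192.168.0.0/24 ... setup keep-state
            self.keep_state(p, 2000, now)
            return ("allow", 2000)
        if setup and p.src == PUBLIC_IP:              # 2100 allow tcp from me ... setup keep-state
            self.keep_state(p, 2100, now)
            return ("allow", 2100)
        return ("deny", 65000)                        # 65000 deny log all


def outbound(fw, p, now):
    """A LAN packet is evaluated twice: in on vr0, then out on tun0 (after NAT)."""
    verdict = fw.process(p, "in", "vr0", now)
    return verdict if verdict[0] != "allow" else fw.process(p, "out", "tun0", now)


def inbound(fw, p, now):
    """A reply is evaluated in on tun0 (NAT first), then out on vr0."""
    verdict = fw.process(p, "in", "tun0", now)
    return verdict if verdict[0] != "allow" else fw.process(p, "out", "vr0", now)


def simulate(syn_lifetime, ack_lifetime=300, idle=60):
    """Three-way handshake, then one data packet after `idle` seconds of silence.
    Returns (verdict for the data packet, dynamic rules held by the connection)."""
    fw = Firewall(syn_lifetime, ack_lifetime)
    outbound(fw, Packet(LAN_HOST, 40000, REMOTE, 80, syn=True), 0.0)
    inbound(fw, Packet(REMOTE, 80, PUBLIC_IP, 40000, syn=True, ack=True), 0.1)
    outbound(fw, Packet(LAN_HOST, 40000, REMOTE, 80, ack=True), 0.2)
    states = len(fw.dyn)   # two entries: one from 2000 (pre-NAT), one from 2100 (post-NAT)
    verdict = outbound(fw, Packet(LAN_HOST, 40000, REMOTE, 80, ack=True), 0.2 + idle)
    return verdict, states
```

Running `simulate(20)` (the default SYN lifetime) ends with the data packet denied by rule 1900, while `simulate(300)` (the value set in the post) lets it through on the state created by rule 2100; both hold two dynamic rules for a single connection. That is the cost to keep in mind when judging the sysctl: every NATed connection now occupies two slots in the dynamic table, and a half-open inbound SYN to a keep-state rule (2900) holds its slot for 300 seconds instead of 20, so the table bounded by net.inet.ip.fw.dyn_max fills fifteen times faster under a SYN flood. `sysctl net.inet.ip.fw.dyn_count` and `ipfw -d show` are the places to watch that on the real box.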