Date:      Tue, 5 Jun 2007 23:31:25 +0200
From:      "Robert Usle" <robertus.n@gmail.com>
To:        freebsd-ipfw@freebsd.org
Subject:   ipfw tcp/udp dropping - why ?
Message-ID:  <3713853f0706051431u26528562u85cc237f1e41c533@mail.gmail.com>

Hello,

I'm not sure if my ruleset is correct, but I've noticed a strange
ruleset behavior.

OS: FreeBSD 4.11-STABLE #7:

Here's my ruleset.

desc:
table 5 ip+bw for download
table 6 ip+bw for upload ($ip,$bw)
table 1 (ip, hosts allowed to use internet)

NAT via IPNAT + patch for ipnat/ipfw order
-------------
## sysctls
sysctl -w net.inet.ip.fw.one_pass=0
sysctl -w net.inet.ip.fw.dyn_max=10000

# Flush rules
##############
${fwcmd} -fq flush
${fwcmd} -f pipe flush
${fwcmd} -f queue flush
${fwcmd} zero
${fwcmd} table 1 flush
${fwcmd} table 5 flush
${fwcmd} table 6 flush

myip="x.x.x.x"
int_if1="rl0"
int_if2="rl1"
ext_if1="xl0"

trusted="x.x.x.y,z.z.z.z"

up_conn_limit=20
down_conn_limit=20

goodtcptoports="22,21,25,80,110,443,3389,3306,8074,995,993,567"

## trusted hosts
${fwcmd} add 20 allow ip from $trusted to me
${fwcmd} add 20 allow ip from me to $trusted

# me -> outside PASS
${fwcmd} add 30 allow tcp from me to any out setup keep-state
${fwcmd} add 30 allow udp from me to any out keep-state

${fwcmd} add 100 set 1 allow ip from any to any via lo0
${fwcmd} add 110 set 1 deny ip from any to 127.0.0.0/8
${fwcmd} add 120 set 1 deny ip from 127.0.0.0/8 to any

# netbios BLOCK
${fwcmd} add 130 deny ip from any to any 137-139
# icmp
${fwcmd} add 140 allow icmp from any to any

${fwcmd} add 150 allow ip from any to any via $int_if1
${fwcmd} add 150 allow ip from any to any via $int_if2

# SNORT p2p (table 1 = hosts allowed for internet usage)
${fwcmd} add 160 divert 8000 ip from table\(1\) to any
${fwcmd} add 161 divert 8000 ip from any to table\(1\)

# these are pipes with mask src-addr 0xffffffff ipfw table($ip,$bw)
${fwcmd} add 10001 pipe 11 ip from any to table\(5,2048\) in recv $ext_if1
${fwcmd} add 10002 pipe 13 ip from any to table\(5,256\) in recv $ext_if1
${fwcmd} add 10003 pipe 15 ip from any to table\(5,512\) in recv $ext_if1
${fwcmd} add 10004 pipe 18 ip from any to table\(5,128\) in recv $ext_if1
${fwcmd} add 10005 pipe 19 ip from any to table\(5,1024\) in recv $ext_if1
${fwcmd} add 10006 pipe 12 ip from table\(6,2048\) to any out xmit $ext_if1
${fwcmd} add 10007 pipe 14 ip from table\(6,256\) to any out xmit $ext_if1
${fwcmd} add 10008 pipe 16 ip from table\(6,512\) to any out xmit $ext_if1
${fwcmd} add 10009 pipe 17 ip from table\(6,128\) to any out xmit $ext_if1
${fwcmd} add 10010 pipe 20 ip from table\(6,1024\) to any out xmit $ext_if1

${fwcmd} add 45000 check-state

${fwcmd} add 45100 allow tcp from table\(1\) to any not $goodtcptoports out xmit $ext_if1 setup limit src-addr $up_conn_limit
${fwcmd} add 45200 allow udp from table\(1\) to any out xmit $ext_if1 limit src-addr $up_conn_limit
${fwcmd} add 45300 allow tcp from table\(1\) to any out xmit $ext_if1 setup keep-state
${fwcmd} add 45400 allow udp from table\(1\) to any out xmit xl0 keep-state

# outside -> me PASS
${fwcmd} add 64000 allow tcp from any to me 80,443,22 setup keep-state

# outside -> LAN hosts PASS
${fwcmd} add 64100 allow tcp from any to 10.0.5.36 3389 setup keep-state


${fwcmd} add 65000 deny log logamount 10000000 ip from any to any

-------- ENDRULES --------------

Though I see HTTP working, I notice this in the ipfw logs for rule 65000:

Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3182 38.99.77.44:80 out via xl0
Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3180 38.99.77.44:80 out via xl0
Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.62:2259 62.129.240.58:80 out via xl0
Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3204 85.25.133.18:80 out via xl0
Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3171 209.172.60.89:80 out via xl0
Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3079 207.44.164.103:80 out via xl0
Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3080 207.44.164.103:80 out via xl0
Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.0.91:1353 213.180.131.42:80 out via xl0
Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3203 85.25.133.18:80 out via xl0
Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3202 85.25.133.18:80 out via xl0

....

Shouldn't this be handled by:
${fwcmd} add 45300 allow tcp from table\(1\) to any out xmit $ext_if1 setup keep-state ?

Thanks,

-- 
Robert



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3713853f0706051431u26528562u85cc237f1e41c533>
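A triage helper for a deny log like the one quoted above, added here as an example; it is not part of Robert's message and not an ipfw tool. It parses `ipfw: <rule> Deny <proto> src:port dst:port <dir> via <iface>` lines, tallies denies per rule, protocol, source host, destination port, direction and interface, and lists denied source hosts that are absent from a table-1 membership list. The log lines are the ten from the post, embedded as constructed sample input; the table-1 contents are an assumption (the post never shows the table), so which hosts come out as "untabled" is illustrative only. The script uses only POSIX sh, awk, sort and grep.

```shell
#!/bin/sh
# ipfw deny-log triage (added example, not from the original post or from ipfw).
# Uses only POSIX sh, awk, sort, grep.

# Constructed sample input: the ten deny lines quoted in the post, unwrapped.
IPFW_LOG='Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3182 38.99.77.44:80 out via xl0
Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3180 38.99.77.44:80 out via xl0
Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.62:2259 62.129.240.58:80 out via xl0
Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3204 85.25.133.18:80 out via xl0
Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3171 209.172.60.89:80 out via xl0
Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3079 207.44.164.103:80 out via xl0
Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3080 207.44.164.103:80 out via xl0
Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.0.91:1353 213.180.131.42:80 out via xl0
Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3203 85.25.133.18:80 out via xl0
Jun  5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3202 85.25.133.18:80 out via xl0'

# ASSUMED contents of ipfw table 1 (hosts allowed to use the internet).
# The post does not show the table, so this list is constructed for the example.
TABLE1='10.0.6.70
10.0.6.62'

# summarize_denies LOG
# One line per (rule, proto, src host, dst port, direction, interface), count first,
# most frequent flow first.  Fields are located relative to the "ipfw:" token so the
# syslog prefix (date, host, "/kernel:") may vary in width.
summarize_denies() {
    printf '%s\n' "$1" | awk '
        /ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i + 8 > NF) next                 # malformed line, skip it
            rule = $(i + 1); proto = $(i + 3)
            split($(i + 4), src, ":"); split($(i + 5), dst, ":")
            dir = $(i + 6); iface = $(i + 8)
            key = rule " " proto " " src[1] " " dst[2] " " dir " " iface
            count[key]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# untabled_sources LOG TABLE
# Source hosts that were denied but are absent from the table listing: a flow from
# such a host cannot match any "from table(1)" rule, whatever else is wrong.
untabled_sources() {
    log=$1; table=$2
    printf '%s\n' "$log" | awk '
        /ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i + 4 > NF) next
            split($(i + 4), src, ":"); print src[1]
        }' | sort -u |
    while read -r host; do
        printf '%s\n' "$table" | grep -qFx "$host" || printf '%s\n' "$host"
    done
}

echo "== denies by rule / proto / src host / dst port / dir / iface =="
summarize_denies "$IPFW_LOG"
echo "== denied source hosts not present in table 1 =="
untabled_sources "$IPFW_LOG" "$TABLE1"
```

On a live box, feed the functions real data instead of the embedded sample: deny lines from wherever syslog puts `security.*` (the `wall /kernel:` prefix above is syslog's), and the table from `ipfw table 1 list`, whose lines carry an `addr/mask value` form, so strip the `/32` and the value column before comparing. The second function is the cheap check to run first: if a host that is being denied is not in table 1, none of the `from table\(1\)` rules can ever match it, so the 65000 log line is expected for that host and the dynamic-rule questions do not even arise.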