From: fbsdmail@dnswatch.com
To: "Kim Shrier"
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 18 Jan 2009 15:28:51 -0800 (PST)
Subject: Re: possible to block one address on all ports?
Message-ID: <581b3767ad793d5bce046a42f6516798.dnswclient@webmail.dnswatch.com>
In-Reply-To: <4A2B0C19-799B-4C09-A887-8FDC6AE0B019@tinker.com>
List-Id: IPFW Technical Discussions

Greetings Kim, and thank you very much for such a concise overview...
On Sun, January 18, 2009 1:57 pm, Kim Shrier wrote:
> On Jan 18, 2009, at 1:38 AM, fbsdmail@dnswatch.com wrote:
>
>> Greetings,
>> I have what I hope is a simple question that I /hope/ has a simple
>> option. Here's my scenario: my current filtering is done on an
>> application/service level. While I'm anxious to migrate this to IPFW,
>> I don't yet have the time available that will be required. But I have
>> a situation that requires the need to drop any and all requests from
>> one single IP address. So I thought I might seize this situation as an
>> opportunity to "get my feet wet" with IPFW. So here's my question: is
>> it possible for me to use IPFW without altering any traffic, that is,
>> nothing changes on incoming/outgoing EXCEPT where this /evil/ IP is
>> concerned? Or, can I start IPFW and use it to ONLY drop all requests
>> from this /evil/ IP, no matter which ports that IP makes a request on?
>> I can? Can/would anyone be willing to tell me how? Apologies in
>> advance, I realize this is pretty "ground level stuff". But I feel if
>> I could get a good start, getting up to speed from there will be a
>> greatly shortened learning curve.
>>
>> Thank you for all your time and consideration.
>>
>> --Chris
>>
>> _______________________________________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>
> In order to use ipfw, you need to have it compiled into your kernel or
> you need to load the ipfw.so kernel module, and then you need to enable
> filtering, and finally you need to specify some rules to control the
> filtering.
>
> I am going to assume that you don't have ipfw compiled into your kernel
> and will need to load the kernel module.
>
> Probably the easiest way to get started is to define the following
> variables in /etc/rc.conf or /etc/rc.conf.local, your preference.
>
>     firewall_enable="YES"
>     firewall_type="OPEN"
>     firewall_logging="YES"
>
> These directives enable ipfw, tell it to block nothing, and enable
> logging of blocked packets. You can then start up ipfw with the
> following command:
>
>     # /etc/rc.d/ipfw start
>
> You can view the filtering rules that are installed with this command:
>
>     # ipfw list
>     00100 allow ip from any to any via lo0
>     00200 deny ip from any to 127.0.0.0/8
>     00300 deny ip from 127.0.0.0/8 to any
>     65000 allow ip from any to any
>     65535 deny ip from any to any
>
> The following description of what happens is oversimplified but is
> accurate enough to get you started with ipfw. Each filter rule has a
> rule number. When a packet comes in, it is compared to each rule until
> there is a match. When there is a match, the specified action is
> carried out. In the rules above, the only actions are allow or deny.
> There are other actions, but you can learn about them later as you get
> more comfortable with ipfw.
>
> The first rule (100) allows all ip traffic that goes through the
> loopback interface to go on through. This basically says that anything
> on the machine that wants to talk to anything else on the machine via
> the loopback interface should be allowed to do it.
>
> The second rule (200) blocks anything whose destination ip is on the
> 127.0.0.0 network. The reason you want to block these packets is
> because legitimate network packets going to the 127.0.0.0 network
> should be on the lo0 interface. Those packets would have been matched
> by rule 100 and already allowed. They would never get to rule 200. So
> packets going to the 127.0.0.0 network but not on the lo0 interface
> are blocked.
>
> The third rule (300) is similar to rule 200 except that it blocks
> packets that have a source address on the 127.0.0.0 network that are
> not on the lo0 interface. Once again, legitimate packets coming from a
> 127.0.0.0 network address should be on lo0 and already allowed by
> rule 100.
>
> The fourth rule (65000) allows all ip packets with any source address
> and any destination address to go on through the filter.
>
> The fifth rule (65535) is installed by ipfw as the default rule. It
> blocks all ip packets that have not been explicitly allowed or blocked
> by previous rules.
>
> Once you have these rules in place, it is easy to add a rule to block
> traffic from the evil machine. Assuming that you want to block all ip
> traffic, including TCP, UDP, ICMP, etc., you can insert a rule after
> 300 and before 65000 to do this.
>
>     # ipfw add 1000 deny log ip from www.xxx.yyy.zzz to any
>
> This defines a filter rule numbered 1000 that will be evaluated after
> rule 300. It will deny (drop) all ip packets with a source address of
> www.xxx.yyy.zzz and any destination address. It will also log this
> event to /var/log/security. If you don't want to log these packets,
> you can remove the word "log" from the above command.
>
> Viewing your rules should give you the following:
>
>     # ipfw list
>     00100 allow ip from any to any via lo0
>     00200 deny ip from any to 127.0.0.0/8
>     00300 deny ip from 127.0.0.0/8 to any
>     01000 deny log ip from www.xxx.yyy.zzz to any
>     65000 allow ip from any to any
>     65535 deny ip from any to any
>
> This gives you an open firewall that only blocks packets from the evil
> machine and spoofed 127.0.0.0/8 packets.

I find I'm only left with one question: if my box is assigned an
internet-routable IP (not a private IP), which address should take
precedence? In other words, knowing that IPFW works "top down", or
"first match", how would/should I add my internet-routable IP (assuming
I should)? Or should I simply replace 127.0.0.1 with my internet-routable
IP as shown in your example?

I see you have posted another reply. I'll see if you've already
addressed my question in that reply. :)

Thank you again for taking the time to be so helpful.

Best wishes.
--Chris

> Kim
>
> --
> Kim Shrier - principal, Shrier and Deihl - mailto:kim@tinker.com
> Remote Unix Network Admin, Security, Internet Software Development
> Tinker Internet Services - Superior FreeBSD-based Web Hosting
> http://www.tinker.com/
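An added illustration, not part of the thread or of ipfw itself: a first-match walk over exactly the six-rule list Kim shows after the `ipfw add 1000` step, so you can see which rule each kind of packet hits. It assumes 192.0.2.66 (a documentation address) stands in for www.xxx.yyy.zzz, that the box's own routable address is 198.51.100.10, and that its outside interface is em0; all packets below are constructed.

```python
"""First-match simulator for the ipfw ruleset discussed in the thread.

Assumptions (not from the thread): evil host www.xxx.yyy.zzz -> 192.0.2.66,
this box's routable address -> 198.51.100.10 on interface em0.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
EVIL_HOST = ipaddress.ip_network("192.0.2.66/32")   # placeholder for www.xxx.yyy.zzz

# (rule number, action, source net, destination net, required interface).
# Mirrors `ipfw list` after `ipfw add 1000 deny log ip from <evil> to any`;
# the "ip" protocol keyword matches every protocol and every port, which is
# why one rule covers "all ports".  65535 is the default rule ipfw installs.
RULES = [
    (100,   "allow", ANY,          ANY,          "lo0"),
    (200,   "deny",  ANY,          LOOPBACK_NET, None),
    (300,   "deny",  LOOPBACK_NET, ANY,          None),
    (1000,  "deny",  EVIL_HOST,    ANY,          None),
    (65000, "allow", ANY,          ANY,          None),
    (65535, "deny",  ANY,          ANY,          None),
]


def first_match(src, dst, iface):
    """Return (rule number, action) of the first rule matching the packet.

    Rules are scanned in ascending number order and evaluation stops at the
    first hit, which is the "top down" / "first match" behaviour in question.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, action, src_net, dst_net, via in RULES:
        if s in src_net and d in dst_net and (via is None or via == iface):
            return number, action
    raise AssertionError("unreachable: rule 65535 matches every packet")


if __name__ == "__main__":
    # Constructed sample packets: (src, dst, iface, what they represent).
    samples = [
        ("192.0.2.66",    "198.51.100.10", "em0", "evil host -> this box"),
        ("203.0.113.5",   "198.51.100.10", "em0", "ordinary client -> this box"),
        ("198.51.100.10", "127.0.0.1",     "em0", "spoofed 127/8 destination"),
        ("127.0.0.1",     "198.51.100.10", "em0", "spoofed 127/8 source"),
        ("127.0.0.1",     "127.0.0.1",     "lo0", "local loopback traffic"),
    ]
    for src, dst, iface, label in samples:
        number, action = first_match(src, dst, iface)
        print(f"{label:30} -> rule {number:5d} {action}")
```

The ordinary client's packet to the box's own routable address is allowed by rule 65000, which is why that address needs no rule of its own in this ruleset, while the evil host is stopped at 1000 regardless of destination port.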