From: Kim Shrier <kim@tinker.com>
To: fbsdmail@dnswatch.com
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 18 Jan 2009 14:57:53 -0700
Subject: Re: possible to block one address on all ports?

On Jan 18, 2009, at 1:38 AM, fbsdmail@dnswatch.com wrote:

> Greetings,
> I have what I hope is a simple question that I /hope/ has a simple
> option. Here's my scenario: my current filtering is done on an
> application/service level. While I'm anxious to migrate this to IPFW,
> I don't yet have the time available that will be required. But I have
> a situation that requires the need to drop any, and all requests from
> one single IP address.
> So I thought I might seize this situation as an opportunity to "get my
> feet wet" with IPFW. So here's my question:
> Is it possible for me to use IPFW without altering any traffic - that
> is, nothing changes on incoming/outgoing EXCEPT where this /evil/ IP
> is concerned?
> Or, can I start IPFW, and use it to ONLY drop all requests from this
> /evil/ IP no matter which ports that IP makes a request on?
> I can? Can/would anyone be willing to tell me how?
> Apologies in advance, I realize this is pretty "ground level stuff".
> But I feel if I could get a good start, getting up to speed from there
> will be a greatly shortened learning curve.
>
> Thank you for all your time and consideration.
>
> --Chris

In order to use ipfw, you need to have it compiled into your kernel or
you need to load the ipfw.so kernel module, and then you need to enable
filtering, and finally you need to specify some rules to control the
filtering. I am going to assume that you don't have ipfw compiled into
your kernel and will need to load the kernel module.

Probably the easiest way to get started is to define the following
variables in /etc/rc.conf or /etc/rc.conf.local, your preference.

    firewall_enable="YES"
    firewall_type="OPEN"
    firewall_logging="YES"

These directives enable ipfw, tell it to block nothing, and enable
logging of blocked packets.

You can then start up ipfw with the following command:

    # /etc/rc.d/ipfw start

You can view the filtering rules that are installed with this command:

    # ipfw list
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    65000 allow ip from any to any
    65535 deny ip from any to any

The following description of what happens is oversimplified but is
accurate enough to get you started with ipfw.

Each filter rule has a rule number. When a packet comes in, it is
compared to each rule until there is a match. When there is a match,
the specified action is carried out. In the rules above, the only
action is allow or deny. There are other actions but you can learn
about them later as you get more comfortable with ipfw.

The first rule (100) allows all ip traffic that goes through the
loopback interface to go on through. This basically says that anything
on the machine that wants to talk to anything else on the machine via
the loopback interface should be allowed to do it.

The second rule (200) blocks anything whose destination ip is to the
127.0.0.0 network. The reason you want to block these packets is
because legitimate network packets going to the 127.0.0.0 network
should be on the lo0 interface. Those packets would have been matched
by rule 100 and already allowed. They would never get to rule 200. So
packets going to the 127.0.0.0 network but not on the lo0 interface
are blocked.

The third rule (300) is similar to rule 200 except that it blocks
packets that have a source address on the 127.0.0.0 network that are
not on the lo0 interface. Once again, legitimate packets coming from a
127.0.0.0 network address should be on lo0 and already allowed by
rule 100.

The fourth rule (65000) allows all ip packets with any source address
and any destination address to go on through the filter.

The fifth rule (65535) is installed by ipfw as the default rule. It
blocks all ip packets that have not been explicitly allowed or blocked
by previous rules.

Once you have these rules in place, it is easy to add a rule to block
traffic from the evil machine. Assuming that you want to block all ip
traffic, including TCP, UDP, ICMP, etc., you can insert a rule after
300 and before 65000 to do this.

    # ipfw add 1000 deny log ip from www.xxx.yyy.zzz to any

This defines a filter rule numbered 1000 that will be evaluated after
rule 300. It will deny (drop) all ip packets with a source address of
www.xxx.yyy.zzz and any destination address. It will also log this
event to /var/log/security. If you don't want to log these packets,
you can remove the word "log" from the above command.

Viewing your rules should give you the following:

    # ipfw list
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    01000 deny log ip from www.xxx.yyy.zzz to any
    65000 allow ip from any to any
    65535 deny ip from any to any

This gives you an open firewall that only blocks packets from the evil
machine and spoofed 127.0.0.0/8 packets.

Kim

-- 
Kim Shrier - principal, Shrier and Deihl - mailto:kim@tinker.com
Remote Unix Network Admin, Security, Internet Software Development
Tinker Internet Services - Superior FreeBSD-based Web Hosting
http://www.tinker.com/
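Added example (not part of Kim's reply or of ipfw itself): a small simulator of the first-match evaluation Kim describes, run over the final rule set above. It parses only the subset of `ipfw list` syntax used in the reply, and substitutes the documentation address 192.0.2.10 for www.xxx.yyy.zzz; the packet inputs are constructed.

```python
import ipaddress

# Constructed sample: the final rule set from the reply, as `ipfw list`
# prints it, with 192.0.2.10 standing in for the evil host's address.
RULES_TEXT = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
01000 deny log ip from 192.0.2.10 to any
65000 allow ip from any to any
65535 deny ip from any to any
"""


def parse_rules(text):
    """Parse lines of the form 'NUM action [log] ip from SRC to DST [via IFACE]'."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        num, action, rest = int(tok[0]), tok[1], tok[2:]
        log = rest[0] == "log"
        if log:
            rest = rest[1:]
        # rest is now ['ip', 'from', SRC, 'to', DST, ('via', IFACE)]
        src, dst = rest[2], rest[4]
        iface = rest[6] if len(rest) > 6 and rest[5] == "via" else None
        rules.append((num, action, log, src, dst, iface))
    return sorted(rules)  # ipfw walks the rules in rule-number order


def _addr_match(spec, addr):
    """'any' matches everything; otherwise a host or CIDR spec must contain addr."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src, dst, iface):
    """First match wins: return (rule number, action, logged) for one packet."""
    for num, action, log, rsrc, rdst, riface in rules:
        if riface is not None and riface != iface:
            continue  # 'via lo0' only applies to packets on that interface
        if _addr_match(rsrc, src) and _addr_match(rdst, dst):
            return num, action, log
    raise RuntimeError("no match; a real ipfw always has default rule 65535")
```

Feeding it a spoofed packet destined for 127.0.0.1 on em0 shows it stopping at rule 200 rather than being allowed by rule 100, which is the point of ordering the loopback rules first.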