Date:      Mon, 2 Dec 2002 17:48:04 +0200 (EET)
From:      "BigBrother (BigB3)" <bigbrother@bonbon.net>
To:        questions@FreeBSD.ORG
Subject:   STATEFULL IPFW AND NATD (Was: NAT & IPFW)
Message-ID:  <20021202172536.F97211-100000@bigb3server.bbcluster.gr>
In-Reply-To: <bulk.76788.20021202003554@hub.freebsd.org>

Nelis wrote

>...
>inside machines cannot telnet...
>....
>#allow all outbound and only inbound TCP connections I've created
>add 0301 divert natd all from any to any via rl0
>add 00302 check-state
>add 00303 allow tcp from any to any established
>add 00304 allow tcp from any to any out setup keep-state
>add 00305 allow tcp from any to 192.x.x.0/24 22,25,53,80,443 setup
>add 00306 allow tcp from 192.x.x.125 to 192.x.x.0/24 161,162 setup
>add 00307 allow tcp from any to 192.168.x.0/27 in recv rl1
>#allow all outbound and only inbound UDP connections I've created
>add 00400 allow udp from 192.x.x.0/24 to any 53,123 keep-state out via rl0
>add 00401 allow udp from any to 192.x.x.0/24 53,123 keep-state in via rl0
>add 00402 allow udp from 192.x.x.0/24 to 192.x.x.125 161,162 keep-state out via rl0
>add 00403 allow udp from 192.x.x.125 to 192.x.x.0/24 161,162 keep-state in via rl0
>add 00404 allow udp from any to 192.168.x.0/27 in recv rl1
>add 00405 allow udp from any to any out
>#allow some icmp types (codes not supported)
>##allow path-mtu in both directions
>add 00600 allow icmp from any to any icmptypes 3
>##allow source quench in and out
>add 00601 allow icmp from any to any icmptypes 4
>##allow me to ping out and receive response back
>add 00602 allow icmp from any to any icmptypes 8 out
>add 00603 allow icmp from any to any icmptypes 0 in
>##allow people to ping me
>add 00604 allow icmp from any to any icmptypes 8 in
>add 00605 allow icmp from any to any icmptypes 0 out
>##allow me to run traceroute
>add 00606 allow icmp from any to any icmptypes 11 in
>#allow ident requests
>add 00700 allow tcp from any to any 113 keep-state setup
>#deny syn and fin bits used for OS finger printing using nmap
>add 00701 deny log tcp from any to any in tcpflags syn,fin
>#log anything that falls through
>add 09000 deny log ip from any to any


Using stateful IPFW and NATD is a very, very tricky thing. I have invested
a lot of effort to try to create a ruleset that combines all these, so
perhaps you could use this advice...

In order to use stateful IPFW and NATD you should learn what NAT does.

Let's say you have an internal net of 192.168.3.1/24 and an external IP of
300.400.500.345 (hypothetically). When an internal machine, 192.168.3.10,
tries to establish a telnet connection with the outside, this is what
happens when the packet reaches the gateway:

1) 192.168.3.10 requests to connect to 216.136.204.117 port 23.
Rule 301 rewrites the request to:
300.400.500.345 requests to connect to 216.136.204.117 port 23

2) The packet is reinjected into the firewall rules with the changed SRC field.

3) Rule 304 will allow it, so the SYN packet will leave...

4) What about the ACK packet?

An ACK is sent back, so now a packet has to be checked:

216.136.204.117 port 23 ACK to 300.400.500.345


5) Rule 301 matches... it is the ACK to our internal telnet request... so
it is translated to

216.136.204.117 23 ACK, destination 192.168.3.10

6) NO rule allows this.... oops, the ACK is lost, and so is every response.

----------------

In order to compensate for this... I give you a part of my own firewall....
any comments welcome...

You have to put a lot of extra things in your ruleset... take this as an
example:


#!/bin/sh
oip="XXXXX" #external ip of gateway
oif="XXX"   #external if
iif="YYY"   #internal if
iip="ZZZ"   #internal ip of gateway

<...snip...other local variables....>

#
###########################################################################
# ## F I R E W A L L      R U L E S     S T A R T    H E R E
###########################################################################

# Force a flush of the current firewall rules before we reload
$fwcmd -f flush

# Allow the loopback to work
$fwcmd add 100 allow all from any to any via lo0

# Prevent spoofing of your loopback
$fwcmd add 200 deny log all from any to 127.0.0.0/8

# Deny suspicious packets
$fwcmd add 300 deny log tcp from any to any in tcpflags syn,fin

# Deny fragmented packets.... they may cause our server to crash (network
# buffer exhaustion)
$fwcmd add 301 deny all from any to any frag

# ###############################################################
# Stop private networks (RFC1918) from entering the outside interface.
# ################################################################

$fwcmd add 351 deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add 352 deny log ip from 172.16.0.0/12 to any in via $oif
$fwcmd add 353 deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add 354 deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add 355 deny log ip from any to 172.16.0.0/12 in via $oif
$fwcmd add 356 deny log ip from any to 10.0.0.0/8 in via $oif

# #################################################################
# Stop draft-manning-dsua-01.txt nets on the outside interface
# ##############################################################

# The following line stops all broadcasts also....
#$fwcmd add 350 deny all from 0.0.0.0/8 to any in via $oif

$fwcmd add 357 deny log all from 169.254.0.0/16 to any in via $oif
$fwcmd add 358 deny log all from 192.0.2.0/24 to any in via $oif
$fwcmd add 359 deny log all from 224.0.0.0/4 to any in via $oif
$fwcmd add 360 deny log all from 240.0.0.0/4 to any in via $oif
#$fwcmd add 361 deny log all from any to 0.0.0.0/8 in via $oif
$fwcmd add 362 deny log all from any to 169.254.0.0/16 in via $oif
$fwcmd add 363 deny log all from any to 192.0.2.0/24 in via $oif
$fwcmd add 364 deny log all from any to 224.0.0.0/4 in via $oif
$fwcmd add 365 deny log all from any to 240.0.0.0/4 in via $oif


#
######################################################################################
# STATELESS RULES (rules that are used every time WITHOUT dynamic support)
######################################################################################

# NAT the internal LAN so Internet access sharing is enabled...
# NAT is a stateless rule because we may end up with XXXx keep-states..
$fwcmd add 380 divert natd   all from any to any via $oif


# After NAT we have the 192.168.0.0/16 IP appear. It is not spoofed, so we
# accept it..
# keep-state option removed because it could prevent us from connecting to
# the system
$fwcmd add 385 allow all from any to 192.168.0.0/16
$fwcmd add 386 allow all from 192.168.0.0/16 to any


<...rest snipped.......>

<...follows some STATELESS rules for basic services to avoid DoS....>

<...then some STATEFUL rules.....>

---
We are being monitored..but there is a solution...
Use PGP for signing and encrypting emails!!!!
Download my public key at http://www.us.pgp.net

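As an added illustration (constructed here, not the poster's script and not ipfw itself), a small Python model of steps 1 to 6 of the trace above: rule 301 translates the source, rule 304 records a dynamic rule keyed on the translated address, and the reply, once natd restores the internal destination, matches neither direction of that dynamic rule and falls through to the deny. The second run adds a stateless allow after the divert, like the poster's rule 385, which is what lets the reply through; natd port remapping and the other quoted rules are left out of the model.

```python
from dataclasses import dataclass, replace

GW_EXT = "300.400.500.345"   # the mail's (deliberately fake) external gateway address
INSIDE_NET = "192.168."      # 192.168.0.0/16, the prefix the poster's rules 385/386 use

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool       # True for the connection request, False for the reply
    outbound: bool  # direction relative to the external interface

def natd(p, nat):
    """Rule 301 (divert natd): rewrite src on the way out, restore dst on the reply.
    Constructed toy: real natd also remaps the source port."""
    if p.outbound and p.src.startswith(INSIDE_NET):
        nat[(p.dst, p.dport, p.sport)] = p.src       # remember the internal host
        return replace(p, src=GW_EXT)
    key = (p.src, p.sport, p.dport)
    if not p.outbound and p.dst == GW_EXT and key in nat:
        return replace(p, dst=nat[key])              # back to 192.168.3.10
    return p

def ipfw(p, dyn, nat, stateless_lan_allow=False):
    """Walk only the rules the trace above mentions; return the deciding rule."""
    p = natd(p, nat)                                           # 301
    fwd = (p.src, p.sport, p.dst, p.dport)
    rev = (p.dst, p.dport, p.src, p.sport)
    if fwd in dyn or rev in dyn:                               # 302 check-state
        return "302 allow (dynamic rule)"
    if p.outbound and p.syn:                                   # 304 out setup keep-state
        dyn.add(fwd)                 # keyed on the NAT'd source, not 192.168.3.10
        return "304 allow (dynamic rule created)"
    if stateless_lan_allow and p.dst.startswith(INSIDE_NET):   # 385 allow to 192.168/16
        return "385 allow (stateless)"
    return "9000 deny"                                         # catch-all deny log

def telnet_trace(stateless_lan_allow=False):
    """Steps 1-6 of the mail: internal host opens telnet, the reply comes back."""
    dyn, nat = set(), {}
    syn = Pkt("192.168.3.10", 40000, "216.136.204.117", 23, True, True)
    first = ipfw(syn, dyn, nat, stateless_lan_allow)
    reply = Pkt("216.136.204.117", 23, GW_EXT, 40000, False, False)
    second = ipfw(reply, dyn, nat, stateless_lan_allow)
    return first, second

if __name__ == "__main__":
    print(telnet_trace(), telnet_trace(stateless_lan_allow=True))
```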