Date:      Thu, 30 Jan 2003 12:10:51 -0500
From:      "JoeB" <barbish@a1poweruser.com>
To:        "Michael Sierchio" <kudzu@tenebras.com>
Cc:        "Nick Rogness" <nick@rogness.net>, "Simon L. Nielsen" <simon@nitro.dk>, <freebsd-ipfw@FreeBSD.ORG>
Subject:   RE: Error in ipfw manpage for stateful rules?
Message-ID:  <MIEPLLIBMLEEABPDBIEGMENPDEAA.barbish@a1poweruser.com>
In-Reply-To: <3E394339.6080201@tenebras.com>

Nice little rule set, but without an explanation of what each rule is
supposed to be doing and at what time it takes effect,
your sample rule set does not convey any insight into how it works.

What interface are the dynamic rules being built on?  Internal NIC IP
addresses or external NIC IP address?
And this is a let-everything-pass example. What good is it as a
real world working example when most firewall users deny all in and
out except those protocol / port combinations that only allow
desired functions? Your example is a very poor one.

So again I state that the documentation for keep-state rules using
IPFW/NATD does not contain the information to create a fully enabled
keep-state firewall using the IPFW/NATD function.

Here are my IPFW rules, which function perfectly when I use user
ppp -nat to do the NAT function outside of IPFW. When I stop
using ppp -nat and use IPFW/NATD with the same rule set, including
the divert natd rule 200 being uncommented, it stops working. This
should not be.

So show me how your example can be made to be restrictive like my
rules are.


####################################################################
#
# Define IPFW firewall rules for gateway.a1poweruser.com
# 2/15/2002  Joe Barbish
#
#   User ppp tun0 dial out to ISP with dynamic IP addresses assigned.
#   User ppp tun1 dial in to this box with dynamic IP addresses assigned
#   User ppp tun2 dial in to this box with dynamic IP addresses assigned
#   User ppp nat used. Private IP addresses used inside.
#   3 win98 boxes on LAN with static IP address hard coded.
#   Protect the whole private network from loss of service attacks
#   These rules can be reloaded without rebooting by issuing this command:
#   sh /etc/ipfw.stdrules
#
#   The use of 'me' in rules means IP address 127.0.0.0 localhost
#
# Firewall Policy Statement.
#   All packet traffic originating behind this firewall not requiring access
#   to the public internet is exempt from these firewall rules.
#
#   Each public internet function must be explicitly allowed by a rule.
#   Only valid responses to the packets I've sent out are allowed in.
#   All packets must use the IPFW advanced "dynamic" rules function.
#   No state-less rules or simple-stateful rules are allowed.
####################################################################

# Flush out the list before we begin.
/sbin/ipfw -q -f flush

# Set rules command prefix
# The -q option on the command is for quiet mode.
# Do not display rules as they load. Remove during development to see.
cmd="/sbin/ipfw -q add"


# Set defaults
# set these to your outside interface network and netmask and ip
# for dynamic IP address from ISP use their range

oif="tun0"
odns1="208.206.15.11"      # ISP's dns server 1 IP address
odns2="208.206.15.12"      # ISP's dns server 2 IP address
oisp="208.206.15.4"        # Mangobay ISP router issuing rip
oip="63.70.155.25/24"      # For testing dial isp from standalone pc and
                           # access this FBSD box over the internet.
                           # This value is the dynamic IP address range
                           # issued by ISP. oip is in inbound section
                           # statements to only allow inbound access from me.
                           # /24 means 63.70.155.1 thru 63.70.155.256

# Set these to your inside interface network and ip address range
iif="xl0"                  # Nic card
iip="10.0.10.2/29"         # Private IP address range on Nic card
                           # /29 means 10.0.10.1 thru 10.0.10.08
                           # 10.0.10.2  Lan Nic card
                           # 10.0.10.5  Lan Windows98 machine1
iip2="10.0.0.1/29"         # Private IP address range for dial in
                           # /29 means 10.0.0.1 thru 10.0.10.08
                           # 10.0.0.2   User PPP Dialin Host
                           # 10.0.0.5   User PPP Dialin Windows98 machine1

# This is the start of the rules.
# All traffic coming in from the internet or
# leaving the local LAN starts here

# Handle Mangobay router 520 rip request
$cmd 00002 deny udp  from $oisp 520 to me in via $oif

#*** TESTING PURPOSES ONLY *** TESTING PURPOSES ONLY *** TESTING PURPOSES ONLY
# The following rule if un-commented will change the behaviour of this
# FireWall rule set from closed to completely open, thus bypassing all of the
# following rules. This single rule is placed here for TESTING PURPOSES ONLY.
#$cmd 00005 allow  all from any to any via xl0
#$cmd 00006 allow log logamount 200 all from any to any

# Internal gateway housekeeping
# Rules # 100 - 130 exempt everything behind the firewall from this rules set.
# Rules # 150 & 160 deny the reference to the localhost default IP address.
$cmd 00100 allow all from any to any via lo0  # allow all localhost
$cmd 00110 allow all from any to any via xl0  # allow all local LAN
$cmd 00120 allow all from any to any via tun1 # allow all dialin call 1
$cmd 00130 allow all from any to any via tun2 # allow all dialin call 2
$cmd 00150 deny  all from any to 127.0.0.0/8  # deny use of localhost IP
$cmd 00160 deny  all from 127.0.0.0/8 to any  # deny use of localhost IP

#$cmd 00200 divert natd all from any to any via tun0


########  control section  ############################################
# Start of IPFW advanced Stateful Filtering using "dynamic" rules.
# The check-state statement behaviour is to match bidirectional packet traffic
# flow between source and destination using protocol/IP/port/sequence number.
# The dynamic rule has a limited lifetime which is controlled by a set of
# sysctl(8) variables. The lifetime is refreshed every time a matching
# packet is found in the dynamic table.

# Allow the packet through if it has previously been added to
# the "dynamic" rules table by an allow keep-state statement.

$cmd 00500 check-state

# Deny & log all fragments as bogus packets
$cmd 00502 deny log all from any to any frag

# Deny & log ACK packets that did not match the dynamic rule table
$cmd 00501 deny log tcp from any to any established


########  outbound section  ############################################
# Interrogate packets originating from behind the firewall, private net.
# Upon a rule match, its keep-state option will create a dynamic rule.

# Allow out www function
$cmd 00600 allow tcp  from any to any 80  out via $oif setup keep-state

# Allow lan winbox access to FBSD Apache13/Frontpage Server
$cmd 00601 allow tcp  from $iip to any 80  out via $oif setup keep-state

# Allow out access to my ISP's Domain name server.
$cmd 00610 allow tcp  from any to $odns1 53 out via $oif setup keep-state
$cmd 00611 allow udp  from any to $odns1 53 out via $oif keep-state
$cmd 00615 allow tcp  from any to $odns2 53 out via $oif setup keep-state
$cmd 00616 allow udp  from any to $odns2 53 out via $oif keep-state

# Allow out access to internet Domain name server.
$cmd 00618 allow tcp  from any to any    53 out via $oif setup keep-state
$cmd 00619 allow udp  from any to any    53 out via $oif keep-state

# Allow out send & get email function
$cmd 00630 allow tcp from any to any 25,110 out via $oif setup keep-state

# Allow out & in FBSD (make install & CVSUP)  functions
# Basically give user id root  "GOD"  privileges.
$cmd 00640 allow tcp from me to any out via $oif setup keep-state uid root
#$cmd 00641 allow tcp from any to me in  via $oif setup keep-state uid root

# Allow out & in console traceroute command
$cmd 00642 allow udp from me to any 33435-33500 out via $oif keep-state
$cmd 00643 allow icmp from any to me icmptype 3,11 in via $oif limit src-addr 2

# Allow out ping
$cmd 00650 allow icmp from any to any   out via $oif keep-state

# Allow out FTP control channel & in of data channel
$cmd 00671 allow tcp  from any to any 21    out via $oif setup keep-state
# Allow in FTP data channel to Lan ip range
$cmd 00672 allow tcp from any 20 to $iip 1024-49151 in via $oif setup keep-state
# Allow in FTP data channel to Dialin users ip range
$cmd 00673 allow tcp from any 20 to $iip2 1024-49151 in via $oif setup keep-state

# Allow out ssh
#$cmd 00680 allow tcp  from any to any 22   out via $oif setup keep-state

# Allow out TELNET
$cmd 00690 allow tcp  from any to any 23    out via $oif setup keep-state

# Allow out Network Time Protocol (NTP) queries
#$cmd 00694 allow tcp  from any to any 123   out via $oif setup keep-state
#$cmd 00695 allow udp  from any to any 123   out via $oif keep-state

# Allow out Time
$cmd 00696 allow tcp  from any to any 37    out via $oif setup keep-state
$cmd 00697 allow udp  from any to any 37    out via $oif keep-state

# Allow out ident
#$cmd 00700 allow tcp  from any to any 113   out via $oif setup keep-state
#$cmd 00701 allow udp  from any to any 113   out via $oif keep-state

# Allow out IRC
#$cmd 00710 allow tcp  from any to any 194   out via $oif setup keep-state
#$cmd 00711 allow udp  from any to any 194   out via $oif keep-state

# Allow out whois
$cmd 00712 allow tcp  from any to any 43    out via $oif setup keep-state
$cmd 00713 allow udp  from any to any 43    out via $oif keep-state

# Allow out whois++
#$cmd 00715 allow tcp  from any to any 63    out via $oif setup keep-state
#$cmd 00716 allow udp  from any to any 63    out via $oif keep-state

# Allow out finger
#$cmd 00720 allow tcp  from any to any 79    out via $oif setup keep-state
#$cmd 00721 allow udp  from any to any 79    out via $oif keep-state

# Allow out nntp news
#$cmd 00725 allow tcp  from any to any 119   out via $oif setup keep-state
#$cmd 00726 allow udp  from any to any 119   out via $oif keep-state

# Allow out gopher
#$cmd 00730 allow tcp  from any to any 70    out via $oif setup keep-state
#$cmd 00731 allow udp  from any to any 70    out via $oif keep-state

# Allow out pcANYwhere software product
# Can only call out, can not receive incoming calls because of private
# IP address on Lan.
#$cmd 00740 allow  udp from $iip to any 22,5632 out via $oif keep-state
#$cmd 00741 allow  tcp from $iip to any 5631 out via $oif setup keep-state


########  inbound section  ############################################
# Interrogate packets originating from in front of the firewall, public net.
# Place statements here to allow public requests for service.
# The ${oip} holds the dynamic ip address range that both this FBSD box and
# the standalone pc I use for testing log into, so the result is only I can
# gain public access from the internet to these functions.

# Allow in www
$cmd 00800 allow tcp from $oip to any 80 in via $oif setup keep-state limit src-addr 4

# Allow  TCP FTP control channel in & data channel out
$cmd 00810 allow tcp from $oip to me 21  in via $oif setup keep-state limit src-addr 4
$cmd 00811 allow tcp from $oip 20 to any 1024-49151 out via $oif setup keep-state limit src-addr 4

# Allow in ssh function
#$cmd 00820 allow log tcp from $oip to me 22 in via $oif setup keep-state limit src-addr 4

# Allow in Telnet
$cmd 00830 allow tcp from $oip to me 23 in via $oif setup keep-state limit src-addr 4

# This sends a RESET to all ident packets.
$cmd 00840 reset log tcp from any to me 113  in via $oif limit src-addr 4

# Stop & log external redirect requests.
$cmd 00845 deny log icmp from any to any icmptype 5  in via $oif

# Stop & log spoofing attack attempts.
# Examine incoming traffic for packets with both a source and destination
# IP address in my local domain as per CIAC prevention alert.
$cmd 00850 deny log ip from me to me  in via $oif

# Stop & log ping echo attacks
# stop echo reply (ICMP type 0), and echo request (type 8).
$cmd 00860 deny log icmp from any to me icmptype 0,8  in via $oif

# Reject & log all setup of tcp incoming connections from the outside
$cmd 00900 deny log tcp from any to any  setup  in via $oif

# Reject & log all netbios Name service
$cmd 00910 deny log tcp from any to any 137  in via $oif
$cmd 00911 deny log udp from any to any 137  in via $oif


# delta force game (not working yet)
$cmd 00912 allow udp from $iip to any 3568,3569 out via $oif keep-state
$cmd 00913 allow udp from 65.214.130.47 1436 to $iip in via $oif keep-state
$cmd 00914 allow tcp from 208.231.90.229 80 to $iip in via $oif keep-state
$cmd 00915 allow tcp from $iip to 208.231.90.229 80 out via $oif keep-state


# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 00950 deny log all from any to any




-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG
[mailto:owner-freebsd-ipfw@FreeBSD.ORG] On Behalf Of Michael Sierchio
Sent: Thursday, January 30, 2003 10:23 AM
To: barbish@a1poweruser.com
Cc: Nick Rogness; Simon L. Nielsen; freebsd-ipfw@FreeBSD.ORG
Subject: Re: Error in ipfw manpage for stateful rules?

JoeB wrote:

> That is not the only thing wrong with the example.
> IPFW with NATD does not function with keep-state rules.


Oh, but it does.  It just requires the right set of rules.
This is oft-discussed, and is not a design defect but a
consequence of using two different types of stateful mechanism.

I myself use stateful rules and natd -- some of the ruleset
is quite non-intuitive.

> Just read the IPFW-list archives back through 1/2002 and you will
> get a very clear picture of the problem.

I believe that, if you go further back in the archives, you'll see
I was laboring under the same misunderstanding.

Here's an example:

pub_hosts=outside IP addr list / public net
prv_net= rfc1918 addrs / private net
oif= outside if
iif= inside if


$fw add 02100 set 0 divert natd ip from any to any via $oif
$fw add 02200 set 0 check-state
$fw add 02400 set 0 allow ip from $pub_hosts to any out xmit $oif
$fw add 02450 set 0 deny tcp from any to any established
$fw add 03300 set 0 allow tcp from $prv_net to any in via $iif keep-state setup
$fw add 03400 set 0 allow udp from $prv_net to any keep-state
$fw add 03500 set 0 allow icmp from $prv_net to any


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
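An added example, not from either message in this thread: a toy Python model of ipfw's rule walk with a natd divert, using constructed addresses and deliberately simplified semantics (a divert re-enters at the next rule, keep-state records the flow exactly as that rule sees it, check-state matches either direction, and a LAN connection is evaluated on the inside interface and then the outside one). It plays one TCP/80 connection through JoeB's ordering (rules 110/200/500/501/600 above) and through Michael's (2100/2200/2400/2450/3300) to show where the reply is dropped in the first and why it is accepted in the second.

```python
PRIVATE, PUBLIC, SERVER = "10.0.10.5", "63.70.155.25", "198.51.100.7"  # constructed addresses

def natd(pkt, nat):
    """Toy natd: private source -> public going out; public destination -> private coming in."""
    if pkt["dir"] == "out" and pkt["src"] == PRIVATE:
        nat[(PUBLIC, pkt["sport"])] = PRIVATE
        return dict(pkt, src=PUBLIC)
    return dict(pkt, dst=nat.get((pkt["dst"], pkt["dport"]), pkt["dst"])) if pkt["dir"] == "in" else pkt

def walk(rules, pkt, state, nat):
    """Walk the rules top to bottom as ipfw does (a divert re-enters at the next rule); return (verdict, packet)."""
    for action, match in rules:
        if action == "divert" and match(pkt):
            pkt = natd(pkt, nat)  # natd may rewrite the packet; later rules see the rewritten one
        elif action == "check-state":
            s, sp, d, dp = pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]
            if (s, sp, d, dp) in state or (d, dp, s, sp) in state:
                return "allow", pkt
        elif match(pkt):
            if action == "keep-state":  # "allow ... keep-state": record the flow as this rule sees it
                state.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
                return "allow", pkt
            return action, pkt
    return "deny", pkt  # the trailing deny-all rule

# JoeB's ordering (110/200/500/501/600): state is created on tun0 AFTER natd has rewritten the source.
JOE = [("allow", lambda p: p["iface"] == "xl0"),
       ("divert", lambda p: p["iface"] == "tun0"),
       ("check-state", None),
       ("deny", lambda p: not p["syn"]),  # deny tcp from any to any established
       ("keep-state", lambda p: p["dir"] == "out" and p["iface"] == "tun0" and p["syn"])]
# Michael's ordering (2100/2200/2400/2450/3300): state is created on the inside interface BEFORE natd; already-translated packets leave via the stateless 2400.
MIKE = [("divert", lambda p: p["iface"] == "tun0"),
        ("check-state", None),
        ("allow", lambda p: p["src"] == PUBLIC and p["dir"] == "out" and p["iface"] == "tun0"),
        ("deny", lambda p: not p["syn"]),
        ("keep-state", lambda p: p["src"] == PRIVATE and p["dir"] == "in" and p["iface"] == "xl0" and p["syn"])]

def connect(rules):
    """A LAN host opens TCP/80 to SERVER: return the verdict at each interface hop, stopping at the first deny."""
    state, nat, verdicts = set(), {}, []
    syn = dict(src=PRIVATE, sport=40000, dst=SERVER, dport=80, syn=True)
    synack = dict(src=SERVER, sport=80, dst=PUBLIC, dport=40000, syn=False)
    for pkt, hops in ((syn, ("in xl0", "out tun0")), (synack, ("in tun0", "out xl0"))):
        for hop in hops:
            d, i = hop.split()
            verdict, pkt = walk(rules, dict(pkt, dir=d, iface=i), state, nat)
            verdicts.append((hop, verdict))
            if verdict == "deny": return verdicts
    return verdicts
```

Under JoeB's ordering the dynamic rule is keyed on the public address natd wrote in, so the de-translated SYN-ACK finds no state and hits the deny-established rule; under Michael's the state was recorded with the private address before translation, which is exactly what the reply looks like after natd has undone it.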






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGMENPDEAA.barbish>