Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 18 Jan 2009 15:28:51 -0800 (PST)
From:      fbsdmail@dnswatch.com
To:        "Kim Shrier" <kim@tinker.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: possible to block one address on all ports?
Message-ID:  <581b3767ad793d5bce046a42f6516798.dnswclient@webmail.dnswatch.com>
In-Reply-To: <4A2B0C19-799B-4C09-A887-8FDC6AE0B019@tinker.com>
References:  <1528c4e04e7e0d186cf8a9d9c4974ad6.dnswclient@webmail.dnswatch.com> <4A2B0C19-799B-4C09-A887-8FDC6AE0B019@tinker.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Greetings Kim, and thank you very much for such a concise overview...

On Sun, January 18, 2009 1:57 pm, Kim Shrier wrote:
> On Jan 18, 2009, at 1:38 AM, fbsdmail@dnswatch.com wrote:
>
>
>> Greetings,
>> I have what I hope is a simple question that I /hope/ has a simple
>> option. Here's my scenario; My current filtering is done on an
>> application/ service level. While I'm anxious to migrate this to IPFW,
>> I'm don't
>> yet have the time available that will be required. But I have a situation
>> that requires the need to drop any, and all requests from one single IP
>> address. So I thought I might seize this situation as an opportunity to
>> "get my
>> feet wet" with IPFW. So here's my question; Is it possible for me to use
>> IPFW without altering any traffic -
>> that is; nothing changes on incoming/outgoing EXCEPT where this /evil/ IP
>> is concerned? Or, can I start IPFW, and use it to ONLY drop all requests
>> from this /evil/ IP
>> no matter which ports that IP makes a request on? I can? Can/would anyone
>> be willing to tell me how? Apologies in advance, I realize this is
>> pretty "ground level stuff". But I
>> feel if I could get a good start, getting up to speed from there will be
>> a greatly shortened learning curve.
>>
>> Thank you for all your time and consideration.
>>
>>
>> --Chris
>>
>>
>>
>> _______________________________________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to "freebsd-ipfw-
>> unsubscribe@freebsd.org"
>>
>
>
> In order to use ipfw, you need to have it compiled into your kernel or
> you need to load the ipfw.so kernel module and then you need to enable
> filtering and finally you need to specify some rules to control the
> filtering.
>
> I am going to assume that you don't have ipfw compiled into your kernel
> and will need to load the kernel module.
>
> Probably the easiest way to get started is to define the following
> variables in /etc/rc.conf or /etc/rc.conf.local, your preference.
>
> firewall_enable="YES" firewall_type="OPEN" firewall_logging="YES"
>
> These directives enable ipfw, tell it to block nothing, and enables
> logging of blocked packets.  You can then startup ipfw with the following
> command:
>
>
> # /etc/rc.d/ipfw start
>
>
> You can view the filtering rules that are installed with this command:
>
>
> # ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
>
> The following discription of what happens is oversimplified but is
> accurate enough to get you started with ipfw.  Each filter rule has a rule
> number. When a packet comes in, it is compared to each rule until there is
> a match. When there is a match, the specified action is carried out.  In
> the rules above, the only action is allow or deny.  There are other actions
> but you can learn about them later as you get more comfortable with ipfw.
>
> The first rule (100) allows all ip traffic that goes through the
> loopback interface to go on through.  This basically says that anything on
> the machine that wants to talk to anything else on the machine via the
> loopback interface should be allowed to do it.
>
> The second rule (200) blocks anything whose destination ip is to the
> 127.0.0.0
> network.  The reason you want to block these packets is because legitimate
> network packets going to the 127.0.0.0 network should be on the lo0
> interface. Those packets would have been matched by rule 100 and already
> allowed.  They would never get to rule 200.  So packets going to the
> 127.0.0.0
> network but not on the lo0 interface are blocked.
>
> The third rule (300) is similar to rule 200 except that if blocks
> packets that have a source address on the 127.0.0.0 network that are not on
>  the lo0 interface.  Once again, legitimate packets coming from a
> 127.0.0.0
> network address should be on lo0 and already allowed by rule 100.
>
> The fourth rule (65000) allows all ip packets with any source address
> and any destination address to go on through the filter.
>
> The fifth rule (65535) is installed by ipfw as the default rule.  It
> blocks all ip packets that have not been explicitly allowed or blocked by
> previous rules.
>
> Once you have these rules in place, it is easy to add a rule to block
> traffic from the evil machine.  Assuming that you want to block all ip
> traffic, including TCP, UDP, ICMP, etc., you can insert a rule after 300
> and before 65000 to do this.
>
>
> # ipfw add 1000 deny log ip from www.xxx.yyy.zzz to any
>
>
> This defines a filter rule numbered 1000 that will be evaluated after
> rule 300.  It will deny (drop) all ip packets with a source address of
> www.xxx.yyy.zzz and any destination address.  It will also log this
event to
> /var/log/security.  If you don't want to log these packets, you can
> remove the word "log" from the above command.
>
> Viewing your rules should give you the following:
>
>
> # ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 01000 deny log ip from www.xxx.yyy.zzz to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
>
> This gives you an open firewall that only blocks packets from the evil
> machine and spoofed 127.0.0.0/8 packets.

I find I'm only left with one question;
If my box is assigned an internet routable IP (not a private IP),
which address should take precedence? In other words, knowing that
IPFW works "top down", or "first match". How would/should I add my
internet routable IP (assuming I should). Or should I simply replace
127.0.0.1 with my internet routable IP as shown in your example?

I see you have posted another reply. I'll see if you've already
addressed my question in that reply. :)

Thank you again for taking the time to be so helpful.

Best wishes.

--Chris


>
> Kim
>
>
> --
> Kim Shrier - principal, Shrier and Deihl - mailto:kim@tinker.com
> Remote Unix Network Admin, Security, Internet Software Development
> Tinker Internet Services - Superior FreeBSD-based Web Hosting
> http://www.tinker.com/
>
>
>
>





Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?581b3767ad793d5bce046a42f6516798.dnswclient>