Date: Tue, 14 Aug 2001 14:50:08 -0500
From: D J Hawkey Jr <hawkeyd@visi.com>
To: freebsd-questions@freebsd.org
Subject: traceroute under ipfilter
Message-ID: <20010814145008.A2171@sheol.localdomain>
Hello All.

Well, after going through ipfilter's manual (several times), DejaNews, and
Google searches, everything says that all I need for stateful 'traceroute's
is:

    pass out quick on dc1 proto udp from any to any port \
        33434 >< 33525 keep state

(the newline is for readability; it's not in /etc/ipf.rules). But it just
doesn't. Not until I add:

    pass in quick on dc1 proto icmp from any to any icmp-type 3
    pass in quick on dc1 proto icmp from any to any icmp-type 11

will 'traceroute' work.

This is OK, except that I don't want the world to successfully 'traceroute'
back to "me", so I'd much prefer just the stateful outbound rule. What have
I missed?

See below my ASCII .sig for my /etc/ipf.rules and /etc/ipnat.rules, in case
context matters. Note that it's the inbound "catch-all" rule that stops the
transaction when the inbound ICMP rules are omitted.

I also wouldn't mind any insightful critiques; 'nmap' from the outside says
only SSH and HTTP are open, but I'm not above constructive criticism.

TIA,
Dave

--
Windows: "Where do you want to go today?"
Linux:   "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"
---8<--- /etc/ipf.rules
# Inside interface:  dc0
#   address: A.B.C.2
#   network: A.B.C.0/24
# Outside interface: dc1
#   address: X.Y.Z.193
#   network: X.Y.Z.192/30
# Web server: A.B.C.3
# DNS server: any
# NTP server: 128.101.101.101

# ---- Inbound on dc1: everything goes through group 1 ----
block in quick on dc1 all head 1

# Stop RFC1918 networks
block in quick on dc1 from 192.168.0.0/16 to any group 1
block in quick on dc1 from 172.16.0.0/12 to any group 1
block in quick on dc1 from 10.0.0.0/8 to any group 1
block in quick on dc1 from 127.0.0.0/8 to any group 1

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
block in quick on dc1 from 0.0.0.0/8 to any group 1
block in quick on dc1 from 169.254.0.0/16 to any group 1
block in quick on dc1 from 192.0.2.0/24 to any group 1
block in quick on dc1 from 204.152.64.0/23 to any group 1
block in quick on dc1 from 224.0.0.0/3 to any group 1

# Allow only these: HTTP and SSH
pass in quick on dc1 proto tcp from any to any port = 80 flags S keep state keep frags group 1
pass in quick on dc1 proto tcp from any to X.Y.Z.193 port = 22 flags S keep state keep frags group 1

# Allow only these: traceroute
pass in quick on dc1 proto icmp from any to any icmp-type 3 group 1
pass in quick on dc1 proto icmp from any to any icmp-type 11 group 1

# Catch-all defaults
block return-rst in quick on dc1 proto tcp all group 1
block return-icmp-as-dest(port-unr) in quick on dc1 proto udp all group 1
block in log on dc1 all group 1

# ---- Outbound on dc1: everything goes through group 10 ----
block out quick on dc1 all head 10

# Stop RFC1918 networks
block out quick on dc1 from any to 192.168.0.0/16 group 10
block out quick on dc1 from any to 172.16.0.0/12 group 10
block out quick on dc1 from any to 10.0.0.0/8 group 10
block out quick on dc1 from any to 127.0.0.0/8 group 10

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
block out quick on dc1 from any to 0.0.0.0/8 group 10
block out quick on dc1 from any to 169.254.0.0/16 group 10
block out quick on dc1 from any to 192.0.2.0/24 group 10
block out quick on dc1 from any to 204.152.64.0/23 group 10
block out quick on dc1 from any to 224.0.0.0/3 group 10

# Allow only these: HTTP[S], SMTP, NNTP, POP[23], passive FTP,
# SSH, and telnet
pass out quick on dc1 proto tcp from any to any port = 80 flags S keep state keep frags group 10
pass out quick on dc1 proto tcp from any to any port = 443 flags S keep state keep frags group 10
pass out quick on dc1 proto tcp from any to any port = 25 flags S keep state keep frags group 10
pass out quick on dc1 proto tcp from any to any port = 119 flags S keep state keep frags group 10
pass out quick on dc1 proto tcp from any to any port 108 >< 111 flags S keep state keep frags group 10
pass out quick on dc1 proto tcp from any to any port = 21 flags S keep state keep frags group 10
pass out quick on dc1 proto tcp from any to any port 32999 >< 63001 flags S keep state keep frags group 10
pass out quick on dc1 proto tcp from any to any port = 22 flags S keep state keep frags group 10
pass out quick on dc1 proto tcp from any to any port = 23 flags S keep state keep frags group 10

# Allow only these: DNS, NTP, traceroute, and ping
pass out quick on dc1 proto udp from any to any port = 53 keep state group 10
pass out quick on dc1 proto udp from any to 128.101.101.101 port = 123 keep state group 10
pass out quick on dc1 proto udp from any to any port 33434 >< 33525 keep state group 10
pass out quick on dc1 proto icmp from any to any keep state group 10

# Catch-all defaults
block out log on dc1 all group 10
--->8---

---8<--- /etc/ipnat.rules
# Inside interface:  dc0
#   address: A.B.C.2
#   network: A.B.C.0/24
# Outside interface: dc1
#   address: X.Y.Z.193
#   network: X.Y.Z.192/30
# Web server: A.B.C.3
# DNS server: any
# NTP server: 128.101.101.101

# NAT
map dc1 A.B.C.0/24 -> X.Y.Z.193/32

# Redirect HTTP
rdr dc1 X.Y.Z.193/32 port 80 -> A.B.C.3 port 80
--->8---
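An added illustration of the mechanism behind the question, written for this archive page and not taken from Dave's post, ipfilter or FreeBSD. A UDP traceroute probe never gets a UDP answer: each intermediate hop replies with ICMP time-exceeded (type 11) and the final host with ICMP port-unreachable (type 3, code 3), and RFC 792 requires those errors to quote the IP header plus the first 8 bytes of the offending datagram, i.e. the probe's UDP header. A UDP "keep state" entry keyed on (src, dst, sport, dport) therefore cannot be matched by looking at the ICMP packet's own addresses and protocol; the filter has to look inside the quoted header. The model below does exactly that and admits an inbound ICMP error only when its quoted header corresponds to a probe that was passed outbound, so no standing "pass in ... icmp-type 3/11 from any" rule is needed. It makes no claim about which ipfilter versions perform this lookup; the names UdpFlow and StateTable, the constructed packets (checksums left zero) and the RFC 5737 documentation addresses (203.0.113.193 standing in for X.Y.Z.193) are all assumptions of the example. For the record, whether outsiders can traceroute to a host is decided by the ICMP errors that host sends out, not by what it accepts inbound.

```python
"""Constructed model of stateful traceroute handling (example code, not ipfilter's).

Outbound UDP probes in the traceroute port range are recorded as flows;
inbound ICMP type 3/11 errors are admitted only if the datagram they quote
(RFC 792: IP header + first 8 bytes) matches a recorded flow.
"""
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpFlow:
    src: str
    dst: str
    sport: int
    dport: int


def _ipv4_header(src, dst, proto, payload_len, ttl):
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum(0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def udp_probe(src, dst, sport, dport, ttl=1):
    """Constructed IPv4/UDP traceroute probe (assumed layout; checksums zero)."""
    payload = bytes(12)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return _ipv4_header(src, dst, 17, len(udp), ttl) + udp


def icmp_error(sender, receiver, icmp_type, code, offending):
    """Constructed ICMP error quoting the offending datagram (RFC 792 layout)."""
    quoted = offending[:28]            # 20-byte IP header + 8-byte UDP header
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return _ipv4_header(sender, receiver, 1, len(icmp), 64) + icmp


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) from a raw IPv4 datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return pkt[9], src, dst, pkt[ihl:]


class StateTable:
    """UDP 'keep state' entries plus ICMP-error matching against them."""

    def __init__(self, lo=33434, hi=33525):
        # ipf.conf 'port lo >< hi' matches strictly between lo and hi
        self.lo, self.hi = lo, hi
        self.flows = set()

    def pass_out_udp(self, pkt):
        """'pass out proto udp from any to any port lo >< hi keep state'."""
        proto, src, dst, l4 = parse_ipv4(pkt)
        if proto != 17 or len(l4) < 4:
            return False
        sport, dport = struct.unpack("!HH", l4[:4])
        if not (self.lo < dport < self.hi):
            return False
        self.flows.add(UdpFlow(src, dst, sport, dport))
        return True

    def pass_in_icmp_error(self, pkt):
        """Admit an inbound ICMP error only if it quotes one of our probes."""
        proto, src, dst, l4 = parse_ipv4(pkt)
        if proto != 1 or len(l4) < 36:   # 8-byte ICMP header + 28 quoted bytes
            return False
        icmp_type = l4[0]
        if icmp_type not in (3, 11):      # dest-unreachable or time-exceeded only
            return False
        qproto, qsrc, qdst, ql4 = parse_ipv4(l4[8:])
        if qproto != 17 or len(ql4) < 4 or dst != qsrc:
            return False                  # error must be addressed to the probe's sender
        qsport, qdport = struct.unpack("!HH", ql4[:4])
        return UdpFlow(qsrc, qdst, qsport, qdport) in self.flows


if __name__ == "__main__":
    me, target, hop = "203.0.113.193", "198.51.100.7", "198.51.100.1"
    table = StateTable()
    probe = udp_probe(me, target, 40000, 33435)
    print("probe out:", table.pass_out_udp(probe))
    print("hop time-exceeded in:", table.pass_in_icmp_error(icmp_error(hop, me, 11, 0, probe)))
    print("unsolicited time-exceeded in:",
          table.pass_in_icmp_error(icmp_error(hop, me, 11, 0, udp_probe(me, target, 1, 33500))))
```

Unsolicited type 11 or type 3 packets, errors quoting a probe that was never sent, and errors addressed to anyone other than the probe's source all fall through to the catch-all, which is the behaviour the two "pass in ... icmp-type" rules in the post give away.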