Date: Sun, 14 Apr 2013 20:49:20 +0200 From: Spil Oss <spil.oss@gmail.com> To: Michael Sierchio <kudzu@tenebras.com> Cc: freebsd-ipfw@freebsd.org Subject: Re: Problems with ipfw/natd and axe(4) Message-ID: <CAEJyAvMZX0z0WZCs4JM=YsG1_kL%2BQq=bR2_MqWdpNdshiRhs8w@mail.gmail.com> In-Reply-To: <CAHu1Y71kKcMRTHeknGYi0rWU-u8HzzELakef4YiUd3krJjDbtA@mail.gmail.com> References: <CAEJyAvOZ6fW0i3yT_D4fH1huje-qsJwA7GGeXqAO1PKzge-YNw@mail.gmail.com> <CAHu1Y71kKcMRTHeknGYi0rWU-u8HzzELakef4YiUd3krJjDbtA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Michael, I was aware that these deny-rules could be created more efficiently, but I wanted to stay as close as possible to the 'simple' ruleset from the base /etc/rc.firewall rules. settings for /etc/rc.firewall natd_interface=ue0 firewall_simple_iif=re0 # Inside IPv4 network interface. firewall_simple_inet=10.16.1.2.1 # Inside IPv4 network address. firewall_simple_oif=ue0 # Outside IPv4 network interface. firewall_simple_onet=172.17.2.111 # Outside IPv4 network address. #firewall_simple_iif_ipv6= Inside IPv6 network interface. #firewall_simple_inet_ipv6= Inside IPv6 network prefix. #firewall_simple_oif_ipv6= Outside IPv6 network interface. #firewall_simple_onet_ipv6= Outside IPv6 network prefix. 1. Requirements and intentions This machine is my next router/firewall and web/mail/etc-server. ue0 connected to my cable modem, re0 connected to my LAN, ath0 my access point. re0 and ath0 will later be part of bridge0. Webserver and mail-services running in separate jails using natd redirect_port, cannot initiate outbound connections. Inbound ssh, http(s), smtp, imaps, submission allowed in from internet. I'm aware that with checksum offloading the tcpdump checksum will appear incorrect. Earlier I worked with the examples from the handbook which I was told on this mailing-list are not a good starting point for a ruleset. This is why I have taken the ruleset delivered in base as my starting point. The fact is that if I reverse re0 and ue0 (configuration as well as physical connections) the ruleset behaves as expected. 2. Interaction of NAT + stateful I'm trying to understand the interaction, starting with the most default. I had tcpdump, /var/log/security, natd -v running in separate tmux windows to try and figure out what happens. 3. Gradually add complexity I had taken /etc/rc.firewall as the lowest level of complexity and intend to add the extra functions. Will bring it down to the bare minimum and try again. natd config from /etc/rc.conf natd_interface=ue0 natd_flags=" -config /etc/natd.conf" or natd -n ue0 -f /etc/natd.conf -v /etc/natd.conf same_ports yes dynamic yes # redirect http, https to web-jail # Disabled Thanks for the pointers! Kind regards, Spil. On Sat, Apr 13, 2013 at 8:01 PM, Michael Sierchio <kudzu@tenebras.com>wrote: > There are some things about this ruleset that are confused. Multiple > deny rules where one will do, et. > > > 01100 deny ip from 10.16.2.1 to any in via ue0 > > 01200 deny ip from 172.17.2.111 to any in via re0 > > 01300 deny ip from any to 10.0.0.0/8 via ue0 > > 01500 deny ip from any to 192.168.0.0/16 via ue0 > > 01600 deny ip from any to 0.0.0.0/8 via ue0 > > 01700 deny ip from any to 169.254.0.0/16 via ue0 > > 01800 deny ip from any to 192.0.2.0/24 via ue0 > > 01900 deny ip from any to 224.0.0.0/4 via ue0 > > 02000 deny ip from any to 240.0.0.0/4 via ue0 > > and you need to think about inbound and outbound traffic, and a few > other things. You have keep-state rules way down the ruleset and a > divert natd in the middle. This won't do. > > 1. State what the requirements and intent are. I'm reluctant to dive > into the solution space for an ill-defined problem. You conclude that > the problem is with the NIC, and I think it's with your ruleset. For > example, which interfaces are external, what's the topology, do > external interfaces have public or private addresses, etc? Is this > a firewall or a standalone box? > > Note that if you do a tcpdump, the checksums will look wrong because > they're offloaded onto the NIC. That's normal. > > 2. Until you understand the interaction of NAT + stateful rules, > don't use them. > > 3. Start with a small ruleset and nat config (show us your natd > config) that is permissive, then gradually add protection. natd by > itself is stateful, and will probably provide all you need. > > - M > > On Sat, Apr 13, 2013 at 6:34 AM, Spil Oss <spil.oss@gmail.com> wrote: > > Hi All, > > > > I can't use ipfw with natd with my ASIX AX88772B USB NIC > > > > ipfw ruleset (slightly modified /etc/rc.firewall simple ruleset) > > 00010 allow ip from any to me dst-port 22 recv ue0 > > 00010 allow tcp from me 22 to any xmit ue0 > > 00100 allow ip from any to any via lo0 > > 00200 deny ip from any to 127.0.0.0/8 > > 00300 deny ip from 127.0.0.0/8 to any > > 00400 deny ip from any to ::1 > > 00500 deny ip from ::1 to any > > 00600 allow ipv6-icmp from :: to ff02::/16 > > 00700 allow ipv6-icmp from fe80::/10 to fe80::/10 > > 00800 allow ipv6-icmp from fe80::/10 to ff02::/16 > > 00900 allow ipv6-icmp from any to any ip6 icmp6types 1 > > 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136 > > 01100 deny ip from 10.16.2.1 to any in via ue0 > > 01200 deny ip from 172.17.2.111 to any in via re0 > > 01300 deny ip from any to 10.0.0.0/8 via ue0 > > 01500 deny ip from any to 192.168.0.0/16 via ue0 > > 01600 deny ip from any to 0.0.0.0/8 via ue0 > > 01700 deny ip from any to 169.254.0.0/16 via ue0 > > 01800 deny ip from any to 192.0.2.0/24 via ue0 > > 01900 deny ip from any to 224.0.0.0/4 via ue0 > > 02000 deny ip from any to 240.0.0.0/4 via ue0 > > 02100 divert 8668 ip4 from any to any via ue0 > > 02200 deny ip from 10.0.0.0/8 to any via ue0 > > 02400 deny ip from 192.168.0.0/16 to any via ue0 > > 02500 deny ip from 0.0.0.0/8 to any via ue0 > > 02600 deny ip from 169.254.0.0/16 to any via ue0 > > 02700 deny ip from 192.0.2.0/24 to any via ue0 > > 02800 deny ip from 224.0.0.0/4 to any via ue0 > > 02900 deny ip from 240.0.0.0/4 to any via ue0 > > 03000 allow tcp from any to any established > > 03100 allow ip from any to any frag > > 03200 allow tcp from any to me dst-port 22 setup > > 03300 allow tcp from any to me dst-port 25 setup > > 03400 allow tcp from any to me dst-port 465 setup > > 03500 allow tcp from any to me dst-port 587 setup > > 03600 allow tcp from any to me dst-port 80 setup > > 03700 allow tcp from any to me dst-port 443 setup > > 03800 deny log logamount 5 ip4 from any to any in via ue0 setup proto tcp > > 03900 allow tcp from any to any setup > > 04000 allow udp from me to any dst-port 53 keep-state > > 04100 allow udp from me to any dst-port 123 keep-state > > 04200 allow ip from any to any dst-port 22 recv ue0 > > 65535 deny ip from any to any > > > > If I remove rule 10 it will NOT work with ue0, the same ruleset without > > rule 10 DOES work with re0 on the same machine (re0 as external and ue0 > as > > internal NIC). > > > > If I connect from the gateway on 172.17.2.1 to the ssh server on this > > machine, I can see the ACK and SYN+ACK but there's no ACK from the client > > to the server to establish the tcp session. Only difference I could find > > was that the checksum was incorrect. > > > > Found an older PR kern/170081 about fxp having trouble with nat when > > rxcsum/txcsum was enabled, that is why I started fiddling with > > rxcsum/txcsum and found that the NIC is unusable/dead without > rxcsum/txcsum > > enabled so this was not an option. > > > > # ifconfig ue0 > > ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 > > options=8000b<RXCSUM,TXCSUM,VLAN_MTU,LINKSTATE> > > ether 00:60:6e:42:5b:53 > > inet6 fe80::260:6eff:fe42:5b53%ue0 prefixlen 64 scopeid 0x7 > > inet 172.17.2.111 netmask 0xffffff00 broadcast 172.17.2.255 > > nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> > > media: Ethernet autoselect (100baseTX <full-duplex>) > > status: active > > > > Any suggestions or pointers? > > > > Kind regards, > > > > Spil. > > _______________________________________________ > > freebsd-ipfw@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAEJyAvMZX0z0WZCs4JM=YsG1_kL%2BQq=bR2_MqWdpNdshiRhs8w>