Date:      Mon, 08 Dec 2003 10:47:00 +0800
From:      Ganbold <ganbold@micom.mng.net>
To:        "Ken Joostens" <ken@calpop.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   RE: bridged ipfw problem in FreeBSD 5.2beta
Message-ID:  <6.0.0.22.2.20031208104427.029dc538@202.179.0.80>
In-Reply-To: <OEEHJCJCLNNGEFBMKKLDGEKCCLAA.ken@calpop.com>
References:  <6.0.0.22.2.20031205202453.02a0fd78@202.179.0.80> <OEEHJCJCLNNGEFBMKKLDGEKCCLAA.ken@calpop.com>

Hi,

Thanks for reply.
I think IPFW2 is the default in the FreeBSD 5.x Current branch, so I don't need to
define options IPFW2 in the kernel config and compile all other sources with -DIPFW2.

Ganbold


At 01:53 AM 06.12.2003, you wrote:


>Hi,
>
>I had a similar problem myself on my new bridge. Apparently when you do deny
>ip from any to any, it also matches 'layer2' packets like ARP, which means
>they will not be propagated. After some time the connection dies... There
>are no rules in ipfw to allow ARP traffic, the only rule that matches it is
>'ip from any to any'. But! ipfw2 does do layer2 filtering, you can filter on
>MAC address and allow/deny ARP traffic.
>What I did is the following:
>
>Run /stand/sysinstall (as root), choose Configure -> Distributions, then
>src, and then lib, sbin and sys.
>
>To compile libalias:
>cd /usr/src/lib/libalias
>make -DIPFW2
>make install
>
>To compile ipfw:
>cd /usr/src/sbin/ipfw
>make -DIPFW2
>make install
>
>Build a Kernel with:
>cd /usr/src/sys/i386/conf
>options IPFW2
>
>or if you would like to do a make buildworld etc. put IPFW2=TRUE in
>/etc/make.conf
>
>IPFW2 has a few advantages, like layer2 filtering; there are options to
>filter based on the length of the packet, for example to block Nachi: deny
>icmp from any to any iplen 92
>
>Regards,
>Ken
>
>
>
>-----Original Message-----
>From: owner-freebsd-ipfw@freebsd.org
>[mailto:owner-freebsd-ipfw@freebsd.org]On Behalf Of Ganbold
>Sent: Friday, December 05, 2003 4:42 AM
>To: freebsd-ipfw@freebsd.org
>Subject: bridged ipfw problem in FreeBSD 5.2beta
>
>
>Hi,
>
>I'm new to ipfw and I have configured ipfw in Pentium 4 2GHz, 18GB HDD,
>128MB RAM computer.
>This computer will work as a bridge. It has 3 Intel Pro 100Mb cards, 2 for
>bridging and 1 for just connection to this computer
>from remote machine.
>Bridging works just fine, but after 4 hours it doesn't work. It happened 3
>times, all after 4 hours of operation.
>Machine itself was working fine, only it seems it doesn't
>forward packets from internal interface to external or internal interface
>didn't receive anything.
>
>Can somebody tell me what I did wrong in the config files? Is it a problem with
>the NIC or a problem with the bridge?
>Or is it a problem related to ARP?
>
>I'm asking a lot of questions at one time, but I really need to install and
>use a bridging firewall, and
>I hope somebody on this list points me in the right direction.
>
>
>thanks in advance,
>
>Ganbold Ts.
>Mongolia
>
>----------------------------------------------------------------------------
>
>In kernel config I included:
>----------------------------------------------------------------------------
>options         IPFIREWALL
>options         IPFIREWALL_VERBOSE
>options         IPFIREWALL_VERBOSE_LIMIT=100
>
>options         IPDIVERT
>options         TCPDEBUG
>options         IPSTEALTH
>options         TCP_DROP_SYNFIN
>
>options         DUMMYNET
>options         HZ=1000
>options         BRIDGE
>----------------------------------------------------------------------------
>
>In sysctl.conf I included:
>----------------------------------------------------------------------------
>
>net.link.ether.bridge_cfg=fxp0:0,fxp1:0
>net.link.ether.bridge_ipfw=1
>net.link.ether.bridge.enable=1
>
>net.inet.ip.fw.one_pass=0
>security.bsd.see_other_uids=0
>net.link.ether.inet.max_age=1200
>kern.ipc.somaxconn=1024
>net.inet.tcp.sendspace=32768
>net.inet.tcp.recvspace=32768
>
>net.inet.ip.sourceroute=0
>net.inet.ip.accept_sourceroute=0
>net.inet.icmp.bmcastecho=0
>net.inet.icmp.maskrepl=0
>
>net.inet.tcp.blackhole=2
>net.inet.udp.blackhole=1
>
>net.inet.ip.fw.dyn_ack_lifetime=3600
>net.inet.ip.fw.dyn_udp_lifetime=10
>net.inet.ip.fw.dyn_buckets=1024
>----------------------------------------------------------------------------
>
>Following is my rc.conf script:
>
>----------------------------------------------------------------------------
>network_interfaces="fxp0 fxp1 fxp2 lo0"
>
>accounting_enable="YES"
>hostname="fw.ub.mng.net"
>defaultrouter="202.179.xxx.xxx"
>ifconfig_fxp1="media 100baseTX mediaopt full-duplex"
>ifconfig_fxp2="inet 202.179.xxx.xxx netmask 255.255.255.248 media 100baseTX mediaopt full-duplex"
>
>inetd_enable="YES"
>kern_securelevel_enable="NO"
>sendmail_enable="NONE"
>sshd_enable="YES"
>usbd_enable="YES"
>
>firewall_enable="YES"
>firewall_script="/etc/rc.firewall"
>firewall_type="custom"
>firewall_quiet="NO"
>
>log_in_vain=1
>icmp_drop_redirect="YES"
>icmp_log_redirect=YES
>tcp_drop_synfin="YES"
>tcp_restrict_rst="YES"
>----------------------------------------------------------------------------
>
>Following is my rc.firewall part:
>----------------------------------------------------------------------------
>..
>[Cc][Uu][Ss][Tt][Oo][Mm])
>
># 0 is external and 1 is internal nic
>fwinterface0="fxp0"
>fwinterface1="fxp1"
>
>${fwcmd} -f flush
>
>######################## CLASS A,B,C #########################
># Things that we have kept state on before get to go through in a hurry
>${fwcmd} add 10 check-state
>
># Denying Class A IP spoofing.
># NOTE: REMARK these lines if you have intranet clients with Class A IP.
>${fwcmd} add 20 deny all from any to 10.0.0.0/8 via fxp0
>${fwcmd} add 21 deny all from 10.0.0.0/8 to any via fxp0
>
># Denying Class B IP spoofing.
># NOTE: REMARK these lines if you have intranet clients with Class B IP.
>${fwcmd} add 22 deny all from any to 172.16.0.0/12 via fxp0
>${fwcmd} add 23 deny all from 172.16.0.0/12 to any via fxp0
>
># Denying Class C IP spoofing.
># NOTE: REMARK these lines if you have intranet clients with Class C IP.
>${fwcmd} add 24 deny all from any to 192.168.0.0/16 via fxp0
>${fwcmd} add 25 deny all from 192.168.0.0/16 to any via fxp0
>
>######################### CLASS D,E #########################
>
># Denying Class D, E IP spoofing.
># Refer to: draft-manning-dsua-03.txt for more information about Class D/E IP.
>${fwcmd} add 26 deny all from any to 0.0.0.0/8 via fxp0
>${fwcmd} add 27 deny all from 0.0.0.0/8 to any via fxp0
>
>${fwcmd} add 28 deny all from any to 192.0.2.0/24 via fxp0
>${fwcmd} add 29 deny all from 192.0.2.0/24 to any via fxp0
>
>${fwcmd} add 30 deny all from any to 169.254.0.0/16 via fxp0
>${fwcmd} add 31 deny all from 169.254.0.0/16 to any via fxp0
>
>${fwcmd} add 32 deny all from any to 224.0.0.0/4 via fxp0
>${fwcmd} add 33 deny all from 224.0.0.0/4 to any via fxp0
>
>####################### DUMMYNET config #######################
>
># apply DUMMYNET bandwidth here
>
># micom
>${fwcmd} pipe 41 config bw 0kbit/s
>${fwcmd} pipe 42 config bw 0kbit/s
>
>${fwcmd} add 60 pipe 41 all from 202.179.xxx.xxx/27 to any in via fxp1
>${fwcmd} add 61 pipe 42 all from any to 202.179.xxx.xxx/27 in via fxp0
>
>#glinkor
>${fwcmd} pipe 43 config bw 128kbit/s
>${fwcmd} pipe 44 config bw 128kbit/s
>
>${fwcmd} add 62 pipe 43 all from 202.179.xxx.xxx/29 to any in via fxp1
>${fwcmd} add 63 pipe 44 all from any to 202.179.xxx.xxx/29 in via fxp0
>
>######################### STANDARDS #########################
>
># Allow TCP through if setup succeeded
>${fwcmd} add 100 pass tcp from any to any established
>
># Allow the bridge machine to say anything it wants
># (if the machine is IP-less do not include these rows)
>${fwcmd} add 200 pass tcp from 202.179.xxx.xxx to any setup keep-state
>${fwcmd} add 210 pass udp from  202.179.xxx.xxx to any keep-state
>${fwcmd} add 220 pass ip from  202.179.xxx.xxx  to any
>
># Allowing connections through localhost.
>${fwcmd} add 300 pass all from any to any via lo0
># pass ARP
>${fwcmd} add 301 pass udp from 0.0.0.0 2054 to 0.0.0.0
>
># Allow the inside hosts to say anything they want
>${fwcmd} add pass tcp from any to any in via fxp1 setup keep-state
>${fwcmd} add pass udp from any to any in via fxp1 keep-state
>${fwcmd} add pass ip from any to any in via fxp1
>
>${fwcmd} add pass tcp from any to any in via fxp2 setup keep-state
>${fwcmd} add pass udp from any to any in via fxp2 keep-state
>${fwcmd} add pass ip from any to any in via fxp2
>
>######################### RESTRICTIONS #########################
>
>
># Allowing SSH,web connection and LOG all incoming connections.
>${fwcmd} add pass log tcp from any to any 22 in via fxp0 setup keep-state
>${fwcmd} add pass tcp from any to any 80,443 in via fxp0 setup keep-state
>
># Allowing and LOG all INCOMING, outgoing FTP, telnet, SMTP, POP3, ident, imap connections.
>${fwcmd} add pass tcp from any to any 20-21,23,25,110,113,143 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 20-21,23,25,110,113,143 in via fxp0 keep-state
>
># Pass the "quarantine" range
>${fwcmd} add pass tcp from any to any 40000-65535 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 40000-65535 in via fxp0 keep-state
>
># MSN, Yahoo
>${fwcmd} add pass tcp from any to any 1863,5050 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 1863,5050 in via fxp0 keep-state
>
># additional MSN ports
>${fwcmd} add pass tcp from any to any 6891-6901,6801,2001-2120,7801-7825 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 6891-6901,6801,2001-2120,7801-7825 in via fxp0 keep-state
>
># additional h323,yahoo ports
>${fwcmd} add pass tcp from any to any 1719-1721,5000-5010,5100,5190,8010,8100 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 1719-1721,5000-5010,5100,5190,8010,8100 in via fxp0 keep-state
>
># allow radius
>${fwcmd} add pass tcp from any to any 1645,1646,1812,1813 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 1645,1646,1812,1813 in via fxp0 keep-state
>
># Allowing mysql,Jabber,IRC,chat,SOCKS,HTTP proxy.
>${fwcmd} add pass tcp from any to any 1080,3306,5222,5223,5269,6667,8000,8080 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 1080,3306,5222,5223,5269,6667,8000,8080 in via fxp0 keep-state
>
># additional eMule ports
>${fwcmd} add pass tcp from any to any 2323,4242,4243,4661-4672,7700-7800 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 2323,4242,4243,4661-4672,7700-7800 in via fxp0 keep-state
>
># Allowing DNS lookups.
>${fwcmd} add pass tcp from any to any 53 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 53 in via fxp0 keep-state
>${fwcmd} add pass udp from any 53 to any in via fxp0 keep-state
>
>#${fwcmd} add pass tcp from any to any 53 out via fxp0 setup keep-state
>#${fwcmd} add pass udp from any to any 53 out via fxp0 keep-state
>
>######################### ICMP #########################
>
># Allowing outgoing PINGs.
># Allowing "Destination Unreachable", "Source Quench", "Time Exceeded" and "Bad Header".
>${fwcmd} add pass icmp from any to any icmptypes 0,3,4,8,11,12
>
># Allowing IP fragments to pass through.
>${fwcmd} add 65000 pass all from any to any frag
>
># Everything else is suspect
>${fwcmd} add drop log ip from any to any
>          ;;
>
>----------------------------------------------------------------------------
>
>
>
>
>
>_______________________________________________
>freebsd-ipfw@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
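The rc.firewall "custom" fragment below is an added example for this thread; it is not code from either poster and not FreeBSD's own rc.firewall. It applies Ken's point on an IPFW2 bridge (options BRIDGE, net.link.ether.bridge_ipfw=1, as in Ganbold's sysctl.conf): ARP is not IP, so the posted "pass udp from 0.0.0.0 2054" rule can never match it and the final "deny ip from any to any" eats the frames once the neighbours' ARP caches expire. The fix is an ipfw2 rule that selects ARP by Ethernet type (the layer2 and mac-type options from ipfw(8)) and sits below every rule that could deny "ip from any to any". Assumptions: fxp0 external and fxp1 internal as in the post; the rule numbers, the choice to drop other non-IP frames, the trimmed service rules and the dry-run wrapper (fwcmd defaults to echo, so the script prints instead of loading rules) are illustrative choices made here.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from FreeBSD's
# stock rc.firewall: an rc.firewall-style "custom" fragment for an IPFW2
# bridge (options BRIDGE, net.link.ether.bridge_ipfw=1 as in the original post).
# Assumptions: fxp0 is the external and fxp1 the internal bridge port (from the
# post); rule numbers, the "drop other non-IP frames" policy and the dry-run
# wrapper are illustrative choices made here. With fwcmd unset the script only
# prints the ipfw commands, so it can be reviewed off the box.

fwcmd="${fwcmd:-echo ipfw}"      # on the bridge itself: fwcmd=/sbin/ipfw
ext_if="${ext_if:-fxp0}"
int_if="${int_if:-fxp1}"

build_bridge_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 10 check-state

    # Layer-2 frames reach ipfw only because bridge_ipfw=1. ARP is not IP, so a
    # "udp ... 2054" rule can never match it (2054 is just the ARP ethertype
    # 0x0806 written in decimal). Select it by Ethernet type instead, before
    # any rule that could deny "ip from any to any".
    ${fwcmd} add 20 allow ip from any to any layer2 mac-type arp

    # Illustrative policy: this bridge carries only IPv4 (ethertype 0x0800), so
    # any other non-IP frame is dropped and logged instead of silently hitting
    # the last rule.
    ${fwcmd} add 21 deny log ip from any to any layer2 not mac-type 0x0800

    # Ken's Nachi (Welchia) filter from the thread. Caveat: it drops every
    # 92-byte ICMP packet, not only the worm's echo requests.
    ${fwcmd} add 30 deny icmp from any to any iplen 92

    ${fwcmd} add 100 allow tcp from any to any established
    ${fwcmd} add 200 allow tcp from any to any in via ${int_if} setup keep-state
    ${fwcmd} add 210 allow udp from any to any in via ${int_if} keep-state
    ${fwcmd} add 300 allow tcp from any to any 22,80,443 in via ${ext_if} setup keep-state
    ${fwcmd} add 400 allow icmp from any to any icmptypes 0,3,4,8,11,12

    # Catch-all. With rule 20 in place it no longer eats ARP, so the bridged
    # hosts keep resolving each other after their ARP cache entries expire.
    ${fwcmd} add 65000 deny log ip from any to any
}

# Check the dry-run text rather than the live box: the ARP allow must carry a
# lower number than the first unconditional "deny ... ip from any to any",
# otherwise ipfw never reaches it (rules are evaluated in numeric order).
arp_rule_precedes_catchall() {
    rules=$(fwcmd="echo ipfw"; build_bridge_rules)
    arp_no=$(printf '%s\n' "$rules" | awk '/mac-type arp/ { print $3; exit }')
    deny_no=$(printf '%s\n' "$rules" | awk '/deny .*ip from any to any$/ { print $3; exit }')
    [ -n "$arp_no" ] && [ -n "$deny_no" ] && [ "$arp_no" -lt "$deny_no" ]
}

build_bridge_rules
arp_rule_precedes_catchall && echo "ok: ARP admitted at rule $arp_no, catch-all deny at rule $deny_no"
```

Two caveats when adapting this: the layer2 rules only see frames at all because net.link.ether.bridge_ipfw=1 is set, and the ARP allow has to be numbered below every rule whose body is "ip from any to any", since at layer 2 such a rule matches non-IP frames as well (which is exactly why the posted ruleset lost ARP).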



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.0.0.22.2.20031208104427.029dc538>