Date: Mon, 08 Dec 2003 10:47:00 +0800
From: Ganbold <ganbold@micom.mng.net>
To: "Ken Joostens" <ken@calpop.com>
Cc: freebsd-ipfw@freebsd.org
Subject: RE: bridged ipfw problem in FreeBSD 5.2beta
Message-ID: <6.0.0.22.2.20031208104427.029dc538@202.179.0.80>
In-Reply-To: <OEEHJCJCLNNGEFBMKKLDGEKCCLAA.ken@calpop.com>
References: <6.0.0.22.2.20031205202453.02a0fd78@202.179.0.80> <OEEHJCJCLNNGEFBMKKLDGEKCCLAA.ken@calpop.com>
Hi,

Thanks for reply. I think IPFW2 is default in FreeBSD 5.x Current branch, so I
don't need to define options IPFW2 in kernel config and compile all other
sources with -DIPFW2

Ganbold

At 01:53 AM 06.12.2003, you wrote:
>Hi,
>
>I had a similar problem myself on my new bridge. Apparently when you do deny
>ip from any to any, it also matches 'layer2'-packets like ARP, which means
>they will not be propagated. After some time the connection dies... There
>are no rules in ipfw to allow ARP traffic, the only rule that matches it is
>'ip from any to any'. But! ipfw2 does do layer2 filtering, you can filter on
>MAC address and allow/deny ARP traffic.
>What I did is the following:
>
>Run /stand/sysinstall (as root), choose Configure -> Distributions, then
>src, and then lib, sbin and sys.
>
>To compile libalias:
>cd /usr/src/lib/libalias
>make -DIPFW2
>make install
>
>To compile ipfw:
>cd /usr/src/sbin/ipfw
>make -DIPFW2
>make install
>
>Build a Kernel with:
>cd /usr/src/sys/i386/conf
>options IPFW2
>
>or if you would like to do a make buildworld etc. put IPFW2=TRUE in
>/etc/make.conf
>
>IPFW2 has a few advantages, like layer2 filtering; there are options to
>filter based on the length of the packet, for example to block nachi:
>deny icmp from any to any iplen 92
>
>Regards,
>Ken
>
>
>
>-----Original Message-----
>From: owner-freebsd-ipfw@freebsd.org
>[mailto:owner-freebsd-ipfw@freebsd.org]On Behalf Of Ganbold
>Sent: Friday, December 05, 2003 4:42 AM
>To: freebsd-ipfw@freebsd.org
>Subject: bridged ipfw problem in FreeBSD 5.2beta
>
>
>Hi,
>
>I'm new to ipfw and I have configured ipfw in Pentium 4 2GHz, 18GB HDD,
>128MB RAM computer.
>This computer will work as a bridge. It has 3 Intel Pro 100Mb cards, 2 for
>bridging and 1 for just connection to this computer from remote machine.
>Bridging works just fine, but after 4 hours it doesn't work. It happened 3
>times, all after 4 hours of operation.
>Machine itself was working fine, only it seems it doesn't forward packets
>from internal interface to external or internal interface didn't receive
>anything.
>
>Can somebody tell me where I did wrong in config files? Is it problem with
>NIC or problem with bridge?
>Or is it problem related to arp?
>
>I'm asking a lot of questions at one time, but I really need to install and
>use bridging firewall and I hope somebody in this list points me to the
>right direction.
>
>
>thanks in advance,
>
>Ganbold Ts.
>Mongolia
>
>----------------------------------------------------------------------------
>
>In kernel config I included:
>----------------------------------------------------------------------------
>options IPFIREWALL
>options IPFIREWALL_VERBOSE
>options IPFIREWALL_VERBOSE_LIMIT=100
>
>options IPDIVERT
>options TCPDEBUG
>options IPSTEALTH
>options TCP_DROP_SYNFIN
>
>options DUMMYNET
>options HZ=1000
>options BRIDGE
>----------------------------------------------------------------------------
>
>In sysctl.conf I included:
>----------------------------------------------------------------------------
>
>net.link.ether.bridge_cfg=fxp0:0,fxp1:0
>net.link.ether.bridge_ipfw=1
>net.link.ether.bridge.enable=1
>
>net.inet.ip.fw.one_pass=0
>security.bsd.see_other_uids=0
>net.link.ether.inet.max_age=1200
>kern.ipc.somaxconn=1024
>net.inet.tcp.sendspace=32768
>net.inet.tcp.recvspace=32768
>
>net.inet.ip.sourceroute=0
>net.inet.ip.accept_sourceroute=0
>net.inet.icmp.bmcastecho=0
>net.inet.icmp.maskrepl=0
>
>net.inet.tcp.blackhole=2
>net.inet.udp.blackhole=1
>
>net.inet.ip.fw.dyn_ack_lifetime=3600
>net.inet.ip.fw.dyn_udp_lifetime=10
>net.inet.ip.fw.dyn_buckets=1024
>----------------------------------------------------------------------------
>
>Following is my rc.conf script:
>
>----------------------------------------------------------------------------
>network_interfaces="fxp0 fxp1 fxp2 lo0"
>
>accounting_enable="YES"
>hostname="fw.ub.mng.net"
>defaultrouter="202.179.xxx.xxx"
>ifconfig_fxp1="media 100baseTX mediaopt full-duplex"
>ifconfig_fxp2="inet 202.179.xxx.xxx netmask 255.255.255.248 media 100baseTX mediaopt full-duplex"
>
>inetd_enable="YES"
>kern_securelevel_enable="NO"
>sendmail_enable="NONE"
>sshd_enable="YES"
>usbd_enable="YES"
>
>firewall_enable="YES"
>firewall_script="/etc/rc.firewall"
>firewall_type="custom"
>firewall_quiet="NO"
>
>log_in_vain=1
>icmp_drop_redirect="YES"
>icmp_log_redirect=YES
>tcp_drop_synfin="YES"
>tcp_restrict_rst="YES"
>----------------------------------------------------------------------------
>
>Following is my rc.firewall part:
>----------------------------------------------------------------------------
>..
>[Cc][Uu][Ss][Tt][Oo][Mm])
>
># 0 is external and 1 is internal nic
>fwinterface0="fxp0"
>fwinterface1="fxp1"
>
>${fwcmd} -f flush
>
>######################## CLASS A,B,C #########################
># Things that we have kept state on before get to go through in a hurry
>${fwcmd} add 10 check-state
>
># Denying Class A IP spoofing.
># NOTE: REMARK these lines if you have intranet clients with Class A IP.
>${fwcmd} add 20 deny all from any to 10.0.0.0/8 via fxp0
>${fwcmd} add 21 deny all from 10.0.0.0/8 to any via fxp0
>
># Denying Class B IP spoofing.
># NOTE: REMARK these lines if you have intranet clients with Class B IP.
>${fwcmd} add 22 deny all from any to 172.16.0.0/12 via fxp0
>${fwcmd} add 23 deny all from 172.16.0.0/12 to any via fxp0
>
># Denying Class C IP spoofing.
># NOTE: REMARK these lines if you have intranet clients with Class C IP.
>${fwcmd} add 24 deny all from any to 192.168.0.0/16 via fxp0
>${fwcmd} add 25 deny all from 192.168.0.0/16 to any via fxp0
>
>######################### CLASS D,E #########################
>
># Denying Class D, E IP spoofing.
># Refer to: draft-manning-dsua-03.txt for more information about Class D/E IP.
>${fwcmd} add 26 deny all from any to 0.0.0.0/8 via fxp0
>${fwcmd} add 27 deny all from 0.0.0.0/8 to any via fxp0
>
>${fwcmd} add 28 deny all from any to 192.0.2.0/24 via fxp0
>${fwcmd} add 29 deny all from 192.0.2.0/24 to any via fxp0
>
>${fwcmd} add 30 deny all from any to 169.254.0.0/16 via fxp0
>${fwcmd} add 31 deny all from 169.254.0.0/16 to any via fxp0
>
>${fwcmd} add 32 deny all from any to 224.0.0.0/4 via fxp0
>${fwcmd} add 33 deny all from 224.0.0.0/4 to any via fxp0
>
>####################### DUMMYNET config #######################
>
># apply DUMMYNET bandwidth here
>
># micom
>${fwcmd} pipe 41 config bw 0kbit/s
>${fwcmd} pipe 42 config bw 0kbit/s
>
>${fwcmd} add 60 pipe 41 all from 202.179.xxx.xxx/27 to any in via fxp1
>${fwcmd} add 61 pipe 42 all from any to 202.179.xxx.xxx/27 in via fxp0
>
>#glinkor
>${fwcmd} pipe 43 config bw 128kbit/s
>${fwcmd} pipe 44 config bw 128kbit/s
>
>${fwcmd} add 62 pipe 43 all from 202.179.xxx.xxx/29 to any in via fxp1
>${fwcmd} add 63 pipe 44 all from any to 202.179.xxx.xxx/29 in via fxp0
>
>######################### STANDARDS #########################
>
># Allow TCP through if setup succeeded
>${fwcmd} add 100 pass tcp from any to any established
>
># Allow the bridge machine to say anything it wants
># (if the machine is IP-less do not include these rows)
>${fwcmd} add 200 pass tcp from 202.179.xxx.xxx to any setup keep-state
>${fwcmd} add 210 pass udp from 202.179.xxx.xxx to any keep-state
>${fwcmd} add 220 pass ip from 202.179.xxx.xxx to any
>
># Allowing connections through localhost.
>${fwcmd} add 300 pass all from any to any via lo0
># pass ARP
>${fwcmd} add 301 pass udp from 0.0.0.0 2054 to 0.0.0.0
>
># Allow the inside hosts to say anything they want
>${fwcmd} add pass tcp from any to any in via fxp1 setup keep-state
>${fwcmd} add pass udp from any to any in via fxp1 keep-state
>${fwcmd} add pass ip from any to any in via fxp1
>
>${fwcmd} add pass tcp from any to any in via fxp2 setup keep-state
>${fwcmd} add pass udp from any to any in via fxp2 keep-state
>${fwcmd} add pass ip from any to any in via fxp2
>
>######################### RESTRICTIONS #########################
>
>
># Allowing SSH,web connection and LOG all incoming connections.
>${fwcmd} add pass log tcp from any to any 22 in via fxp0 setup keep-state
>${fwcmd} add pass tcp from any to any 80,443 in via fxp0 setup keep-state
>
># Allowing and LOG all INCOMING, outgoing FTP, telnet, SMTP, POP3, ident,
># imap connections.
>${fwcmd} add pass tcp from any to any 20-21,23,25,110,113,143 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 20-21,23,25,110,113,143 in via fxp0 keep-state
>
># Pass the "quarantine" range
>${fwcmd} add pass tcp from any to any 40000-65535 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 40000-65535 in via fxp0 keep-state
>
># MSN, Yahoo
>${fwcmd} add pass tcp from any to any 1863,5050 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 1863,5050 in via fxp0 keep-state
>
># additional MSN ports
>${fwcmd} add pass tcp from any to any 6891-6901,6801,2001-2120,7801-7825 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 6891-6901,6801,2001-2120,7801-7825 in via fxp0 keep-state
>
># additional h323,yahoo ports
>${fwcmd} add pass tcp from any to any 1719-1721,5000-5010,5100,5190,8010,8100 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 1719-1721,5000-5010,5100,5190,8010,8100 in via fxp0 keep-state
>
># allow radius
>${fwcmd} add pass tcp from any to any 1645,1646,1812,1813 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 1645,1646,1812,1813 in via fxp0 keep-state
>
># Allowing mysql,Jabber,IRC,chat,SOCKS,HTTP proxy.
>${fwcmd} add pass tcp from any to any 1080,3306,5222,5223,5269,6667,8000,8080 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 1080,3306,5222,5223,5269,6667,8000,8080 in via fxp0 keep-state
>
># additional eMule ports
>${fwcmd} add pass tcp from any to any 2323,4242,4243,4661-4672,7700-7800 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 2323,4242,4243,4661-4672,7700-7800 in via fxp0 keep-state
>
># Allowing DNS lookups.
>${fwcmd} add pass tcp from any to any 53 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 53 in via fxp0 keep-state
>${fwcmd} add pass udp from any 53 to any in via fxp0 keep-state
>
>#${fwcmd} add pass tcp from any to any 53 out via fxp0 setup keep-state
>#${fwcmd} add pass udp from any to any 53 out via fxp0 keep-state
>
>######################### ICMP #########################
>
># Allowing outgoing PINGs.
># Allowing "Destination Unreachable" "Source Quench" "Time Exceeded" and
># "Bad Header".
>${fwcmd} add pass icmp from any to any icmptypes 0,3,4,8,11,12
>
># Allowing IP fragments to pass through.
>${fwcmd} add 65000 pass all from any to any frag
>
># Everything else is suspect
>${fwcmd} add drop log ip from any to any
> ;;
>
>----------------------------------------------------------------------------
>
>
>
>
>
>_______________________________________________
>freebsd-ipfw@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.0.0.22.2.20031208104427.029dc538>
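The exchange above turns on one point: with net.link.ether.bridge_ipfw=1, bridged Ethernet frames that are not IP (ARP above all) walk the same rule chain as IP packets, and the only rules that can match them are ones with no IP-specific condition, so a catch-all "deny ip from any to any" eats them. The following is an added illustration, not code from either post. It is a deliberately small model of ipfw2 rule matching that assumes: a frame without an IP header can never satisfy a protocol, address, port, frag, setup/established or icmptypes condition; only layer2, mac-type, in/out and via, or the absence of any condition, can select it; a matching pipe rule falls through to the next rule (net.inet.ip.fw.one_pass=0, as in the sysctl.conf above); and the ipfw2 rule form "pass ip from any to any layer2 mac-type arp" is the layer-2 way to let ARP through. The condensed ruleset, its numbers and the addresses (198.51.100.0/27 standing in for the masked 202.179.xxx.xxx/27) are constructed; the rule "udp from 0.0.0.0 2054 to 0.0.0.0" is kept because the original rc.firewall uses it for ARP (2054 is EtherType 0x0806 in decimal), and in the model it cannot match a frame that has no UDP header.

```python
"""Model of how an ipfw2 chain on a bridge sees a non-IP layer-2 frame.
Constructed illustration; rule numbers and addresses are invented."""
import ipaddress
import shlex

ETHERTYPES = {"ip": 0x0800, "ipv4": 0x0800, "arp": 0x0806, "rarp": 0x8035,
              "vlan": 0x8100, "ipv6": 0x86DD}
IP_ONLY = {"frag", "setup", "established", "icmptypes", "iplen"}
HAS_ARG = {"via", "recv", "xmit", "mac-type", "logamount", "icmptypes", "iplen"}
OPTIONS = IP_ONLY | HAS_ARG | {"in", "out", "layer2", "log", "keep-state"}


def parse_rule(line):
    """'[${fwcmd}] add [N] action [log] [proto from src [ports] to dst [ports]] [options]'."""
    tok = shlex.split(line)
    tok = tok[tok.index("add") + 1:]
    r = {"num": None, "action": None, "proto": None, "src": "any", "dst": "any",
         "sport": None, "dport": None, "dir": None, "via": None,
         "layer2": False, "mac_type": None, "ip_only": set()}
    if tok[0].isdigit():
        r["num"] = int(tok.pop(0))
    r["action"] = tok.pop(0)
    if r["action"] == "pipe":
        tok.pop(0)                              # pipe number, irrelevant here
    while tok and tok[0] == "log":              # 'log' may precede the protocol
        tok.pop(0)
    if tok and tok[0] != "from" and tok[0] not in OPTIONS:
        r["proto"] = tok.pop(0)
    if tok and tok[0] == "from":
        tok.pop(0)
        r["src"] = tok.pop(0)
        if tok[0] != "to":
            r["sport"] = tok.pop(0)
        tok.pop(0)                              # 'to'
        r["dst"] = tok.pop(0)
        if tok and tok[0] not in OPTIONS:
            r["dport"] = tok.pop(0)
    while tok:
        t = tok.pop(0)
        arg = tok.pop(0) if t in HAS_ARG else None
        if t in ("via", "recv", "xmit"):
            r["via"] = arg
        elif t == "mac-type":
            r["mac_type"] = ETHERTYPES.get(arg) or int(arg, 0)
        elif t in ("in", "out"):
            r["dir"] = t
        elif t == "layer2":
            r["layer2"] = True
        elif t in IP_ONLY:
            r["ip_only"].add(t)
        elif t not in OPTIONS:
            raise ValueError("unsupported option %r in %r" % (t, line))
    return r


def parse_ruleset(text):
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def _port_ok(port, spec):
    """ipfw port lists: '22', '80,443', '20-21,23'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def matches(rule, frame):
    """frame['ip'] is None for a non-IP frame (assumption: then no IP-level
    condition can match, only layer-2 and interface conditions are compared)."""
    ip = frame["ip"]
    ip_condition = (rule["proto"] not in (None, "ip", "all") or rule["src"] != "any"
                    or rule["dst"] != "any" or rule["sport"] or rule["dport"]
                    or rule["ip_only"])
    if ip is None and ip_condition:
        return False
    if rule["layer2"] and not frame["layer2"]:
        return False
    if rule["mac_type"] is not None and (not frame["layer2"]
                                         or frame["ethertype"] != rule["mac_type"]):
        return False
    if rule["dir"] and rule["dir"] != frame["dir"]:
        return False
    if rule["via"] and rule["via"] != frame["iface"]:
        return False
    if ip is None:
        return True
    if rule["proto"] not in (None, "ip", "all") and rule["proto"] != ip["proto"]:
        return False
    for spec, addr in ((rule["src"], ip["src"]), (rule["dst"], ip["dst"])):
        if spec != "any" and ipaddress.ip_address(addr) not in ipaddress.ip_network(spec, strict=False):
            return False
    for spec, port in ((rule["sport"], ip.get("sport")), (rule["dport"], ip.get("dport"))):
        if spec and (ip["proto"] not in ("tcp", "udp") or port is None or not _port_ok(port, spec)):
            return False
    # frag/setup/established/... are modelled as booleans the test packet declares
    return all(ip.get(opt, False) for opt in rule["ip_only"])


def walk(rules, frame):
    """(rule number, action) of the first terminal match. check-state is skipped
    (no dynamic state here); a matching pipe rule falls through (one_pass=0);
    the default rule 65535 denies, as in a kernel without IPFIREWALL_DEFAULT_TO_ACCEPT."""
    for r in rules:
        if r["action"] == "check-state" or not matches(r, frame):
            continue
        if r["action"] != "pipe":
            return r["num"], r["action"]
    return 65535, "deny"


def arp_frame(iface, direction):
    return {"layer2": True, "ethertype": 0x0806, "iface": iface, "dir": direction, "ip": None}


def ip_packet(iface, direction, **ip):          # a bridged IP frame is also a layer-2 frame
    return {"layer2": True, "ethertype": 0x0800, "iface": iface, "dir": direction, "ip": ip}


# Constructed cut of the rc.firewall in the thread; 198.51.100.9 is the bridge's own address.
ORIGINAL = """
${fwcmd} add 10 check-state
${fwcmd} add 20 deny all from any to 10.0.0.0/8 via fxp0
${fwcmd} add 21 deny all from 10.0.0.0/8 to any via fxp0
${fwcmd} add 26 deny all from any to 0.0.0.0/8 via fxp0
${fwcmd} add 61 pipe 42 all from any to 198.51.100.0/27 in via fxp0
${fwcmd} add 100 pass tcp from any to any established
${fwcmd} add 220 pass ip from 198.51.100.9 to any
${fwcmd} add 300 pass all from any to any via lo0
${fwcmd} add 301 pass udp from 0.0.0.0 2054 to 0.0.0.0
${fwcmd} add 400 pass ip from any to any in via fxp1
${fwcmd} add 500 pass log tcp from any to any 22 in via fxp0 setup keep-state
${fwcmd} add 65000 pass all from any to any frag
${fwcmd} add 65100 drop log ip from any to any
"""
# Same chain with rule 301 written the ipfw2 way.
FIXED = ORIGINAL.replace("pass udp from 0.0.0.0 2054 to 0.0.0.0",
                         "pass ip from any to any layer2 mac-type arp")

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("fixed", FIXED)):
        rules = parse_ruleset(text)
        for iface, d in (("fxp0", "in"), ("fxp0", "out"), ("fxp1", "in")):
            print(name, "ARP", d, iface, "->", walk(rules, arp_frame(iface, d)))
```

Run as a script it prints, for the original chain, that an ARP frame entering or leaving fxp0 reaches rule 65100 and is dropped (only the "in via fxp1" rule, which carries no IP condition, passes ARP on the inside), and that the layer2/mac-type form of rule 301 passes ARP on every interface. The model is a reading aid for the rules, not a substitute for checking on the box: on the real bridge, `ipfw -a list` shows which rule's counters grow while ARP is failing, and `ipfw add 1 count layer2 mac-type arp` at the top counts ARP frames without changing what the chain does.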