Date:      Fri, 7 Jun 2002 10:45:32 -0400
From:      Rob Ellis <rob@web.ca>
To:        Joe & Fhe Barbish <barbish@a1poweruser.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw: 'out via fxp0' rules don't work
Message-ID:  <20020607144532.GD83160@web.ca>
In-Reply-To: <20020607144408.GC83160@web.ca>
References:  <20020606172128.GH18966@web.ca> <MIEPLLIBMLEEABPDBIEGEEDECCAA.barbish@a1poweruser.com> <20020607144408.GC83160@web.ca>

the box is set up like this:

   routable-network --|
   routable-network --|
        192.168.1.1 --|
                      |-- internet

what i was trying to do is allow any outbound traffic 
out to the internet from the internal routable networks
with a keep-state rule. i've already sorted out natd and 
the rules for the 192.168 network.

for the routable (class c) networks, i thought from reading the ipfw
man page that it should be possible to do

  ipfw add allow tcp from any to any out via fxp0 setup keep-state

to allow outbound tcp traffic that wasn't already being allowed.
but it didn't work.

i don't want to do just

  ipfw add allow tcp from $net1 to any setup keep-state

because "any" in this case also includes my other internal networks
which i want to keep firewalled off from each other. so i end
up doing something like

  ipfw add 20000 skipto 20003 tcp from $net1 to $net2
  ipfw add 20001 skipto 20004 tcp from $net1 to $net3
  ipfw add 20002 allow tcp from $net1 to any setup keep-state
  ipfw add 20003 count tcp from $net1 to $net2
  ipfw add 20004 count tcp from $net1 to $net3

repeated for each network, which works, but seems kludgey.

- rob
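The skipto/allow/count block above, generated for any number of internal networks instead of being typed out once per network. This is an added example, not Rob's own script: it keeps his construct (skipto past the single allow ... setup keep-state rule for traffic bound to another internal network, landing on a count rule that just falls through) but uses one count rule per source block as the skipto target rather than one per destination pair. The network addresses are constructed placeholders, and with IPFW unset the script prints the commands instead of loading them; it does not address the original "out via fxp0" question.

```shell
#!/bin/sh
# Added example, not from the thread. Generates one egress block per
# internal network in the style of the message above. With IPFW unset the
# commands are printed; set IPFW="/sbin/ipfw -q add" to load them for real.
IPFW="${IPFW:-echo /sbin/ipfw -q add}"

# egress_block BASE SRC NET... : emit the block for source network SRC.
# For every other listed network a skipto jumps past the allow rule to the
# count rule that closes the block; everything else leaving SRC is matched
# by the single allow ... setup keep-state rule. Rule numbers run from BASE.
egress_block() {
    base=$1; src=$2; shift 2
    others=0
    for n in "$@"; do [ "$n" != "$src" ] && others=$((others + 1)); done
    target=$((base + others + 1))        # number of the closing count rule
    num=$base
    for dst in "$@"; do
        [ "$dst" = "$src" ] && continue
        $IPFW "$num" skipto "$target" tcp from "$src" to "$dst"
        num=$((num + 1))
    done
    $IPFW "$num" allow tcp from "$src" to any setup keep-state
    $IPFW "$target" count tcp from "$src" to any
}

# egress_rules BASE NET... : one block per listed network, numbered back to
# back starting at BASE. Each block uses (number of networks + 1) rule
# numbers, so BASE must leave room below whatever rules follow.
egress_rules() {
    base=$1; shift
    count=$#
    for src in "$@"; do
        egress_block "$base" "$src" "$@"
        base=$((base + count + 1))
    done
}

# Constructed placeholder networks, not the poster's real address ranges.
egress_rules 20000 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24
```

Run it as is to see the rules it would load; the skipto targets are computed from the block size, so adding a fourth network only changes the argument list.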

On Thu, Jun 06, 2002 at 08:02:17PM -0400, Joe & Fhe Barbish wrote:
> Rob
> You are not clear about what you are trying to do.
> Saying you have 4 interfaces that are intended to allow outbound
> connections leaves one guessing. Does this mean you have 4 Nic cards
> each connected to different isp account, or 4 Nic cards servicing
> private internal Lans?
> 
> The keep-state option builds an entry in the dynamic rules table for
> automatic bi-directional packet exchange and is normally used just
> on the public interface.
> 
> 
> Advanced stateful rules and IPFW's built in divert natd function are
> very hard to get to function correctly for a LAN behind the firewall.
> 
> I have stumbled into the solution to this problem after many months of
> testing.
> This solution has only been tested on FBSD version 4.5.
> All private LAN Nic interface devices must have a keep-state rule
> so they get in sync with the keep-state dynamic table rules for the
> DSL or Cable internet connection interface.
> 
> The order of private Lan rules before the public out & in rules,
> both of which have to come after the divert natd rule, is very important.
> 
> See rule 500 below.
> 
> 
> Content of /etc/ipfw.rules.conf
> 
> #   These rules can be reloaded with out rebooting by issuing this command
> #   sh /etc/ipfw.rules.conf
> 
> /sbin/ipfw -q -f flush
> 
> # Set rules command prefix
> # The -q option on the command is for quiet mode.
> # Do not display rules as they load. Remove during development to see.
> cmd="/sbin/ipfw -q add"
> 
> # Set defaults
> oif="rl0"                    # Nic card to DSL modem public internet connection
> odns1="241.250.241.250"      # ISP's dns server IP address
> 
> $cmd 00200 divert natd all from any to any via $oif
> 
> 
> ########  control section  ############################################
> # Start of IPFW advanced Stateful Filtering using "dynamic" rules.
> # The check-state statement behavior is to match bi-directional packet traffic
> # flow between source and destination using protocol/IP/port/sequence number.
> 
> # Allow the packet through if it has previously been added to the
> # "dynamic" rules table by an allow keep-state statement.
> $cmd 00400 check-state
> 
> # Run all private LAN xl0 packet traffic through the dynamic rules
> # table so the IP addresses are in sync with Natd. You would have one
> # rule like this for each Nic card you have for private lans.
> $cmd 00500 allow all from any to any via xl0 keep-state
> 
> # Deny all fragments coming in as bogus packets
> $cmd 00530 deny all from any to any frag in via $oif
> 
> # Deny  ACK packets that did not match the dynamic rule table
> $cmd 00540 deny tcp from any to any established in via $oif
> 
> ########  outbound section  ############################################
> # Interrogate packets originating from behind the firewall, private net.
> # Upon a rule match, its keep-state option will create a dynamic rule.
> 
> # Allow out non-secure standard http function
> $cmd 00600 allow tcp  from any to any 80  out via $oif setup keep-state
> 
> # Allow out secure www function https over TLS SSL
> $cmd 00601 allow tcp  from any to any 443 out via $oif setup keep-state
> 
> # Allow out access to my ISP's Domain name server.
> $cmd 00610 allow tcp  from any to $odns1 53 out via $oif setup keep-state
> $cmd 00611 allow udp  from any to $odns1 53 out via $oif keep-state
> 
> # Allow out send & get email function
> $cmd 00630 allow tcp from any to any 25,110 out via $oif setup keep-state
> 
> # Allow out FBSD (make install & CVSUP)  functions
> # Basically give user id [ROOT]  "GOD"  privileges.
> $cmd 00640 allow tcp from me to any out via $oif setup keep-state uid root
> 
> ########  inbound section  ############################################
> # Interrogate packets originating from in front of the firewall, public net.
> 
> # Allow in www http access to my apache server
> $cmd 00800 allow tcp from any to any 80 in via $oif setup keep-state limit src-addr 4
> 
> # Allow  TCP FTP control channel in & data channel out
> $cmd 00810 allow tcp from any to me 21  in via $oif setup keep-state limit src-addr 4
> $cmd 00811 allow tcp from any 20 to any 1024-49151 out via $oif setup keep-state limit src-addr 4
> 
> # Allow in ssh function
> $cmd 00820 allow log tcp from any to me 22 in via $oif setup keep-state limit src-addr 4
> 
> # Allow in Telnet
> $cmd 00830 allow tcp from any to me 23 in via $oif setup keep-state limit src-addr 4
> 
> This is just a sample from which you can build. The main thing is it
> demonstrates how to code and organize your advanced stateful rules file.
> 
> Joe
> 
> 
> 
> 
> 
> 
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Rob Ellis
> Sent: Thursday, June 06, 2002 1:21 PM
> To: freebsd-questions@FreeBSD.ORG
> Subject: ipfw: 'out via fxp0' rules don't work
> 
> i have the following rules, on a box with 4 interfaces,
> that are intended to allow outbound connections...
> 
>   ipfw add allow udp from any to any out xmit fxp0 keep-state
>   ipfw add allow tcp from any to any out xmit fxp0 setup keep-state
> 
> but this doesn't work as i thought it would. for instance,
> 'in via xl0' packets are still being blocked.
> 
> i also tried
> 
>   ipfw add allow udp from any to any out recv xl0 xmit fxp0 keep-state
>   ipfw add allow tcp from any to any out recv xl0 xmit fxp0 setup keep-state
> 
> which also didn't work. the packets i want to allow are indeed coming
> in via xl0 and out via fxp0, but the error is always like:
> 
> > Jun  6 12:46:30 myname /kernel: ipfw: 22901 Deny TCP xxx.xxx.xxx.xxx:3325 yyy.yyy.yyy.yyy:80 in via xl0
> 
> a rule like
> 
>   ipfw add allow tcp from xxx.xxx.xxx.0/24 to any 80 setup keep-state
> 
> does work, but i want to firewall off the internal networks
> from each other, and i didn't want to get into any more
> skipto rules...
> 
> in short, interface-based in/out rules don't seem to work.
> 
> anyone have any ideas? i am just not understanding how the interface-based
> rules are supposed to work?
> 
> the firewall box is running 4.5-RELEASE-p4.
> 
> thanks.
> 
> - rob
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 

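Joe's reply rests on one ordering invariant: divert natd, then check-state, then the private-LAN keep-state rule, and only then the public "out via $oif" rules. The following added lint (not part of the thread, and not Joe's file) checks that order statically in a rules file written in his style, where every rule line starts with the literal word `$cmd` and the public interface is referenced as `$oif`. The sample files it checks are constructed here; it inspects rule numbers in the file only and says nothing about how ipfw actually evaluates them.

```shell
#!/bin/sh
# Added example, not from the thread. Lints a rules file in the style of the
# reply above: rule lines look like "$cmd 00500 allow ...". It assumes the
# literal tokens $cmd and $oif are used as in that file.

# first_rule FILE PATTERN: print the rule number of the first "$cmd" line
# whose text matches PATTERN (an awk regular expression), or nothing.
first_rule() {
    awk -v pat="$2" '$1 == "$cmd" && $0 ~ pat { print $2 + 0; exit }' "$1"
}

# check_order FILE LANIF: return 0 when divert natd < check-state <
# keep-state rule for LANIF < first public "out via $oif" rule, otherwise
# print the first violation and return 1.
check_order() {
    f=$1; lanif=$2
    nat=$(first_rule "$f" 'divert natd')
    cs=$(first_rule "$f" 'check-state')
    lan=$(first_rule "$f" "via $lanif keep-state")
    pub=$(first_rule "$f" 'out via [$]oif')
    for v in "divert natd:$nat" "check-state:$cs" "LAN keep-state:$lan" "public out:$pub"; do
        case $v in *:) echo "missing rule: ${v%:}"; return 1;; esac
    done
    [ "$nat" -lt "$cs" ]  || { echo "divert natd ($nat) must precede check-state ($cs)"; return 1; }
    [ "$cs" -lt "$lan" ]  || { echo "check-state ($cs) must precede LAN keep-state ($lan)"; return 1; }
    [ "$lan" -lt "$pub" ] || { echo "LAN keep-state ($lan) must precede public out rules ($pub)"; return 1; }
    echo "order ok: natd $nat < check-state $cs < LAN keep-state $lan < public out $pub"
}

# Constructed sample files (placeholders, not the poster's real file).
GOOD=$(mktemp); BAD=$(mktemp)
cat >"$GOOD" <<'EOF'
cmd="/sbin/ipfw -q add"
oif="rl0"
$cmd 00200 divert natd all from any to any via $oif
$cmd 00400 check-state
$cmd 00500 allow all from any to any via xl0 keep-state
$cmd 00600 allow tcp from any to any 80 out via $oif setup keep-state
EOF
# Same rules, but the LAN keep-state rule numbered after the public out rule.
cat >"$BAD" <<'EOF'
cmd="/sbin/ipfw -q add"
oif="rl0"
$cmd 00200 divert natd all from any to any via $oif
$cmd 00400 check-state
$cmd 00600 allow tcp from any to any 80 out via $oif setup keep-state
$cmd 00700 allow all from any to any via xl0 keep-state
EOF

check_order "$GOOD" xl0
check_order "$BAD" xl0 || true   # prints the violation; "|| true" keeps going
```

Point it at a real file with `check_order /etc/ipfw.rules.conf xl0` before running `sh` on it; the check is deliberately textual, so a rule hidden behind a different variable name than `$cmd` or `$oif` will be reported as missing rather than silently passed.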