Date:      Fri, 31 May 2002 19:41:48 -0400
From:      "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To:        "Jon Larssen" <jonlarssen@hotmail.com>
Cc:        "FBSDQ" <questions@FreeBSD.ORG>
Subject:   RE: IPFW + NATD + stateful ruleset?
Message-ID:  <MIEPLLIBMLEEABPDBIEGCEKHCBAA.barbish@a1poweruser.com>
In-Reply-To: <F160cZK7VtzsHmIWwUj0000ec91@hotmail.com>


IPFW has 3 different rule categories: stateless, simple stateful (setup/established),
and advanced stateful (check-state/keep-state). Stateless rules are very primitive;
they allow or deny individual packet types and have no knowledge of the session
conversation. Simple stateful is basically a rule file logic coding technique to
group tcp packets together in the rules file. It has minimal knowledge of the session
conversation. Advanced stateful, which first became part of IPFW in FBSD
version 4.0, uses a dynamic rules table which tracks the packet session conversation
of the bi-directional exchange of packets between your FBSD host and the
remote system.

If you are going to use IPFW for your firewall you should use advanced stateful rules
exclusively, as they provide the max in firewall protection.

Now here is the problem: advanced stateful rules are not documented in the
FBSD handbook, and the sample rules files that come with FBSD are outdated and provide
no comments about how the rules are intended to be used. The man page on ipfw is, as
usual, very hard to understand, as it just lists the values that can be used in the rule
context. Nowhere does it describe how to organize the rules in the rules file for
functional control. Compounded on top of this is the question about using the user
ppp -nat function or IPFW's built-in divert natd function. Advanced stateful rules and
IPFW's built-in divert natd function are very hard to get to function correctly for a
LAN behind the firewall.

The bottom line is most inexperienced firewall builders should use advanced
stateful rules and the user ppp -nat function for modem dialup stand-alone FBSD
workstations and firewall servers with LANs behind them. For DSL and cable internet
connections you have to use the IPFW built-in divert natd rule with advanced
stateful rules. Many users never get this configuration to function correctly.
This is what I believe you are referring to.

I have stumbled into the solution to this problem after many months of testing.
This solution has only been tested on FBSD version 4.5.
There cannot be any rules before the divert natd rule, and all private LAN
NIC interface devices must have keep-state on the rule so they get in sync with
the keep-state dynamic table rules for the DSL or cable internet connection
interface. See rule 500 below.


Content of /etc/ipfw.rules.conf

#   These rules can be reloaded without rebooting by issuing this command
#   sh /etc/ipfw.rules.conf

/sbin/ipfw -q -f flush

# Set rules command prefix
# The -q option on the command is for quiet mode:
# do not display rules as they load. Remove during development to see them.
cmd="/sbin/ipfw -q add"

# Set defaults
oif="rl0"                    # NIC card to cable modem public internet connection
odns1="241.250.241.250"      # ISP's dns server IP address

$cmd 00200 divert natd all from any to any via $oif


########  control section  ############################################
# Start of IPFW advanced Stateful Filtering using "dynamic" rules.
# The check-state statement behavior is to match bi-directional packet traffic
# flow between source and destination using protocol/IP/port/sequence number.
# The dynamic rule has a limited lifetime which is controlled by a set of
# sysctl(8) variables. The lifetime is refreshed every time a matching
# packet is found in the dynamic table.

# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
$cmd 00400 check-state

# Run all private LAN xl0 packet traffic through the dynamic rules
# table so the IP addresses are in sync with natd.
$cmd 00500 allow all from any to any via xl0 keep-state

# Deny all fragments as bogus packets
$cmd 00530 deny all from any to any frag in via $oif

# Deny  ACK packets that did not match the dynamic rule table
$cmd 00540 deny tcp from any to any established in via $oif

########  outbound section  ############################################
# Interrogate packets originating from behind the firewall, private net.
# Upon a rule match, its keep-state option will create a dynamic rule.

# Allow out non-secure standard http function
$cmd 00600 allow tcp  from any to any 80  out via $oif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00601 allow tcp  from any to any 443 out via $oif setup keep-state

# Allow out access to my ISP's Domain name server.
$cmd 00610 allow tcp  from any to $odns1 53 out via $oif setup keep-state
$cmd 00611 allow udp  from any to $odns1 53 out via $oif keep-state

# Allow out send & get email function
$cmd 00630 allow tcp from any to any 25,110 out via $oif setup keep-state

# Allow out & in FBSD (make install & CVSUP)  functions
# Basically give user id [ROOT]  "GOD"  privileges.
$cmd 00640 allow tcp from me to any out via $oif setup keep-state uid root

########  inbound section  ############################################
# Interrogate packets originating from in front of the firewall, public net.

# Allow in www http access to my apache server
$cmd 00800 allow tcp from any to any 80 in via $oif setup keep-state limit src-addr 4

# Allow TCP FTP control channel in & data channel out
$cmd 00810 allow tcp from any to me 21 in via $oif setup keep-state limit src-addr 4
$cmd 00811 allow tcp from any 20 to any 1024-49151 out via $oif setup keep-state limit src-addr 4

# Allow in ssh function
$cmd 00820 allow log tcp from any to me 22 in via $oif setup keep-state limit src-addr 4

# Allow in Telnet
$cmd 00830 allow tcp from any to me 23 in via $oif setup keep-state limit src-addr 4

This is just a sample from which you can build. The main thing is it
demonstrates how to code and organize your advanced stateful rules file.

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jon Larssen
Sent: Friday, May 31, 2002 11:32 AM
To: freebsd-questions@freebsd.org
Subject: IPFW + NATD + stateful ruleset?

Hello,

from reading the list archives it seems that currently a stateful IPFW rule
in a box that also does the NAT doesn't work well. Granted, I need to study
more on the subject; but, can I still use a stateful rule in the non-NATted
interface? (the public one)

Best regards,
Jon. (Enjoy the World Cup)



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
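Added example, not part of the post or of FreeBSD: a small Python checker that applies the two ordering constraints Joe states for a divert natd ruleset (no rule numbered below the divert natd rule; every rule on the private LAN interface, assumed here to be xl0, carries keep-state) and also flags a bare `keep` left behind by line-wrapping. The ruleset embedded in it is a constructed excerpt in the style of the post.

```python
import re

# Constructed excerpt of a ruleset in the style of the post (not the full file),
# written as the rule text that follows "ipfw -q add".
SAMPLE_RULES = """
00200 divert natd all from any to any via rl0
00400 check-state
00500 allow all from any to any via xl0 keep-state
00530 deny all from any to any frag in via rl0
00540 deny tcp from any to any established in via rl0
00600 allow tcp from any to any 80 out via rl0 setup keep-state
"""

# rule number, action keyword, and the (possibly empty) rest of the rule
RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+(.*))?$")


def parse_rules(text):
    """Return a list of (number, action, body) tuples, one per non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        rules.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return rules


def check_ruleset(text, lan_if="xl0"):
    """Apply the post's ordering constraints and return a list of findings."""
    rules = parse_rules(text)
    if not rules:
        return ["empty ruleset"]
    findings = []
    # 1. the lowest-numbered rule must be the divert natd rule
    lowest = min(rules, key=lambda r: r[0])
    if not (lowest[1] == "divert" and lowest[2].startswith("natd")):
        findings.append(f"rule {lowest[0]:05d} precedes the divert natd rule")
    for num, action, body in rules:
        # 2. every rule naming the private LAN interface must keep state
        if re.search(rf"\bvia {re.escape(lan_if)}\b", body) and "keep-state" not in body:
            findings.append(f"rule {num:05d} on {lan_if} lacks keep-state")
        # a bare 'keep' is not an ipfw option; it is usually a wrapped 'keep-state'
        if re.search(r"\bkeep\b(?!-state)", body):
            findings.append(f"rule {num:05d} has 'keep' without '-state'")
    return findings
```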
