Date:      Fri, 31 Aug 2007 05:41:25 +1200
From:      Russell Fulton <r.fulton@auckland.ac.nz>
To:        Russell Fulton <r.fulton@auckland.ac.nz>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: getting state to work properly
Message-ID:  <46D70145.3030708@auckland.ac.nz>
In-Reply-To: <46D66176.9020300@auckland.ac.nz>
References:  <46D66176.9020300@auckland.ac.nz>


Rule set appended -- anonymizing the rule set while keeping the sense
would be a lot of work, and I don't want to trim it down for fear of
dropping something vital.  As this network is not exposed to the
internet and the firewall's primary purpose is traffic shaping, not
security, I'll post it.

Attached.

Russell

Russell Fulton wrote:
> Hi Folks
>
> I have a fair bit of experience with firewalls, particularly pf and also
> iptables, but I have never played with ipfw before.  I have the ipfw man
> page and some of the FreeBSD tutorial stuff to consult -- all looks
> pretty straightforward.
>
> I have inherited an ipfw firewall which I am trying to make some changes
> to.  The current rule set does not use state and is very difficult to
> understand, as filtering is being done on many interfaces (four vlans
> representing the 'inside' and one physical interface being the
> 'outside').  In an attempt to impose some order I rewrote the rule set
> from scratch, doing all the real filtering on the external interface and
> using state to keep track of connections.  Today I had a two hour outage
> to try and make it work and totally failed. (I'm not really surprised...)
>
> My first question is "is there any way of maintaining state over a rule
> reload?"  One way of doing it would be to change the rule set number of
> the running rule set before loading the new rules. Is this possible? But
> this is in the "it would be nice" category.
>
> More importantly I failed to make the state stuff work.
>
> State gets created -- ipfw -ad show shows the dynamic rules with numbers
> in both counters, but the returning packets never appear on either the
> inbound or outbound interfaces (according to tcpdump).  I have log
> logamount 0 on *all* denies but nothing is logged.  I know, from
> monitoring traffic outside the firewall, that the original packets are
> coming out and replies are being sent to the firewall, where they
> silently vanish.
>
> Any ideas appreciated.  My gut feeling is that I'm missing something basic.
>
> If anyone wants to have a look at the rule set I'm happy to mail it to
> them but I don't want it appearing in a public mail archive ;)
>
> Thanks, Russell.
>
> ISO, The University of Auckland, New Zealand.
>

Attachment: ipfw.conf.sh

#!/bin/sh
# the file /etc/ipfw.conf.sh - configuration script for ipfw

disable firewall

# Flush out the list before we begin.

-f flush

#interfaces:
# fxp0 is inside
# fxp1 is outside
# vlan89 is UoA
# vlan90 is a copy of UoA
# vlan94 is guest
# vlan95 is Eduroam

# already established connections continue going through
add 10 check-state

# allow outbound traffic to mailhost from UoA

add 11 allow tcp from 130.216.89.0/24, 130.216.90.0/23  to 130.216.11.210 25, 587, 465 xmit fxp1  setup keep-state

# bad ports that we want to block
add 15 deny log logamount 0 udp from any to any 7,67,68,69,111,134-140,199,445,512,513,520,1993,2049,1900,5000 via fxp1
add 16 deny log logamount 0 tcp from any to any 7,11,15,25,67,68,87,111,134-140,144,199,445,511-516,1025,1993,1900,2049,2766,5000,5999-6020 via fxp1

# multicast rules VRRP (224.0.0.18 is the VRRP group address)

# wgate-1
add 20 allow all from 130.216.89.6 to 224.0.0.18 via vlan89 keep-state
add 21 allow all from 130.216.90.6 to 224.0.0.18 via vlan90 keep-state
add 22 allow all from 130.216.94.6 to 224.0.0.18 via vlan94 keep-state
add 23 allow all from 130.216.95.6 to 224.0.0.18 via vlan95 keep-state

add 24 allow all from 130.216.1.11 to 224.0.0.18 via fxp1 keep-state

#wgate-2
add 25 allow all from 130.216.89.7 to 224.0.0.18 via vlan89 keep-state
# interface name fixed: was 'vlan09', which does not exist, so the rule never matched
add 26 allow all from 130.216.90.7 to 224.0.0.18 via vlan90 keep-state
add 27 allow all from 130.216.94.7 to 224.0.0.18 via vlan94 keep-state
add 28 allow all from 130.216.95.7 to 224.0.0.18 via vlan95 keep-state
add 29 allow all from 130.216.1.12 to 224.0.0.18 via fxp1 keep-state

add 30 allow all from 130.216.4.173 to 224.0.0.18 via fxp1 keep-state
add 31 allow all from 130.216.4.174 to 224.0.0.18 via fxp1 keep-state

# filter traffic to and from main campus on the external interface

# telnet for network management ?? need a better way of doing this!

add 40 allow all from 130.216.4.0/23, 130.216.76.0/23 to any in recv fxp1 setup keep-state

# deny all traffic between vlans  i.e. all traffic coming in on a vlan goes out fxp1

add 01121 deny log logamount 0 all from any to any out recv vlan89 not xmit fxp1
add 01122 deny log logamount 0  all from any to any out recv vlan90 not xmit fxp1
add 01123 deny log logamount 0  all from any to any out recv vlan94 not xmit fxp1
add 01124 deny log logamount 0  all from any to any out recv vlan95 not xmit fxp1

# anti spoofing rules

add 01125 deny log logamount 0  all from not 130.216.89.0/24 to any in recv vlan89 
add 01126 deny log logamount 0  all from not 130.216.90.0/23 to any in recv vlan90 
add 01127 deny log logamount 0  all from not 130.216.94.0/24 to any in recv vlan94 
add 01128 deny log logamount 0  all from not 130.216.95.0/24 to any in recv vlan95 

# allow anything else in from the vlans
add 01135 allow all from 130.216.89.0/24 to any in recv vlan89 
add 01136 allow all from  130.216.90.0/23 to any in recv vlan90 
add 01137 allow all from  130.216.94.0/24 to any in recv vlan94 
# interface name fixed: was bare 'vlan', so traffic from vlan95 fell through to later rules
add 01138 allow all from 130.216.95.0/24 to any in recv vlan95

# allow icmp through fxp1 -- review !!!!

add 01160 allow icmp from any to any  via fxp1 setup keep-state

### dns rules

#add 01167 allow udp from any to 130.216.1.1, 130.216.1.2 53 out xmit fxp1 keep-state
#add 01168 allow tcp from any to 130.216.1.1, 130.216.1.2 53 out xmit fxp1 setup keep-state


# don't forget the loopback interface or some things might break
add 01102 allow all from any to any via lo0 setup keep-state

### Rate limited access to Internet for UoA vlan89

add 01281 allow tcp from 130.216.89.0/24 to any  xmit fxp1 setup keep-state
add 01282 allow all from 130.216.89.0/24 to any  xmit fxp1  keep-state

pipe 1 config mask src-ip 0x000000ff bw 128Kbit/s
###pipe 2 config mask dst-ip 0x000000ff bw 128Kbit/s
#pipe 3 config mask src-ip 0x000000ff bw 128Kbit/s
pipe 4 config mask dst-ip 0x000000ff bw 128Kbit/s

add 01285 pipe 1 all from 130.216.89.0/24 to not 130.216.0.0/16 
#add 01286 pipe 2 all from 130.216.89.0/24 to any 
#add 01287 pipe 3 all from any to 130.216.89.0/24 
add 01288 pipe 4 all from not 130.216.0.0/16 to 130.216.89.0/24 

### Rate limited access to Internet for UoA vlan90

add 01301 allow tcp from 130.216.90.0/23 to any  xmit fxp1 setup keep-state
add 01302 allow all from 130.216.90.0/23 to any  xmit fxp1 keep-state

pipe 11 config mask src-ip 0x000001ff bw 128Kbit/s
#pipe 12 config mask dst-ip 0x000001ff bw 128Kbit/s
#pipe 13 config mask src-ip 0x000001ff bw 128Kbit/s
pipe 14 config mask dst-ip 0x000001ff bw 128Kbit/s

#add 01305 pipe 11 all from 130.216.90.0/23 to not 130.216.0.0/16  
#add 01306 pipe 12 all from 130.216.90.0/23 to any 
#add 01307 pipe 13 all from any to 130.216.90.0/23 
#add 01308 pipe 14 all from not 130.216.0.0/16  to 130.216.90.0/23 

### campus access for Guests and Student to UoA network vlan94

add 02300 allow tcp from 130.216.94.0/24 to 130.216.0.0/16   xmit fxp1 setup keep-state
add 02301 allow all from 130.216.94.0/24 to 130.216.0.0/16   xmit fxp1  keep-state

### Eduroam access to Internet vlan95

add 02410 allow tcp from 130.216.95.0/24 to any out xmit fxp1 setup keep-state
add 02411 allow all from 130.216.95.0/24 to any out xmit fxp1  keep-state

pipe 5 config mask src-ip 0x000000ff bw 128Kbit/s
#pipe 6 config mask dst-ip 0x000000ff bw 128Kbit/s
#pipe 7 config mask src-ip 0x000000ff bw 128Kbit/s
pipe 8 config mask dst-ip 0x000000ff bw 128Kbit/s

add 02420 pipe 5 all from 130.216.95.0/24 to not 130.216.0.0/16  
#add 02421 pipe 6 all from 130.216.95.0/24 to any 
#add 02422 pipe 7 all from any to 130.216.95.0/24 
add 02422 pipe 8 all from not 130.216.0.0/16  to 130.216.95.0/24 

# this next one is by default the last one.  You can choose a LARGE number if you
# like.  I chose '6000', you can pick anything up to 65535.  In FreeBSD the rule
# for '65535' is initially defined as 'deny all from any to any' when you load ipfw.

add 06000 deny log logamount 0 all from any to any
enable firewall


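As an added illustration that is not part of the thread: a small Python lint over ipfw `add` lines that flags the slips a hand-maintained rule set like this one accumulates (an interface name that is not one of the declared interfaces, `setup` on a non-TCP rule, a rule number used twice). The interface set and the sample lines are constructed from the posted script, not the full file.

```python
"""Lint ipfw 'add' rule lines for a few pitfalls that make rules silently never match."""
import re

# Constructed sample: a handful of lines modelled on the posted ipfw.conf.sh (not the whole file).
SAMPLE_RULES = """\
add 10 check-state
add 11 allow tcp from 130.216.89.0/24 to 130.216.11.210 25 xmit fxp1 setup keep-state
add 26 allow all from 130.216.90.7 to 224.0.0.18 via vlan09 keep-state
add 01138 allow all from 130.216.95.0/24 to any in recv vlan
add 01160 allow icmp from any to any via fxp1 setup keep-state
add 02422 pipe 8 all from not 130.216.0.0/16 to 130.216.95.0/24
add 02422 pipe 9 all from not 130.216.0.0/16 to 130.216.94.0/24
"""

# Interfaces named in the comment block at the top of the posted script (assumed complete).
KNOWN_IFACES = {"fxp0", "fxp1", "vlan89", "vlan90", "vlan94", "vlan95", "lo0"}
IFACE_RE = re.compile(r"\b(?:via|recv|xmit)\s+(\S+)")


def lint_ipfw(text, known_ifaces=KNOWN_IFACES):
    """Return a list of (rule_number, message) findings for the given rule text."""
    findings, seen = [], set()
    for line in text.splitlines():
        tok = line.split()
        # Only 'add' filter rules carry a 'from' clause; skip comments, pipe config, check-state.
        if len(tok) < 3 or tok[0] != "add" or "from" not in tok:
            continue
        num = tok[1]
        proto = tok[tok.index("from") - 1].lower()  # the protocol is the word before 'from'
        # 1. An interface that was never declared (typo or missing suffix) can never match.
        for iface in IFACE_RE.findall(line):
            if iface not in known_ifaces:
                findings.append((num, f"unknown interface '{iface}'"))
        # 2. 'setup' tests TCP flags: with icmp it never matches, with 'all' only TCP SYNs do.
        if "setup" in tok and proto != "tcp":
            findings.append((num, f"'setup' with proto '{proto}' matches TCP SYN only"))
        # 3. Reusing a number is legal, but 'ipfw delete N' then removes every rule with it.
        if num in seen:
            findings.append((num, "rule number reused"))
        seen.add(num)
    return findings


if __name__ == "__main__":
    for num, msg in lint_ipfw(SAMPLE_RULES):
        print(f"rule {num}: {msg}")
```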
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46D70145.3030708>