Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 16 Feb 2002 04:36:50 -0800
From:      "Crist J. Clark" <cjc@FreeBSD.ORG>
To:        Joe & Fhe Barbish <barbish@a1poweruser.com>
Cc:        FBSD <freebsd-questions@FreeBSD.ORG>
Subject:   Re: IPFW check-state rules
Message-ID:  <20020216043650.F36782@blossom.cjclark.org>
In-Reply-To: <LPBBIGIAAKKEOEJOLEGOMEKHCHAA.barbish@a1poweruser.com>; from barbish@a1poweruser.com on Fri, Feb 15, 2002 at 12:22:17PM -0500
References:  <LPBBIGIAAKKEOEJOLEGOMEKHCHAA.barbish@a1poweruser.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Fri, Feb 15, 2002 at 12:22:17PM -0500, Joe & Fhe Barbish wrote:
> My FBSD box is a gateway to a small lan of 3 winboxs.
> I have used a rule set based on the basic established/setup
> rules for a simple Stateful Filtering firewall.
> I changed my rules to use advanced Stateful Filtering based
> on check-state/keep-state. The new rules work fine for every
> thing originating from the FBSD gateway box, but anything
> originating from the lan needing internet access does not work
> and generates this error message
> Failed to write packet back(permission denied).
> 
> What am I missing?

Here's what happens:

  1) Machine on internal LAN sends out a SYN to some server on the
     Internet (192.0.2.100),

      10.100.100.2:1025 -> 192.0.2.100:80

  2) Packet goes in interface xl0, passes rule 110, gets routed,
     yada-yada. 

  3) Packet goes through firewall rules on way out of tun0, hits rule
     10, diverted to natd(8), and rewritten as,

     110.170.155.117:4240 -> 192.0.2.100:80

    And natd(8) creates a state entry in its internal table for this
    connection.

  4) Rewritten packet reinjected to firewall, passes rule 600 and
     creates a state entry for,

     110.170.155.117:4240 <-> 192.0.2.100:80

     And packet goes out onto Internet.

  5) 192.0.2.100 responds and sends back the SYN-ACK,

     192.0.2.100:80 -> 110.170.155.117:4240

  6) The response comes in tun0, starts through firewall, matches rule
     10 and goes to natd(8). natd(8) has an entry for this and
     rewrites the packet to,

     192.0.2.100:80 -> 10.100.100.2:1025

  7) This packet is reinjected into the firewall and goes on... and
     falls through. It does NOT match any 'pass' rules. It hits the
     default 'deny,' and when this happens, natd(8) compains that it
     failed to write the packet back.

What happened in step (7)? Note that when the packet we got in step
(6) comes down to the (gratuitous) 'check-state' rule 500, it does NOT
match the state we generated in step (4).

> Below is my rule set, please review.
> 
> oif="tun0"
> odns1="208.226.115.111"      # ISP's dns server 1 IP address
> odns2="208.226.115.112"      # ISP's dns server 2 IP address
> oip="110.170.155.117/24"     # For testing from standalone pc
> 
> iif="xl0"                    # Nic card
> iip="10.100.100.1/24"        # IP address range for LAN Nic card
> 
> 
> ${fwcmd} add 00010 divert natd all from any to any via ${oif}
> 
> 
> # Internal gateway housekeeping
> ${fwcmd} add 00100 allow ip from any to any via lo0  # allow all localhost
> ${fwcmd} add 00110 allow ip from any to any via xl0  # allow all local LAN
> ${fwcmd} add 00120 allow ip from any to any via tun1 # allow all dialin call
> 1
> ${fwcmd} add 00130 allow ip from any to any via tun2 # allow all dialin call
> 2
> ${fwcmd} add 00150 deny  ip from any to 127.0.0.0/8  # deny use of localhost
> IP
> ${fwcmd} add 00155 deny  ip from 127.0.0.0/8 to any  # deny use of localhost
> IP
> 
> 
> 
> ########  outbound section  ############################################
> 
> ${fwcmd} add 00500 check-state
> 
> 
> # Allow out www function
> ${fwcmd} add 00600 allow tcp  from ${iip} to any 80      out via ${oif}
> setup keep-state
> 
> # Allow out access to my ISP's Domain name server.
> ${fwcmd} add 00610 allow tcp  from me to ${odns1} 53 out via ${oif} setup
> keep-state
> ${fwcmd} add 00611 allow udp  from me to ${odns1} 53 out via ${oif}
> keep-state
> ${fwcmd} add 00615 allow tcp  from me to ${odns2} 53 out via ${oif} setup
> keep-state
> ${fwcmd} add 00616 allow udp  from me to ${odns2} 53 out via ${oif}
> keep-state
> 
> # Allow out access to internet Domain name server.
> ${fwcmd} add 00618 allow tcp  from me to any      53 out via ${oif} setup
> keep-state
> ${fwcmd} add 00619 allow udp  from me to any      53 out via ${oif}
> keep-state
> 
> # Allow out email function
> ${fwcmd} add 00630 allow tcp  from me to any 25,110  out via ${oif} setup
> keep-state
> 
> # Allow out FBSD CVSUP function
> ${fwcmd} add 00640 allow tcp  from me to any 5999        out via ${oif}
> setup keep-state
> 
> # Allow out ping
> ${fwcmd} add 00650 allow icmp from me to any         out via ${oif}
> keep-state
> 
> # Allow out FTP
> ${fwcmd} add 00670 allow tcp  from me to any 21      out via ${oif} setup
> keep-state
> 
> # Allow out TELNET
> ${fwcmd} add 00690 allow tcp  from me to any 23      out via ${oif} setup
> keep-state
> 
> # Allow out Network Time Protocol (NTP) queries
> ${fwcmd} add 00695 allow udp  from me to any 123     out via ${oif}
> keep-state
> 
> 
> ########  inbound section  ############################################
> 
> # Allow in & Log TCP FTP login from public internet
> ${fwcmd} add 00700 allow log tcp from ${oip} to me 21 in via ${oif} setup
> keep-state
> 
> # Allow in ssh function
> ${fwcmd} add 00710 allow log tcp from ${oip} to me 22 in via ${oif} setup
> keep-state
> 
> # Allow in & Log TCP telnet login
> ${fwcmd} add 00720 allow tcp from ${oip} to me 23 in via ${oif} setup
> keep-state
> 
> # Allow in www
> ${fwcmd} add 00730 allow tcp from ${oip} to me 80 in via ${oif} setup
> keep-state
> 
> # This sends a RESET to all ident packets.
> ${fwcmd} add 00740 reset     tcp from any    to me 113   in via ${oif}
> 
> # Stop & log spoofing Attack attempts.
> # Examine incoming traffic for packets with both a source and destination
> # IP address in your local domain as per CIAC prevention alert.
> ${fwcmd} add 00745 deny log ip from me to me  in via ${oif}
> 
> # Reject & Log all setup of incoming connections from the outside
> ${fwcmd} add 00800 deny log all from any to any      in via ${oif}
> 
> # Everything else is denied by default
> # deny and log all packets that fell through to see what they are
> ${fwcmd} add 05000 deny log logamount 500 ip from any to any

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20020216043650.F36782>