Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 3 Nov 2013 08:04:20 -0800
From:      Payam Chychi <pchychi@gmail.com>
To:        Casey Scott <casey@scottmail.org>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: NAT/ipfw blocking internal traffic
Message-ID:  <CF592C15C48942B1A7DB05E5DBE51834@gmail.com>
In-Reply-To: <1695827686.288.1383250242478.JavaMail.root@phantombsd.org>
References:  <789665157.296.1383076677766.JavaMail.root@phantombsd.org> <1695827686.288.1383250242478.JavaMail.root@phantombsd.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Fo you have logs of whats being dropped? 



-- 
Payam Chychi
Network Engineer / Security Specialist


On Thursday, October 31, 2013 at 1:10 PM, Casey Scott wrote:

> Hello,
> 
> My NAT and ipfw ruleset follow almost exactly what is given at
> http://www.freebsd.org/doc/handbook/firewalls-ipfw.html
> 
> The problem I'm encountering is that a portion of my outbound internal
> traffic is being blocked by ipfw. This is a fresh Freebsd installaion, so
> I'm kind of at a loss since the config matches the handbook. Any suggestions
> are appreciated.
> 
> uname -a
> ***********************************************
> FreeBSD hostname 9.2-RELEASE FreeBSD 9.2-RELEASE #6 r256447: Fri Oct 18
> 20:06:53 PDT 2013 root@hostname:/usr/src/sys/amd64/compile/hostname
> amd64
> ***********************************************
> 
> /var/log/security:
> ***********************************************
> Oct 29 10:14:46 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80
> 192.168.1.6:61681 in via fxp0
> Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80
> 192.168.1.6:61681 in via fxp0
> Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80
> 192.168.1.6:61681 in via fxp0
> Oct 29 10:14:54 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61915
> 174.129.210.177:80 out via fxp0
> Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61876
> 65.126.84.88:80 out via fxp0
> Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61877
> 65.126.84.88:80 out via fxp0
> Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921
> 208.85.40.45:80 out via fxp0
> Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921
> 208.85.40.45:80 out via fxp0
> ***********************************************
> 
> firewall script:
> ***********************************************
> #!/bin/sh
> cmd="ipfw -q add"
> skip="skipto 500"
> pif=fxp0
> ks="keep-state"
> good_tcpo="22,25,37,43,53,80,443"
> 
> ipfw -q -f flush
> 
> $cmd 002 allow all from any to any via em0 # exclude LAN traffic
> $cmd 003 allow all from any to any via lo0 # exclude loopback traffic
> 
> $cmd 100 divert natd ip from any to any in via $pif
> $cmd 101 check-state
> 
> # Authorized outbound packets
> $cmd 136 $skip udp from any to any 53 out via $pif $ks
> $cmd 150 $skip tcp from any to any $good_tcpo out via $pif setup $ks
> $cmd 151 $skip icmp from any to any out via $pif $ks
> $cmd 152 $skip udp from any to any 123 out via $pif $ks
> 
> # Deny all inbound traffic from non-routable reserved address spaces
> $cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private
> IP
> $cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private
> IP
> $cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private
> IP
> $cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
> $cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
> $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
> $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
> $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
> $cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E
> multicast
> 
> # Authorized inbound packets
> $cmd 400 allow tcp from any to me 76 in via $pif setup limit src-addr 2
> $cmd 402 allow ip from any to me 53 in via $pif setup limit src-addr 2
> $cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 2
> $cmd 421 allow tcp from any to me 80 in via $pif setup limit src-addr 2
> 
> $cmd 450 deny log ip from any to any
> 
> # This is skipto location for outbound stateful rules
> $cmd 500 divert natd ip from any to any out via $pif
> ***********************************************
> 
> natd run options:
> ***********************************************
> /sbin/natd -dynamic -m -n fxp0
> ***********************************************
> 
> -Casey
> 
> ----- Forwarded Message ----- 
> 
> Hello,
> 
> My NAT and ipfw ruleset follow almost exactly what is given at
> http://www.freebsd.org/doc/handbook/firewalls-ipfw.html
> 
> The problem I'm encountering is that a portion of my outbound internal
> traffic is being blocked by ipfw. This is a fresh Freebsd installaion, so
> I'm kind of at a loss since the config matches the handbook. Any suggestions
> are appreciated.
> 
> uname -a
> ***********************************************
> FreeBSD hostname 9.2-RELEASE FreeBSD 9.2-RELEASE #6 r256447: Fri Oct 18
> 20:06:53 PDT 2013 root@hostname:/usr/src/sys/amd64/compile/hostname amd64
> ***********************************************
> 
> /var/log/security:
> ***********************************************
> Oct 29 10:14:46 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80
> 192.168.1.6:61681 in via fxp0
> Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80
> 192.168.1.6:61681 in via fxp0
> Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80
> 192.168.1.6:61681 in via fxp0
> Oct 29 10:14:54 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61915
> 174.129.210.177:80 out via fxp0
> Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61876
> 65.126.84.88:80 out via fxp0
> Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61877
> 65.126.84.88:80 out via fxp0
> Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921
> 208.85.40.45:80 out via fxp0
> Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921
> 208.85.40.45:80 out via fxp0
> ***********************************************
> 
> firewall script:
> ***********************************************
> #!/bin/sh
> cmd="ipfw -q add"
> skip="skipto 500"
> pif=fxp0
> ks="keep-state"
> good_tcpo="22,25,37,43,53,80,443"
> 
> ipfw -q -f flush
> 
> $cmd 002 allow all from any to any via em0 # exclude LAN traffic
> $cmd 003 allow all from any to any via lo0 # exclude loopback traffic
> 
> $cmd 100 divert natd ip from any to any in via $pif
> $cmd 101 check-state
> 
> # Authorized outbound packets
> $cmd 136 $skip udp from any to any 53 out via $pif $ks
> $cmd 150 $skip tcp from any to any $good_tcpo out via $pif setup $ks
> $cmd 151 $skip icmp from any to any out via $pif $ks
> $cmd 152 $skip udp from any to any 123 out via $pif $ks
> 
> # Deny all inbound traffic from non-routable reserved address spaces
> $cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
> $cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
> $cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
> $cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
> $cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
> $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
> $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
> $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
> $cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
> 
> # Authorized inbound packets
> $cmd 400 allow tcp from any to me 76 in via $pif setup limit src-addr 2
> $cmd 402 allow ip from any to me 53 in via $pif setup limit src-addr 2
> $cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 2
> $cmd 421 allow tcp from any to me 80 in via $pif setup limit src-addr 2
> 
> $cmd 450 deny log ip from any to any
> 
> # This is skipto location for outbound stateful rules
> $cmd 500 divert natd ip from any to any out via $pif
> ***********************************************
> 
> natd run options:
> ***********************************************
> /sbin/natd -dynamic -m -n fxp0
> ***********************************************
> 
> -Casey
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
> 
> 





Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?CF592C15C48942B1A7DB05E5DBE51834>