From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 4 18:01:57 2004
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6990D16A4CE for ; Sun, 4 Jan 2004 18:01:57 -0800 (PST)
Received: from exchange.wan.no (exchange.wan.no [80.86.128.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4A4EC43D1D for ; Sun, 4 Jan 2004 18:01:51 -0800 (PST) (envelope-from sten.daniel.sorsdal@wan.no)
Date: Mon, 5 Jan 2004 03:01:49 +0100
Message-ID: <0AF1BBDF1218F14E9B4CCE414744E70F5D9518@exchange.wanglobal.net>
Thread-Topic: ipfw2 problem
From: Sten Daniel Sørsdal
To: "Ganbold" ,
Subject: RE: ipfw2 problem
List-Id: IPFW Technical Discussions
X-List-Received-Date: Mon, 05 Jan 2004 02:01:57 -0000

First, although this probably won't help you, this might help someone else optimize their ipfw2 ruleset.

I see a lot of 'in via', which doesn't mean what I suspect you believe it means. 'in via' is two separate options.
'in' means it matches when the packet is incoming.
'via' means it matches when the packet is either received or transmitted on said interface.
Try replacing them with 'in recv' (and 'out xmit' when it's 'out via').
Optimize your rules to do fewer checks;

> ${fwcmd} add 21 deny all from 10.0.0.0/8 to any via fxp0
> ${fwcmd} add 23 deny all from 172.16.0.0/12 to any via fxp0
> ${fwcmd} add 25 deny all from 192.168.0.0/16 to any via fxp0

could be written as;

${fwcmd} add 21 deny via fxp0 src-ip 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

Now it would drop packets from the above nets when a packet enters or exits fxp0.
Also, if I'm not mistaken, 'via fxp0' is less expensive than 'src-ip', so it should go first.

A side note: you could also reorder your rules so that it looks somewhat like this.

add 100 allow via lo0
add 100 check-state
add 101 deny proto icmp iplen 92
add 102 skipto 1000 via fxp0
add 103 skipto 2000 via fxp1
...
add 1000 [ handle rules going in and out on fxp0 here ]
...
add 2000 [ handle rules going in and out on fxp1 here ]
...

This way you don't have to do via/recv/xmit checks on each rule, and packets not concerned with that interface don't get checked.
Also, bridged packets only get checked on 'incoming' - this might have changed in 5.0. Someone please correct me if I'm wrong.
// Sten

>
> ${fwcmd} add 34 deny all from 127.0.0.0/8 to any in via fxp0
>
> ################### stop Welcia/Nachi ###########################
> ${fwcmd} add 35 deny icmp from any to any iplen 92
>
> ####################### DUMMYNET config #########################
>
> ##################### 64KB #######################################
> #
> # selenge
> ${fwcmd} pipe 41 config bw 64kbit/s
> ${fwcmd} pipe 42 config bw 64kbit/s
> ${fwcmd} add 62 pipe 41 all from 202.179.x.x/30 to any in via fxp1
> ${fwcmd} add 63 pipe 42 all from any to 202.179.x.x/30 in via fxp0
>
> # khentii
> ${fwcmd} pipe 43 config bw 64kbit/s
> ${fwcmd} pipe 44 config bw 64kbit/s
> ${fwcmd} add 64 pipe 43 all from 202.179.x.x/30 to any in via fxp1
> ${fwcmd} add 65 pipe 44 all from any to 202.179.x.x/30 in via fxp0
>
> # arkhangai
> ${fwcmd} pipe 45 config bw 64kbit/s
> ${fwcmd} pipe 46 config bw 64kbit/s
> ${fwcmd} add 66 pipe 45 all from 202.179.x.x/30 to any in via fxp1
> ${fwcmd} add 67 pipe 46 all from any to 202.179.x.x/30 in via fxp0
>
> # traffic police
> ${fwcmd} pipe 47 config bw 64kbit/s
> ${fwcmd} pipe 48 config bw 64kbit/s
> ${fwcmd} add 68 pipe 47 all from 202.179.x.x/30,202.179.x.x/28 to any in via fxp1
> ${fwcmd} add 69 pipe 48 all from any to 202.179.x.x/30,202.179.x.x/28 in via fxp0
>
> ##################### 128KB #######################################
> #
> # glencore
> ${fwcmd} pipe 49 config bw 128kbit/s
> ${fwcmd} pipe 50 config bw 128kbit/s
> ${fwcmd} add 70 pipe 49 all from 202.179.x.x/29,202.179.x.x/30 to any in via fxp1
> ${fwcmd} add 71 pipe 50 all from any to 202.179.x.x/29,202.179.x.x/30 in via fxp0
>
> # ikh tenger
> ${fwcmd} pipe 51 config bw 128kbit/s
> ${fwcmd} pipe 52 config bw 128kbit/s
> ${fwcmd} add 72 pipe 51 all from 202.179.x.x/29 to any in via fxp1
> ${fwcmd} add 73 pipe 52 all from any to 202.179.x.x/29 in via fxp0
>
> # xas
> ${fwcmd} pipe 53 config bw 128kbit/s
> ${fwcmd} pipe 54 config bw 128kbit/s
> ${fwcmd} add 74 pipe 53 all from 202.179.x.x/29,202.179.x.x/30 to any in via fxp1
> ${fwcmd} add 75 pipe 54 all from any to 202.179.x.x/29,202.179.x.x/30 in via fxp0
>
>
> ##################### 256KB #######################################
> #mtc
> ${fwcmd} pipe 55 config bw 256kbit/s
> ${fwcmd} pipe 56 config bw 256kbit/s
>
> ${fwcmd} add 76 pipe 55 all from 202.179.x.x/30,202.179.x.x/29 to any in via fxp1
> ${fwcmd} add 77 pipe 56 all from any to 202.179.x.x/30,202.179.x.x/29 in via fxp0
>
> #gtz
> ${fwcmd} pipe 57 config bw 256kbit/s
> ${fwcmd} pipe 58 config bw 256kbit/s
>
> ${fwcmd} add 78 pipe 57 all from 202.179.x.x/28 to any in via fxp1
> ${fwcmd} add 79 pipe 58 all from any to 202.179.x.x/28 in via fxp0
>
> ######################### STANDARDS #########################
> # Allow TCP through if setup succeeded
> ${fwcmd} add 100 pass tcp from any to any established
>
> # Allowing connections through localhost.
> ${fwcmd} add 300 pass all from any to any via lo0
>
> # pass ARP
> ${fwcmd} add 301 allow layer2 mac-type arp
>
> # Allow the inside hosts to say anything they want
> ${fwcmd} add pass tcp from any to any in via fxp1 setup keep-state
> ${fwcmd} add pass udp from any to any in via fxp1 keep-state
> ${fwcmd} add pass ip from any to any in via fxp1
>
> # Allowing SSH,web connection and LOG all incoming connections.
> ${fwcmd} add pass tcp from any to any 22 in via fxp0 setup keep-state
> ${fwcmd} add pass tcp from any to any 80,443 in via fxp0 setup keep-state
>
> # Allowing and LOG all INCOMING, outgoing FTP, telnet, SMTP, POP3, ident, imap connections.
> ${fwcmd} add pass tcp from any to any 20-21,23,25,110,113,143 in via fxp0 setup keep-state
> ${fwcmd} add pass udp from any to any 20-21,23,25,110,113,143 in via fxp0 keep-state
>
> # Pass the "quarantine" range
> ${fwcmd} add pass tcp from any to any 18198,18211,40000-65535 in via fxp0 setup keep-state
> ${fwcmd} add pass udp from any to any 18198,18211,40000-65535 in via fxp0 keep-state
>
> # MSN, Yahoo ports
> ${fwcmd} add pass tcp from any to any 1863,2001-2120,6801,6891-6901,7801-7825 in via fxp0 setup keep-state
> ${fwcmd} add pass udp from any to any 1863,2001-2120,6801,6891-6901,7801-7825 in via fxp0 keep-state
>
> # additional h323,yahoo,remote admin,vnc ports
> ${fwcmd} add pass tcp from any to any 1719-1725,2082,5000-6000,8010,8100 in via fxp0 setup keep-state
> ${fwcmd} add pass udp from any to any 1719-1725,2082,5000-6000,8010,8100 in via fxp0 keep-state
>
> # Allowing mysql,Jabber,IRC,chat.
> ${fwcmd} add pass tcp from any to any 3306,4899,6155,6502,6667,8000 in via fxp0 setup keep-state
> ${fwcmd} add pass udp from any to any 3306,4899,6155,6502,6667,8000 in via fxp0 keep-state
>
> # allow radius
> ${fwcmd} add pass tcp from any to any 1645,1646,1812,1813,9000-9002 in via fxp0 setup keep-state
> ${fwcmd} add pass udp from any to any 1645,1646,1812,1813,9000-9002 in via fxp0 keep-state
>
> # additional eMule ports
> ${fwcmd} add pass tcp from any to any 2323,4242,4243,4661-4672,7700-7800 in via fxp0 setup keep-state
> ${fwcmd} add pass udp from any to any 2323,4242,4243,4661-4672,7700-7800 in via fxp0 keep-state
>
> # Allowing DNS lookups.
> ${fwcmd} add pass tcp from any to any 53 in via fxp0 setup keep-state
> ${fwcmd} add pass udp from any to any 53 in via fxp0 keep-state
> ${fwcmd} add pass udp from any 53 to any in via fxp0 keep-state
>
> ${fwcmd} add pass icmp from 202.179.x.x/19 to any icmptypes 0,3,4,8,11,12
> ${fwcmd} add pass icmp from not 202.179.x.x/19 to 202.179.x.x/19 icmptypes 0,3,4,11,12
>
> # Allowing SOCKS,HTTP proxy to outside only
> ${fwcmd} add pass tcp from 202.179.x.x/19 to any 1080,8080 in via fxp0 setup keep-state
> ${fwcmd} add pass udp from 202.179.x.x/19 to any 1080,8080 in via fxp0 keep-state
>
> # Allow the bridge machine to say anything it wants
> ${fwcmd} add pass tcp from 202.179.x.x to any setup keep-state
> ${fwcmd} add pass udp from 202.179.x.x to any keep-state
> ${fwcmd} add pass ip from 202.179.x.x to any
>
> ${fwcmd} add pass tcp from any to any in via fxp2 setup keep-state
> ${fwcmd} add pass udp from any to any in via fxp2 keep-state
> ${fwcmd} add pass ip from any to any in via fxp2
>
> # Allow NTP queries out in the world
> ${fwcmd} add pass udp from any to any 123 in via fxp0 keep-state
>
> # allow multicast
> ${fwcmd} add pass all from 202.179.x.x/19 to 224.0.0.0/4 via fxp0
> ${fwcmd} add pass all from 224.0.0.0/4 to 202.179.x.x/19 via fxp0
>
> # Allowing OSPF
> ${fwcmd} add pass ospf from any to any
>
> # Allowing GRE
> ${fwcmd} add pass gre from any to any
>
> # Allowing IP fragments to pass through.
> ${fwcmd} add 65001 pass all from any to any frag
>
> # Everything else is suspect
> ${fwcmd} add drop log ip from any to any
> ...
> ---------------------------------------------------------------
>
> /etc/sysctl.conf file.
> ---------------------------------------------------------------
> net.link.ether.bridge_cfg=fxp0:0,fxp1:0
> net.link.ether.bridge_ipfw=1
> net.link.ether.bridge.enable=1
>
> net.inet.ip.fw.one_pass=0
> security.bsd.see_other_uids=0
> net.link.ether.inet.max_age=1200
> kern.ipc.somaxconn=1024
> net.inet.tcp.sendspace=32768
> net.inet.tcp.recvspace=32768
>
> net.inet.ip.sourceroute=0
> net.inet.ip.accept_sourceroute=0
>
> # Stop broadcast ECHO response
> net.inet.icmp.bmcastecho=0
>
> # Stop other broadcast probes
> net.inet.icmp.maskrepl=0
>
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
>
> net.inet.ip.fw.dyn_max=8192
> net.inet.ip.fw.dyn_ack_lifetime=3600
> net.inet.ip.fw.dyn_udp_lifetime=10
> net.inet.ip.fw.dyn_buckets=1024
>
> ---------------------------------------------------------------
>
> tia,
>
> Ganbold
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>
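Editor's added example, not from the thread and not ipfw's own code: a small Python model of ipfw2 rule evaluation that checks the two points made in the reply above. It shows that 'via fxp0' matches a packet both when it is received and when it is transmitted on fxp0 while 'in via fxp0' matches only on receive, that the single combined src-ip rule gives the same verdict as the three original deny rules, and that the per-interface skipto layout evaluates fewer rules for a packet arriving on fxp1. The parser only understands the small subset of ipfw syntax used here (rule numbers, allow/deny/skipto, in/out, via/recv/xmit, 'from' and 'src-ip' source matching); the Packet fields, the customer networks in 203.0.113.0/24 and the sample source 198.51.100.5 are constructed for the demonstration.

```python
# Added example (not ipfw's code, not from the original mail): a toy model of
# ipfw2 rule evaluation.  Only rule numbers, allow/deny/skipto, in/out,
# via/recv/xmit and source-address matching are modelled; packets are constructed.
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    src: str
    direction: str          # 'in' (just received) or 'out' (about to be transmitted)
    recv_if: Optional[str]  # interface the packet was received on
    xmit_if: Optional[str]  # interface it will be sent on (outgoing packets only)


def parse_rule(line):
    """Parse 'add <num> <action> [<target>] <body>' into a dict of match options."""
    toks = line.split()
    rule = {"num": int(toks[1]), "action": toks[2], "target": None,
            "dir": None, "via": None, "recv": None, "xmit": None, "src": []}
    i = 3
    if rule["action"] == "skipto":
        rule["target"], i = int(toks[3]), 4
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["dir"] = t
        elif t in ("via", "recv", "xmit"):                 # interface options
            rule[t] = toks[i + 1]
            i += 1
        elif t == "src-ip" or (t == "from" and toks[i + 1] != "any"):
            rule["src"] = [ip_network(n) for n in toks[i + 1].split(",")]
            i += 1
        elif t in ("from", "to"):                          # 'from any' / 'to <x>': not modelled
            i += 1
        elif t not in ("all", "ip"):                       # protocol wildcards
            raise ValueError("unsupported token: " + t)
        i += 1
    return rule


def matches(rule, pkt):
    if rule["dir"] and rule["dir"] != pkt.direction:
        return False
    # 'via' is true if the packet was received OR will be transmitted on that
    # interface; 'recv' and 'xmit' each test only one of the two.
    if rule["via"] and rule["via"] not in (pkt.recv_if, pkt.xmit_if):
        return False
    if rule["recv"] and rule["recv"] != pkt.recv_if:
        return False
    if rule["xmit"] and rule["xmit"] != pkt.xmit_if:
        return False
    if rule["src"] and not any(ip_address(pkt.src) in n for n in rule["src"]):
        return False
    return True


def run(ruleset, pkt):
    """First match wins; 'skipto N' continues at the first rule numbered >= N.
    Returns (verdict, number of rules evaluated)."""
    rules = sorted((parse_rule(l) for l in ruleset), key=lambda r: r["num"])
    i = evaluated = 0
    while i < len(rules):
        r = rules[i]
        evaluated += 1
        if not matches(r, pkt):
            i += 1
        elif r["action"] != "skipto":
            return r["action"], evaluated
        else:
            i = next((j for j, x in enumerate(rules) if x["num"] >= r["target"]), len(rules))
    return "deny", evaluated   # ipfw's built-in default rule 65535 denies


# Constructed rulesets: ORIGINAL is the three-rule form quoted in the mail,
# COMBINED the single-rule rewrite proposed in the reply.
ORIGINAL = ["add 21 deny all from 10.0.0.0/8 to any via fxp0",
            "add 23 deny all from 172.16.0.0/12 to any via fxp0",
            "add 25 deny all from 192.168.0.0/16 to any via fxp0"]
COMBINED = ["add 21 deny via fxp0 src-ip 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"]
ACCEPT = ["add 65535 allow ip from any to any"]   # permissive tail, for the demo only


def demo_via_direction():
    """'via fxp0' matches on receive AND transmit; 'in via fxp0' only on receive."""
    out_pkt = Packet("192.168.1.9", "out", "fxp1", "fxp0")
    in_pkt = Packet("192.168.1.9", "in", "fxp0", None)
    in_via = ["add 21 deny in via fxp0 src-ip 192.168.0.0/16"]
    return {"combined/out": run(COMBINED + ACCEPT, out_pkt),   # ('deny', 1)
            "combined/in": run(COMBINED + ACCEPT, in_pkt),     # ('deny', 1)
            "original/out": run(ORIGINAL + ACCEPT, out_pkt),   # ('deny', 3): same verdict, 3 rules walked
            "in-via/out": run(in_via + ACCEPT, out_pkt)}       # ('allow', 2): 'in' never matches outgoing


def demo_skipto_layout():
    """Rules evaluated for a packet arriving on fxp1: flat vs per-interface skipto blocks."""
    common = COMBINED + ["add 100 allow ip from any to any via lo0",
                         "add 65535 deny ip from any to any"]
    nets = ["203.0.113.%d/28" % (16 * k) for k in range(6)]   # constructed customer nets on fxp0
    flat = common + ["add %d allow ip from %s to any in recv fxp0" % (110 + 10 * k, n)
                     for k, n in enumerate(nets)]
    flat += ["add 200 allow ip from any to any in recv fxp1"]
    layered = common + ["add 102 skipto 1000 ip from any to any via fxp0",
                        "add 103 skipto 2000 ip from any to any via fxp1"]
    layered += ["add %d allow ip from %s to any in" % (1000 + 10 * k, n)   # no interface check needed
                for k, n in enumerate(nets)]
    layered += ["add 2000 allow ip from any to any in"]
    pkt = Packet("198.51.100.5", "in", "fxp1", None)
    return {"flat": run(flat, pkt), "layered": run(layered, pkt)}   # ('allow', 9) vs ('allow', 5)
```

Run `demo_via_direction()` and `demo_skipto_layout()` to see the verdicts and rule counts. The model deliberately ignores destination addresses, protocols, ports and dynamic rules, so it says nothing about the relative cost of 'via' versus 'src-ip' inside a single rule; what it does show is that the rewrite preserves verdicts while cutting the number of rules walked, which is the property worth confirming before restructuring a production ruleset.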