From owner-freebsd-security Thu Aug 9 19:27:44 2001
From: Jon Loeliger
To: security@freebsd.org
Subject: IPFW Dynamic Rules
Date: Thu, 09 Aug 2001 21:33:10 -0500
Clarity-Index: null
Threat-Level: none
Software-Engineering-Dead-Seriousness: There's no excuse for unreadable code.
Net-thought: If you meet the Buddha on the net, put him in your Kill file.

Hi Folks,

The late night reconfiguring and firewall building progresses fairly nicely here these days, thanks to many here who have helped me. For those keeping score with my Sorry Saga, I've actually managed to replace the compromised disk, rebuild a new one, rebuild three new FreeBSD 4.3 released machines, turn one into an IPFW firewall gateway, and keep my day job. *phew*

So, I have a rudimentary set of IPFW rules in place, loosely based off of the stock 4.3 "/etc/rc.firewall simple" set. Naturally, there is an endless amount of tinkering to do now, and I have some questions!

For starters, what is a "dynamic rule", really? I mean, I've read the man page, and I've poked some web pages, and I _think_ I know, but I'm still unclear on a point or two. The man page says, about the keep-state flag, which is used to introduce new dynamic rules:

    keep-state [method]
            Upon a match, the firewall will create a dynamic rule, whose
            default behaviour is to match bidirectional traffic between
            source and destination IP/port using the same protocol. The
            rule has a limited lifetime (controlled by a set of sysctl(8)
            variables), and the lifetime is refreshed every time a
            matching packet is found.

So if the dynamic rule has the same behaviour as the origination rule on the same port with the same protocol, why can't packets simply continue to be matched against that original base rule? Why does the dynamic rule even need to come into existence?

How many dynamic rules do you need to allow for, roughly, based on some simple system parameters? Pure heuristic and guess work here? Markov chain arrival rate rule decay rate blah blah tune it blah blah? I filled the default 256 readily, and bumped it to 1024 on a whim.

So I think I may be doing something vaguely Not Quite Right with some "keep-state" rules too. I think I got to this NQR state due to some early wrong rule tinkering. To be concrete: I first made the mistake of being too uni-directional and had a rule like this, intending to mean "anything that is established between the Big Bad Outside and my net, let it through."

    00800 allow tcp from any to MY_REAL_NET/MASK established

and this one intended to allow access to a web server:

    01200 allow tcp from any to 209.39.144.0/27 80 setup

I of course couldn't get this to work at all. The way I fixed it and made it work was to change the "setup" rule to add the "keep-state" flag as well:

    01200 allow tcp from any to MY_REAL_NET/MASK 80 setup keep-state

What this did was introduce a dynamic rule for every connection to my web server. (Ugh.)

What _wasn't_ happening was the _bidirectional_ treatment required from the 800 rule, right? The 800 rule is being used once in-bound and once out-bound, right? And with the rule written as above, the out-flow packets were being dropped on the floor and I _wasn't_ able to maintain the connections that the 1200 rule was correctly establishing, right? My stop-gap was to frob the keep-state onto that 1200 rule and now the dynamic rule was correctly getting me bidirectional traffic. All at the cost of introducing another unneeded rule, right?

To make matters worse, I was seeing this effect on my mail, ssh, http, https and DNS. Ugh, right? Wrong, right?

What I need to do is change the 800 rule to be:

    00800 allow tcp from any to any established

and take the keep-state off the 1200 rule again:

    01200 allow tcp from any to MY_REAL_NET/MASK 80 setup

Did I even come close here?

Now, other questions. Easy ones.

What do you set the log-limit to? Like, I exceed 30 hits on my main deny rule in an hour easily. I've got script kiddies who are scanning up and down my address and port space. A lot. Piss me off. Damn good thing I've got a firewall going, I see now.

What do people do to the log entries? I mean, is there some script out there that paws through /var/log/security and summarizes who was hitting on you and a histogram of ports probed? Do most people reset the counters once a day and leave it at that?

Converted,
jdl
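The rule-matching question above (why an inbound-only "established" rule drops the server's replies, what adding keep-state changes, and why the dynamic rule is more than a copy of the base rule) can be made concrete with a small model. The following is an added example, written for this archive page; it is not the poster's ruleset and not ipfw's own code. Only the option semantics come from ipfw(8): "setup" matches TCP packets with SYN set and ACK clear, "established" matches TCP packets with RST or ACK set and consults no state, "keep-state" records a bidirectional dynamic rule on a match, and "check-state" looks a packet up in the dynamic rules. The packet and rule objects, the state table, the client addresses, and the fourth ruleset (the check-state variant, which goes beyond what the post tries) are assumptions constructed for the example. The model also simplifies: it handles TCP only, consults the dynamic table once per packet, and ignores timeouts, interfaces and direction keywords.

```python
"""Minimal model of ipfw 'setup', 'established', 'keep-state' and
'check-state' matching.  Added example; not ipfw code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class Rule:
    num: int
    action: str                      # "allow" or "deny"
    dst: str = "any"                 # destination net, e.g. "209.39.144.0/27"
    dport: Optional[int] = None
    setup: bool = False
    established: bool = False
    keep_state: bool = False
    check_state: bool = False


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dyn = {}                # flow key -> parent rule number

    @staticmethod
    def flow_key(p):
        # Unordered pair of endpoints: the same key in both directions,
        # which is what makes a dynamic rule bidirectional.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    @staticmethod
    def static_match(r, p):
        if r.dst != "any" and ip_address(p.dst) not in ip_network(r.dst):
            return False
        if r.dport is not None and p.dport != r.dport:
            return False
        if r.setup and not (p.flags & SYN and not p.flags & ACK):
            return False
        if r.established and not (p.flags & (ACK | RST)):
            return False
        return True

    def filter(self, p):
        """Return (rule_number, action).  The dynamic table is consulted
        once, at the first check-state or keep-state rule reached; a hit
        is reported under the parent rule's number, as ipfw does."""
        dyn_checked = False
        for r in self.rules:
            if (r.check_state or r.keep_state) and not dyn_checked:
                dyn_checked = True
                parent = self.dyn.get(self.flow_key(p))
                if parent is not None:
                    return parent, "allow"
            if r.check_state:
                continue             # check-state matches nothing statically
            if self.static_match(r, p):
                if r.keep_state and r.action == "allow":
                    self.dyn[self.flow_key(p)] = r.num
                return r.num, r.action
        return 65535, "deny"         # ipfw's default rule


NET = "209.39.144.0/27"              # the web server net from the post


def post_first_ruleset():
    """The post's first attempt: inbound-only 'established', plain 'setup'."""
    return Firewall([Rule(800, "allow", dst=NET, established=True),
                     Rule(1200, "allow", dst=NET, dport=80, setup=True)])


def post_stopgap_ruleset():
    """The post's stop-gap: keep-state added to the setup rule."""
    return Firewall([Rule(800, "allow", dst=NET, established=True),
                     Rule(1200, "allow", dst=NET, dport=80, setup=True,
                          keep_state=True)])


def post_proposed_ruleset():
    """The post's proposed fix: 'established' both ways, no state at all."""
    return Firewall([Rule(800, "allow", established=True),
                     Rule(1200, "allow", dst=NET, dport=80, setup=True)])


def stateful_ruleset():
    """Assumed variant (not in the post): check-state first, setup
    keep-state for the service, and no stateless 'established' rule."""
    return Firewall([Rule(100, "allow", check_state=True),
                     Rule(1200, "allow", dst=NET, dport=80, setup=True,
                          keep_state=True)])


def handshake(fw):
    """Verdicts for the client SYN and the server's SYN/ACK reply."""
    syn = Packet("10.7.7.7", 40001, "209.39.144.5", 80, SYN)        # constructed
    synack = Packet("209.39.144.5", 80, "10.7.7.7", 40001, SYN | ACK)
    return fw.filter(syn)[1], fw.filter(synack)[1]


def bare_ack(fw):
    """Verdict for an unsolicited ACK to a port no rule opens (an ACK probe)."""
    return fw.filter(Packet("10.9.9.9", 31337, "209.39.144.5", 22, ACK))[1]
```

Running the four rulesets through handshake() reproduces the post's experience: the first ruleset passes the SYN but denies the SYN/ACK, since rule 800 only covers packets whose destination is inside the net; the stop-gap and the proposed "from any to any established" both pass both packets. bare_ack() shows the difference that answers the "why does the dynamic rule need to exist" question: a stateless "established" rule accepts any packet with ACK set, tracked connection or not, so an unsolicited ACK to port 22 is allowed by both the first and the proposed ruleset, while the check-state variant denies it because no dynamic rule for that flow was ever created.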
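On the last question, summarizing /var/log/security by source and by probed port, here is an added example of the kind of script the post asks about. It is not from the post or from FreeBSD; it is written for this page. It parses lines in the shape the FreeBSD 4.x kernel logged them, "ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] <in|out> via <iface>", with ICMP carrying "ICMP:type.code" and bare addresses, plus the "ipfw: limit N reached on entry M" notice emitted when a rule's logamount is used up. The log lines, host name, interface and addresses are constructed sample data, not real traffic, and the exact format is reproduced from memory of that era's ip_fw.c, so treat the regexes as an assumption to check against your own log.

```python
"""Summarize ipfw deny log lines by source address and probed port.
Added example; sample log is constructed."""
import re
from collections import Counter

# Constructed sample of /var/log/security lines (not real traffic).
SAMPLE_LOG = """\
Aug  9 21:40:02 chrome /kernel: ipfw: 65000 Deny TCP 192.0.2.10:3456 209.39.144.5:80 in via fxp0
Aug  9 21:40:03 chrome /kernel: ipfw: 65000 Deny TCP 192.0.2.10:3457 209.39.144.5:22 in via fxp0
Aug  9 21:40:03 chrome /kernel: ipfw: 65000 Deny TCP 192.0.2.10:3458 209.39.144.5:111 in via fxp0
Aug  9 21:41:17 chrome /kernel: ipfw: 65000 Deny UDP 198.51.100.7:1029 209.39.144.5:111 in via fxp0
Aug  9 21:42:50 chrome /kernel: ipfw: 65000 Deny ICMP:8.0 198.51.100.7 209.39.144.5 in via fxp0
Aug  9 21:43:01 chrome /kernel: ipfw: 1200 Accept TCP 203.0.113.9:2048 209.39.144.5:80 in via fxp0
Aug  9 21:43:22 chrome /kernel: ipfw: 65000 Deny TCP 192.0.2.10:3459 209.39.144.5:22 in via fxp0
Aug  9 21:45:00 chrome /kernel: ipfw: limit 30 reached on entry 65000
Aug  9 21:46:11 chrome sshd[123]: Accepted publickey for jdl from 203.0.113.9
"""

# Assumed line shapes (see lead-in); verify against your own kernel's output.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w.:]+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out)(?: via (?P<iface>\S+))?")
LIMIT_RE = re.compile(r"ipfw: limit (?P<limit>\d+) reached on entry (?P<rule>\d+)")


def split_endpoint(ep):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); a bare address (ICMP) -> (addr, None)."""
    host, sep, port = ep.rpartition(":")
    if not sep:
        return ep, None
    return host, int(port)


def parse_line(line):
    """Return a dict for an ipfw packet log line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {"rule": int(m["rule"]), "action": m["action"],
            "proto": m["proto"].split(":")[0],   # "ICMP:8.0" -> "ICMP"
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "dir": m["dir"], "iface": m["iface"]}


def summarize(text, action="Deny"):
    """Count lines with the given action per source and per (proto, dport).
    Also collect 'limit reached' notices: once one fires, the rule stops
    logging, so the counts are a floor, not the true number of probes."""
    by_src, by_port, limits = Counter(), Counter(), []
    for line in text.splitlines():
        lm = LIMIT_RE.search(line)
        if lm:
            limits.append((int(lm["rule"]), int(lm["limit"])))
            continue
        rec = parse_line(line)
        if rec is None or rec["action"] != action:
            continue
        by_src[rec["src"]] += 1
        if rec["dport"] is not None:
            by_port[(rec["proto"], rec["dport"])] += 1
    return by_src, by_port, limits


def report(text, top=10):
    """Human-readable summary: top sources, port histogram, exhausted rules."""
    by_src, by_port, limits = summarize(text)
    lines = ["Top sources (denied packets):"]
    lines += [f"  {n:6d}  {src}" for src, n in by_src.most_common(top)]
    lines.append("Ports probed:")
    lines += [f"  {n:6d}  {proto}/{port}"
              for (proto, port), n in sorted(by_port.items(), key=lambda kv: -kv[1])]
    for rule, limit in limits:
        lines.append(f"rule {rule} hit its log limit ({limit}); counts above are a floor")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

For a live box, feed it the file (for example `report(open("/var/log/security").read())`) from a nightly cron job. The "limit reached" handling is the caveat that matters for the log-limit question: once a rule reaches its logamount it logs nothing more until the counters are reset with ipfw resetlog, so a quiet log after that notice means nothing.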