Date:      Fri, 11 Feb 2011 22:39:51 -0800
From:      Julian Elischer <julian@freebsd.org>
To:        Jason Mattax <jmattax@storytotell.org>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Strange problem
Message-ID:  <4D562B37.7000402@freebsd.org>
In-Reply-To: <4D55F832.7010604@storytotell.org>
References:  <4D55F832.7010604@storytotell.org>

On 2/11/11 7:02 PM, Jason Mattax wrote:
> I'm currently running 8.1-RELEASE-p2 and attempting to set up a firewall
> with natd and ipfw. I was trying a more complicated ipfw script and had
> some problems. I reduced my rule set to the smallest sets I could manage
> to find the exact rule that causes problems. xl0 is my world facing
> interface and re0 faces my internal network. The working ruleset is
>
> $ipfw list
>
> 00050 allow ip from any to any via lo0
> 00100 divert 8668 log ip from any to any in via xl0
> 10000 divert 8668 log ip from any to any out via xl0
> 10005 allow ip from any to any
> 65535 allow ip from any to any
>
> With this I get a log containing
>
> $tail ipfw.log
> Feb 10 20:37:53 stilgar kernel: ipfw: 100 Divert 8668 TCP
> 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP
> 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:37:54 stilgar kernel: ipfw: 10000 Divert 8668 TCP
> 192.168.0.10:22 192.168.0.15:60569 out via xl0
> Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP
> 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP
> 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:37:54 stilgar kernel: ipfw: 10000 Divert 8668 TCP
> 192.168.0.10:22 192.168.0.15:60569 out via xl0
> Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP
> 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP
> 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:37:54 stilgar kernel: ipfw: 10000 Divert 8668 TCP
> 192.168.0.10:22 192.168.0.15:60569 out via xl0
> Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP
> 192.168.0.15:60569 192.168.0.10:22 in via xl0
>
> Both of the diverts are working and machines attached to the internal nic can communicate through the computer. Now because I would like to be able to drop some packets I'm going to add a skip, since eventually that will get me where I want to be. This just adds rule 00310 which skips over no rules all the time
>
> $ipfw list
> 00050 allow ip from any to any via lo0
> 00100 divert 8668 log ip from any to any in via xl0
> 00310 skipto 9999 log ip from any to any
> 10000 divert 8668 log ip from any to any out via xl0
> 10005 allow ip from any to any
> 65535 allow ip from any to any
>
> Now the log contains
> $tail ipfw.log
> Feb 10 20:36:45 stilgar kernel: ipfw: 100 Divert 8668 TCP
> 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP
> 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP
> 192.168.0.10:22 192.168.0.15:60569 out via xl0
> Feb 10 20:36:45 stilgar kernel: ipfw: 100 Divert 8668 TCP
> 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP
> 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:36:45 stilgar kernel: ipfw: 100 Divert 8668 TCP
> 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP
> 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP
> 192.168.0.10:22 192.168.0.15:60569 out via xl0
> Feb 10 20:36:45 stilgar kernel: ipfw: 100 Divert 8668 TCP
> 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP
> 192.168.0.15:60569 192.168.0.10:22 in via xl0
>
> Rules 100 and 310 are being hit, but rule 10000 is no longer triggering. This means that my outgoing packets aren't having their source address rewritten so I don't get responses (and put unrouteable traffic on the internet.) Can anyone explain to me what I'm doing wrong here?
that is rather odd..

BTW I tend to never use VIA
be explicit and say recv or xmit.

via may trigger in places you don't expect

I also always use skipto to split my rules into completely separate 
receive and transmit sections

e.g. (very simplistic set)..


100 skipto 1000 ip from any to any in recv xl0
110 skipto 2000 ip from any to any out xmit xl0
# allow unfettered access for packets from the inside,
120 allow ip from any to any
#
# Now we handle incoming packets only
1000 drop ip from any to not $localIP
1010 divert 8668 ip from any to any
# packets here have been translated..
# make explicit rules for services on this machine
1020 allow tcp from any to me 22
1030 drop ip from any to $localIP
# assuming natd did its job allow translated packets out.
1040 allow ip from any to any

#
# Now do outgoing packets
2000 divert 8668 ip from any to any
# packets are all translated now
2010 allow ip from any to any




> Jason Mattax
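
The following is an added example, not code from this thread or from ipfw itself: a small Python model of ipfw first-match evaluation, just enough to trace constructed packets through the direction-split ruleset in the reply and to show why a "via" rule fires for both directions while "recv"/"xmit" fire for one. It assumes $localIP is 203.0.113.5, treats divert as "natd re-injects and the search continues at the next rule" (one_pass=0), does not model the NAT rewrite, and assumes a default-deny final rule.

```python
LOCAL_IP = "203.0.113.5"   # stands in for $localIP (assumed, documentation address)

# (number, action, argument, criteria) transcribing the reply's ruleset.
RULES = [
    (100,  "skipto", 1000, {"dir": "in",  "recv": "xl0"}),
    (110,  "skipto", 2000, {"dir": "out", "xmit": "xl0"}),
    (120,  "allow",  None, {}),                      # inside-to-inside traffic
    (1000, "drop",   None, {"dst_not": LOCAL_IP}),
    (1010, "divert", 8668, {}),
    (1020, "allow",  None, {"proto": "tcp", "dst": "me", "dport": 22}),
    (1030, "drop",   None, {"dst": LOCAL_IP}),
    (1040, "allow",  None, {}),                      # translated by natd
    (2000, "divert", 8668, {}),
    (2010, "allow",  None, {}),
]

def matches(crit, pkt):
    """True when every criterion of the rule holds for the packet dict."""
    checks = [
        ("dir" not in crit) or pkt["dir"] == crit["dir"],
        ("recv" not in crit) or pkt.get("recv_if") == crit["recv"],
        ("xmit" not in crit) or pkt.get("xmit_if") == crit["xmit"],
        # 'via' is satisfied by either interface, so it fires in both directions
        ("via" not in crit) or crit["via"] in (pkt.get("recv_if"), pkt.get("xmit_if")),
        ("proto" not in crit) or pkt["proto"] == crit["proto"],
        ("dport" not in crit) or pkt.get("dport") == crit["dport"],
        ("dst" not in crit) or pkt["dst"] == (LOCAL_IP if crit["dst"] == "me" else crit["dst"]),
        ("dst_not" not in crit) or pkt["dst"] != crit["dst_not"],
    ]
    return all(checks)

def evaluate(rules, pkt):
    """First-match walk; returns (verdict, rule_number, list of rules hit)."""
    rules = sorted(rules, key=lambda r: r[0])
    trace, i = [], 0
    while i < len(rules):
        num, action, arg, crit = rules[i]
        if not matches(crit, pkt):
            i += 1
            continue
        trace.append(num)
        if action in ("allow", "drop"):
            return action, num, trace
        if action == "skipto":   # resume at the first rule numbered >= target
            i = next((j for j, r in enumerate(rules) if r[0] >= arg), len(rules))
        else:                    # divert: natd re-injects, search continues
            i += 1
    return "drop", 65535, trace  # default rule, assumed here to deny

# Constructed sample: an SSH connection arriving on the outside interface.
SSH_IN = {"dir": "in", "recv_if": "xl0", "proto": "tcp", "dst": LOCAL_IP, "dport": 22}
```

Running `evaluate(RULES, SSH_IN)` gives `('allow', 1020, [100, 1010, 1020])`: the inbound packet is sent to the receive section, diverted, then admitted by the explicit SSH rule.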