Date: Tue, 16 Apr 2002 12:54:32 -0700 (PDT)
From: "Earl A. Killian" <earl@killian.com>
To: freebsd-ipfw@freebsd.org
Subject: question about the FreeBSD 4.5-RELEASE simple entry in rc.firewall
Message-ID: <200204161954.g3GJsWc04611@gate.killian.com>
At the end, for reference, I've reproduced the rules you get from
4.5-RELEASE rc.firewall with firewall_type="simple" and
natd_enable="YES", and with some comments simplified. I tried this
firewall, and I was not able to talk to my gateway machine from the
hosts on the inside. Looking at the rules below, I see only one rule
that is specific to iif, and that is just to prevent the inside from
pretending to be outside. Most of the rules are via oif, or to oip
and so don't apply to an inside machine talking to iip via iif. If I
eliminate those rules, I'm left with:
Rules that apply to inet:imask talking to iip via iif:
deny all from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
deny all from ${onet}:${omask} to any in via ${iif}
pass tcp from any to any established
pass all from any to any frag
pass tcp from any to any setup
So what about icmp and udp? Do other sites really use this fw and
just not ping or dns/ntp to their gateway from inside? Shouldn't the
following be added after the stop-spoofing rules or something?
# Allow internal hosts complete access
allow all from ${inet}:${imask} to ${iip} in recv ${iif}
allow all from ${iip} to ${inet}:${imask} out xmit ${iif}
I also notice there are no rules for icmp at all. Shouldn't there be a
# Allow pings out in the world
pass icmp from ${oip} to any keep-state
down with the dns/ntp rules?
For reference, rc.firewall with firewall_type="simple" and
natd_enable="YES":
# Localhost interface
100 pass all from any to any via lo0
200 deny all from any to 127.0.0.0/8
300 deny ip from 127.0.0.0/8 to any
# Stop spoofing
deny all from ${inet}:${imask} to any in via ${oif}
deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
deny all from any to 10.0.0.0/8 via ${oif}
deny all from any to 172.16.0.0/12 via ${oif}
deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt nets on the outside interface
deny all from any to 0.0.0.0/8 via ${oif}
deny all from any to 169.254.0.0/16 via ${oif}
deny all from any to 192.0.2.0/24 via ${oif}
deny all from any to 224.0.0.0/4 via ${oif}
deny all from any to 240.0.0.0/4 via ${oif}
# Network Address Translation.
divert natd all from any to any via ${natd_interface}
# Stop RFC1918 nets on the outside interface
deny all from 10.0.0.0/8 to any via ${oif}
deny all from 172.16.0.0/12 to any via ${oif}
deny all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt nets on the outside interface
deny all from 0.0.0.0/8 to any via ${oif}
deny all from 169.254.0.0/16 to any via ${oif}
deny all from 192.0.2.0/24 to any via ${oif}
deny all from 224.0.0.0/4 to any via ${oif}
deny all from 240.0.0.0/4 to any via ${oif}
# Allow TCP through if setup succeeded
pass tcp from any to any established
# Allow IP fragments to pass through
pass all from any to any frag
# Allow setup of incoming email
pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
pass tcp from any to ${oip} 53 setup
pass udp from any to ${oip} 53
pass udp from ${oip} 53 to any
# Allow access to our WWW
pass tcp from any to ${oip} 80 setup
# Reject&Log all setup of incoming connections from the outside
deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
pass tcp from any to any setup
# Allow DNS queries out in the world
pass udp from ${oip} to any 53 keep-state
# Allow NTP queries out in the world
pass udp from ${oip} to any 123 keep-state
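The following is an added example, not part of the original message and not FreeBSD's rc.firewall or ipfw code. It is a small first-match simulator for the subset of ipfw(8) syntax that appears above, so a reader can replay the "inside host talks to the gateway's iip via iif" case and see which rule decides each packet. The interface names (fxp0/fxp1), the inside and outside networks, and the addresses are constructed values for a hypothetical site; keep-state is treated as stateless, the divert rule is treated as "continue with the next rule" (which is what natd's re-injection amounts to), the draft-manning-dsua rules are left out because they have the same shape as the RFC1918 rules and only match via ${oif}, and the kernel default of rule 65535 = deny is assumed. decide(packet) runs the packet against the "simple" set; decide(packet, with_proposed=True) inserts the two rules the message proposes right after the stop-spoofing rules.

```python
"""First-match simulator for the subset of ipfw(8) syntax this page uses. Added
example, not FreeBSD code. Site values are constructed; the draft-manning-dsua
rules are omitted (same shape as the RFC1918 rules, and they only match via oif)."""
import ipaddress
import re

VARS = {  # constructed rc.firewall variables for a hypothetical site
    "iif": "fxp1", "inet": "192.168.1.0", "imask": "255.255.255.0",
    "iip": "192.168.1.1", "oif": "fxp0", "onet": "198.51.100.0",
    "omask": "255.255.255.0", "oip": "198.51.100.10", "natd_interface": "fxp0",
}

SIMPLE_HEAD = """
pass all from any to any via lo0
deny all from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
deny all from ${inet}:${imask} to any in via ${oif}
deny all from ${onet}:${omask} to any in via ${iif}
"""
# The two rules the message proposes, inserted right after the stop-spoofing rules.
PROPOSED = """
allow all from ${inet}:${imask} to ${iip} in recv ${iif}
allow all from ${iip} to ${inet}:${imask} out xmit ${iif}
"""
SIMPLE_TAIL = """
deny all from any to 10.0.0.0/8 via ${oif}
deny all from any to 172.16.0.0/12 via ${oif}
deny all from any to 192.168.0.0/16 via ${oif}
divert natd all from any to any via ${natd_interface}
deny all from 10.0.0.0/8 to any via ${oif}
deny all from 172.16.0.0/12 to any via ${oif}
deny all from 192.168.0.0/16 to any via ${oif}
pass tcp from any to any established
pass all from any to any frag
pass tcp from any to ${oip} 25 setup
pass tcp from any to ${oip} 53 setup
pass udp from any to ${oip} 53
pass udp from ${oip} 53 to any
pass tcp from any to ${oip} 80 setup
deny log tcp from any to any in via ${oif} setup
pass tcp from any to any setup
pass udp from ${oip} to any 53 keep-state
pass udp from ${oip} to any 123 keep-state
"""

RULE_RE = re.compile(r"^(pass|allow|deny|divert natd)\s+(?:log\s+)?(\S+)\s+from\s+"
                     r"(\S+)(?:\s+(\d+))?\s+to\s+(\S+)(?:\s+(\d+))?(.*)$")

def parse_rules(text):
    """Expand ${var}s and parse each line; trailing options become a dict."""
    text = re.sub(r"\$\{(\w+)\}", lambda m: VARS[m.group(1)], text)
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        action, proto, src, sport, dst, dport, rest = RULE_RE.match(line).groups()
        toks, opts = rest.split(), {}
        while toks:  # 'via X', 'recv X', 'xmit X' take an argument; the rest are flags
            key = toks.pop(0)
            opts[key] = toks.pop(0) if key in ("via", "recv", "xmit") else True
        rules.append(dict(action=action, proto=proto, src=src, dst=dst, text=line,
                          sport=sport and int(sport), dport=dport and int(dport), opts=opts))
    return rules

def in_net(spec, ip):
    """'any', a.b.c.d, a.b.c.d/n or a.b.c.d:mask, as rc.firewall writes them."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(
        spec.replace(":", "/"), strict=False)

def matches(r, p):
    o, flags = r["opts"], p.get("flags", ())
    return (r["proto"] in ("all", "ip", p["proto"])
            and in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"])
            and (r["sport"] is None or r["sport"] == p.get("sport"))
            and (r["dport"] is None or r["dport"] == p.get("dport"))
            and ("in" not in o or p["dir"] == "in") and ("out" not in o or p["dir"] == "out")
            and ("via" not in o or o["via"] in (p.get("recv"), p.get("xmit")))
            and ("recv" not in o or o["recv"] == p.get("recv"))
            and ("xmit" not in o or o["xmit"] == p.get("xmit"))
            and ("setup" not in o or "setup" in flags)
            and ("established" not in o or "established" in flags)
            and ("frag" not in o or p.get("frag", False)))

def decide(packet, with_proposed=False):
    """Return (verdict, deciding rule). Stateless (keep-state ignored); divert
    continues at the next rule; assumes the kernel default rule 65535 = deny."""
    text = SIMPLE_HEAD + (PROPOSED if with_proposed else "") + SIMPLE_TAIL
    for r in parse_rules(text):
        if matches(r, packet) and r["action"] != "divert natd":
            return ("pass" if r["action"] in ("pass", "allow") else "deny", r["text"])
    return ("deny", "default rule 65535")

# Constructed packets: an inside host (192.168.1.5) talking to the gateway's iip.
INSIDE = "192.168.1.5"
PING_TO_IIP = dict(proto="icmp", src=INSIDE, dst=VARS["iip"], dir="in", recv=VARS["iif"])
DNS_TO_IIP = dict(proto="udp", src=INSIDE, dst=VARS["iip"], sport=40000, dport=53,
                  dir="in", recv=VARS["iif"])
SSH_TO_IIP = dict(proto="tcp", src=INSIDE, dst=VARS["iip"], sport=40001, dport=22,
                  dir="in", recv=VARS["iif"], flags={"setup"})

if __name__ == "__main__":
    for name, p in [("ping", PING_TO_IIP), ("dns", DNS_TO_IIP), ("ssh", SSH_TO_IIP)]:
        print(name, "simple:", decide(p), "| with proposed rules:", decide(p, True))
```

Run as a script it prints, for each packet, the verdict under the stock "simple" set and under the set with the two proposed rules. With the stock set the TCP setup from inside reaches "pass tcp from any to any setup", while the ICMP and UDP packets match nothing and fall through to the default deny, which is the behaviour the message describes; with the proposed rules both are accepted by the "allow all from ${inet}:${imask} to ${iip} in recv ${iif}" rule, and a packet with an inside source arriving via ${oif} is still stopped by the stop-spoofing rule that precedes them.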
