From owner-freebsd-ipfw Tue Apr 16 12:54:44 2002
Date: Tue, 16 Apr 2002 12:54:32 -0700 (PDT)
Message-Id: <200204161954.g3GJsWc04611@gate.killian.com>
From: "Earl A. Killian" <earl@killian.com>
To: freebsd-ipfw@freebsd.org
Subject: question about the FreeBSD 4.5-RELEASE simple entry in rc.firewall

At the end, for reference, I've reproduced the rules you get from 4.5-RELEASE rc.firewall with firewall_type="simple" and natd_enable="YES", and with some comments simplified. I tried this firewall, and I was not able to talk to my gateway machine from the hosts on the inside.

Looking at the rules below, I see only one rule that is specific to iif, and that is just to prevent the inside from pretending to be outside. Most of the rules are via oif, or to oip, and so don't apply to an inside machine talking to iip via iif. If I eliminate those rules, I'm left with:

Rules that apply to inet:imask talking to iip via iif:

    deny all from any to 127.0.0.0/8
    deny ip from 127.0.0.0/8 to any
    deny all from ${onet}:${omask} to any in via ${iif}
    pass tcp from any to any established
    pass all from any to any frag
    pass tcp from any to any setup

So what about icmp and udp? Do other sites really use this fw and just not ping or dns/ntp to their gateway from inside?

Shouldn't the following be added after the stop-spoofing rules or something?:

    # Allow internal hosts complete access
    allow all from ${inet}:${imask} to ${iip} in recv ${iif}
    allow all from ${iip} to ${inet}:${imask} out xmit ${iif}

I also notice there are no rules for icmp at all. Shouldn't there be a

    # Allow pings out in the world
    pass icmp from ${oip} to any keep-state

down with the dns/ntp rules?

For reference, rc.firewall with firewall_type="simple" and natd_enable="YES":

    # Localhost interface
    100 pass all from any to any via lo0
    200 deny all from any to 127.0.0.0/8
    300 deny ip from 127.0.0.0/8 to any

    # Stop spoofing
    deny all from ${inet}:${imask} to any in via ${oif}
    deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    deny all from any to 10.0.0.0/8 via ${oif}
    deny all from any to 172.16.0.0/12 via ${oif}
    deny all from any to 192.168.0.0/16 via ${oif}

    # Stop draft-manning-dsua-03.txt nets on the outside interface
    deny all from any to 0.0.0.0/8 via ${oif}
    deny all from any to 169.254.0.0/16 via ${oif}
    deny all from any to 192.0.2.0/24 via ${oif}
    deny all from any to 224.0.0.0/4 via ${oif}
    deny all from any to 240.0.0.0/4 via ${oif}

    # Network Address Translation.
    divert natd all from any to any via ${natd_interface}

    # Stop RFC1918 nets on the outside interface
    deny all from 10.0.0.0/8 to any via ${oif}
    deny all from 172.16.0.0/12 to any via ${oif}
    deny all from 192.168.0.0/16 to any via ${oif}

    # Stop draft-manning-dsua-03.txt nets on the outside interface
    deny all from 0.0.0.0/8 to any via ${oif}
    deny all from 169.254.0.0/16 to any via ${oif}
    deny all from 192.0.2.0/24 to any via ${oif}
    deny all from 224.0.0.0/4 to any via ${oif}
    deny all from 240.0.0.0/4 to any via ${oif}

    # Allow TCP through if setup succeeded
    pass tcp from any to any established

    # Allow IP fragments to pass through
    pass all from any to any frag

    # Allow setup of incoming email
    pass tcp from any to ${oip} 25 setup

    # Allow access to our DNS
    pass tcp from any to ${oip} 53 setup
    pass udp from any to ${oip} 53
    pass udp from ${oip} 53 to any

    # Allow access to our WWW
    pass tcp from any to ${oip} 80 setup

    # Reject&Log all setup of incoming connections from the outside
    deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    pass tcp from any to any setup

    # Allow DNS queries out in the world
    pass udp from ${oip} to any 53 keep-state

    # Allow NTP queries out in the world
    pass udp from ${oip} to any 123 keep-state
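The question in the post is a first-match walk over the ruleset, and that walk can be reproduced offline. The following is an added example, not code from the post or from FreeBSD: a small Python simulator that parses the subset of ipfw syntax the posted rules use, expands the rc.firewall variables with constructed sample values (xl0/xl1 as iif/oif, 192.168.1.0/24 inside, 203.0.113.0/29 outside; none of these appear in the post), and walks a representative subset of the "simple" ruleset for a packet arriving from an inside host on the inside interface. It assumes the kernel's default rule 65535 is deny, treats the divert rule as "continue at the next rule" without modelling natd rewriting, and does not model keep-state/check-state. With those assumptions, an inside host's ICMP or UDP/53 packet to the gateway's inside address reaches no pass rule and falls to the default deny, a TCP SYN is passed by the generic setup rule, and inserting the two rules the post proposes after the anti-spoofing rules lets the ICMP packet through without disturbing the spoof check.

```python
import ipaddress
import re

# Constructed sample values for the rc.firewall variables (not from the post).
VARS = {"iif": "xl0", "oif": "xl1", "iip": "192.168.1.1", "oip": "203.0.113.5",
        "inet": "192.168.1.0", "imask": "24", "onet": "203.0.113.0", "omask": "29"}

# Representative subset of the posted "simple" ruleset, in the posted order.
# The RFC1918 / draft-manning rules left out all carry "via ${oif}" and behave
# exactly like the one kept here.
SIMPLE_RULES = """
pass all from any to any via lo0
deny all from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
deny all from ${inet}:${imask} to any in via ${oif}
deny all from ${onet}:${omask} to any in via ${iif}
deny all from any to 192.168.0.0/16 via ${oif}
divert natd all from any to any via ${oif}
pass tcp from any to any established
pass all from any to any frag
pass udp from any to ${oip} 53
pass udp from ${oip} 53 to any
deny log tcp from any to any in via ${oif} setup
pass tcp from any to any setup
pass udp from ${oip} to any 53 keep-state
pass udp from ${oip} to any 123 keep-state
"""

# The two rules the post proposes inserting after the anti-spoofing rules.
PROPOSED_RULES = """
allow all from ${inet}:${imask} to ${iip} in recv ${iif}
allow all from ${iip} to ${inet}:${imask} out xmit ${iif}
"""

def expand(text):
    """Substitute ${var} with the sample values, as sh does in rc.firewall."""
    return re.sub(r"\$\{(\w+)\}", lambda m: VARS[m.group(1)], text)

def parse_addr(token):
    """'any' -> None; 'a.b.c.d', 'a.b.c.d/n' or 'a.b.c.d:mask' -> ip_network."""
    return None if token == "any" else ipaddress.ip_network(token.replace(":", "/"), strict=False)

def parse_rule(line):
    """Parse one rule into a dict (only the syntax subset used in the post)."""
    tok = line.split()
    if tok[0].isdigit():                      # optional leading rule number
        tok.pop(0)
    rule = {"text": line, "action": tok.pop(0), "opts": {}}
    if rule["action"] == "divert":            # 'divert natd': drop the port name
        tok.pop(0)
    if tok[0] == "log":
        tok.pop(0)                            # logging does not change the verdict
    rule["proto"] = tok.pop(0)
    tok.pop(0)                                # "from"
    rule["src"] = parse_addr(tok.pop(0))
    rule["sport"] = int(tok.pop(0)) if tok and tok[0].isdigit() else None
    tok.pop(0)                                # "to"
    rule["dst"] = parse_addr(tok.pop(0))
    rule["dport"] = int(tok.pop(0)) if tok and tok[0].isdigit() else None
    while tok:                                # in/out, via/recv/xmit IF, flags
        o = tok.pop(0)
        rule["opts"][o] = tok.pop(0) if o in ("via", "recv", "xmit") else True
    return rule

def in_net(net, ip):
    return net is None or ipaddress.ip_address(ip) in net

def matches(rule, pkt):
    """Match test for the options used here; keep-state/check-state is not modelled."""
    o = rule["opts"]
    return (rule["proto"] in ("all", "ip", pkt["proto"])
            and in_net(rule["src"], pkt["src"]) and in_net(rule["dst"], pkt["dst"])
            and rule["sport"] in (None, pkt.get("sport"))
            and rule["dport"] in (None, pkt.get("dport"))
            and ("in" not in o or pkt["dir"] == "in")
            and ("out" not in o or pkt["dir"] == "out")
            and ("via" not in o or o["via"] in (pkt.get("recv"), pkt.get("xmit")))
            and ("recv" not in o or o["recv"] == pkt.get("recv"))
            and ("xmit" not in o or o["xmit"] == pkt.get("xmit"))
            and all(pkt.get(f) for f in ("setup", "established", "frag") if f in o))

def evaluate(ruleset_text, pkt):
    """Walk the rules in order and return (verdict, matching rule text).
    Assumption: the default rule 65535 denies (no IPFIREWALL_DEFAULT_TO_ACCEPT)."""
    for line in expand(ruleset_text).strip().splitlines():
        rule = parse_rule(line)
        if not matches(rule, pkt):
            continue
        if rule["action"] == "divert":        # natd rewriting not modelled; the
            continue                          # packet re-enters at the next rule
        return ("pass" if rule["action"] in ("pass", "allow") else "deny"), rule["text"]
    return "deny", "default rule 65535"

def insert_after_spoofing(ruleset_text, extra):
    """Place the extra rules right after the 'in via ${iif}' anti-spoofing rule."""
    head, sep, tail = ruleset_text.partition("in via ${iif}\n")
    return head + sep + extra.strip() + "\n" + tail

def inside_packet(proto, dst=VARS["iip"], dport=None, **flags):
    """Constructed packet from an inside host, arriving on the inside interface."""
    return {"proto": proto, "src": "192.168.1.10", "dst": dst, "dport": dport,
            "dir": "in", "recv": VARS["iif"], **flags}
```

Calling evaluate(SIMPLE_RULES, inside_packet("icmp")) returns ('deny', 'default rule 65535'), as does the UDP/53 case; evaluate(insert_after_spoofing(SIMPLE_RULES, PROPOSED_RULES), inside_packet("icmp")) returns a pass on the first proposed rule, while a packet with the inside source address but recv set to the outside interface is still caught by the anti-spoofing rule. Because the matcher ignores keep-state, a ruleset that relies on dynamic rules should be checked on a real ipfw rather than with this simulator.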