Date:      Wed, 2 Jun 2004 20:39:16 -0400
From:      "JJB" <Barbish3@adelphia.net>
To:        "Luigi Rizzo" <rizzo@icir.org>, "OpenMacNews" <freebsd-ipfw.20.openmacews@spamgourmet.com>
Cc:        freebsd-ipfw <freebsd-ipfw@freebsd.org>
Subject:   RE: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Message-ID:  <MIEPLLIBMLEEABPDBIEGOEGNGAAA.Barbish3@adelphia.net>
In-Reply-To: <20040602154140.A17902@xorpc.icir.org>

Luigi, your statement is very generic and so easy to make when there
is no proof given to back it up. There is no documentation that backs
up your statement that stateful rules will work in a NATed
environment. Better yet, here is a stateful rule set that works with
no LAN behind the firewall machine. I would like to see just how you
would change it to get it to work in a NATed environment. I think
once you start trying to get it to work you will come to realize the
problem ipfw has using stateful rules in a NATed environment first
hand. The problem is that the content of the dynamic table is always
different no matter where you position the divert rule in the rule
set, which causes the dynamic table content to never match.

################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="dc0"     # public interface name of Nic card
              # facing the public internet


#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 00010 allow all from any to any via lo0

#################################################################
# Allow the packet through if it has previously been added to
# the "dynamic" rules table by an allow keep-state statement.
#################################################################
$cmd 00015 check-state

#################################################################
# Interface facing Public internet (Outbound Section)
# Interrogate session start requests originating from this gateway server
# destined for the public internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (IE: news groups)
$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state

# deny and log everything else that's trying to get out.
# This rule enforces the block all by default logic.
$cmd 00299 deny log all from any to any out via $pif

#################################################################
# Interface facing Public internet (Inbound Section)
# Interrogate packets originating from the public internet
# destined for this gateway server
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif    #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif       #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif      #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif        #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif     #reserved for doc's
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif      #Class D & E multicast

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# internet as clear text.
$cmd 00420 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################



-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org
[mailto:owner-freebsd-ipfw@freebsd.org]On Behalf Of Luigi Rizzo
Sent: Wednesday, June 02, 2004 6:42 PM
To: OpenMacNews
Cc: freebsd-ipfw
Subject: Re: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?

On Wed, Jun 02, 2004 at 03:33:58PM -0700, OpenMacNews wrote:
> In continued digging for some guidance w.r.t. my earlier post, I
> came across the following list comment ...
>
>         > The real show stopper is ipfw with stateful rules using
>         > the 'keep state' option does not work when used with the
>         > divert/nated legacy sub-routine. What this means is ipfw
>         > with stateful rules can only be used if 'user ppp -nat'
>         > is how you connect to the public internet.
>
> Is this in fact true?
> If using NATd, am I relegated to a _static_ ruleset, w/ no ability
> to use stateful rules?

just about every sentence above is false.

nothing prevents you from using stateful ipfw rules with natd,
_but_ you must understand very well the packet's flow and how
addresses are transformed or you won't get what you want.

personally i see almost always only disadvantages (basically, it is
much easier to screw up your configuration) in using both because nat
is already stateful

        cheers
        luigi
> Richard
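As an added illustration of the disagreement in this thread (example code, not from the thread, from ipfw or from natd): a small Python model of how ipfw's dynamic table and a divert natd rule see each other. It assumes constructed addresses (203.0.113.1 as the gateway's public address, 192.168.1.5 as a LAN host, 198.51.100.7 as a remote web server) and reduces keep-state, check-state and natd to the address bookkeeping the thread argues about. It shows that with one divert rule the dynamic entry and the inbound lookup never carry the same addresses, whichever side of check-state the divert sits, whereas diverting inbound before check-state and outbound after keep-state makes them agree.

```python
# Added example, not code from the thread: a toy model of ipfw's dynamic
# table around a "divert natd" rule. All addresses are constructed.
PUBLIC = "203.0.113.1"      # gateway's public address
LAN_HOST = "192.168.1.5"    # host behind the gateway

def natd(pkt, direction, nat_table):
    """Minimal natd: rewrite src outbound, restore the inner dst inbound."""
    if direction == "out":
        nat_table[(pkt["dst"], pkt["dport"], pkt["sport"])] = pkt["src"]
        return {**pkt, "src": PUBLIC}
    inner = nat_table.get((pkt["src"], pkt["sport"], pkt["dport"]))
    return {**pkt, "dst": inner} if inner else pkt

def evaluate(rules, pkt, direction, dyn, nat_table):
    """Walk rules top to bottom; return (verdict, reason)."""
    for action, applies in rules:
        if applies not in (direction, "any"):
            continue
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if action == "divert":
            pkt = natd(pkt, direction, nat_table)   # addresses change here
        elif action == "check-state":
            if flow in dyn or reverse in dyn:
                return "allow", "matched dynamic rule %s" % (flow,)
        elif action == "keep-state":
            dyn.add(flow)   # record the flow as seen at this point, continue
        elif action in ("allow", "deny"):
            return action, "static rule, packet dst was %s" % pkt["dst"]
    return "deny", "end of rules"

def session(rules):
    """One outbound SYN from the LAN host, then its reply; return verdicts."""
    dyn, nat_table = set(), {}
    out = {"src": LAN_HOST, "sport": 40000, "dst": "198.51.100.7", "dport": 80}
    back = {"src": "198.51.100.7", "sport": 80, "dst": PUBLIC, "dport": 40000}
    v_out, _ = evaluate(rules, out, "out", dyn, nat_table)
    v_in, why = evaluate(rules, back, "in", dyn, nat_table)
    return v_out, v_in, why

# JJB's case: one divert rule, ahead of check-state for both directions.
SINGLE_DIVERT = [("divert", "any"), ("check-state", "any"),
                 ("keep-state", "out"), ("allow", "out"), ("deny", "in")]
# The same single divert rule placed after the stateful rules instead.
DIVERT_LATE = [("check-state", "any"), ("keep-state", "out"),
               ("divert", "any"), ("allow", "out"), ("deny", "in")]
# Luigi's point: un-NAT inbound before check-state and record outbound
# state before NAT, so both lookups see the LAN address.
SPLIT_DIVERT = [("divert", "in"), ("check-state", "any"), ("keep-state", "out"),
                ("divert", "out"), ("allow", "out"), ("deny", "in")]
```

In a real ipfw ruleset the outbound "record state, then divert" ordering is what a skipto from the keep-state rule to the divert rule achieves; the model simply lets keep-state fall through to the next rule.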