Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 30 Apr 2003 09:53:49 -0700
From:      "C_Ahlers" <freebsd@code-space.com>
To:        "'Antoine Jacoutot'" <ajacoutot@lphp.org>, <freebsd-ipfw@freebsd.org>
Subject:   RE: ipfw dynamic rule timeout --> find a solution, but needconfirmation
Message-ID:  <000401c30f39$136f0020$0501a8c0@neptune>
In-Reply-To: <200304301424.24536.ajacoutot@lphp.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

I realize that the following info is not exactly what you have been
looking for - but it is in the spirit of building that perfect
firewall...

I would just like to point out that rules 200 and 300 that deal with
traffic to and from 127.0.0.0/8 are NOT necessary.
The reason for this is simple: FreeBSD doesn't allow that traffic,
regardless of the presence of a firewall or not.

If you take a look at some source code, specifically:

\src\sys\netinet\ip_input.c  (~ line 357)
\src\sys\netinet\ip_output.c (~ line 807)

you will see code like the following:

	/* 127/8 must not appear on wire - RFC1122 */
	if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) ==
IN_LOOPBACKNET ||
	    (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) ==
IN_LOOPBACKNET) {
		if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
			ipstat.ips_badaddr++;
			goto bad;
		}
	}

The packets are simply dropped...
So this means you have 2 less rules to worry about that just clutter
your ruleset.


C_Ahlers
freebsd@code-space.com



-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org
[mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Antoine Jacoutot
Sent: Wednesday, April 30, 2003 5:24 AM
To: freebsd-ipfw@freebsd.org
Subject: Re: ipfw dynamic rule timeout --> find a solution, but
needconfirmation


Hi !

In my problem with keep-state+ipfw2+natd, I came to the following
solution 
which seems to work well.
Now, I would like to be sure that there's no security issue with that 
(expecially with the sysctl variable), so if you feel like it, please
comment 
the following configuration.
Thanks in advance.

Antoine

### Configuration ###

sysctl variables:
net.inet.ip.fw.dyn_syn_lifetime=300 # same as
net.inet.ip.fw.dyn_ack_lifetime

rc.conf:
natd_flags="-log_denied -log_facility LOG_WARNING -use_sockets
-same_ports 
-unregistered_only -dynamic"

firewall ruleset (tun0 being the outsite interface):

# Firewall Command - quiet mode (suppress rule display)
fwcmd="/sbin/ipfw -q add"

# Flush out the list before we begin.
/sbin/ipfw -q -f flush

# Setup Loopback
${fwcmd} 100 pass all from any to any via lo0
${fwcmd} 200 deny log all from any to 127.0.0.0/8
${fwcmd} 300 deny log ip from 127.0.0.0/8 to any

# Stop spoofing
${fwcmd} 400 deny all from 192.168.0.0/24 to any in via tun0 ### The
following rule is disabled since we have a dynamic @ip ### ${fwcmd} add
500 deny all from ${outside_net}:${outside_mask} to any in 
via vr0

# Stop RFC1918 nets on the outside interface
${fwcmd} 600 deny all from any to 10.0.0.0/8 via tun0
${fwcmd} 700 deny all from any to 172.16.0.0/12 via tun0 ${fwcmd} 800
deny all from any to 192.168.0.0/16 via tun0

# Stop draft-manning-dsua-03.txt nets
${fwcmd} 900 deny all from any to 0.0.0.0/8 via tun0
${fwcmd} 1000 deny all from any to 169.254.0.0/16 via tun0 ${fwcmd} 1100
deny all from any to 192.0.2.0/24 via tun0 ${fwcmd} 1200 deny all from
any to 224.0.0.0/4 via tun0 ${fwcmd} 1300 deny all from any to
240.0.0.0/4 via tun0

# Network address Translation
# This rule is placed here deliberately so that it does not interfere
with the 
surrounding address-checking rules
${fwcmd} 1400 divert natd all from any to any via tun0

# Stop RFC1918 nets on the outside interface (following of rules 600,
700 and 
800 because NAT is now on)
${fwcmd} 1500 deny all from 10.0.0.0/8 to any via tun0
${fwcmd} 1600 deny all from 172.16.0.0/12 to any via tun0 ${fwcmd} 1700
deny all from 192.168.0.0/16 to any via tun0

# From man 8 ipfw: use of dynamic rules
${fwcmd} 1800 check-state
${fwcmd} 1900 deny log tcp from any to any established
${fwcmd} 2000 allow tcp from 192.168.0.0/24 to any setup keep-state
${fwcmd} 2100 allow tcp from me to any setup keep-state ${fwcmd} 2200
allow udp from 192.168.0.0/24 to any keep-state ${fwcmd} 2300 allow udp
from me to any keep-state ${fwcmd} 2400 deny log udp from any to any

# Reset ident incoming connections
${fwcmd} 2500 reset log tcp from any to me 113 in recv tun0 setup

# Deny & log suspicious packets (like nmap scans)
$fwcmd 2600 deny log tcp from any to any in tcpflags syn,fin

# Allow some icmp
# echo reply (0), destination unreachable (3), source quench (4), echo
request 
(8), time-to-live exceeded (11), IP header bad (12)
${fwcmd} 2700 pass icmp from any to any icmptype 0,3,4,8,11,12

# Allow IP fragments to pass through
${fwcmd} 2800 pass all from any to any frag

# Allow access to our FTP, SSH, SMTP, DNS, WWW, POP3
# find a way to allow FTP inbound
${fwcmd} 2900 pass tcp from any to me 22,25,53,80,110 in recv tun0 setup

keep-state
${fwcmd} 3000 pass udp from any to me 53 in recv tun0 keep-state

# Reject & log everything else
${fwcmd} 65000 deny log all from any to any
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?000401c30f39$136f0020$0501a8c0>