Date: Fri, 31 Jan 2003 13:10:49 -0500 From: "JoeB" <barbish@a1poweruser.com> To: "Redmond Militante" <r-militante@northwestern.edu>, <freebsd-questions@freebsd.org> Subject: RE: please comment on my nat/ipfw rules (resent) Message-ID: <MIEPLLIBMLEEABPDBIEGGEPPDEAA.barbish@a1poweruser.com> In-Reply-To: <20030131131815.GA9488@darkpossum>
next in thread | previous in thread | raw e-mail | index | archive | help
1. Your firewall rules are not working at all, except for the natd redirect option. This is caused by the kernel compile time option IPFIREWALL_DEFAULT_TO_ACCEPT. This option tell your firewall that any packet that does not match a rule is allowed to pass on through the firewall. Comment out that option in your kernel options source and recompile your kernel to take the default of default-to-deny and your current rules set will stop functioning. 2. You are using the simplest of the rule types 'state-less'. Using this type of rules you have to not only have a rule to allow the packet out you also have to have a rule to allow the packet in. See rules 220 & 230 of your posted rule set to see how it should be done. 3. There are 3 classes of rules, each class has separate packet interrogation abilities. Each proceeding class has greater packet interrogation abilities than the previous one. These are stateless, simple stateful, and advanced stateful. The advanced stateful rule class is the only class having technically advanced interrogation abilities capable of defending against the flood of different attack methods currently employed by perpetrators. Stateless and Simple Stateful IPFW firewall rules are inadequate to protect the users system in today's internet environment and leaves the user unknowingly believing they are protected when in reality they are not. 4. The advanced stateful rule option keep-state works as documented only when used in a rule set that does not use the divert rule. Simply stated the IPFW advanced stateful rule option keep-state does not function correctly when used in a IPFW firewall that also is using the IPFW built in NATD function. For the most complete keep-state protection the other FIREWALL solution (IPFILTER) that comes with FBSD should be used. Just checkout the IPFW list archives and you will see this subject discussed in detail with out any solution forthcoming. -----Original Message----- From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Redmond Militante Sent: Friday, January 31, 2003 8:18 AM To: freebsd-questions@freebsd.org Subject: please comment on my nat/ipfw rules (resent) hi all i have my test machine set up as a gateway box, with ipfw/natd configured on it, set up to filter/redirect packets bound for a client on my internal network. external ip of my internal client is aliased to the outside nic of the gateway box gateway machine's kernel has been recompiled with: options IPFIREWALL options IPDIVERT options IPFIREWALL_DEFAULT_TO_ACCEPT options IPFIREWALL_VERBOSE gateway's /etc/rc.conf looks like defaultrouter="129.x.x.1" hostname="hostname.com" ifconfig_xl0="inet 129.x.x.1 netmask 255.255.255.0" #aliasing internal client's ip to the outside nic of gateway box ifconfig_xl0_alias0="inet 129.x.1.20 netmask 255.0.0.0" #inside nic of gateway box ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0" gateway_enable="YES" firewall_enable="YES" #firewall_script="/etc/rc.firewall" firewall_type="/etc/ipfw.rules" natd_enable="YES" #natd interface is outside nic natd_interface="xl0" #natd flags redirect any traffic bound for ip of www3 to internal ip of www3 natd_flags="-redirect_address 10.0.0.2 129.x.x.20" kern_securelevel_enable="NO" ......... internal client's /etc/rc.conf looks like second machine's /etc/rc.conf: defaultrouter="10.0.0.1" ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0" ................ looks like this setup is working. the internal client is a basic webserver/ftp server. i am able to ftp to it, ssh to it, view webpages that it serves up, etc. with it hooked up to the internal nic of the gateway box. i am now trying to come up with a good set of firewall rules on the gateway box to filter out all unnecessary traffic to my internal network. the following is my /etc/ipfw.rules on the gateway box. -----------------------------snip------------------------------ # firewall_type="/etc/ipfw.rules" # enquirer ipfw.rules # NAT add 00100 divert 8668 ip from any to any via xl0 # loopback add 00210 allow ip from any to any via lo0 add 00220 deny ip from any to 127.0.0.0/8 add 00230 deny ip from 127.0.0.0/8 to any #allow tcp in for nfs shares #add 00301 allow tcp from 129.x.x.x to any in via xl0 #add 00302 allow tcp from 129.x.x.x to any in via xl0 #allow tcp in for ftp,ssh, smtp, httpd add 00303 allow tcp from any to any in 21,22,25,80,10000 via xl0 #deny rest of incoming tcp add 00309 deny log tcp from any to any in established #from man 8 ipfw: allow only outbound tcp connections i've created add 00310 allow tcp from any to any out via xl0 #allow udp in for gateway for DNS add 00300 allow udp from 10.0.0.0/24 to 129.105.49.1 53 via xl0 #allow udp in for nfs shares #add 00401 allow udp from 129.x.x.x to any in recv xl0 #add 00402 allow udp from 129.x.x.x to any in recv xl0 #allow all udp out from machine add 00404 allow udp from any to any out via xl0 #allow some icmp types (codes not supported) ##########allow path-mtu in both directions add 00500 allow icmp from any to any icmptypes 3 ##########allow source quench in and out add 00501 allow icmp from any to any icmptypes 4 ##########allow me to ping out and receive response back add 00502 allow icmp from any to any icmptypes 8 out add 00503 allow icmp from any to any icmptypes 0 in ##########allow me to run traceroute add 00504 allow icmp from any to any icmptypes 11 in add 00600 deny log ip from any to any #--- end ipfw.rules ---# -----------------------------snip------------------------------ any comments on how i could improve this set of ipfw rules to better secure my internal client would be appreciated. thanks again redmond To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGGEPPDEAA.barbish>