RE: please comment on my nat/ipfw rules (resent)
1. Your firewall rules are not working at all, except for the natd redirect option. This is caused by the kernel compile-time option IPFIREWALL_DEFAULT_TO_ACCEPT. This option tells your firewall that any packet that does not match a rule is allowed to pass on through the firewall. Comment out that option in your kernel options source and recompile your kernel to take the default of default-to-deny, and your current rule set will stop functioning.

2. You are using the simplest of the rule types, 'stateless'. Using this type of rule you not only have to have a rule to allow the packet out, you also have to have a rule to allow the packet in. See rules 220 and 230 of your posted rule set to see how it should be done.

3. There are 3 classes of rules; each class has separate packet interrogation abilities, and each succeeding class has greater packet interrogation abilities than the previous one. These are stateless, simple stateful, and advanced stateful. The advanced stateful rule class is the only class having technically advanced interrogation abilities capable of defending against the flood of different attack methods currently employed by perpetrators. Stateless and simple stateful IPFW firewall rules are inadequate to protect the user's system in today's internet environment and leave the user unknowingly believing they are protected when in reality they are not.

4. The advanced stateful rule option keep-state works as documented only when used in a rule set that does not use the divert rule. Simply stated, the IPFW advanced stateful rule option keep-state does not function correctly when used in an IPFW firewall that is also using the IPFW built-in NATD function. For the most complete keep-state protection, the other firewall solution (IPFILTER) that comes with FBSD should be used. Just check out the IPFW list archives and you will see this subject discussed in detail without any solution forthcoming.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Redmond Militante
Sent: Friday, January 31, 2003 8:18 AM
To: [EMAIL PROTECTED]
Subject: please comment on my nat/ipfw rules (resent)

Hi all,

I have my test machine set up as a gateway box, with ipfw/natd configured on it, set up to filter/redirect packets bound for a client on my internal network. The external IP of my internal client is aliased to the outside NIC of the gateway box.

The gateway machine's kernel has been recompiled with:

    options IPFIREWALL
    options IPDIVERT
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPFIREWALL_VERBOSE

The gateway's /etc/rc.conf looks like:

    defaultrouter="129.x.x.1"
    hostname="hostname.com"
    ifconfig_xl0="inet 129.x.x.1 netmask 255.255.255.0"
    # aliasing internal client's ip to the outside nic of gateway box
    ifconfig_xl0_alias0="inet 129.x.1.20 netmask 255.0.0.0"
    # inside nic of gateway box
    ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
    gateway_enable="YES"
    firewall_enable="YES"
    #firewall_script="/etc/rc.firewall"
    firewall_type="/etc/ipfw.rules"
    natd_enable="YES"
    # natd interface is outside nic
    natd_interface="xl0"
    # natd flags: redirect any traffic bound for ip of www3 to internal ip of www3
    natd_flags="-redirect_address 10.0.0.2 129.x.x.20"
    kern_securelevel_enable="NO"

The internal client's (second machine's) /etc/rc.conf looks like:

    defaultrouter="10.0.0.1"
    ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"

It looks like this setup is working. The internal client is a basic web server/FTP server. I am able to FTP to it, SSH to it, view web pages that it serves up, etc., with it hooked up to the internal NIC of the gateway box. I am now trying to come up with a good set of firewall rules on the gateway box to filter out all unnecessary traffic to my internal network. The following is my /etc/ipfw.rules on the gateway box.
--snip--
    # firewall_type=/etc/ipfw.rules
    # enquirer ipfw.rules

    # NAT
    add 00100 divert 8668 ip from any to any via xl0

    # loopback
    add 00210 allow ip from any to any via lo0
    add 00220 deny ip from any to 127.0.0.0/8
    add 00230 deny ip from 127.0.0.0/8 to any

    # allow tcp in for nfs shares
    #add 00301 allow tcp from 129.x.x.x to any in via xl0
    #add 00302 allow tcp from 129.x.x.x to any in via xl0

    # allow tcp in for ftp, ssh, smtp, httpd
    add 00303 allow tcp from any to any in 21,22,25,80,1 via xl0

    # deny rest of incoming tcp
    add 00309 deny log tcp from any to any in established

    # from man 8 ipfw: allow only outbound tcp connections i've created
    add 00310 allow tcp from any to any out via xl0

    # allow udp in for gateway for DNS
    add 00300 allow udp from 10.0.0.0/24 to 129.105.49.1 53 via xl0

    # allow udp in for nfs shares
    #add 00401 allow udp from 129.x.x.x to any in recv xl0
    #add 00402 allow udp from 129.x.x.x to any in recv xl0

    # allow all udp out from machine
    add 00404 allow udp from any to any out via xl0

    # allow some icmp types (codes not supported)
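An added illustration, not from the thread or either participant: a small Python audit that reads a rule set in the form posted above (an /etc/ipfw.rules file with `add` lines, or `ipfw list` output) and reports the three things the reply raises: whether the implicit rule 65535 is allow (the IPFIREWALL_DEFAULT_TO_ACCEPT kernel), which rules ipfw installs earlier than their position in the file suggests (ipfw orders by rule number, not file order), and whether the set is stateless, i.e. has no check-state/keep-state. The first sample is constructed from the posted rules in file order plus the 65535 line `ipfw list` prints; the second sample is my own stateful variant, assuming a default-deny kernel and no natd divert, and shows the keep-state syntax for comparison.

```python
"""Audit an ipfw(8) ruleset for the three problems raised in the thread:
a default-to-accept rule 65535, rules installed in a different order than
they appear in the file, and a purely stateless rule set."""
import re
from typing import Dict, List

# Constructed sample: the posted /etc/ipfw.rules in file order, plus the
# implicit last rule that `ipfw list` prints. With the kernel option
# IPFIREWALL_DEFAULT_TO_ACCEPT compiled in, rule 65535 reads "allow".
POSTED_RULES = """
add 00100 divert 8668 ip from any to any via xl0
add 00210 allow ip from any to any via lo0
add 00220 deny ip from any to 127.0.0.0/8
add 00230 deny ip from 127.0.0.0/8 to any
add 00303 allow tcp from any to any in 21,22,25,80,1 via xl0
add 00309 deny log tcp from any to any in established
add 00310 allow tcp from any to any out via xl0
add 00300 allow udp from 10.0.0.0/24 to 129.105.49.1 53 via xl0
add 00404 allow udp from any to any out via xl0
65535 allow ip from any to any
"""

# Constructed stateful variant (mine, not from the thread): default-deny
# kernel, no natd divert, one check-state rule, keep-state on every allow.
STATEFUL_RULES = """
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from 127.0.0.0/8 to any
add 00200 check-state
add 00300 allow tcp from any to me 22,80 in via xl0 setup keep-state
add 00310 allow tcp from me to any out via xl0 setup keep-state
add 00320 allow udp from me to any 53 out via xl0 keep-state
add 00400 deny log ip from any to any
65535 deny ip from any to any
"""

# The leading "add" is optional so both a rules file and `ipfw list` parse.
RULE_RE = re.compile(r"^(?:add\s+)?(\d{1,5})\s+(\S+)(.*)$")


def parse_rules(text: str) -> List[Dict]:
    """Return one dict per rule: number, action and the flags we audit."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule line: {line!r}")
        num, action, rest = m.groups()
        tokens = rest.split()
        rules.append({
            "num": int(num),
            "action": action,
            "body": rest.strip(),
            "in": "in" in tokens,
            "keep_state": "keep-state" in tokens,
            "check_state": action == "check-state",
        })
    return rules


def audit(rules: List[Dict]) -> Dict:
    """Report default policy, file/number order mismatches and statefulness."""
    nums = [r["num"] for r in rules]
    default = next((r["action"] for r in rules if r["num"] == 65535), None)
    # ipfw inserts by rule number, so a rule numbered lower than the one
    # before it in the file is evaluated earlier than its position suggests.
    out_of_order = [n for i, n in enumerate(nums) if i and n < nums[i - 1]]
    stateful = any(r["keep_state"] or r["check_state"] for r in rules)
    # allow rules matching inbound traffic that create no state entry
    stateless_in = [r["num"] for r in rules
                    if r["action"] == "allow" and r["in"] and not r["keep_state"]]
    findings = []
    if default == "allow":
        findings.append("rule 65535 is allow: traffic no rule matches passes "
                        "(IPFIREWALL_DEFAULT_TO_ACCEPT kernel)")
    elif default is None:
        findings.append("no rule 65535 in input; check `ipfw list` for the default policy")
    if out_of_order:
        findings.append(f"rules {out_of_order} run earlier than their file position")
    if not stateful:
        findings.append("no check-state/keep-state: stateless set, each flow needs "
                        "both an in and an out rule")
    return {"default_policy": default, "out_of_order": out_of_order,
            "stateful": stateful, "stateless_inbound_allows": stateless_in,
            "findings": findings}


if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULES), ("stateful", STATEFUL_RULES)):
        report = audit(parse_rules(text))
        print(f"[{name}] default={report['default_policy']} stateful={report['stateful']}")
        for finding in report["findings"]:
            print("  -", finding)
```

On a live box, feed it `ipfw list` output (`python3 audit_ipfw.py < <(ipfw list)` after replacing the embedded sample) so the 65535 line reflects what the running kernel actually does rather than what the rules file implies.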
Re: please comment on my nat/ipfw rules (resent)
Hi, you've sold me :) Do you have any good online tutorials to recommend for setting up a gateway/firewall/natd machine using ipfilter/ipnat?

Thanks,
Redmond
RE: please comment on my nat/ipfw rules (resent)
    # suggested is 32768 bytes. Change from 16384. In release 4.5 the defaults
    # for these values changed upwards to what they are below.
    net.inet.tcp.sendspace=32768
    net.inet.tcp.recvspace=65536

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Redmond Militante
Sent: Friday, January 31, 2003 3:37 PM
To: JoeB; [EMAIL PROTECTED]
Subject: Re: please comment on my nat/ipfw rules (resent)

Hi, you've sold me :) Do you have any good online tutorials to recommend for setting up a gateway/firewall/natd machine using ipfilter/ipnat?

Thanks,
Redmond