Re: ipfw subnetting
> can anyone suggest what i'm doing wrong here.
> Desired: drop everything from 180.0.0.0 to 180.255.255.255
>
> ipfw -q add 137 deny all from 180.0.0.0/8 to any

Nothing wrong. All is fine.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: ipfw subnetting
In freebsd-questions Digest, Vol 416, Issue 1, Message: 26
On Mon, 21 May 2012 10:06:12 +0100 Paul Macdonald p...@ifdnrg.com wrote:

> can anyone suggest what i'm doing wrong here.
> Desired: drop everything from 180.0.0.0 to 180.255.255.255
>
> ipfw -q add 137 deny all from 180.0.0.0/8 to any

t23# ipfw -q add 137 deny all from 180.0.0.0/8 to any
t23# ipfw show 137
00137 0 0 deny ip from 180.0.0.0/8 to any

So what doesn't work? (apart from scattergun removal of small pieces of a whole lot of Asian countries, incl. Japan, Indonesia, Australia, .. :)

cheers, Ian
Re: ipfw subnetting
On 21/05/2012 14:50, Ian Smith wrote:
> In freebsd-questions Digest, Vol 416, Issue 1, Message: 26
> On Mon, 21 May 2012 10:06:12 +0100 Paul Macdonald p...@ifdnrg.com wrote:
>
>> can anyone suggest what i'm doing wrong here.
>> Desired: drop everything from 180.0.0.0 to 180.255.255.255
>>
>> ipfw -q add 137 deny all from 180.0.0.0/8 to any
>
> t23# ipfw -q add 137 deny all from 180.0.0.0/8 to any
> t23# ipfw show 137
> 00137 0 0 deny ip from 180.0.0.0/8 to any
>
> So what doesn't work? (apart from scattergun removal of small pieces of a
> whole lot of Asian countries, incl. Japan, Indonesia, Australia, .. :)

It was intended as a required temporary measure, but even though it was listed in my ipfw list, I was/am still seeing traffic coming in via addresses such as 180.248.x.x

A very open firewall test script is as follows:

00010 allow ip from any to any via lo0
00081 deny log ip from 180.0.0.0/8 to any
00100 check-state
00101 allow tcp from any to any established
00102 allow ip from any to any out keep-state
00103 allow icmp from any to any
65535 deny ip from any to any

but I'm still seeing traffic from

180.149.29.102
180.234.116.61
180.234.36.44
180.234.237.119
180.234.72.115

I must be doing something wrong!

Paul.

> cheers, Ian

--
Paul Macdonald
IFDNRG Ltd
Web and video hosting
t: 0131 5548070
m: 07970339546 PLEASE NOTE NEW MOBILE
e: p...@ifdnrg.com
w: http://www.ifdnrg.com
IFDNRG
40 Maritime Street
Edinburgh
EH6 6SA
Re: ipfw subnetting
On Mon, May 21, 2012 at 8:30 AM, Paul Macdonald p...@ifdnrg.com wrote:

> A very open firewall test script is as follows:
>
> 00010 allow ip from any to any via lo0
> 00081 deny log ip from 180.0.0.0/8 to any
> 00100 check-state

You don't need the following

> 00101 allow tcp from any to any established

This may not do what you think - out does not necessarily mean out your external interface. Packets can go in and out (from the perspective of the ruleset) more than once. And you want only to start a dynamic rule for legitimate TCP traffic, which means tcpflags syn,!ack - See below

> 00102 allow ip from any to any out keep-state

and you probably want to be selective about which ICMP you allow

> 00103 allow icmp from any to any
> 65535 deny ip from any to any

It's also helpful (most of the time) to be explicit about the interface. Is this ruleset just protecting this host itself, or are you using it as a firewall for an internal network?

ipfw add allow ip from any to any via lo0
ipfw add allow ip from $local_net to $local_net
ipfw add deny log ip from 180.0.0.0/8 to any in recv $ext_if
ipfw add check-state
ipfw add allow tcp from any to any out xmit $ext_if setup keep-state
ipfw add allow udp from any to any out xmit $ext_if keep-state
ipfw add allow icmp from any to any out xmit $ext_if keep-state
ipfw add allow icmp from any to any in recv $ext_if icmptypes 3,8,11
ipfw add deny ip from any to any
Re: ipfw subnetting
On 21/05/2012 16:44, Michael Sierchio wrote:
> On Mon, May 21, 2012 at 8:30 AM, Paul Macdonald p...@ifdnrg.com wrote:
>
>> A very open firewall test script is as follows:
>>
>> 00010 allow ip from any to any via lo0
>> 00081 deny log ip from 180.0.0.0/8 to any
>> 00100 check-state
>
> You don't need the following
>
>> 00101 allow tcp from any to any established
>
> This may not do what you think - out does not necessarily mean out your
> external interface. Packets can go in and out (from the perspective of the
> ruleset) more than once. And you want only to start a dynamic rule for
> legitimate TCP traffic, which means tcpflags syn,!ack - See below
>
>> 00102 allow ip from any to any out keep-state
>
> and you probably want to be selective about which ICMP you allow
>
>> 00103 allow icmp from any to any
>> 65535 deny ip from any to any
>
> It's also helpful (most of the time) to be explicit about the interface.
> Is this ruleset just protecting this host itself, or are you using it as a
> firewall for an internal network?
>
> ipfw add allow ip from any to any via lo0
> ipfw add allow ip from $local_net to $local_net
> ipfw add deny log ip from 180.0.0.0/8 to any in recv $ext_if
> ipfw add check-state
> ipfw add allow tcp from any to any out xmit $ext_if setup keep-state
> ipfw add allow udp from any to any out xmit $ext_if keep-state
> ipfw add allow icmp from any to any out xmit $ext_if keep-state
> ipfw add allow icmp from any to any in recv $ext_if icmptypes 3,8,11
> ipfw add deny ip from any to any

This is for one host only, so I'm not so worried about interfaces.. not worried about icmp either.. I'm still seeing this traffic coming in, can anyone help with this simpler config to keep 180.0.0.0 out?

IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
$IPF 50 check-state
#$IPF 51 allow tcp from any to any established   # DISABLED PER SUGGESTION
#$IPF 52 allow all from any to any out keep-state   # DISABLED PER SUGGESTION
$IPF 53 allow icmp from any to any   # (am ok with this)

#temp wide reaching filter
$IPF 137 deny all from 180.0.0.0/8 to any

#Allows for ports
$IPF 181 allow tcp from any to any 21
$IPF 183 allow tcp from any to any 25
#...etc

#Another attempt to get rid of 180.x.x.x in case it is last match??
$IPF 450 deny all from 180.0.0.0/8 to any

# deny and log everything
$IPF 499 deny udp from any to any
$IPF 5000 deny log all from any to any
$IPF 5010 deny icmp from any to any
Re: ipfw subnetting
Paul Macdonald wrote:
[snip]

It has been many years since I used IPFW as I moved on to IPFILTER, and then on to PF which is what I use now. I don't even recall exactly why I chose to utilize both setting directionality of flow per specific interface.

I suspect that somehow there is some rule occurring prior to your block rule that is somehow allowing the traffic to pass.

Bear in mind the following ruleset (specified in /etc/rc.conf via firewall_script=/etc/firewall/fwrules) is for a tributary end-point using a ppp dialup modem connection. It may not be suitable for a proper network to network firewall. I used it for years, and as far as I know it worked well (I am not an expert). It is also doing NAT which you may not be doing (that would just be one line difference in any case, the DIVERT line).

# Firewall rules
fwcmd=/sbin/ipfw
$fwcmd -f flush
$fwcmd add allow all from any to any via lo0
$fwcmd add allow all from any to any via xl0
$fwcmd add deny log all from any to 127.0.0.0/8

# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via ppp0
$fwcmd add deny log ip from 172.16.0.0/12 to any in via ppp0
$fwcmd add deny log ip from 10.0.0.0/8 to any in via ppp0
$fwcmd add deny log ip from any to 192.168.0.0/16 in via ppp0
$fwcmd add deny log ip from any to 172.16.0.0/12 in via ppp0
$fwcmd add deny log ip from any to 10.0.0.0/8 in via ppp0

# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via ppp0
$fwcmd add deny all from 169.254.0.0/16 to any in via ppp0
$fwcmd add deny all from 192.0.2.0/24 to any in via ppp0
$fwcmd add deny all from 224.0.0.0/4 to any in via ppp0
$fwcmd add deny all from 240.0.0.0/4 to any in via ppp0
$fwcmd add deny all from any to 0.0.0.0/8 in via ppp0
$fwcmd add deny all from any to 169.254.0.0/16 in via ppp0
$fwcmd add deny all from any to 192.0.2.0/24 in via ppp0
$fwcmd add deny all from any to 224.0.0.0/4 in via ppp0
$fwcmd add deny all from any to 240.0.0.0/4 in via ppp0

$fwcmd add divert natd all from any to any via ppp0
$fwcmd add check-state
$fwcmd add allow tcp from any to any 80 via ppp0   # port opened for web server - tcp_drop_synfin was removed
$fwcmd add deny log udp from any to me in recv ppp0
$fwcmd add allow udp from any to any via ppp0 keep-state
$fwcmd add allow log icmp from any to any icmptypes 3,4
$fwcmd add deny log tcp from any to any in recv ppp0 setup
$fwcmd add allow tcp from any to any out xmit ppp0 setup keep-state
$fwcmd add allow tcp from any to any via ppp0 established keep-state
$fwcmd add allow log icmp from any to any icmptypes 8 out xmit ppp0
$fwcmd add allow log icmp from any to any icmptypes 0 in recv ppp0
$fwcmd add allow log icmp from any to any icmptypes 11 in recv ppp0
$fwcmd add 65432 deny log tcp from any to any
$fwcmd add 65433 deny log udp from any to any
$fwcmd add 65434 deny log icmp from any to any
$fwcmd add 65435 deny log ip from any to any

The main thing that would change for you immediately would be to alter the interface of ppp0 to the exterior interface on your box that is facing the outside Internet. And '$fwcmd add allow all from any to any via xl0' - here xl0 would be whichever is your interior LAN facing interface.

Perhaps this example may be useful to you. If you can get something that works and others can find flaws in my approach it can be improved further.

-Mike
Re: ipfw subnetting
On Mon, 21 May 2012 16:30:59 +0100, Paul Macdonald wrote:
> On 21/05/2012 14:50, Ian Smith wrote:
>> In freebsd-questions Digest, Vol 416, Issue 1, Message: 26
>> On Mon, 21 May 2012 10:06:12 +0100 Paul Macdonald p...@ifdnrg.com wrote:
>>
>>> can anyone suggest what i'm doing wrong here.
>>> Desired: drop everything from 180.0.0.0 to 180.255.255.255
>>>
>>> ipfw -q add 137 deny all from 180.0.0.0/8 to any
>>
>> t23# ipfw -q add 137 deny all from 180.0.0.0/8 to any
>> t23# ipfw show 137
>> 00137 0 0 deny ip from 180.0.0.0/8 to any
>>
>> So what doesn't work? (apart from scattergun removal of small pieces of a
>> whole lot of Asian countries, incl. Japan, Indonesia, Australia, .. :)
>
> it was intended as a required temporary measure, but even though it was
> listed in my ipfw list, i was/am still seeing traffic coming in via
> addresses such as 180.248.x.x

Ok. Coming in to what service/s?

> A very open firewall test script is as follows:
>
> 00010 allow ip from any to any via lo0
> 00081 deny log ip from 180.0.0.0/8 to any
> 00100 check-state
> 00101 allow tcp from any to any established
> 00102 allow ip from any to any out keep-state
> 00103 allow icmp from any to any
> 65535 deny ip from any to any
>
> but i'm still seeing traffic from
>
> 180.149.29.102

Banglalion Communications Ltd. WiMAX Operator. Bangladesh.

> 180.234.116.61
> 180.234.36.44
> 180.234.237.119
> 180.234.72.115

Augere Wireless Broadband Bangladesh Limited. (FWIW)

> I must be doing something wrong!

If you're using just that order, denying 180/8 BEFORE the check-state, then incoming traffic from 180/8 not being dropped (and logged) at rule 81 would represent a serious bug in ipfw, worthy of a PR.

But this may not be quite as it seems .. for example, even when dropped you'll see such packets from tcpdump, which are hooked before the firewall. Where and how, past the firewall, are you detecting this traffic? What sort of traffic?

Are you sure sysctl net.inet.ip.fw.enable=1 ?

Seeing `ipfw show` over a period, even better `ipfw -t show` with timestamps, could convince us the firewall was actually otherwise working ..

In your later post to Michael you had that rule 137 AFTER check-state, which means that packets from 180/8 - in response to outbound requests by you (or your rootkit :) to those addresses - might indeed pass.

> 00102 allow ip from any to any out keep-state

keep-state for 'ip' or 'all' traffic (rather than specifying tcp, udp or icmp) doesn't make much sense, and could have dangerous consequences of allowing any sort of return traffic from (say) 180/8 initiated from your end, but only if check-state were BEFORE you've denied 180/8 traffic.

Rather than show the script, please post results from ipfw show, and a few of the log entries of denied packets (with your addresses obscured if need be). And some logging from where you're detecting those hosts?

cheers, Ian
Re: ipfw subnetting
On 21/05/2012 17:01, Paul Macdonald wrote:
> On 21/05/2012 16:44, Michael Sierchio wrote:
>> On Mon, May 21, 2012 at 8:30 AM, Paul Macdonald p...@ifdnrg.com wrote:
>>> A very open firewall test script is as follows:

This is now resolved. I hadn't realised (embarrassingly) that ipfw list will show rules even if the fw is disabled. At some point during debugging I think I'd disabled the firewall and not re-enabled, and on seeing rules listed assumed it was actually on.

This was web traffic, coming in from 5-6 very wide ranges, with a referrer of http://bdsclickcenter.com/en/surf/view/75967

Not sure why they've become interested in one of my clients sites, but they have probably hit the server from several 100k ip's. mod_rewrite has been serving them 403's for over 24 hrs, but that doesn't seem to bother them!

Thanks to those who took the time to help.
Re: ipfw subnetting
On Mon, May 21, 2012 at 10:19 AM, Paul Macdonald p...@ifdnrg.com wrote:

> this is now resolved, i hadn't realised (embarrassingly) that ipfw list
> will show rules even if the fw is disabled.

You should consider using tables, which allow you to add ad hoc nets, etc. and you can swap rulesets atomically so you can manipulate tables and then deploy them.

ipfw add deny ip from table\(1\) to any

etc.
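Three points in this thread can be checked without a FreeBSD box: Ian's observation that a 180/8 deny placed AFTER check-state lets replies to your own outbound connections through, Paul's finding that a ruleset listed by `ipfw show` is not necessarily an enabled one, and Michael's suggestion to match on a table instead of editing rules. The following is an added example, not ipfw code and not written by any poster: a small Python model of ipfw's first-match evaluation with dynamic rules (check-state / keep-state), table(N) source matching and the net.inet.ip.fw.enable switch. The Packet, Rule and Ipfw names, the 203.0.113.10 host and all traffic are constructed for the example, and the model covers only the handful of rule options this thread uses.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:               # constructed stand-in, not a real ipfw structure
    src: str
    dst: str
    direction: str = "in"   # "in" or "out" as the firewall sees it
    setup: bool = False     # TCP SYN without ACK, ipfw's 'setup'
    sport: int = 0
    dport: int = 0

@dataclass
class Rule:                 # the subset of ipfw rule syntax used in this thread
    num: int
    action: str             # "allow", "deny" or "check-state"
    src: str = "any"        # "any", a CIDR, or "table(N)"
    direction: str = "any"
    setup: bool = False
    keep_state: bool = False

class Ipfw:
    def __init__(self, rules, tables=None, enabled=True):
        self.rules = sorted(rules, key=lambda r: r.num)   # first match wins
        self.tables = {n: [ipaddress.ip_network(c) for c in nets]
                       for n, nets in (tables or {}).items()}
        self.enabled = enabled    # stands in for sysctl net.inet.ip.fw.enable
        self.dynamic = set()      # flows recorded by keep-state rules

    def add_to_table(self, num, cidr):   # like 'ipfw table N add CIDR'
        self.tables.setdefault(num, []).append(ipaddress.ip_network(cidr))

    def _src_matches(self, rule, pkt):
        if rule.src == "any":
            return True
        addr = ipaddress.ip_address(pkt.src)
        if rule.src.startswith("table("):
            num = int(rule.src[len("table("):-1])
            return any(addr in net for net in self.tables.get(num, []))
        return addr in ipaddress.ip_network(rule.src)

    def _matches(self, rule, pkt):
        return (self._src_matches(rule, pkt)
                and rule.direction in ("any", pkt.direction)
                and (not rule.setup or pkt.setup))

    def evaluate(self, pkt):
        """Return (verdict, number of the rule that decided it)."""
        if not self.enabled:
            return "allow", 0     # 'ipfw show' lists rules nobody consults
        # A dynamic rule matches both directions of the flow that created it.
        flow = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        for rule in self.rules:
            if rule.action == "check-state":
                if flow in self.dynamic:
                    return "allow", rule.num
                continue
            if not self._matches(rule, pkt):
                continue
            if rule.action == "allow" and rule.keep_state:
                self.dynamic.add(flow)
            return rule.action, rule.num
        return "deny", 65535      # the implicit default rule

# Constructed traffic: this host (203.0.113.10) opens a TCP connection to a
# 180/8 address, the peer replies, and a third party in 180/8 connects unasked.
OUT = Packet("203.0.113.10", "180.248.1.1", "out", True, 40000, 80)
BACK = Packet("180.248.1.1", "203.0.113.10", sport=80, dport=40000)
UNSOLICITED = Packet("180.149.29.102", "203.0.113.10", setup=True,
                     sport=51000, dport=80)

def deny_before_check_state():   # Paul's first ruleset: deny ahead of check-state
    fw = Ipfw([Rule(81, "deny", src="180.0.0.0/8"),
               Rule(100, "check-state"),
               Rule(102, "allow", direction="out", keep_state=True)])
    return fw.evaluate(OUT), fw.evaluate(BACK), fw.evaluate(UNSOLICITED)

def deny_after_check_state():    # deny behind check-state: the reply rides the dynamic rule
    fw = Ipfw([Rule(50, "check-state"),
               Rule(52, "allow", direction="out", setup=True, keep_state=True),
               Rule(137, "deny", src="180.0.0.0/8")])
    return fw.evaluate(OUT), fw.evaluate(BACK), fw.evaluate(UNSOLICITED)

def firewall_disabled():         # rules loaded but net.inet.ip.fw.enable=0
    fw = Ipfw([Rule(137, "deny", src="180.0.0.0/8")], enabled=False)
    return fw.evaluate(UNSOLICITED)

def table_driven():              # Michael's suggestion: deny from table(1)
    fw = Ipfw([Rule(81, "deny", src="table(1)"),
               Rule(100, "check-state"),
               Rule(200, "allow", direction="in")],   # e.g. an open web server
              tables={1: ["180.0.0.0/8"]})
    other = Packet("198.51.100.7", "203.0.113.10", setup=True, sport=51001, dport=80)
    before = fw.evaluate(other)             # not in the table: reaches rule 200
    fw.add_to_table(1, "198.51.100.0/24")   # one table edit, no rule renumbering
    after = fw.evaluate(other)              # now stopped at rule 81
    return before, after, fw.evaluate(UNSOLICITED)
```

With the deny in front of check-state, the reply from 180.248.1.1 is dropped at rule 81 even though this host started the connection; with the deny behind it, that same reply is accepted by check-state at rule 50 while the unsolicited connection is still stopped at 137, which is exactly the distinction Ian draws. `firewall_disabled` returns allow at "rule 0" for everything, the situation Paul found himself in. In `table_driven`, adding a second network to table 1 changes the verdict for 198.51.100.7 from allow (rule 200) to deny (rule 81) without renumbering or re-adding any rule.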