Re: Dumb IPFW Question

2007-09-27 Thread Ian Smith 
On Wed, 26 Sep 2007 20:46:29 +0100 Chris Yocum [EMAIL PROTECTED] wrote:

   Just to explain a bit, I have installed a FreeBSD 6.2 system on a
  machine to act as a natd router.  I turned on the firewall and set the
  firewall rule script to the one from the handbook
  (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html)
  (Example Ruleset #2 at the bottom).

Despite lots of useful tips, especially regarding stateful rules, there
are a number of problems with some of the information on that page, and
I wouldn't rely on it as a substitute for a thorough study of ipfw(8). 
At the risk of being called on to submit a PR and diff, be particularly
wary of the sections in which the word 'mandatory' appears, and perhaps
compare those rulesets with those in /etc/rc.firewall.  But anyway ..

   After some investigation when I could not get www, I discovered
  that somehow port 53 is blocked even when I explicitly open it.  This
  happens when I uncomment the rule # Reject  Log all unauthorized out
  going connections to the public Internet
  $cmd 450 deny log all from any to any out via $pif.  So essentially,
  when I use that line, I loose my DNS and my www will not work anymore.

I see Chuck already caught your use of 'setup' with udp, which was the
immediate problem.  In fact, the ruleset #2 you used as basis has a rule
for TCP port 53 (needed if you need to transfer zone/s with an outside
DNS server) but had entirely omitted UDP 53 (though the earlier examples
included it), which it seems you must have already noticed.

   Otherwise, it all works great and I could not be happier.  Thank
  you in advance for any help that you may be able to provide.  I am
  sure that it is some small blunder on my part.

One thing lacking in that ruleset is stopping of _outbound_ spoofing of
RFC 1918 etc addresses; refer to the 'simple' section of rc.firewall,
particularly the placement of anti-spoofing rules wrt NATD diversion. 

  # Dup these lines if your ISP has more than one DNS server

Or use an address list in one rule, like addr1,addr2,addr3

  # Get the IP addresses from /etc/resolv.conf file
  $cmd 023 $skip udp from any to isp dns ip 53 out via $pif setup keep-state
  $cmd 024 $skip udp from any to isp dns ip 53 out via $pif setup keep-state
  $cmd 025 $skip udp from any to isp dns ip 53 out via $pif setup keep-state

As you've found, dropping 'setup' will make these work.

  # Allow out ping
  $cmd 080 $skip icmp from any to any out via $pif keep-state

I'm not sure if this is sufficient to allow icmptypes needed by TCP for
MTU discovery? but I allow these types specifically and not statefully. 
  
  # Deny all Netbios service. 137=name, 138=datagram, 139=session
  # Netbios is MS/Windows sharing services.
  # Block MS/Windows hosts2 name server requests 81
  $cmd 320 deny tcp from any to any 137 in via $pif
  $cmd 321 deny tcp from any to any 138 in via $pif
  $cmd 322 deny tcp from any to any 139 in via $pif
  $cmd 323 deny tcp from any to any 81  in via $pif

I've noticed other people just copying these rules from this example,
but 137 and 138 are on UDP, not TCP, while 139 is a TCP service.  Still,
unless you wanted to count these individually, the 'deny everything not
specifically allowed' rule will catch these anyhow.  And if you've got
windows boxes NAT'd on the inside you should block these going OUT too.

eg for TCP:
#% first take out the VAST bulk of TCP bogons / background noise:
crap=135,139,445,1433,2967,2968,4899,5900
crap=${crap},8000,8080,3128
${fwadd} deny log $afew tcp from any to any ${crap} in via ${ext_if} 
setup
# RejectLog all other setup of incoming connections from the outside
${fwadd} deny log $lots tcp from any to any in via ${ext_if} setup
and for UDP:
#% first cut out most of the heavy duty noise (incl broken insiders)
junk=137,138,1433,1434
junk=${junk},3544 # XP home calls home? MS ipV6 'Toredo'
${fwadd} deny udp from any to any ${junk} via ${ext_if}

  #allow in information from the ISP's DNS
  $cmd 361 allow udp from ip dns ip 53 to any in via $pif keep-state
  $cmd 362 allow udp from ip dns ip 53 to any in via $pif keep-state

These are not useful, since you're using outbound UDP keep-state on 53.
If you're running a public DNS server, you'd need to allow inbound DNS
in from anyone, not (just) your ISP.

HTH, Ian

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Dumb IPFW Question

2007-09-26 Thread Chuck Swiger 

On Sep 26, 2007, at 12:46 PM, Chris Yocum wrote:
[ ... ]

 I also get Sep 26 20:09:17 routy kernel: ipfw: 450 Deny UDP my
router outside IP:53 my isp dns ip:53 out via sis0 in my
/var/log/security file.  I have appended the ipfw rules below so you
can see all the changes that I made from the original.


The setup keyword should only be used with TCP packets; trying to use  
it with UDP traffic will cause your pass-through rules (#23-25) to  
not match the traffic you want them to match...


--
-Chuck

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Dumb IPFW Question

2007-09-26 Thread Chris Yocum 
Hi,
 Yep, it was a blunder by me.  Thank you very much!

Chris

On 9/26/07, Chuck Swiger [EMAIL PROTECTED] wrote:
 On Sep 26, 2007, at 12:46 PM, Chris Yocum wrote:
 [ ... ]
   I also get Sep 26 20:09:17 routy kernel: ipfw: 450 Deny UDP my
  router outside IP:53 my isp dns ip:53 out via sis0 in my
  /var/log/security file.  I have appended the ipfw rules below so you
  can see all the changes that I made from the original.

 The setup keyword should only be used with TCP packets; trying to use
 it with UDP traffic will cause your pass-through rules (#23-25) to
 not match the traffic you want them to match...

 --
 -Chuck


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]