Re: Dumb IPFW Question

2007-09-27 Thread Ian Smith
On Wed, 26 Sep 2007 20:46:29 +0100 Chris Yocum [EMAIL PROTECTED] wrote:

  Just to explain a bit, I have installed a FreeBSD 6.2 system on a
  machine to act as a natd router.  I turned on the firewall and set the
  firewall rule script to the one from the handbook
  (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html)
  (Example Ruleset #2 at the bottom).

Despite lots of useful tips, especially regarding stateful rules, there
are a number of problems with some of the information on that page, and
I wouldn't rely on it as a substitute for a thorough study of ipfw(8). 
At the risk of being called on to submit a PR and diff, be particularly
wary of the sections in which the word 'mandatory' appears, and perhaps
compare those rulesets with those in /etc/rc.firewall.  But anyway ..

  After some investigation when I could not get www, I discovered
  that somehow port 53 is blocked even when I explicitly open it.  This
  happens when I uncomment the rule # Reject & Log all unauthorized out
  going connections to the public Internet
  $cmd 450 deny log all from any to any out via $pif.  So essentially,
  when I use that line, I lose my DNS and my www will not work anymore.

I see Chuck already caught your use of 'setup' with udp, which was the
immediate problem.  In fact, the ruleset #2 you used as basis has a rule
for TCP port 53 (needed if you need to transfer zone/s with an outside
DNS server) but had entirely omitted UDP 53 (though the earlier examples
included it), which it seems you must have already noticed.

  Otherwise, it all works great and I could not be happier.  Thank
  you in advance for any help that you may be able to provide.  I am
  sure that it is some small blunder on my part.

One thing lacking in that ruleset is stopping of _outbound_ spoofing of
RFC 1918 etc addresses; refer to the 'simple' section of rc.firewall,
particularly the placement of anti-spoofing rules wrt NATD diversion. 

  # Dup these lines if your ISP has more than one DNS server

Or use an address list in one rule, like addr1,addr2,addr3

  # Get the IP addresses from /etc/resolv.conf file
  $cmd 023 $skip udp from any to isp dns ip 53 out via $pif setup keep-state
  $cmd 024 $skip udp from any to isp dns ip 53 out via $pif setup keep-state
  $cmd 025 $skip udp from any to isp dns ip 53 out via $pif setup keep-state

As you've found, dropping 'setup' will make these work.

  # Allow out ping
  $cmd 080 $skip icmp from any to any out via $pif keep-state

I'm not sure if this is sufficient to allow the icmptypes needed by TCP for
MTU discovery, but I allow these types specifically and not statefully.
  
  # Deny all Netbios service. 137=name, 138=datagram, 139=session
  # Netbios is MS/Windows sharing services.
  # Block MS/Windows hosts2 name server requests 81
  $cmd 320 deny tcp from any to any 137 in via $pif
  $cmd 321 deny tcp from any to any 138 in via $pif
  $cmd 322 deny tcp from any to any 139 in via $pif
  $cmd 323 deny tcp from any to any 81  in via $pif

I've noticed other people just copying these rules from this example,
but 137 and 138 are on UDP, not TCP, while 139 is a TCP service.  Still,
unless you wanted to count these individually, the 'deny everything not
specifically allowed' rule will catch these anyhow.  And if you've got
windows boxes NAT'd on the inside you should block these going OUT too.

eg for TCP:
#% first take out the VAST bulk of TCP bogons / background noise:
crap=135,139,445,1433,2967,2968,4899,5900
crap=${crap},8000,8080,3128
${fwadd} deny log $afew tcp from any to any ${crap} in via ${ext_if} setup
# Reject & Log all other setup of incoming connections from the outside
${fwadd} deny log $lots tcp from any to any in via ${ext_if} setup
and for UDP:
#% first cut out most of the heavy duty noise (incl broken insiders)
junk=137,138,1433,1434
junk=${junk},3544 # XP home calls home? MS ipV6 'Teredo'
${fwadd} deny udp from any to any ${junk} via ${ext_if}

  #allow in information from the ISP's DNS
  $cmd 361 allow udp from ip dns ip 53 to any in via $pif keep-state
  $cmd 362 allow udp from ip dns ip 53 to any in via $pif keep-state

These are not useful, since you're using outbound UDP keep-state on 53.
If you're running a public DNS server, you'd need to allow inbound DNS
in from anyone, not (just) your ISP.

HTH, Ian

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Dumb IPFW Question

2007-09-26 Thread Chuck Swiger

On Sep 26, 2007, at 12:46 PM, Chris Yocum wrote:
[ ... ]

 I also get Sep 26 20:09:17 routy kernel: ipfw: 450 Deny UDP my
router outside IP:53 my isp dns ip:53 out via sis0 in my
/var/log/security file.  I have appended the ipfw rules below so you
can see all the changes that I made from the original.


The setup keyword should only be used with TCP packets; trying to use  
it with UDP traffic will cause your pass-through rules (#23-25) to  
not match the traffic you want them to match...


--
-Chuck
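A small lint pass, added here as an example and not part of either reply, that flags the two mistakes raised in this thread: `setup` on a non-TCP rule (Chuck's point) and NetBIOS 137/138 written as TCP rules (Ian's point). The sample ruleset is constructed from the lines discussed above, with 192.0.2.53 standing in for the ISP's DNS address.

```python
import re

# NetBIOS: 137 (name) and 138 (datagram) ride on UDP; 139 (session) is TCP.
NETBIOS_UDP = {137, 138}
NETBIOS_TCP = {139}
PROTOS = {"tcp", "udp", "icmp", "ip", "all"}
STOP = {"in", "out", "via", "setup", "keep-state", "uid"}
PORTLIST = re.compile(r"\d+(,\d+)*")

def parse_rule(line):
    """Rule number, protocol, destination ports and setup flag of one '$cmd NNN ...' line."""
    toks = line.split()
    if len(toks) < 4 or toks[0] != "$cmd" or not toks[1].isdigit():
        return None
    proto = next((t for t in toks[2:] if t in PROTOS), None)
    if proto is None:
        return None
    ports = set()
    if "to" in toks:
        # destination ports: first numeric token after "to <dst>", before any option keyword
        for t in toks[toks.index("to") + 1:]:
            if t in STOP:
                break
            if PORTLIST.fullmatch(t):
                ports = {int(p) for p in t.split(",")}
                break
    return {"num": int(toks[1]), "proto": proto, "ports": ports, "setup": "setup" in toks}

def lint(script):
    """(rule number, message) for each rule that cannot do what its comment says it does."""
    findings = []
    for line in script.splitlines():
        r = parse_rule(line)
        if r is None:
            continue
        if r["setup"] and r["proto"] != "tcp":
            findings.append((r["num"], "setup is TCP-only; this %s rule never matches" % r["proto"]))
        if r["proto"] == "tcp" and r["ports"] & NETBIOS_UDP:
            findings.append((r["num"], "NetBIOS 137/138 are UDP, so a tcp deny blocks nothing"))
        if r["proto"] == "udp" and r["ports"] & NETBIOS_TCP:
            findings.append((r["num"], "NetBIOS 139 is TCP, not UDP"))
    return findings

# Constructed sample from the thread; 192.0.2.53 (a documentation address) stands in for the ISP DNS.
SAMPLE = """\
$cmd 023 $skip udp from any to 192.0.2.53 53 out via $pif setup keep-state
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 361 allow udp from 192.0.2.53 53 to any in via $pif keep-state
"""
```

Running `lint(SAMPLE)` reports rules 023, 320 and 321; the same function can be pointed at the full script Chris posted once its placeholder addresses are filled in.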



Re: Dumb IPFW Question

2007-09-26 Thread Chris Yocum
Hi,
 Yep, it was a blunder by me.  Thank you very much!

Chris

On 9/26/07, Chuck Swiger [EMAIL PROTECTED] wrote:
 On Sep 26, 2007, at 12:46 PM, Chris Yocum wrote:
 [ ... ]
   I also get Sep 26 20:09:17 routy kernel: ipfw: 450 Deny UDP my
  router outside IP:53 my isp dns ip:53 out via sis0 in my
  /var/log/security file.  I have appended the ipfw rules below so you
  can see all the changes that I made from the original.

 The setup keyword should only be used with TCP packets; trying to use
 it with UDP traffic will cause your pass-through rules (#23-25) to
 not match the traffic you want them to match...

 --
 -Chuck




Dumb IPFW Question

2007-09-26 Thread Chris Yocum
Hi Everyone,
 Just to explain a bit, I have installed a FreeBSD 6.2 system on a
machine to act as a natd router.  I turned on the firewall and set the
firewall rule script to the one from the handbook
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html)
(Example Ruleset #2 at the bottom).
 After some investigation when I could not get www, I discovered
that somehow port 53 is blocked even when I explicitly open it.  This
happens when I uncomment the rule # Reject & Log all unauthorized out
going connections to the public Internet
$cmd 450 deny log all from any to any out via $pif.  So essentially,
when I use that line, I lose my DNS and my www will not work anymore.
 I also get Sep 26 20:09:17 routy kernel: ipfw: 450 Deny UDP my
router outside IP:53 my isp dns ip:53 out via sis0 in my
/var/log/security file.  I have appended the ipfw rules below so you
can see all the changes that I made from the original.
 Otherwise, it all works great and I could not be happier.  Thank
you in advance for any help that you may be able to provide.  I am
sure that it is some small blunder on my part.

Thanks!,
Chris

#!/bin/sh
cmd="ipfw -q add"
skip="skipto 800"
pif="sis0" # public interface name of NIC
  # facing the public Internet

#
# No restrictions on Inside LAN Interface for private network
# Change xl0 to your LAN NIC interface name
#
$cmd 005 allow all from any to any via xl0

#
# No restrictions on Loopback Interface
#
$cmd 010 allow all from any to any via lo0

#
# check if packet is inbound and nat address if it is
#
$cmd 014 divert natd ip from any to any in via $pif

#
# Allow the packet through if it has previously been added to the
# dynamic rules table by an allow keep-state statement.
#
$cmd 015 check-state

#
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public Internet.
#

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 023 $skip udp from any to isp dns ip 53 out via $pif setup keep-state
$cmd 024 $skip udp from any to isp dns ip 53 out via $pif setup keep-state
$cmd 025 $skip udp from any to isp dns ip 53 out via $pif setup keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to isp dhcp 67 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
#for some reason this is the university's IMAP setting
$cmd 062 $skip tcp from any to any 993 out via $pif setup keep-state

# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root GOD privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state

# allow out VPN
$cmd 140 $skip tcp from any to any 1723 out via $pif keep-state

#
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300