Re: IPFW Rules and Games

2007-11-04 Thread Jack Barnett

[EMAIL PROTECTED] wrote:

So basically the ruleset should be simple:

ipfw -f flush
# allow lo0 stuff
# block some spoofs/attacks
# if you are hosting gameservers from 192.168.17.3 or whatever,
# you should (manually) open server ports, in other words, add
# routes to 192.168.17.3 to specific server ports
ipfw add divert natd all from any to any via $outside_interface
ipfw add allow all from any to any
# block some more spoofs/attacks :)
# define services (like you did with http)

Sorry, this didn't work.


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: IPFW Rules and Games

2007-11-04 Thread deeptech71

Jack Barnett wrote:

[EMAIL PROTECTED] wrote:

So basically the ruleset should be simple:

ipfw -f flush
# allow lo0 stuff
# block some spoofs/attacks
# if you are hosting gameservers from 192.168.17.3 or whatever,
# you should (manually) open server ports, in other words, add
# routes to 192.168.17.3 to specific server ports
ipfw add divert natd all from any to any via $outside_interface
ipfw add allow all from any to any
# block some more spoofs/attacks :)
# define services (like you did with http)

Sorry, this didn't work.





Just without any security concerns, try this script:

#!/bin/sh
ipfw -f flush
ipfw add divert natd all from any to any via xl0
ipfw add allow all from any to any

But please tell me, what kind of internet connection do you have? You 
said you have a Dynamic IP. Are you connecting to the Internet via 
ppp? If so, replace xl0 up there with tun0 (or whatever tunnel ppp created).


Here's my stuff:

::: /etc/natd.conf :::
dynamic           yes
same_ports        yes
deny_incoming     yes
unregistered_only yes
redirect_address  192.168.123.254 0.0.0.0

::: part of /etc/rc.conf :::

# [...]

ifconfig_rl0="inet 192.168.123.254 netmask 255.255.255.0"
ifconfig_ed0="up" # -- this is the external one
  # plus there is a tun0 for PPPoE

firewall_enable="YES"
firewall_script="/etc/ipfw.rules" # something like the above script

gateway_enable="YES"
router_enable="NO"

natd_enable="YES"
natd_interface="tun0"
natd_flags="-f /etc/natd.conf"

ppp_enable="YES"

# [...]


IPFW Rules and Games

2007-11-02 Thread Jack Barnett


Lots of people play games here and it's basically a pain to keep trying to 
get these stupid things to work with individual rules for each.


I'm running FreeBSD 6.x with IPFW/natd

I get a dynamic IP from my ISP and the internal nic is 192.168.17.1
Everything inside the network is 192.168.17.xxx

The setup is this:
192.168.17.x  -- 192.168.17.1 [FreeBSD] Dynamic IP -- {Random Game 
Server on the Internets}

[Internet Network(GAME)] -- [FreeBSD] -- {Internets}

There are a bunch of games that send out TCP/UDP packets (and who knows 
what else) on different ports to different destinations and then
receive data back on random ports.  Basically, anything on any 
protocol from the internal network should be able to establish and set up 
connections out AND be allowed to receive data back from whomever they 
connected out to; but random hosts trying to connect in should be blocked.


I added this for a temporary fix:
   ${fwcmd} add pass all from any to any

I don't think that is the right answer; that allows too much in?

I've tried these per the docs:

   ${fwcmd} add allow all from any to any out via {$iip} setup
   ${fwcmd} add allow all from any to any out via {$iip} established
   ${fwcmd} add allow all from any to any in via {$iip} established

and also a bunch of others; but none of them worked.

Here is my full config:
# simple
[Ss][Ii][Mm][Pp][Ll][Ee])

   # This is a prototype setup for a simple firewall.  Configure this
   # machine as a DNS and NTP server, and point all the machines
   # on the inside at this machine for those services.

   # set these to your outside interface network and netmask and ip
   oif=xl0
   onet=`ifconfig xl0 | grep inet  | awk '{print $6}'`
   omask=0xfe00
   oip=`ifconfig xl0 | grep inet  | awk '{print $2}'`

   # set these to your inside interface network and netmask and ip
   iif=dc1
   inet=192.168.17.0
   imask=0xff00
   iip=192.168.17.1

   setup_loopback

   # Stop spoofing
   ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
   ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

   # Stop RFC1918 nets on the outside interface
   ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
   ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
   ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

   # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
   # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
   # on the outside interface
   ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
   ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
   ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
   ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
   ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

   # Network Address Translation.  This rule is placed here deliberately
   # so that it does not interfere with the surrounding address-checking
   # rules.  If for example one of your internal LAN machines had its IP
   # address set to 192.0.2.1 then an incoming packet for it after being
   # translated by natd(8) would match the `deny' rule above.  Similarly
   # an outgoing packet originated from it before being translated would
   # match the `deny' rule below.
   case ${natd_enable} in
   [Yy][Ee][Ss])
      if [ -n "${natd_interface}" ]; then
         ${fwcmd} add divert natd all from any to any via ${natd_interface}
      fi
      ;;
   esac

   # Stop RFC1918 nets on the outside interface
   ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
   ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
   ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

   # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
   # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
   # on the outside interface
   ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
   ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
   ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
   ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
   ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

   # Allow internal traffic
   ${fwcmd} add allow all from any to any via ${iif}
   # Allow all local traffic
   ${fwcmd} add allow all from ${inet}:${imask} to ${inet}:${imask}

   # Allow TCP through if setup succeeded
   ${fwcmd} add pass tcp from any to any established

   # Allow IP fragments to pass through
   ${fwcmd} add pass all from any to any frag

   # Allow setup of incoming email
   #${fwcmd} add pass tcp from any to ${oip} 25 setup
   #${fwcmd} add pass 

Re: IPFW Rules and Games

2007-11-02 Thread Jack Barnett

   Bob Hall wrote:

On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote:
  

I added this for a temporary fix:
   ${fwcmd} add pass all from any to any

I don't think that is the right answer; that allows too much in?


Yes.
 
  

I've tried these per the docs:

   ${fwcmd} add allow all from any to any out via {$iip} setup
   ${fwcmd} add allow all from any to any out via {$iip} established
   ${fwcmd} add allow all from any to any in via {$iip} established

and also a bunch of others; but none of them worked.


Try oip instead of iip. iip is your internal IP address, so anything
going out from iip is going to your lan, and anything coming in to iip
is coming from your lan. You want to control packets communicating with
the outside world, so you want to control them at oip.
  

   Sorry, that didn't work.
   I also tried this:
   ${fwcmd} add allow tcp from any to any via ${oip} setup
   ${fwcmd} add allow udp from any to any via ${oip} setup
   ${fwcmd} add allow tcp from any to any via ${oip} established
   ${fwcmd} add allow udp from any to any via ${oip} established
   That also blocks it. :(


Re: IPFW Rules and Games

2007-11-02 Thread Jack Barnett

   Jack Barnett wrote:

   Bob Hall wrote:

On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote:
  

I added this for a temporary fix:
   ${fwcmd} add pass all from any to any

I don't think that is the right answer; that allows too much in?


Yes.
 
  

I've tried these per the docs:

   ${fwcmd} add allow all from any to any out via {$iip} setup
   ${fwcmd} add allow all from any to any out via {$iip} established
   ${fwcmd} add allow all from any to any in via {$iip} established

and also a bunch of others; but none of them worked.


Try oip instead of iip. iip is your internal IP address, so anything
going out from iip is going to your lan, and anything coming in to iip
is coming from your lan. You want to control packets communicating with
the outside world, so you want to control them at oip.
  

   Sorry, that didn't work.
   I also tried this:
   ${fwcmd} add allow tcp from any to any via ${oip} setup
   ${fwcmd} add allow udp from any to any via ${oip} setup
   ${fwcmd} add allow tcp from any to any via ${oip} established
   ${fwcmd} add allow udp from any to any via ${oip} established
   That also blocks it. :(
   Even tried this and still doesn't work.
   ${fwcmd} add allow tcp from any to any via ${oip}
   ${fwcmd} add allow udp from any to any via ${oip}


Re: IPFW Rules and Games

2007-11-02 Thread Jack Barnett

   Jack Barnett wrote:

   Jack Barnett wrote:

   Jack Barnett wrote:

   Bob Hall wrote:

On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote:
  

I added this for a temporary fix:
   ${fwcmd} add pass all from any to any

I don't think that is the right answer; that allows too much in?


Yes.
 
  

I've tried these per the docs:

   ${fwcmd} add allow all from any to any out via {$iip} setup
   ${fwcmd} add allow all from any to any out via {$iip} established
   ${fwcmd} add allow all from any to any in via {$iip} established

and also a bunch of others; but none of them worked.


Try oip instead of iip. iip is your internal IP address, so anything
going out from iip is going to your lan, and anything coming in to iip
is coming from your lan. You want to control packets communicating with
the outside world, so you want to control them at oip.
  

   Sorry, that didn't work.
   I also tried this:
   ${fwcmd} add allow tcp from any to any via ${oip} setup
   ${fwcmd} add allow udp from any to any via ${oip} setup
   ${fwcmd} add allow tcp from any to any via ${oip} established
   ${fwcmd} add allow udp from any to any via ${oip} established
   That also blocks it. :(
   Even tried this and still doesn't work.
   ${fwcmd} add allow tcp from any to any via ${oip}
   ${fwcmd} add allow udp from any to any via ${oip}
   Grrr, this doesn't work either:
   # stateful
   ${fwcmd} add check-state
   ${fwcmd} add allow tcp from any to any established
   ${fwcmd} add allow all from any to any out keep-state
   ${fwcmd} add allow icmp from any to any
   This thread talks about the same problem:
   [1]http://lists.freebsd.org/pipermail/freebsd-ipfw/2005-December/002258.html
   You will most likely find that dynamic rules will allow this
   ingress traffic, without the need to explicitly allow it.
   But unfortunately there is no follow up reply in that archive.

References

   1. http://lists.freebsd.org/pipermail/freebsd-ipfw/2005-December/002258.html


Re: IPFW Rules and Games

2007-11-02 Thread RW
On Fri, 02 Nov 2007 04:59:27 -0500
Jack Barnett [EMAIL PROTECTED] wrote:

 
 Lots of people play games here and it's basically a pain to keep trying to 
 get these stupid things to work with individual rules for each.
 
 I'm running FreeBSD 6.x with IPFW/natd
 
 I get a dynamic IP from my ISP and the internal nic is 192.168.17.1
 Everything inside the network is 192.168.17.xxx
 
 The setup is this:
 192.168.17.x  -- 192.168.17.1 [FreeBSD] Dynamic IP -- {Random
 Game Server on the Internets}
 [Internet Network(GAME)] -- [FreeBSD] -- {Internets}
 
 There are a bunch of games that send out TCP/UDP packets (and who
 knows what else) on different ports to different destinations and then
 receive data back on random ports.  Basically, anything on any 
 protocol from the internal network should be able to establish and
 set up connections out AND be allowed to receive data back from
 whomever they connected out to; but random hosts trying to connect
 in should be blocked.

You simply need to allow back traffic on the same socket connection;
this will happen automatically with TCP if you are passing established
traffic; with UDP you will have to keep-state. You will probably find
that the games also require you to open one or more incoming ports too. 

If you are not very confident with ipfw I would suggest you switch to
pf. It's a very good firewall and generally easier to use. Also if you
are playing games, you'll want to do traffic prioritisation, which is a
pain with ipfw. 
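
An added example, not ipfw's code or anything posted in the thread, modelling the two ipfw mechanisms RW contrasts: `established`, which only inspects TCP flags, and `keep-state`/`check-state`, which record a flow so that UDP replies can come back in. It runs the thread's game exchange through three rulesets as seen on the inside of the gateway (NAT is left out); the host 203.0.113.9, the unsolicited ACK packet and the default-to-deny rule at the end are assumptions.

```python
"""Model of the two ipfw mechanisms RW contrasts: `established` is a per-packet
TCP flag test, `keep-state`/`check-state` keep a dynamic flow table that lets
UDP replies back in. Addresses are the thread's, as seen inside the gateway."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Pkt:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                   # "in" or "out", relative to the firewall host
    tcp_flags: Tuple[str, ...] = ()  # e.g. ("SYN",) or ("ACK",)

@dataclass
class Rule:
    action: str                      # "allow", "deny" or "check-state"
    proto: str = "all"
    direction: Optional[str] = None
    established: bool = False        # ipfw: TCP packets with RST or ACK set
    keep_state: bool = False         # record the flow; also implies a state check

class Ipfw:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.dynamic: Set[Tuple[str, str, int, str, int]] = set()

    def _known(self, p: Pkt) -> bool:
        """Dynamic rules match either direction of a recorded flow."""
        return ((p.proto, p.src, p.sport, p.dst, p.dport) in self.dynamic or
                (p.proto, p.dst, p.dport, p.src, p.sport) in self.dynamic)

    def _matches(self, r: Rule, p: Pkt) -> bool:
        if r.proto != "all" and r.proto != p.proto:
            return False
        if r.direction is not None and r.direction != p.direction:
            return False
        if r.established:   # a flag test only; UDP has no flags, so never matches
            return p.proto == "tcp" and bool(set(p.tcp_flags) & {"ACK", "RST"})
        return True

    def process(self, p: Pkt) -> str:
        """First matching rule decides; assumed default-to-deny at the end."""
        for r in self.rules:
            if (r.action == "check-state" or r.keep_state) and self._known(p):
                return "allow"
            if r.action == "check-state" or not self._matches(r, p):
                continue
            if r.keep_state:
                self.dynamic.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return r.action
        return "deny"

# Three rulesets, from the thread's attempts towards what a defender wants.
STATELESS = [Rule("allow", "tcp", established=True), Rule("allow", direction="out")]
STATEFUL = [Rule("check-state"), Rule("allow", "tcp", established=True),
            Rule("allow", direction="out", keep_state=True)]
STRICT = [Rule("check-state"), Rule("allow", direction="out", keep_state=True)]

# Constructed traffic: the game exchange from the thread plus two unsolicited packets.
TRAFFIC = [
    Pkt("udp", "192.168.17.7", 28000, "87.15.13.165", 29000, "out"),      # client out
    Pkt("udp", "87.15.13.165", 29000, "192.168.17.7", 28000, "in"),       # its reply
    Pkt("udp", "203.0.113.9", 29000, "192.168.17.7", 28000, "in"),        # unknown host
    Pkt("tcp", "203.0.113.9", 80, "192.168.17.7", 50000, "in", ("ACK",)), # unsolicited ACK
]

def verdicts(rules: List[Rule]) -> List[str]:
    """Run TRAFFIC in order through a fresh firewall with the given rules."""
    fw = Ipfw(rules)
    return [fw.process(p) for p in TRAFFIC]
```

With STATELESS the UDP reply is denied, with STATEFUL it is allowed but the forged ACK still passes the flag-only `established` test, and only STRICT denies both unsolicited packets.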


Re: IPFW Rules and Games

2007-11-02 Thread Jack Barnett

   RW wrote:

On Fri, 02 Nov 2007 04:59:27 -0500
Jack Barnett [1][EMAIL PROTECTED] wrote:



Lots of people play games here and it's basically a pain to keep trying to
get these stupid things to work with individual rules for each.

I'm running FreeBSD 6.x with IPFW/natd

I get a dynamic IP from my ISP and the internal nic is 192.168.17.1
Everything inside the network is 192.168.17.xxx

The setup is this:
192.168.17.x  -- 192.168.17.1 [FreeBSD] Dynamic IP -- {Random
Game Server on the Internets}
[Internet Network(GAME)] -- [FreeBSD] -- {Internets}

There are a bunch of games that send out TCP/UDP packets (and who
knows what else) on different ports to different destinations and then
receive data back on random ports.  Basically, anything on any
protocol from the internal network should be able to establish and
set up connections out AND be allowed to receive data back from
whomever they connected out to; but random hosts trying to connect
in should be blocked.


You simply need to allow back traffic on the same socket connection;
this will happen automatically with TCP if you are passing established
traffic; with UDP you will have to keep-state. You will probably find
that the games also require you to open one or more incoming ports too.

If you are not very confident with ipfw I would suggest you switch to
pf. It's a very good firewall and generally easier to use. Also if you
are playing games, you'll want to do traffic prioritisation, which is a
pain with ipfw.


   Thanks.  Yes, generally firewalls and networking isn't my strong
   point.
   I checked out the handbook on it and it looks easy enough.
   I found this: [2]http://www.allard.nu/pfw/ - but it appears it's not in
   the ports and is commercial software?
   I also have fwbuilder installed; but don't really like that much.
   Are there any other GUI like interfaces that could help me in building
   rules for pf?
   I haven't read through it all yet; but I'll still need natd with pf,
   right?

References

   1. mailto:[EMAIL PROTECTED]
   2. http://www.allard.nu/pfw/


Re: IPFW Rules and Games

2007-11-02 Thread Bob Hall
On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote:
 I added this for a temporary fix:
${fwcmd} add pass all from any to any
 
 I don't think that is the right answer; that allows too much in?

Yes.
 
 I've tried these per the docs:
 
${fwcmd} add allow all from any to any out via {$iip} setup
${fwcmd} add allow all from any to any out via {$iip} established
${fwcmd} add allow all from any to any in via {$iip} established
 
 and also a bunch of others; but none of them worked.

Try oip instead of iip. iip is your internal IP address, so anything
going out from iip is going to your lan, and anything coming in to iip
is coming from your lan. You want to control packets communicating with
the outside world, so you want to control them at oip.


Re: IPFW Rules and Games

2007-11-02 Thread Jack Barnett

   Jack Barnett wrote:

   Jack Barnett wrote:

   Bob Hall wrote:

On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote:
  

I added this for a temporary fix:
   ${fwcmd} add pass all from any to any

I don't think that is the right answer; that allows too much in?


Yes.
 
  

I've tried these per the docs:

   ${fwcmd} add allow all from any to any out via {$iip} setup
   ${fwcmd} add allow all from any to any out via {$iip} established
   ${fwcmd} add allow all from any to any in via {$iip} established

and also a bunch of others; but none of them worked.


Try oip instead of iip. iip is your internal IP address, so anything
going out from iip is going to your lan, and anything coming in to iip
is coming from your lan. You want to control packets communicating with
the outside world, so you want to control them at oip.
  

   Sorry, that didn't work.
   I also tried this:
   ${fwcmd} add allow tcp from any to any via ${oip} setup
   ${fwcmd} add allow udp from any to any via ${oip} setup
   ${fwcmd} add allow tcp from any to any via ${oip} established
   ${fwcmd} add allow udp from any to any via ${oip} established
   That also blocks it. :(
   Even tried this and still doesn't work.
   ${fwcmd} add allow tcp from any to any via ${oip}
   ${fwcmd} add allow udp from any to any via ${oip}
   Grrr, this doesn't work either:
   # stateful
   ${fwcmd} add check-state
   ${fwcmd} add allow tcp from any to any established
   ${fwcmd} add allow all from any to any out keep-state
   ${fwcmd} add allow icmp from any to any


Re: IPFW Rules and Games

2007-11-02 Thread deeptech71

Hi, Jack, let's see.

Jack Barnett wrote:

 Lots of people play games here and it's basically a pain to keep trying to
 get these stupid things to work with individual rules for each.

 I'm running FreeBSD 6.x with IPFW/natd

 I get a dynamic IP from my ISP and the internal nic is 192.168.17.1
 Everything inside the network is 192.168.17.xxx

 The setup is this:
 192.168.17.x  -- 192.168.17.1 [FreeBSD] Dynamic IP -- {Random Game
 Server on the Internets}
 [Internet Network(GAME)] -- [FreeBSD] -- {Internets}

 There are a bunch of games that send out TCP/UDP packets (and who knows
 what else) on different ports to different destinations and then
 receive data back on random ports.  Basically, anything on any
 protocol from the internal network should be able to establish and set up
 connections out AND be allowed to receive data back from whomever they
 connected out to; but random hosts trying to connect in should be
 blocked.

Back on random ports? That's not how it should be. Your client must 
send a request (ping or connect) to a server, using the game's client 
port as the local port, and the server port as the remote port. The 
reply should come back the same way, reversed.


For example, a client sends a connect request:
  192.168.17.7:28000 > 87.15.13.165
natd converts the packet to:
  49.74.121.3:28000 > 87.15.13.165:29000
  (49.74.121.3 is your public IP)
and adds a dynamic rule (inside natd, not ipfw) that a packet coming from 
87.15.13.165, port 29000 to 49.74.121.3 port 28000 should be routed to 
192.168.17.7, port 28000. So:

the server replies:
  87.15.13.165:29000 > 49.74.121.3:28000
natd converts the packet to:
  87.15.13.165:29000 > 192.168.17.7:28000

Any unknown packets will be blocked by natd. These are the unauthorized 
random hosts.


So basically the ruleset should be simple:

ipfw -f flush
# allow lo0 stuff
# block some spoofs/attacks
# if you are hosting gameservers from 192.168.17.3 or whatever,
# you should (manually) open server ports, in other words, add
# routes to 192.168.17.3 to specific server ports
ipfw add divert natd all from any to any via $outside_interface
ipfw add allow all from any to any
# block some more spoofs/attacks :)
# define services (like you did with http)

Correct me if I'm wrong.
What games do reply back on random ports?


 I added this for a temporary fix:
${fwcmd} add pass all from any to any

 I don't think that is the right answer; that allows too much in?

 I've tried these per the docs:

${fwcmd} add allow all from any to any out via {$iip} setup
${fwcmd} add allow all from any to any out via {$iip} established
${fwcmd} add allow all from any to any in via {$iip} established

 and also a bunch of others; but none of them worked.

 Here is my full config:
 # simple
 [Ss][Ii][Mm][Pp][Ll][Ee])

# This is a prototype setup for a simple firewall.  Configure this
# machine as a DNS and NTP server, and point all the machines
# on the inside at this machine for those services.


# set these to your outside interface network and netmask and ip
oif=xl0
onet=`ifconfig xl0 | grep inet  | awk '{print $6}'`
I'm not sure about this. Isn't the sixth word the broadcast address 
(ending with .255)?

omask=0xfe00
0xfe00 wtf?
oip=`ifconfig xl0 | grep inet  | awk '{print $2}'`

# set these to your inside interface network and netmask and ip
iif=dc1
inet=192.168.17.0
imask=0xff00
iip=192.168.17.1

What kind of internet connection do you have?


setup_loopback

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation.  This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules.  If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above.  Similarly
# an outgoing packet 
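
The natd walk-through deeptech71 gives above, as an added example that is not natd's code or anything from the thread: a Python model in which an outbound packet from the LAN creates a link, the reply is matched against it and rewritten back, and inbound packets with no link are dropped. Assumptions beyond the post: the 192.168.17. prefix stands in for unregistered_only, 40000 is a constructed fallback port for when same_ports cannot be honoured, 203.0.113.9 is a constructed unknown host, and the redirect of UDP 27015 to 192.168.17.3 is a constructed instance of the "manually open server ports" comment.

```python
"""Model of the natd(8) behaviour walked through above: an outbound packet
from the LAN creates a link, the reply is matched against it and rewritten
back, and inbound packets with no link are dropped (deny_incoming)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

class Natd:
    """Simplified model, not natd's real data structures: same_ports and
    deny_incoming on, unregistered_only modelled by the LAN prefix check."""

    def __init__(self, public_ip: str, lan_prefix: str, deny_incoming: bool = True):
        self.public_ip = public_ip
        self.lan_prefix = lan_prefix
        self.deny_incoming = deny_incoming
        # (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.links: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # (proto, public_port) -> (lan_ip, lan_port): manually opened server ports
        self.redirects: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.next_free = 40000   # constructed fallback when same_ports is impossible

    def redirect_port(self, proto: str, public_port: int, lan_ip: str, lan_port: int) -> None:
        """Static opening for a hosted game server (after natd's redirect_port)."""
        self.redirects[(proto, public_port)] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: create (or reuse) a link and rewrite the source."""
        if not pkt.src.startswith(self.lan_prefix):
            return pkt   # unregistered_only: the gateway's own traffic is untouched
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for (proto, pub_port), link in self.links.items():
            if proto == pkt.proto and link == flow:
                return replace(pkt, src=self.public_ip, sport=pub_port)
        pub_port = pkt.sport   # same_ports: keep the client's port if it is free
        if (pkt.proto, pub_port) in self.links or (pkt.proto, pub_port) in self.redirects:
            pub_port, self.next_free = self.next_free, self.next_free + 1
        self.links[(pkt.proto, pub_port)] = flow
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> gateway: translate a known reply or a redirect, else drop."""
        key = (pkt.proto, pkt.dport)
        if key in self.links:
            lan_ip, lan_port, remote_ip, remote_port = self.links[key]
            # only the peer the client talked to may use this link
            if (pkt.src, pkt.sport) == (remote_ip, remote_port):
                return replace(pkt, dst=lan_ip, dport=lan_port)
        if key in self.redirects:   # hosted server: reachable from any host
            lan_ip, lan_port = self.redirects[key]
            return replace(pkt, dst=lan_ip, dport=lan_port)
        if self.deny_incoming:
            return None             # the "unauthorized random hosts" case
        return pkt                  # left for the gateway host itself, untranslated

if __name__ == "__main__":
    nat = Natd("49.74.121.3", "192.168.17.")
    print(nat.outbound(Packet("udp", "192.168.17.7", 28000, "87.15.13.165", 29000)))
    print(nat.inbound(Packet("udp", "87.15.13.165", 29000, "49.74.121.3", 28000)))
    print(nat.inbound(Packet("udp", "203.0.113.9", 29000, "49.74.121.3", 28000)))
```

The last call returns None: a host that was never talked to cannot reuse the link, which is the "unknown packets will be blocked by natd" point, while a redirect_port entry is what makes a hosted server reachable from anyone.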

Re: IPFW Rules and Games

2007-11-02 Thread Bob Hall
On Fri, Nov 02, 2007 at 10:59:04PM +0100, [EMAIL PROTECTED] wrote:
 onet=`ifconfig xl0 | grep inet  | awk '{print $6}'`
 I'm not sure about this. Isn't the sixth word the broadcast address 
 (ending with .255)?

It's correct. I've been using this in my firewall file since FBSD
4.something. No problems. By default, awk uses spaces as column
delimiters. The line containing inet  starts with eight spaces. Try it
and see what happens.