Re: IPFW Rules and Games
[EMAIL PROTECTED] wrote:
> So basically the ruleset should be simple:
>
>   ipfw -f flush
>   # allow lo0 stuff
>   # block some spoofs/attacks
>   # if you are hosting gameservers from 192.168.17.3 or whatever,
>   # you should (manually) open server ports, in other words, add
>   # routes to 192.168.17.3 to specific server ports
>   ipfw add divert natd all from any to any via $outside_interface
>   allow all from any to any
>   # block some more spoofs/attacks :)
>   # define services (like you did with http)

Sorry, this didn't work.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFW Rules and Games
Jack Barnett wrote:
> [EMAIL PROTECTED] wrote:
>> So basically the ruleset should be simple:
>>
>>   ipfw -f flush
>>   # allow lo0 stuff
>>   # block some spoofs/attacks
>>   # if you are hosting gameservers from 192.168.17.3 or whatever,
>>   # you should (manually) open server ports, in other words, add
>>   # routes to 192.168.17.3 to specific server ports
>>   ipfw add divert natd all from any to any via $outside_interface
>>   allow all from any to any
>>   # block some more spoofs/attacks :)
>>   # define services (like you did with http)
>
> Sorry, this didn't work.

just without any security concerns, try this script:

  #!/bin/sh
  ipfw -f flush
  ipfw add divert natd via xl0
  ipfw add allow all from any to any

But please tell me, what kind of internet connection do you have? You said you have a Dynamic IP. Are you connecting to the Internet via ppp? If so, replace xl0 up there with tun0 (or whatever tunnel ppp created).

Here's my stuff:

::: /etc/natd.conf :::

  dynamic yes
  same_ports yes
  deny_incoming yes
  unregistered_only yes
  redirect_address 192.168.123.254 0.0.0.0

::: part of /etc/rc.conf :::

  # [...]
  ifconfig_rl0="inet 192.168.123.254 netmask 255.255.255.0"
  ifconfig_ed0="up"   # -- this is the external one
  # plus there is a tun0 for PPPoE
  firewall_enable="YES"
  firewall_script="/etc/ipfw.rules"   # something like the above script
  gateway_enable="YES"
  router_enable="NO"
  natd_enable="YES"
  natd_interface="tun0"
  natd_flags="-f /etc/natd.conf"
  ppp_enable="YES"
  # [...]
IPFW Rules and Games
Lots of people play games here and it's basically a pain to keep trying to get these stupid things to work with individual rules for each.

I'm running FreeBSD 6.x with IPFW/natd. I get a dynamic IP from my ISP and the internal nic is 192.168.17.1. Everything inside the network is 192.168.17.xxx.

The setup is this:

  192.168.17.x -- 192.168.17.1 [FreeBSD] Dynamic IP -- {Random Game Server on the Internets}
  [Internet Network(GAME)] -- [FreeBSD] -- {Internets}

There are a bunch of games that send out TCP/UDP packets (and who knows what else) on different ports to different destinations and then receive data back on random ports. Basically, anything on any protocol from the internal network should be able to establish and setup connections out AND be allowed to receive data back from whomever they connected out to; but random hosts trying to connect in should be blocked.

I added this for a temporary fix:

  ${fwcmd} add pass all from any to any

I don't think that is the right answer; that allows too much in?

I've tried these per the docs:

  ${fwcmd} add allow all from any to any out via {$iip} setup
  ${fwcmd} add allow all from any to any out via {$iip} established
  ${fwcmd} add allow all from any to any in via {$iip} established

and also a bunch of others; but none of them worked.

Here is my full config:

  # simple
  [Ss][Ii][Mm][Pp][Ll][Ee])
      # This is a prototype setup for a simple firewall. Configure this
      # machine as a DNS and NTP server, and point all the machines
      # on the inside at this machine for those services.

      # set these to your outside interface network and netmask and ip
      oif=xl0
      onet=`ifconfig xl0 | grep inet | awk '{print $6}'`
      omask=0xfe00
      oip=`ifconfig xl0 | grep inet | awk '{print $2}'`

      # set these to your inside interface network and netmask and ip
      iif=dc1
      inet=192.168.17.0
      imask=0xff00
      iip=192.168.17.1

      setup_loopback

      # Stop spoofing
      ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
      ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

      # Stop RFC1918 nets on the outside interface
      ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
      ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
      ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

      # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
      # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
      # on the outside interface
      ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
      ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
      ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
      ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
      ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

      # Network Address Translation. This rule is placed here deliberately
      # so that it does not interfere with the surrounding address-checking
      # rules. If for example one of your internal LAN machines had its IP
      # address set to 192.0.2.1 then an incoming packet for it after being
      # translated by natd(8) would match the `deny' rule above. Similarly
      # an outgoing packet originated from it before being translated would
      # match the `deny' rule below.
      case ${natd_enable} in
      [Yy][Ee][Ss])
          if [ -n "${natd_interface}" ]; then
              ${fwcmd} add divert natd all from any to any via ${natd_interface}
          fi
          ;;
      esac

      # Stop RFC1918 nets on the outside interface
      ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
      ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
      ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

      # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
      # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
      # on the outside interface
      ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
      ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
      ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
      ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
      ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

      # Allow internal traffic
      ${fwcmd} add allow all from any to any via ${iif}

      # Allow all local traffic
      ${fwcmd} add allow all from ${inet}:${imask} to ${inet}:${imask}

      # Allow TCP through if setup succeeded
      ${fwcmd} add pass tcp from any to any established

      # Allow IP fragments to pass through
      ${fwcmd} add pass all from any to any frag

      # Allow setup of incoming email
      #${fwcmd} add pass tcp from any to ${oip} 25 setup
      #${fwcmd} add pass
Re: IPFW Rules and Games
Bob Hall wrote:
> On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote:
>> I added this for a temporary fix:
>>
>>   ${fwcmd} add pass all from any to any
>>
>> I don't think that is the right answer; that allows too much in?
>
> Yes.
>
>> I've tried these per the docs:
>>
>>   ${fwcmd} add allow all from any to any out via {$iip} setup
>>   ${fwcmd} add allow all from any to any out via {$iip} established
>>   ${fwcmd} add allow all from any to any in via {$iip} established
>>
>> and also a bunch of others; but none of them worked.
>
> Try oip instead of iip. iip is your internal IP address, so anything going out from iip is going to your lan, and anything coming in to iip is coming from your lan. You want to control packets communicating with the outside world, so you want to control them at oip.

Sorry, that didn't work. I also tried this:

  ${fwcmd} add allow tcp from any to any via ${oip} setup
  ${fwcmd} add allow udp from any to any via ${oip} setup
  ${fwcmd} add allow tcp from any to any via ${oip} established
  ${fwcmd} add allow udp from any to any via ${oip} established

That also blocks it. :(
Re: IPFW Rules and Games
Jack Barnett wrote:
> Bob Hall wrote:
>> On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote:
>>> I added this for a temporary fix:
>>>
>>>   ${fwcmd} add pass all from any to any
>>>
>>> I don't think that is the right answer; that allows too much in?
>>
>> Yes.
>>
>>> I've tried these per the docs:
>>>
>>>   ${fwcmd} add allow all from any to any out via {$iip} setup
>>>   ${fwcmd} add allow all from any to any out via {$iip} established
>>>   ${fwcmd} add allow all from any to any in via {$iip} established
>>>
>>> and also a bunch of others; but none of them worked.
>>
>> Try oip instead of iip. iip is your internal IP address, so anything going out from iip is going to your lan, and anything coming in to iip is coming from your lan. You want to control packets communicating with the outside world, so you want to control them at oip.
>
> Sorry, that didn't work. I also tried this:
>
>   ${fwcmd} add allow tcp from any to any via ${oip} setup
>   ${fwcmd} add allow udp from any to any via ${oip} setup
>   ${fwcmd} add allow tcp from any to any via ${oip} established
>   ${fwcmd} add allow udp from any to any via ${oip} established
>
> That also blocks it. :(

Even tried this and still doesn't work.

  ${fwcmd} add allow tcp from any to any via ${oip}
  ${fwcmd} add allow udp from any to any via ${oip}
Re: IPFW Rules and Games
Jack Barnett wrote:
> Jack Barnett wrote:
>> Jack Barnett wrote:
>>> Bob Hall wrote:
>>>> On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote:
>>>>> I added this for a temporary fix:
>>>>>
>>>>>   ${fwcmd} add pass all from any to any
>>>>>
>>>>> I don't think that is the right answer; that allows too much in?
>>>>
>>>> Yes.
>>>>
>>>>> I've tried these per the docs:
>>>>>
>>>>>   ${fwcmd} add allow all from any to any out via {$iip} setup
>>>>>   ${fwcmd} add allow all from any to any out via {$iip} established
>>>>>   ${fwcmd} add allow all from any to any in via {$iip} established
>>>>>
>>>>> and also a bunch of others; but none of them worked.
>>>>
>>>> Try oip instead of iip. iip is your internal IP address, so anything going out from iip is going to your lan, and anything coming in to iip is coming from your lan. You want to control packets communicating with the outside world, so you want to control them at oip.
>>>
>>> Sorry, that didn't work. I also tried this:
>>>
>>>   ${fwcmd} add allow tcp from any to any via ${oip} setup
>>>   ${fwcmd} add allow udp from any to any via ${oip} setup
>>>   ${fwcmd} add allow tcp from any to any via ${oip} established
>>>   ${fwcmd} add allow udp from any to any via ${oip} established
>>>
>>> That also blocks it. :(
>>
>> Even tried this and still doesn't work.
>>
>>   ${fwcmd} add allow tcp from any to any via ${oip}
>>   ${fwcmd} add allow udp from any to any via ${oip}
>
> Grrr, this doesn't work either:
>
>   # stateful
>   ${fwcmd} add check-state
>   ${fwcmd} add allow tcp from any to any established
>   ${fwcmd} add allow all from any to any out keep-state
>   ${fwcmd} add allow icmp from any to any

This thread talks about the same problem:
http://lists.freebsd.org/pipermail/freebsd-ipfw/2005-December/002258.html

  "You will most likely find that dynamic rules will allow this ingress traffic, without the need to explicitly allow it."

But unfortunately there is no follow up reply in that archive.
Re: IPFW Rules and Games
On Fri, 02 Nov 2007 04:59:27 -0500
Jack Barnett [EMAIL PROTECTED] wrote:

> Lots of people play games here and it's basically a pain to keep trying to get these stupid things to work with individual rules for each.
>
> I'm running FreeBSD 6.x with IPFW/natd. I get a dynamic IP from my ISP and the internal nic is 192.168.17.1. Everything inside the network is 192.168.17.xxx.
>
> The setup is this:
>
>   192.168.17.x -- 192.168.17.1 [FreeBSD] Dynamic IP -- {Random Game Server on the Internets}
>   [Internet Network(GAME)] -- [FreeBSD] -- {Internets}
>
> There are a bunch of games that send out TCP/UDP packets (and who knows what else) on different ports to different destinations and then receive data back on random ports. Basically, anything on any protocol from the internal network should be able to establish and setup connections out AND be allowed to receive data back from whomever they connected out to; but random hosts trying to connect in should be blocked.

You simply need to allow back traffic on the same socket connection; this will happen automatically with TCP if you are passing established traffic, with UDP you will have to keep-state.

You will probably find that the games also require you to open one or more incoming ports too.

If you are not very confident with ipfw I would suggest you switch to pf. It's a very good firewall and generally easier to use. Also if you are playing games, you'll want to do traffic prioritisation, which is a pain with ipfw.
Re: IPFW Rules and Games
RW wrote:
> On Fri, 02 Nov 2007 04:59:27 -0500
> Jack Barnett [EMAIL PROTECTED] wrote:
>
>> Lots of people play games here and it's basically a pain to keep trying to get these stupid things to work with individual rules for each.
>>
>> I'm running FreeBSD 6.x with IPFW/natd. I get a dynamic IP from my ISP and the internal nic is 192.168.17.1. Everything inside the network is 192.168.17.xxx.
>>
>> The setup is this:
>>
>>   192.168.17.x -- 192.168.17.1 [FreeBSD] Dynamic IP -- {Random Game Server on the Internets}
>>   [Internet Network(GAME)] -- [FreeBSD] -- {Internets}
>>
>> There are a bunch of games that send out TCP/UDP packets (and who knows what else) on different ports to different destinations and then receive data back on random ports. Basically, anything on any protocol from the internal network should be able to establish and setup connections out AND be allowed to receive data back from whomever they connected out to; but random hosts trying to connect in should be blocked.
>
> You simply need to allow back traffic on the same socket connection; this will happen automatically with TCP if you are passing established traffic, with UDP you will have to keep-state.
>
> You will probably find that the games also require you to open one or more incoming ports too.
>
> If you are not very confident with ipfw I would suggest you switch to pf. It's a very good firewall and generally easier to use. Also if you are playing games, you'll want to do traffic prioritisation, which is a pain with ipfw.

Thanks. Yes, generally firewalls and networking isn't my strong point. I checked out the handbook on it and it looks easy enough.

I found this: http://www.allard.nu/pfw/ - but it appears it's not in the ports and is commercial software? I also have fwbuilder installed; but don't really like that much. Are there any other GUI like interfaces that could help me in building rules for pf?

I haven't read through it all yet; but I'll still need natd with pf, right?
Re: IPFW Rules and Games
On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote:
> I added this for a temporary fix:
>
>   ${fwcmd} add pass all from any to any
>
> I don't think that is the right answer; that allows too much in?

Yes.

> I've tried these per the docs:
>
>   ${fwcmd} add allow all from any to any out via {$iip} setup
>   ${fwcmd} add allow all from any to any out via {$iip} established
>   ${fwcmd} add allow all from any to any in via {$iip} established
>
> and also a bunch of others; but none of them worked.

Try oip instead of iip. iip is your internal IP address, so anything going out from iip is going to your lan, and anything coming in to iip is coming from your lan. You want to control packets communicating with the outside world, so you want to control them at oip.
Re: IPFW Rules and Games
Jack Barnett wrote:
> Jack Barnett wrote:
>> Bob Hall wrote:
>>> On Fri, Nov 02, 2007 at 04:59:27AM -0500, Jack Barnett wrote:
>>>> I added this for a temporary fix:
>>>>
>>>>   ${fwcmd} add pass all from any to any
>>>>
>>>> I don't think that is the right answer; that allows too much in?
>>>
>>> Yes.
>>>
>>>> I've tried these per the docs:
>>>>
>>>>   ${fwcmd} add allow all from any to any out via {$iip} setup
>>>>   ${fwcmd} add allow all from any to any out via {$iip} established
>>>>   ${fwcmd} add allow all from any to any in via {$iip} established
>>>>
>>>> and also a bunch of others; but none of them worked.
>>>
>>> Try oip instead of iip. iip is your internal IP address, so anything going out from iip is going to your lan, and anything coming in to iip is coming from your lan. You want to control packets communicating with the outside world, so you want to control them at oip.
>>
>> Sorry, that didn't work. I also tried this:
>>
>>   ${fwcmd} add allow tcp from any to any via ${oip} setup
>>   ${fwcmd} add allow udp from any to any via ${oip} setup
>>   ${fwcmd} add allow tcp from any to any via ${oip} established
>>   ${fwcmd} add allow udp from any to any via ${oip} established
>>
>> That also blocks it. :(
>
> Even tried this and still doesn't work.
>
>   ${fwcmd} add allow tcp from any to any via ${oip}
>   ${fwcmd} add allow udp from any to any via ${oip}

Grrr, this doesn't work either:

  # stateful
  ${fwcmd} add check-state
  ${fwcmd} add allow tcp from any to any established
  ${fwcmd} add allow all from any to any out keep-state
  ${fwcmd} add allow icmp from any to any
Re: IPFW Rules and Games
Hi, Jack, let's see.

Jack Barnett wrote:
> Lots of people play games here and it's basically a pain to keep trying to get these stupid things to work with individual rules for each.
>
> I'm running FreeBSD 6.x with IPFW/natd. I get a dynamic IP from my ISP and the internal nic is 192.168.17.1. Everything inside the network is 192.168.17.xxx.
>
> The setup is this:
>
>   192.168.17.x -- 192.168.17.1 [FreeBSD] Dynamic IP -- {Random Game Server on the Internets}
>   [Internet Network(GAME)] -- [FreeBSD] -- {Internets}
>
> There are a bunch of games that send out TCP/UDP packets (and who knows what else) on different ports to different destinations and then receive data back on random ports. Basically, anything on any protocol from the internal network should be able to establish and setup connections out AND be allowed to receive data back from whomever they connected out to; but random hosts trying to connect in should be blocked.

Back on random ports? That's not how it should be. Your client must send a request (ping or connect) to a server, using the game's client port as the local port, and the server port as the remote port. The reply should come back the same way, reversed.

For example, a client sends a connect request:

  192.168.17.7:28000 -> 87.15.13.165

natd converts the packet to:

  49.74.121.3:28000 -> 87.15.13.165:29000

(49.74.121.3 is your public IP) and adds a dynamic rule (inside natd, not ipfw) that a packet coming from 87.15.13.165, port 29000 to 49.74.121.3 port 28000 should be routed to 192.168.17.7, port 28000.

So: the server replies:

  87.15.13.165:29000 -> 49.74.121.3:28000

natd converts the packet to:

  87.15.13.165:29000 -> 192.168.17.7:28000

Any unknown packets will be blocked by natd. These are the unauthorized random hosts.

So basically the ruleset should be simple:

  ipfw -f flush
  # allow lo0 stuff
  # block some spoofs/attacks
  # if you are hosting gameservers from 192.168.17.3 or whatever,
  # you should (manually) open server ports, in other words, add
  # routes to 192.168.17.3 to specific server ports
  ipfw add divert natd all from any to any via $outside_interface
  allow all from any to any
  # block some more spoofs/attacks :)
  # define services (like you did with http)

Correct me if I'm wrong. What games do reply back on random ports?

> I added this for a temporary fix:
>
>   ${fwcmd} add pass all from any to any
>
> I don't think that is the right answer; that allows too much in?
>
> I've tried these per the docs:
>
>   ${fwcmd} add allow all from any to any out via {$iip} setup
>   ${fwcmd} add allow all from any to any out via {$iip} established
>   ${fwcmd} add allow all from any to any in via {$iip} established
>
> and also a bunch of others; but none of them worked.
>
> Here is my full config:
>
>   # simple
>   [Ss][Ii][Mm][Pp][Ll][Ee])
>       # This is a prototype setup for a simple firewall. Configure this
>       # machine as a DNS and NTP server, and point all the machines
>       # on the inside at this machine for those services.
>
>       # set these to your outside interface network and netmask and ip
>       oif=xl0
>       onet=`ifconfig xl0 | grep inet | awk '{print $6}'`

I'm not sure about this. Isn't the sixth word the broadcast address (ending with .255)?

>       omask=0xfe00

0xfe00 wtf?

>       oip=`ifconfig xl0 | grep inet | awk '{print $2}'`
>
>       # set these to your inside interface network and netmask and ip
>       iif=dc1
>       inet=192.168.17.0
>       imask=0xff00
>       iip=192.168.17.1

What kind of internet connection do you have?

>       setup_loopback
>
>       # Stop spoofing
>       ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
>       ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
>
>       # Stop RFC1918 nets on the outside interface
>       ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
>       ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
>       ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
>
>       # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
>       # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
>       # on the outside interface
>       ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
>       ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
>       ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
>       ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
>       ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
>
>       # Network Address Translation. This rule is placed here deliberately
>       # so that it does not interfere with the surrounding address-checking
>       # rules. If for example one of your internal LAN machines had its IP
>       # address set to 192.0.2.1 then an incoming packet for it after being
>       # translated by natd(8) would match the `deny' rule above. Similarly
>       # an outgoing packet
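RW's advice earlier in the thread ("with UDP you will have to keep-state") and the natd walk-through above describe two separate tables: natd's address mapping and ipfw's dynamic rules. The Python model below is added here as a worked example; it is not code from the thread, from FreeBSD, or from ipfw(8)/natd(8), and it models only the documented behaviour the thread turns on: rules are tried in order, `divert natd` hands the packet to natd and the search resumes at the next rule with the rewritten packet, `keep-state` records the packet's 5-tuple, `check-state` accepts a packet whose 5-tuple was recorded (in either direction), and `established` matches TCP packets carrying ACK. Addresses are the ones used in the thread. Assumptions: natd keeps the source port (`same_ports yes`) and drops inbound packets it has no mapping for (`deny_incoming yes`, as in the natd.conf posted earlier), and `skipto` targets are list indices rather than rule numbers. It runs a game client's request, the server's reply and an unsolicited packet through two rule orderings: with a single divert rule placed ahead of the stateful rules, the outbound dynamic rule is keyed on the public address while the translated reply carries the LAN address, so only TCP gets through (via `established`) and UDP replies are dropped; recording state before the outbound divert and translating inbound packets before `check-state` keys both directions on the LAN address.

```python
# Constructed model of the ipfw + natd packet path from this thread; not code
# from the thread, FreeBSD, ipfw(8) or natd(8). Assumes natd keeps the source
# port (same_ports yes) and drops unmapped inbound packets (deny_incoming yes).
from collections import namedtuple
from ipaddress import ip_address, ip_network

PUBLIC_IP = "49.74.121.3"            # the gateway's public address (thread's example)
LAN = ip_network("192.168.17.0/24")
GAME_SERVER = "87.15.13.165"

# direction is "in"/"out" on the outside interface; tcp_ack is what `established`
# looks for (ipfw also accepts RST; ACK is enough here).
Packet = namedtuple("Packet", "proto src sport dst dport direction tcp_ack", defaults=[False])
# action: allow | deny | divert | check-state | skipto; target is a list index for skipto.
Rule = namedtuple("Rule", "action proto src direction established keep_state target",
                  defaults=["all", "any", None, False, False, 0])


class Natd:
    """LAN sources get the public address plus a reverse mapping; inbound
    packets with no mapping are dropped instead of being re-injected."""

    def __init__(self):
        self.table = {}   # (proto, public port, remote ip, remote port) -> (lan ip, lan port)

    def translate(self, pkt):
        if pkt.direction == "out" and ip_address(pkt.src) in LAN:
            self.table[(pkt.proto, pkt.sport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            return pkt._replace(src=PUBLIC_IP)
        if pkt.direction == "in":
            hit = self.table.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
            return pkt._replace(dst=hit[0], dport=hit[1]) if hit else None
        return pkt


def state_key(pkt):
    """Dynamic-rule key: protocol plus both endpoints, direction-independent."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, ends[0], ends[1])


def matches(rule, pkt):
    return (rule.proto in ("all", pkt.proto)
            and (rule.src == "any" or ip_address(pkt.src) in ip_network(rule.src))
            and rule.direction in (None, pkt.direction)
            and (not rule.established or (pkt.proto == "tcp" and pkt.tcp_ack)))


class Firewall:
    def __init__(self, rules):
        self.rules, self.natd, self.dynamic = rules, Natd(), set()

    def verdict(self, pkt):
        i = 0
        while i < len(self.rules):
            rule, i = self.rules[i], i + 1
            if rule.action == "check-state":
                if state_key(pkt) in self.dynamic:
                    return "allow"
                continue
            if not matches(rule, pkt):
                continue
            if rule.keep_state:
                self.dynamic.add(state_key(pkt))
            if rule.action == "divert":          # natd rewrites the packet and the
                pkt = self.natd.translate(pkt)   # search resumes at the next rule
                if pkt is None:
                    return "deny"
            elif rule.action == "skipto":
                i = rule.target
            else:
                return rule.action
        return "deny"                            # ipfw's default deny rule


# A: one divert for both directions, then the stateful rules. Outbound state is
# keyed on the public address, but the reply is translated back to the LAN
# address before check-state sees it, so only TCP passes (via `established`).
STATE_AFTER_DIVERT = [
    Rule("deny", src="192.168.17.0/24", direction="in"),   # anti-spoof
    Rule("divert"),
    Rule("check-state"),
    Rule("allow", proto="tcp", established=True),
    Rule("allow", direction="out", keep_state=True),
    Rule("deny"),
]
# B: state keyed on LAN addresses both ways. Inbound is translated before
# check-state; outbound is recorded by the skipto rule and translated after.
STATE_ON_LAN_ADDRESSES = [
    Rule("deny", src="192.168.17.0/24", direction="in"),          # 0 anti-spoof
    Rule("divert", direction="in"),                                # 1
    Rule("check-state"),                                           # 2
    Rule("skipto", direction="out", keep_state=True, target=5),    # 3
    Rule("deny"),                                                  # 4 unsolicited inbound
    Rule("divert", direction="out"),                               # 5
    Rule("allow"),                                                 # 6
]


def game_session(rules, proto):
    """Client 192.168.17.7:28000 contacts the server on 29000; returns the
    verdicts for the request, the server's reply and a stranger's packet."""
    fw = Firewall(rules)
    request = Packet(proto, "192.168.17.7", 28000, GAME_SERVER, 29000, "out")
    reply = Packet(proto, GAME_SERVER, 29000, PUBLIC_IP, 28000, "in", tcp_ack=True)
    stranger = Packet(proto, "203.0.113.9", 29000, PUBLIC_IP, 28000, "in", tcp_ack=True)
    return {"request": fw.verdict(request), "reply": fw.verdict(reply),
            "stranger": fw.verdict(stranger)}
```

`game_session(STATE_AFTER_DIVERT, "udp")` returns a denied reply while the TCP run returns an allowed one, which is the "TCP games work, UDP games don't" pattern; `game_session(STATE_ON_LAN_ADDRESSES, proto)` allows the reply for both protocols and still denies the stranger. On a real gateway, `ipfw -d list` shows the dynamic rules with the addresses they were keyed on, which is the quickest way to see which side of the divert a keep-state rule is recording.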
Re: IPFW Rules and Games
On Fri, Nov 02, 2007 at 10:59:04PM +0100, [EMAIL PROTECTED] wrote:
>> onet=`ifconfig xl0 | grep inet | awk '{print $6}'`
>
> I'm not sure about this. Isn't the sixth word the broadcast address (ending with .255)?

It's correct. I've been using this in my firewall file since FBSD 4.something. No problems. By default, awk uses spaces as column delimiters. The line containing inet starts with eight spaces. Try it and see what happens.