Re: keep-state and divert

2009-04-02 Thread Paul A Procacci

Victor Sudakov wrote:

Colleagues,

I have read some recommendations on combining a stateful firewall with divert,
e.g. http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
and http://nuclight.livejournal.com/124348.html (the latter is in Russian).

Do I understand correctly that it is (mathematically?) impossible to
use the two together without also using skipto?

If we consider a simple example below, how would you replace the 600th
rule for a stateful one?

00100 divert 8668 ip from any to table(1) out via rl0
00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0

00500 divert 8668 ip from table(1) to any in via rl0
00600 allow ip from table(1) to any in via rl0
00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0

65535 allow ip from any to any

Thank you in advance for any input.




Hopefully you don't mind a response which provides a fully functioning
firewall ruleset.  It's by no means complete, but should give you the
answer to your question.

http://procacci.me/ipfw.conf

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: keep-state and divert

2009-04-02 Thread Michael Powell
Victor Sudakov wrote:

 Colleagues,
 
 I have read some recommendations on combining a stateful firewall with
 divert, e.g.
 http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
 and http://nuclight.livejournal.com/124348.html (the latter is in
 Russian).
 
 Do I understand correctly that it is (mathematically?) impossible to
 use the two together without also using skipto?
 
 If we consider a simple example below, how would you replace the 600th
 rule for a stateful one?
 
 00100 divert 8668 ip from any to table(1) out via rl0
 00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
 00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
 00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
 
 00500 divert 8668 ip from table(1) to any in via rl0
 00600 allow ip from table(1) to any in via rl0
 00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
 00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
 00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0
 
 65535 allow ip from any to any
 
 Thank you in advance for any input.
 

I haven't used ipfw for a very long time, and haven't kept current with any 
changes. Below is an example (using kernel pppd) that I used to use a long 
time ago. For example purposes only, extract what you need for your specific 
configuration needs.

# Firewall rules

fwcmd=/sbin/ipfw
$fwcmd -f flush
$fwcmd add allow all from any to any via lo0
$fwcmd add allow all from any to any via xl0
$fwcmd add deny log all from any to 127.0.0.0/8

# Stop private networks (RFC1918) from entering the outside interface.  
$fwcmd add deny log ip from 192.168.0.0/16 to any in via ppp0  
$fwcmd add deny log ip from 172.16.0.0/12 to any in via ppp0  
$fwcmd add deny log ip from 10.0.0.0/8 to any in via ppp0  
$fwcmd add deny log ip from any to 192.168.0.0/16 in via ppp0  
$fwcmd add deny log ip from any to 172.16.0.0/12 in via ppp0  
$fwcmd add deny log ip from any to 10.0.0.0/8 in via ppp0  

# Stop draft-manning-dsua-01.txt nets on the outside interface  
$fwcmd add deny all from 0.0.0.0/8 to any in via ppp0  
$fwcmd add deny all from 169.254.0.0/16 to any in via ppp0  
$fwcmd add deny all from 192.0.2.0/24 to any in via ppp0  
$fwcmd add deny all from 224.0.0.0/4 to any in via ppp0  
$fwcmd add deny all from 240.0.0.0/4 to any in via ppp0  
$fwcmd add deny all from any to 0.0.0.0/8 in via ppp0  
$fwcmd add deny all from any to 169.254.0.0/16 in via ppp0  
$fwcmd add deny all from any to 192.0.2.0/24 in via ppp0  
$fwcmd add deny all from any to 224.0.0.0/4 in via ppp0  
$fwcmd add deny all from any to 240.0.0.0/4 in via ppp0

#$fwcmd add divert natd all from any to any via ppp0
$fwcmd add divert natd ip from any to me in via ppp0
$fwcmd add divert natd ip from 10.10.0.0/8 to any out via ppp0
$fwcmd add check-state

$fwcmd add allow log tcp from 209.67.60.33 to any 113 via ppp0


$fwcmd add deny log udp from any to me in recv ppp0
$fwcmd add allow udp from any to any via ppp0 keep-state
$fwcmd add allow log icmp from any to any icmptypes 3,4

$fwcmd add allow tcp from any to me 80 via ppp0 keep-state

$fwcmd add deny log tcp from any to any in recv ppp0 setup
$fwcmd add allow tcp from any to any out xmit ppp0 setup keep-state
$fwcmd add allow tcp from any to any via ppp0 established keep-state

$fwcmd add allow log icmp from any to any icmptypes 8 out xmit ppp0
$fwcmd add allow log icmp from any to any icmptypes 0 in recv ppp0
$fwcmd add allow log icmp from any to any icmptypes 11 in recv ppp0

$fwcmd add 65432 deny log tcp from any to any
$fwcmd add 65433 deny log udp from any to any
$fwcmd add 65434 deny log icmp from any to any
$fwcmd add 65435 deny log ip from any to any



This was used in conjunction with the natd.conf here:

interface ppp0
use_sockets yes
same_ports yes
dynamic yes

For example purposes only - this is a very very old config.

-Mike





Re: keep-state and divert

2009-04-02 Thread Victor Sudakov
Paul A Procacci wrote:
 
 I have read some recommendations on combining a stateful firewall with 
 divert,
 e.g. 
 http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
 and http://nuclight.livejournal.com/124348.html (the latter is in Russian).
 
 Do I understand correctly that it is (mathematically?) impossible to
 use the two together without also using skipto?
 
 If we consider a simple example below, how would you replace the 600th
 rule for a stateful one?
 
 00100 divert 8668 ip from any to table(1) out via rl0
 00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
 00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
 00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
 
 00500 divert 8668 ip from table(1) to any in via rl0
 00600 allow ip from table(1) to any in via rl0
 00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
 00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
 00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0
 
 65535 allow ip from any to any
 
 Thank you in advance for any input.
 
 
 
 Hopefully you don't mind a response which provides a fully functioning
 firewall ruleset.  It's by no means complete, but should give you the
 answer to your question.
 
 http://procacci.me/ipfw.conf

I have seen a number of such complete rulesets, some of them being
very inventive and tricky. 

I see that your example also uses skipto with keep-state.  My
question was however if it was possible to do without skipto. 

And a simple example would be most appreciated, not a fully functional
ruleset.

I am also thinking about using natd -deny_incoming for keeping state,
instead of keep-state rules. Is this feasible?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: keep-state and divert

2009-04-02 Thread Victor Sudakov
Michael Powell wrote:
  
  I have read some recommendations on combining a stateful firewall with
  divert, e.g.
  http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
  and http://nuclight.livejournal.com/124348.html (the latter is in
  Russian).
  
  Do I understand correctly that it is (mathematically?) impossible to
  use the two together without also using skipto?

[dd]

 
 I haven't used ipfw for a very long time, and haven't kept current with any 
 changes. Below is an example (using kernel pppd) that I used to use a long 
 time ago. For example purposes only, extract what you need for your specific 
 configuration needs.

I have looked at your ruleset. First you have:

[dd]
 $fwcmd add divert natd ip from any to me in via ppp0
 $fwcmd add divert natd ip from 10.10.0.0/8 to any out via ppp0
 $fwcmd add check-state
 

[dd]

and only later you have your keep-state rules:

 
 $fwcmd add allow udp from any to any via ppp0 keep-state
 $fwcmd add allow log icmp from any to any icmptypes 3,4
 
 $fwcmd add allow tcp from any to me 80 via ppp0 keep-state
 
 $fwcmd add deny log tcp from any to any in recv ppp0 setup
 $fwcmd add allow tcp from any to any out xmit ppp0 setup keep-state
 $fwcmd add allow tcp from any to any via ppp0 established keep-state

This means your dynamic rules will contain an already NAT-ted address,
which is useless.

With my example ruleset below, where would you put the keep-state
option?


00100 divert 8668 ip from any to table(1) out via rl0
00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0

00500 divert 8668 ip from table(1) to any in via rl0
00600 check-state
00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0

65535 allow ip from any to any


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: keep-state and divert

2009-04-02 Thread Michael Powell
Victor Sudakov wrote:

[snip]
 
 I have looked at your ruleset. First you have:
 
 [dd]
 $fwcmd add divert natd ip from any to me in via ppp0
 $fwcmd add divert natd ip from 10.10.0.0/8 to any out via ppp0
 $fwcmd add check-state
 
 
 [dd]
 
 and only later you have your keep-state rules:
 
 
 $fwcmd add allow udp from any to any via ppp0 keep-state
 $fwcmd add allow log icmp from any to any icmptypes 3,4
 
 $fwcmd add allow tcp from any to me 80 via ppp0 keep-state
 
 $fwcmd add deny log tcp from any to any in recv ppp0 setup
 $fwcmd add allow tcp from any to any out xmit ppp0 setup keep-state
 $fwcmd add allow tcp from any to any via ppp0 established keep-state
 
 This means your dynamic rules will contain an already NAT-ted address,
 which is useless.
 
 With my example ruleset below, where would you put the keep-state
 option?
 
 
 00100 divert 8668 ip from any to table(1) out via rl0
 00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
 00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
 00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
 
 00500 divert 8668 ip from table(1) to any in via rl0
 00600 check-state
^^^
Yes - the check-state line is required first in order to make use of the 
keep-state line later in the ruleset.

00650 allow ip from table(1) to any in via rl0 keep-state

Or wherever you are intending to set up state for a rule in the state table.

 00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
 00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
 00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0
 
 65535 allow ip from any to any
 
 
$fwcmd add allow tcp from any to any out xmit ppp0 setup keep-state
$fwcmd add allow tcp from any to any via ppp0 established keep-state

Note in these two rules the setting of the SYN flag with setup. This 
allows the initial 3-way TCP handshake. The subsequent established line is 
where it will remember the traffic. It is not truly necessary to have it 
split between two lines like this, as a looser example:

$fwcmd add allow tcp from any to me 80 via ppp0 keep-state

Of course, you will need to adjust for the direction(s) of your traffic 
flow, that is, in order to meet your specific needs. My example rule was 
intended for use as an endpoint where I was mainly interested in blocking 
all inbound traffic with a very limited number of exceptions with state 
being used to allow back in from the outside all return traffic originated 
by me, and only me.

It's been something on the order of 6-7 years since I last used ipfw. For 
something like 2-3 years after that I used ipfilter. When pf was imported 
from OpenBSD and became stable I made the move to pf. 

So my recall of specifics related to ipfw is dim at best. Was just hoping 
you could pick out some detail which may be of use to you. Your needs may be 
different from mine and consequently there is no real one magic copy this 
for plug and play ruleset. Mine was just one example where I was trying to 
illustrate one possibility of utilizing state. And this from a working 
ruleset that I used for years.

-Mike





Re: keep-state and divert

2009-04-02 Thread Victor Sudakov
Michael Powell wrote:
  
  With my example ruleset below, where would you put the keep-state
  option?
  
  
  00100 divert 8668 ip from any to table(1) out via rl0
  00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
  00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
  00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
  
  00500 divert 8668 ip from table(1) to any in via rl0
  00600 check-state
 ^^^
 Yes - the check-state line is required first in order to make use of the 
 keep-state line later in the ruleset.
 
 00650 allow ip from table(1) to any in via rl0 keep-state

It should be out here, not in, because I want to permit outbound
traffic and corresponding return traffic. You might think of something like

650 allow ip from any to table(1) out via rl0 keep-state

However, if we place the keep-state rule at 650, only already
diverted packets will reach it, and it will be useless because the src
address will already have become the public one. I need a rule which
would permit return traffic to the RFC1913 hosts (i.e. after
dealiasing).

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: keep-state and divert

2009-04-02 Thread Victor Sudakov
Victor Sudakov wrote:
 If we consider a simple example below, how would you replace the 600th
 rule for a stateful one?
 
 00100 divert 8668 ip from any to table(1) out via rl0
 00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
 00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
 00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
 
 00500 divert 8668 ip from table(1) to any in via rl0
 00600 allow ip from table(1) to any in via rl0
 00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
 00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
 00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0
 
 65535 allow ip from any to any
 

It seems that the ruleset should be reordered and changed to the following:

00100 divert 8668 ip from table(1) to any in via rl0
00200 check-state
00300 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
00300 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
00300 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0

00400 skipto 500 ip from any to table(1) out via rl0 keep-state
00500 divert 8668 ip from any to table(1) out via rl0
00600 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
00600 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
00600 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0

65535 allow ip from any to any

It seems to work. However there is an obscure moment in it. When I
look at the dynamic rules being created, for each connection I see two
rules: one with the private source address and another with a NAT'ed
source address. Which means the outgoing packet traverses the 400th
rule twice.  I don't understand how this happens.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
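The ordering argument running through this thread (a keep-state rule placed after the outbound divert records the already aliased source address, as Victor points out in his reply to Michael, so state has to be created before the outbound divert and checked after the inbound one, which is what the skipto ruleset above achieves) can be made visible with a small model. The code below is an added example and not part of the thread. It parses the ipfw rule syntax used above and walks one packet and its reply through two rulesets, applying the documented ipfw behaviour: rules are tried in number order, skipto continues at the first rule numbered at or above the target, a diverted packet re-enters the ruleset at the rule after the divert rule, a check-state match executes the action of the rule that created the dynamic rule, and a keep-state rule performs an implicit check-state. Everything else is an assumption for the sake of the model: 10.0.0.5 is the LAN host, 203.0.113.1 the address natd aliases to, 198.51.100.7 the only entry of table(1); ports, interfaces and natd's real behaviour are reduced to an address rewrite with its own translation table, and the RFC1918 denies are trimmed to the one that matters per direction. The duplicate dynamic rule Victor observes in his last post is not reproduced here.

```python
"""Model of ipfw rule evaluation with divert/natd and keep-state (added example)."""
import ipaddress
from collections import namedtuple

PRIVATE = "10.0.0.5"      # constructed: LAN host behind natd
PUBLIC = "203.0.113.1"    # constructed: address natd aliases to
REMOTE = "198.51.100.7"   # constructed: remote host the LAN host talks to
TABLE1 = {REMOTE}         # table(1): remote destinations NAT applies to

Pkt = namedtuple("Pkt", "src dst direction")   # direction is "in" or "out"
Rule = namedtuple("Rule", "num action src dst direction keep_state target")

def parse(line):
    """Parse the subset of ipfw rule syntax used in the thread."""
    tok = line.split()
    f = dict(num=int(tok[0]), action=tok[1], src="any", dst="any",
             direction="any", keep_state=False, target=0)
    if f["action"] in ("divert", "skipto"):
        f["target"] = int(tok[2])       # divert port / skipto target
    for j, t in enumerate(tok):         # "ip", "log logamount N", "via rl0" need no handling
        if t in ("from", "to"):
            f["src" if t == "from" else "dst"] = tok[j + 1]
        elif t in ("in", "out"):
            f["direction"] = t
        elif t == "keep-state":
            f["keep_state"] = True
    return Rule(**f)

def addr_match(pattern, ip):
    if pattern in ("any", "table(1)"):
        return pattern == "any" or ip in TABLE1
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)

def natd(pkt, nat_table):
    """natd stand-in: alias outbound sources to PUBLIC and de-alias replies.
    nat_table is natd's own translation table, separate from ipfw's dynamic rules."""
    if pkt.direction == "out":
        nat_table[pkt.dst] = pkt.src
        return pkt._replace(src=PUBLIC)
    if pkt.dst == PUBLIC and pkt.src in nat_table:
        return pkt._replace(dst=nat_table[pkt.src])
    return pkt

def evaluate(rules, pkt, state, nat_table):
    """Walk pkt through rules (sorted by number); return (verdict, matched rule numbers).
    state maps (src, dst) of a kept flow to the rule that created it."""
    trace, i = [], 0
    while i < len(rules):
        r, hit = rules[i], None
        if r.action == "check-state" or r.keep_state:   # keep-state implies a check-state
            hit = state.get((pkt.src, pkt.dst)) or state.get((pkt.dst, pkt.src))
        if hit is None:
            fits = (addr_match(r.src, pkt.src) and addr_match(r.dst, pkt.dst)
                    and r.direction in ("any", pkt.direction))
            if r.action == "check-state" or not fits:
                i += 1
                continue
            hit = r
            if r.keep_state:
                state[(pkt.src, pkt.dst)] = r           # keyed on the addresses seen *here*
        trace.append(r.num)
        if hit.action in ("allow", "deny"):             # a dynamic match runs the parent's action
            return hit.action, trace
        if hit.action == "divert":                      # natd rewrites; re-injected at next rule
            pkt, i = natd(pkt, nat_table), i + 1
        else:                                           # skipto: first rule numbered >= target
            i = next(j for j, x in enumerate(rules) if x.num >= hit.target)
    return "deny", trace

# Victor's reordered ruleset (RFC1918 denies trimmed to the one that matters here).
STATE_BEFORE_NAT = """
00100 divert 8668 ip from table(1) to any in via rl0
00200 check-state
00300 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
00400 skipto 500 ip from any to table(1) out via rl0 keep-state
00500 divert 8668 ip from any to table(1) out via rl0
65535 allow ip from any to any
"""

# The keep-state rule placed after the outbound divert instead.
STATE_AFTER_NAT = """
00100 divert 8668 ip from any to table(1) out via rl0
00500 divert 8668 ip from table(1) to any in via rl0
00600 check-state
00650 allow ip from any to table(1) out via rl0 keep-state
00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
65535 allow ip from any to any
"""

def run(ruleset):
    rules = sorted((parse(ln) for ln in ruleset.strip().splitlines()), key=lambda r: r.num)
    state, nat_table = {}, {}
    out = evaluate(rules, Pkt(PRIVATE, REMOTE, "out"), state, nat_table)
    back = evaluate(rules, Pkt(REMOTE, PUBLIC, "in"), state, nat_table)
    return out, back, sorted(state)

if __name__ == "__main__":
    print("keep-state before divert:", run(STATE_BEFORE_NAT))
    print("keep-state after divert: ", run(STATE_AFTER_NAT))
```

With the first ruleset the dynamic rule is keyed on 10.0.0.5, the de-aliased reply is caught by check-state at rule 200 and, via the parent skipto, reaches the final allow. With the second the dynamic rule is keyed on 203.0.113.1, the de-aliased reply (now addressed to 10.0.0.5) matches nothing in the state table and is dropped by the RFC1918 deny at 700, which is the situation Victor describes as useless state.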