IPFW stateful rules in FreeBSD 6.4 ? - The FreeBSD Forums
#1
December 15th, 2008, 09:14
Unixworld (Junior Member)
IPFW stateful rules in FreeBSD 6.4 ?

Hi all,

I would like to share some experience with IPFW.
Yesterday I switched from 7.0 RELEASE to the new 6.4 RELEASE. Installed all distributions (except ports and sources) from the DVD, copying both the generic and SMP kernel, and put XFCE 4 from an ftp-mirror. Nothing unusual till now.

After the first reboot, FreeBSD picked and booted with the SMP-kernel; I personally didn't do anything on the kernel side. I have an old Pentium 4 "Prescott" 2.8 GHz/800 MHz/1 MB cache, S.478.

So..., dunno what happened here, but the way I used to use IPFW in 7.0 doesn't work here in 6.4. I've always used "firewall_type=workstation" and "firewall_rules=/etc/ipfw.rules" in the 7.0 RELEASE, where the rules were those provided as an example in the handbook. They were pretty satisfying for me, being a newbie in the FreeBSD world.

Now, in 6.4, I tried the same "tactics", which doesn't work. Though the rules get loaded and IPFW gets active, it blocks the connection (I use PPPoE, so the tun0-interface in my case).

I'd like to ask for some help, leading me in the right direction. I either make things wrong, or the IPFW concept is different in 6.4 ?!

Thanx to all in advance !

Greetings
#2
December 15th, 2008, 12:26
caligula (Junior Member)

Hello Unixworld,

first, why did you do that downgrade? - 7.1-RELEASE is coming soon.

The /etc/rc.firewall scripts from 6.4 and 7.0 are different ones:
- 6.4
Code:
/home/caligula> grep '$FreeBSD' /etc/rc.firewall
# $FreeBSD: src/etc/rc.firewall,v 1.47.10.4.2.1 2008/10/02 02:57:24 kensmith Exp $
- 7.0
Code:
/home/caligula> grep '$FreeBSD' /etc/rc.firewall
# $FreeBSD: src/etc/rc.firewall,v 1.52.4.1 2008/01/29 00:22:32 dougb Exp $
"grep 'workstation'" in /etc/rc.firewall shows that "firewall_type=workstation" is unknown in 6.4.

And if you built the kernel with "IPFIREWALL_DEFAULT_TO_DENY", then the last rule would always be "65535 deny ip from any to any".

So, either upgrade back to 7.0, or show me the output of "ipfw list" or "ipfw show" in order to find out which rule blocks your traffic.

edit:
Having read the example ruleset of the handbook, I would say that the public interface "pif" isn't properly set (in your case it should be pif="tun0"), and the last rule "00999 deny log all from any to any" does its job.
Do an "ipfw show" and we will see.


bye
__________________
caligula @ FreeBSD 7.0-RELEASE-p6

#3
December 15th, 2008, 18:26
Unixworld (Junior Member)

Hailz, Caligula,

thank you for your time answering me back.
Just got home from work, so didn't have time till now
to give you that info needed.

Well, the output is (just rechecked the matter):
Code:
FreeBSD# /etc/rc.d/ipfw start
Flushed all rules.
Line 5: bad command `ipfw'
Firewall rules loaded.
Firewall logging enabled.
net.inet.ip.fw.enable: 0 -> 1
FreeBSD# ipfw -t list
65535 Mon Dec 15 17:11:08 2008 deny ip from any to any

$ sudo ipfw show
65535 371 51665 deny ip from any to any

It just doesn't show all these rules that are in the handbook (non-NAT) ruleset as it used to before...

IPFW always "complains" about an error in one of the first lines, whichever ruleset I put in the ipfw.rules and try, and whichever line I change, always murmuring:

Code:
################ Start of IPFW rules file############
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="tun0" # public interface name of NIC
# facing the public Internet

#####################################################

I always set the PPPoE-if "tun0" in here, as mentioned; never had any troubles in the 7.0-version.
I also changed the "firewall_type="/etc/ipfw.rules" in rc.conf, but I think these were last desperate measures before going back to the 7.0-th colossus.

Please answer back, if you have the time; I think I would roll back to the 7.0-release very soon.

Thanx a lot for your support & cheers !
#4
December 15th, 2008, 19:01
caligula (Junior Member)

Hello Unixworld,

Quote:
$ sudo ipfw show
65535 371 51665 deny ip from any to any
Well, your ruleset isn't loaded at all, so only the default last rule 65535 (deny all from any to any) is active.

Quote:
It just doesn't show all these rules that are in the
handbook (non-NAT) ruleset as it used to before...
because they aren't loaded.


Why is your ruleset not loaded? - Answer:
Quote:
...
FreeBSD# /etc/rc.d/ipfw start
Flushed all rules.
Line 5: bad command `ipfw'
...
IPFW always "complains" about an error in one of the
first lines, ...

So, fix the error and your rules will be loaded.
I suppose your /etc/ipfw.rules misses a "#!/bin/sh" in the first line.
ipfw.rules is a shell script. Put a hashbang there.
Else, replace in your ruleset each "$cmd" by "ipfw add".


Nevertheless, why did you downgrade?
"7.0-th colossus" is not a reason. => Choose "Minimal Install" in sysinstall.
__________________
caligula @ FreeBSD 7.0-RELEASE-p6

#5
December 15th, 2008, 20:23
Unixworld (Junior Member)
Very close to... ? :)

Hello, Caligula,

Thanx a lot again for your support.

Well, the ruleset is a shell script; the "#!/bin/sh" thingy is there all the time.

Will try now with the cmd-thing and post back in here.
P.S. What about "firewall_type=?" Was mine correct (I highly doubt it was, hehe)

Greetings !
#6
December 15th, 2008, 22:22
caligula (Junior Member)

ahh, oh yes, of course, I'm blind.

Try
firewall_script=""

see /etc/defaults/rc.conf

firewall_type="" is for the rc.firewall script.

When you specify a "type" which is not defined in rc.firewall, it will be interpreted as a ruleset.
So in that case firewall_type="/etc/ipfw.rules" should look like:
Code:
add 100 allow all from any to any via lo0
add 110 deny log all from any to 127.0.0.0/8
add 120 deny log ip from 127.0.0.0/8 to any
...
And firewall_rules="" has no effect.
__________________
caligula @ FreeBSD 7.0-RELEASE-p6
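As an added example (not from the thread or from FreeBSD itself), a small POSIX shell checker for the two ways rc.firewall can take a custom rules file as discussed in posts #4 and #6: firewall_script runs the file as a shell script, while an unknown firewall_type hands the file to ipfw as a plain ruleset. The sample files are constructed here, and the list of accepted ipfw subcommands is an assumption covering the common ones.

```shell
#!/bin/sh
# Added example, not from the thread. rc.firewall takes a custom rules file
# two ways: firewall_script="FILE" runs it as a shell script (needs a #!
# line); an unknown firewall_type="FILE" is handed to `ipfw FILE`, where each
# non-comment line must start with an ipfw subcommand. Mixing them up gives
# exactly the "Line N: bad command `ipfw'" seen in the thread.

# FILE as a firewall_type ruleset: print the first line whose first word is
# not an ipfw subcommand, in ipfw's own style, and return 1; else return 0.
# The accepted-subcommand list is an assumption covering the common ones.
lint_ruleset_file() {
    awk '
        /^[ \t]*(#|$)/ { next }   # comments (a #! line included) and blanks
        $1 !~ /^(add|delete|flush|zero|resetlog|enable|disable|set|table|pipe|queue|nat)$/ {
            printf "Line %d: bad command `%s\047\n", NR, $1
            exit 1
        }' "$1"
}

# FILE as a firewall_script: it is executed, so it must begin with "#!".
lint_script_file() {
    [ "$(head -n 1 "$1" | cut -c1-2)" = "#!" ]
}

# Constructed sample 1: the handbook-style script quoted in the thread, with
# the shebang present. Read by ipfw as a ruleset, line 5 is the first error.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#!/bin/sh

################ Start of IPFW rules file############
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
$cmd 00010 allow all from any to any via lo0
EOF

# Constructed sample 2: the same rules as a plain ruleset, which is what
# firewall_type="/etc/ipfw.rules" expects: ipfw subcommands, no shell syntax.
RULESET=$(mktemp)
cat > "$RULESET" <<'EOF'
# rc.firewall flushes before loading, so no flush line is needed here.
add 00010 allow all from any to any via lo0
add 00011 deny log all from any to 127.0.0.0/8
EOF
trap 'rm -f "$SAMPLE" "$RULESET"' EXIT
lint_ruleset_file "$SAMPLE" || echo "sample 1 is a shell script, not a ruleset"
lint_ruleset_file "$RULESET" && echo "sample 2 loads as a firewall_type ruleset"
```

Run against a real /etc/ipfw.rules, the first checker tells you whether firewall_type="/etc/ipfw.rules" can work, and the second whether firewall_script="/etc/ipfw.rules" is the setting you actually want.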
#7
December 21st, 2008, 14:29
komeylian (Junior Member, Iran, Tehran)

hi,

Do you know how I can filter a string on my BSD machine with ipfw, like below:

add deny string "mail.yahoo.com" ip from any to any via fxp0


thanks in advance.