1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Rule Review - First Timer

Discussion in 'Firewalls' started by markosolo, May 8, 2012.

  1. markosolo

    markosolo New Member

    Messages:
    11
    Thanks Received:
    0
    Hi all,

    I'm somewhat a first-timer when it comes to IPFW. I have been using it for about a year, but been using a stock template I bashed together after a bit of research some time ago. Anyway, I'm trying to improve my FreeBSD and IPFW knowledge, and I'm working on my rulesets. I would appreciate a review of the following ruleset and suggest better ways of doing things, or things that are wrong, or more best practices.

    Things I am not sure about are the "setup" and "keep-state" options, as well as the entire stateful inspection paragraph.

    Code:
    
    IPF="ipfw -q add"
    ipfw -q -f flush
    
    ******** BUNCH of HOST AND NETWORK VARIABLES HERE ********
    
    #loopback
    $IPF 09 deny tcp from any to 127.0.0.1 113 in
    $IPF 10 allow all from any to any via lo0
    $IPF 20 deny all from any to 127.0.0.0/8
    $IPF 30 deny all from 127.0.0.0/8 to any
    $IPF 40 deny log tcp from any to any frag
    
    # Deny Statements
    $IPF 41 deny log all from 172.16.0.0/12 to any in #RFC 1918
    $IPF 42 deny log all from 10.0.0.0/8 to any in #RFC 1918
    $IPF 43 deny log all from $******** to any in
    $IPF 44 deny log all from $******** to any in 
    
    # stateful
    $IPF 50 check-state
    $IPF 60 allow tcp from any to any established # Won't this and the rule below it be wrong?
    # The example on FreeBSD page says
    # to deny established, but I'm not sure if this means keep accepting already
    # established(connection tracked) sessions, or whether it means accept packets
    # that are ACKS wether they have a valid session in the connections table or not?
    $IPF 70 allow log all from any to any out keep-state
    
    # ICMP
    $IPF 80 allow log icmp from $******** to ******** keep-state
    $IPF 81 allow log icmp from $******** to any keep-state
    $IPF 82 allow log icmp from $******** to ******** keep-state
    $IPF 83 allow icmp from $******** to any keep-state
    $IPF 84 deny log icmp from any to any
    
    # open port ftp (20,21), ssh (22), mail (25)
    # http (80), dns (53) etc
    $IPF 100 allow log any from $******** to any in setup keep-state
    $IPF 101 allow log any from $******** to any in setup keep-state
    $IPF 102 allow log tcp from any to any 21 out setup keep-state #FTP for faster port downloads
    $IPF 110 allow log tcp from $******** to any 22 in setup keep-state # SSH MANAGEMENT 
    $IPF 111 allow log tcp from $******** to any 22 in setup keep-state
    $IPF 112 allow log tcp from $******** to any 22 in setup keep-state
    $IPF 113 allow log tcp from $******** to any 22 in setup keep-state
    $IPF 120 allow log tcp from any to any 22 out setup keep-state uid root limit src-addr 5
    $IPF 130 allow log udp from any to any 53 out setup keep-state limit src-addr 5
    $IPF 140 allow log tcp from any to any 53 out setup keep-state limit src-addr 5
    $IPF 150 allow log tcp from any to any 80 out setup keep-state limit src-addr 30
    $IPF 160 allow log tcp from any to any 443 out setup keep-state limit src-addr 30
    
    # deny and log everything
    $IPF 500 deny log all from any to any
    
    


    Thanks!

    Mark
     
  2. johnd

    johnd New Member

    Messages:
    43
    Thanks Received:
    13
    Use # ipfw show to see which packets match a specific rule.

    ipfw(8) is a "first match wins" packet filter. Your rules #120 - #160 will never win because of rule #70

    Rule #60 will pass incoming/outgoing packtes with the "ACK" bit set. You could change it to:
    Code:
    $IPF 60 allow tcp from me to any established


    Rule #09 is nonsense imho. You could build your loopback rules as follows:
    Code:
    ${IPF} 09 pass all from any to any via lo0
    ${IPF} 10 deny all from any to 127.0.0.0/8
    ${IPF} 11 deny ip from 127.0.0.0/8 to any
     
  3. markosolo

    markosolo New Member

    Messages:
    11
    Thanks Received:
    0
    Ok so I can remove rules 60 and 70 and stateful will work correctly? It will only allow what is explicitly defined and then state tracking will allow the rest to work?
     
  4. johnd

    johnd New Member

    Messages:
    43
    Thanks Received:
    13
    Yes, they can be removed or modified (see my last post). The firewall will create dynamic rules for those with the keep-state or limit option.

    Rules #110 - #113 could be redefined to a single rule if you create a table.