IPFW Good practices with IPFW

[This topic has been edited to meet forum standards]
Hello guys! I'm new here, maybe this topic was created by another member, in advance I apologize for that. I would like some help with IPFW, I have some rules in place, but I would like to perform a "Default Drop" action, basically it's just accepting some connections from the local network and dropping everything else, what would those rules look like? By the way, I have FreeBSD 13.1 + DNS Unbound on this machine.

My Rules:
Code:
# Rules of Firewall
# Accept Requisitions to DNS
$fw add allow tcp from 127.0.0.1 to me dst-port 53
$fw add allow udp from 127.0.0.1 to me dst-port 53
$fw add allow tcp from ::1 to me dst-port 53
$fw add allow udp from ::1 to me dst-port 53
$fw add allow tcp from fd00:0000:1::/48 to me dst-port 53 // Prefix used for example
$fw add allow udp from fd00:0000:1::/48 to me dst-port 53 // Prefix used for example
$fw add allow tcp from 100.65.2.0/23 to me dst-port 53
$fw add allow udp from 100.65.2.0/23 to me dst-port 53
$fw add allow tcp from 10.50.50.1 to me dst-port 53
$fw add allow udp from 10.50.50.1 to me dst-port 53
$fw add allow tcp from 192.0.2.0/24 to me dst-port 53 // Prefix used for example
$fw add allow udp from 192.0.2.0/24 to me dst-port 53 // Prefix used for example

# Accept Requisitions to SSH
$fw add allow tcp from 192.168.68.10 to me dst-port 2250
$fw add allow tcp from fd00:0000:1::/48 to me dst-port 2250 // Prefix used for example
$fw add allow tcp from 100.65.2.0/23 to me dst-port 2250
$fw add allow tcp from 10.50.50.1 to me dst-port 2250
$fw add allow tcp from 192.0.2.0/24 to me dst-port 2250 // Prefix used for example

# Discard the Others
$fw add deny tcp from any to me dst-port 53,80,443,2250,17,19,25,137-139,161,465,587,2000
$fw add deny udp from any to me dst-port 53,17,19,25,137-139,161,465,587,2000

I would like to optimize these rules if possible.
 
Code:
# Discard the Others 
$fw add deny tcp from any to me dst-port 53,80,443,2250,17,19,25,137-139,161,465,587,2000 
$fw add deny udp from any to me dst-port 53,17,19,25,137-139,161,465,587,2000
Why are you listing a whole bunch of 'potential' ports? Just deny everything. As in $fw add deny ip from any to any. If the traffic wasn't allowed by any of the previous rules it should just be dropped. That's a good firewall policy, only allow what you want/need, deny everything else.

Oh, and don't forget that Unbound has to be able to make outgoing DNS requests too, so you will need to add some rules to allow this.
 
I have some rules in place, but I would like to perform a "Default Drop" action, basically it's just accepting some connections from the local network and dropping everything else, what would those rules look like?
Adding a default drop action is easy. Simply create one or more rules with a really high number, for example 65535. This is an example from my configuration:
Bash:
# ipfw list
...
65520 deny log ip from any to any
65535 deny ip from any to any

Also, if you are an IPFW newbie, start by reading the IPFW section of Chapter 31 in the handbook: https://docs.freebsd.org/en/books/handbook/firewalls/#firewalls-ipfw
Use the examples there, they are pretty sensible and include some basic but important attack protections. I based all my scripts on that.
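The default-deny layout the two replies above describe, written out as one complete ruleset script. This is an added example, not code from the thread, from the handbook or from /etc/rc.firewall. It assumes the external interface is em0, sshd on port 2250 as in the OP's rules, and it reuses the OP's example prefixes (the table names dns_clients and ssh_clients are made up here). Two things the OP's rules need once a catch-all deny exists: the inbound allows must be stateful (or paired with outbound rules), because the replies from port 53 and 2250 back to the client would otherwise fall through to the final deny; and Unbound's own outgoing queries need an outbound stateful rule. Rule 65535 is the kernel's built-in default (it is what shows up at the bottom of `ipfw list` above) and cannot be added by a script, so the script installs its own logged deny at 65000. Until `IPFW_APPLY=1` is set the script only prints the `ipfw` commands it would run, so it can be reviewed before it is loaded on a host you are logged into over ssh.

```shell
#!/bin/sh
# Added example ruleset (not from the thread): default deny for a FreeBSD host
# running Unbound and sshd on port 2250. Assumed: external interface em0 and
# the OP's example client prefixes. Dry run (print only) unless IPFW_APPLY=1.

ext=em0            # assumed external interface
ssh_port=2250

fw() {
    if [ "${IPFW_APPLY:-0}" = "1" ]; then
        /sbin/ipfw -q "$@"
    else
        echo "ipfw $*"
    fi
}

# One address table per service instead of one rule per prefix; an addr table
# holds IPv4 and IPv6 entries side by side. Table names are assumptions.
make_table() {
    t="$1"; shift
    fw table "$t" destroy 2>/dev/null || true
    fw table "$t" create type addr
    for a in "$@"; do fw table "$t" add "$a"; done
}

load_rules() {
    fw -f flush
    make_table dns_clients fd00:0:1::/48 100.65.2.0/23 10.50.50.1 192.0.2.0/24
    make_table ssh_clients 192.168.68.10 fd00:0:1::/48 100.65.2.0/23 10.50.50.1 192.0.2.0/24

    # Loopback: allow on lo0, refuse loopback addresses on any other interface.
    fw add 100 allow ip from any to any via lo0
    fw add 110 deny ip from any to 127.0.0.0/8
    fw add 120 deny ip from 127.0.0.0/8 to any
    fw add 130 deny ip from any to ::1
    fw add 140 deny ip from ::1 to any

    # Replies to connections recorded by the keep-state rules below.
    fw add 200 check-state

    # Unbound's own queries to upstream/authoritative servers (UDP and TCP 53);
    # the dynamic rule created here is what lets the answers back in.
    fw add 300 allow udp from me to any dst-port 53 out via "$ext" keep-state
    fw add 310 allow tcp from me to any dst-port 53 out via "$ext" setup keep-state
    # Other traffic the host itself originates (pkg, ntp, ...). Remove this
    # rule if the host should only ever talk DNS.
    fw add 320 allow ip from me to any out via "$ext" keep-state

    # ICMP subset chosen here: echo, destination unreachable (path MTU
    # discovery), time exceeded; for IPv6 also the neighbour discovery types,
    # without which the link does not work at all.
    fw add 400 allow icmp from any to any icmptypes 0,3,8,11
    fw add 410 allow ipv6-icmp from any to any icmp6types 1,2,3,4,128,129,133,134,135,136

    # Inbound services. Stateful, so the replies from port 53/2250 back to the
    # client match check-state instead of reaching the final deny.
    fw add 500 allow udp from 'table(dns_clients)' to me dst-port 53 in via "$ext" keep-state
    fw add 510 allow tcp from 'table(dns_clients)' to me dst-port 53 in via "$ext" setup keep-state
    fw add 520 allow tcp from 'table(ssh_clients)' to me dst-port "$ssh_port" in via "$ext" setup keep-state

    # Known noise (the OP's port list minus the services actually offered),
    # dropped quietly so it does not fill /var/log/security.
    fw add 1000 deny tcp from any to me dst-port 17,19,25,137-139,161,465,587,2000 in via "$ext"
    fw add 1010 deny udp from any to me dst-port 17,19,137-139,161 in via "$ext"

    # Everything else is logged (rate limited per rule) and dropped. Rule 65535
    # is the kernel's built-in default rule and is not added here.
    fw add 65000 deny log logamount 500 ip from any to any
}

load_rules
```

To have rc(8) load it, point rc.conf at the script (`firewall_enable="YES"`, `firewall_script="/usr/local/etc/ipfw.rules"`) with `IPFW_APPLY=1` exported at the top of the installed copy, and set `firewall_logging="YES"` so that the `log` keyword actually produces log lines (it turns on net.inet.ip.fw.verbose); the default syslog.conf already sends `security.*` to /var/log/security. Test a new version from a local console, or at least from a second ssh session, before trusting it remotely.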
 
Also, if you are an IPFW newbie, start by reading the IPFW section of Chapter 31 in the handbook: https://docs.freebsd.org/en/books/handbook/firewalls/#firewalls-ipfw
Use the examples there, they are pretty sensible and include some basic but important attack protections. I based all my scripts on that.

I have to differ on that advice, as it tends to discourage use of the primary reference manual ipfw(8), and concurrent study of the primary example rulesets in /etc/rc.firewall.

The handbook chapter was originally written by someone who preferred ipfilter, only ever used stateful rules even where inappropriate, and was originally full of outright errors. It has been greatly improved in recent years though some strange notions remain, such as a ridiculous limit on logging errors to /var/log/security based on misunderstanding how syslogd(8) works (see its -c option).

The more people study the primary documents, written by the code authors, the more likely that handbook chapter will improve.

cheers, Ian
 
IMO it is good for learning too:
 
For security purposes you may set
Code:
$fw add deny log ip from IP.range.to.ban/mask to me via interface
and that crap'll go to /var/log/security
 
Re OP's:

# Discard the Others
$fw add deny tcp from any to me dst-port 53,80,443,2250,17,19,25,137-139,161,465,587,2000
$fw add deny udp from any to me dst-port 53,17,19,25,137-139,161,465,587,2000

Why are you listing a whole bunch of 'potential' ports? Just deny everything. As in $fw add deny ip from any to any. If the traffic wasn't allowed by any of the previous rules it should just be dropped. That's a good firewall policy, only allow what you want/need, deny everything else.

Yes and no, or 'it depends' :)

Dumping lots of commonly seen noise like most of the selection shown, if not running associated services - makes sense if you want to deny log [logamount N] other bogons than these later on to /var/log/security, to spot patterns of (attempted) abuse. Similarly you may have table/s of hosts or nets you want to just drop, but perhaps others you want to know about more specifically.

Of course that only makes sense if you're in the habit of monitoring ipfw.today and the security file .. so 'it depends' on your desired level of scrutiny.

Oh, and don't forget that Unbound has to be able to make outgoing DNS requests too, so you will need to add some rules to allow this.

Yes, and to allow some icmp too, for ping but importantly for TCP path MTU discovery. /etc/rc.firewall 'workstation' shows a safe subset of icmptypes to allow.
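Monitoring /var/log/security, as the two replies above recommend, means reducing the `deny log` lines to something a person can read: which sources are hitting the host, how often, and on how many distinct ports. The following is an added example, not from the thread: an awk summary over constructed log lines in the format ipfw's logging produces once syslogd prefixes them (the rule number 65000, host name gw, interface em0 and the addresses are all made up). On a real host, feed it `grep 'ipfw:' /var/log/security` instead of the sample.

```shell
#!/bin/sh
# Added example (not from the thread): summarise ipfw "deny log" lines from
# /var/log/security per source address. Sample lines are constructed.

sample_log() {
cat <<'EOF'
Mar 10 03:12:44 gw kernel: ipfw: 65000 Deny TCP 203.0.113.7:54012 192.0.2.10:23 in via em0
Mar 10 03:12:45 gw kernel: ipfw: 65000 Deny TCP 203.0.113.7:54013 192.0.2.10:2323 in via em0
Mar 10 03:12:46 gw kernel: ipfw: 65000 Deny TCP 203.0.113.7:54014 192.0.2.10:8080 in via em0
Mar 10 03:13:01 gw kernel: ipfw: 65000 Deny UDP 198.51.100.9:41000 192.0.2.10:123 in via em0
Mar 10 03:13:02 gw kernel: ipfw: 65000 Deny UDP 198.51.100.9:41001 192.0.2.10:123 in via em0
Mar 10 03:14:10 gw kernel: ipfw: 65000 Deny ICMP:8.0 198.51.100.22 192.0.2.10 in via em0
Mar 10 03:15:00 gw kernel: ipfw: 65000 Deny UDP 192.0.2.55:50001 192.0.2.10:2250 in via em0
Mar 10 03:15:00 gw kernel: ipfw: limit 500 reached on entry 65000
EOF
}

# Reads log lines on stdin, prints "<src> <hits> <distinct_targets>" per source,
# most hits first. Many distinct targets from one source in a short window is a
# port scan (203.0.113.7); many hits on one port is brute force or a broken
# client; an address inside an allowed prefix showing up here (192.0.2.55) is
# usually a rule bug, e.g. the wrong protocol for an otherwise allowed service.
summarize_denies() {
    awk '
        /ipfw: [0-9]+ Deny / {
            # Locate the action word rather than trusting fixed field numbers,
            # so a different syslog prefix does not break the parse.
            for (i = 1; i <= NF; i++) if ($i == "Deny") break
            proto = $(i + 1); src = $(i + 2); dst = $(i + 3)
            if (proto ~ /^ICMP/)                 # ICMP:type.code, no ports
                port = proto
            else {                               # last ":"-field is the port
                n = split(dst, d, ":"); port = d[n]
            }
            sub(/:[0-9]+$/, "", src)             # strip the source port
            hits[src]++
            if (!((src, port) in seen)) { seen[src, port] = 1; targets[src]++ }
        }
        END { for (s in hits) print s, hits[s], targets[s] }
    ' | sort -k2,2nr
}

sample_log | summarize_denies
```

The "limit 500 reached on entry 65000" line is what `logamount` emits when a rule stops logging; the script ignores it, but seeing it in the file is itself a signal that the rule is busier than the limit assumed, and `ipfw resetlog` re-arms the counter.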
 