Solved Why my IPFW blocking updating Freebsd and downloading data for ports and packets

Good day. A while ago I tried to update my FreeBSD to a newer version and it failed, gave some error like

"Looking up update.FreeBSD.org mirrors... none found. Fetching public key from update.FreeBSD.org... failed.
No mirrors remaining, giving up".

Then I tried to install some programs from ports or packets, both failed just the same way. After some thought I turned off my firewall and all started working. But I don't understand what rules I should add so the system can upgrade and download anything from FreeBSD servers. Turning off the firewall is a bad thing because of security. Here are my rules:

I replaced real IPs with * because they are public but that does not matter much.

Code:
add 1000 allow icmp from any to any

add 1010 allow tcp from *.*.*.* to me 22 via igb0 keep-state
add 1020 allow tcp from *.*.*.* to me 22 via igb0 keep-state
add 1030 allow tcp from *.*.*.0/24 to me 22 via igb0 keep-state
add 1040 allow tcp from *.*.*.0/24 to me 22 via igb0 keep-state
add 1050 allow tcp from *.*.*.* to me 22 via igb0 keep-state
add 1060 allow tcp from any to me 22 via igb1 keep-state

add 1070 allow tcp from any to me 80 via igb0 keep-state
add 1080 allow tcp from any to me 443 via igb0 keep-state

add 1090 allow all from me to any

add 65000 deny ip from any to any

I tried to google the problem but didn't find a clear answer about what ports and sockets FreeBSD uses to download what it needs so I can add a rule for that to my ipfw. I am sorry if my answer is stupid, I am still learning this OS, it is not easy for me.
 
How is it supposed to do a DNS query if outgoing TCP and UDP port 53 isn't allowed? Also note that updates (or distfiles) are usually downloaded from 80 or 443. So you need to allow outgoing connections to 80/443 too.
 
Rule "1090" should be separated into protocols (tcp, udp, icmp...) so that for TCP you get "setup keep-state" and for UDP you have "keep-state".

example:
01100 check-state :default
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state :default
01400 allow udp from me to any keep-state :default

In your case check-state should be before rule 1000 (900-1000)

For "trusted" IPs only, to your SSH port on TCP, use setup keep-state.
For "untrusted" IPs for HTTP and HTTPS don't use keep-state; your outgoing packets will be handled via another static rule like 01200 in the example above, or via your rule 1090. Do not create dynamic states for those sessions, as they can be used for DDoS.
 
Got it. Thanks. I am very grateful.
 
Sorry to bother you. Your reply helped me understand a few things about IPFW rules, but one thing I don't understand. What does "established" mean?
I found this
"established Matches TCP packets that have the RST or ACK bits set"

But I still don't understand how to use it.
 
TCP connections have a so-called "three-way handshake". That's a SYN packet, a SYN/ACK response and again an ACK. If this three-way handshake is successful we say the connection is "established".
 
I see why it's causing you confusion. The rule 01200 allow tcp from me to any established is part of another rule which allows incoming TCP connections on services that we provide to the outside, and for those services we do not create another dynamic rule in the stateful table, so we need this rule 1200 so we can respond back on a high random port without creating a state (rule 2600).

Here's a small example:

Code:
01100 check-state :default
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state :default
01400 allow udp from me to any keep-state :default
01500 allow icmp from me to any keep-state :default
...
02560 allow tcp from 203.0.113.0/24 to me 22 setup keep-state :default
02600 allow tcp from any to me 80
...
65535 deny ip from any to any
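To make the difference between the stateless rule 1090 and the check-state / setup keep-state / established rules in the two replies concrete, here is an added Python model of ipfw's first-match evaluation with a dynamic state table. It is an illustration written for this thread, not ipfw code; the addresses, ports and rule sets are constructed to mirror the rules quoted above, and a dynamic-rule hit is modelled as allow because every keep-state rule here is an allow.

```python
from collections import namedtuple

ME = "192.0.2.10"  # constructed address standing in for ipfw's "me"
# flags: TCP flags such as {"SYN"} or {"SYN", "ACK"}; dport 0 on a Rule means any port
Packet = namedtuple("Packet", "proto src sport dst dport flags", defaults=[frozenset()])
Rule = namedtuple("Rule", "num action proto src dst dport setup established keep_state",
                  defaults=["ip", "any", "any", 0, False, False, False])  # action: allow/deny/check-state

def _addr(pattern, addr):
    return pattern == "any" or (pattern == "me" and addr == ME)

def _key(p):  # a dynamic rule matches both directions, so the key is unordered
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

def _match(r, p):
    if r.proto != "ip" and r.proto != p.proto: return False
    if not (_addr(r.src, p.src) and _addr(r.dst, p.dst)): return False
    if r.dport and p.dport != r.dport: return False
    if r.setup and ("SYN" not in p.flags or "ACK" in p.flags): return False  # setup: SYN only
    if r.established and not (p.flags & {"ACK", "RST"}): return False     # established: ACK or RST
    return True

class Firewall:
    def __init__(self, rules):
        self.rules, self.states = sorted(rules, key=lambda r: r.num), set()
    def check(self, p):
        checked = False
        for r in self.rules:
            # check-state (or, lacking one, the first keep-state rule) consults the dynamic table
            if r.action == "check-state" or (r.keep_state and not checked):
                checked = True
                if _key(p) in self.states: return "allow", r.num
                if r.action == "check-state": continue
            if _match(r, p):
                if r.keep_state: self.states.add(_key(p))  # remember the flow in both directions
                return r.action, r.num
        return "deny", 65535  # ipfw's implicit final deny

def verdicts(rules, *packets):
    fw = Firewall(rules)
    return [fw.check(p)[0] for p in packets]

# The poster's stateless outbound rule 1090 beside the stateful version from the replies
ORIGINAL = [Rule(1000, "allow", "icmp"), Rule(1090, "allow", "ip", "me"), Rule(65000, "deny")]
FIXED = [Rule(900, "check-state"), Rule(1000, "allow", "icmp"),
         Rule(1200, "allow", "tcp", "me", established=True),
         Rule(1300, "allow", "tcp", "me", setup=True, keep_state=True),
         Rule(1400, "allow", "udp", "me", keep_state=True), Rule(65000, "deny")]
DNS_QUERY = Packet("udp", ME, 51000, "198.51.100.53", 53)  # constructed resolver address
DNS_REPLY = Packet("udp", "198.51.100.53", 53, ME, 51000)
```

With ORIGINAL the query leaves via rule 1090 but the reply from port 53 falls through to the final deny, which is exactly the "no mirrors found" symptom; with FIXED the reply matches the state created by rule 1400, and a response from a local port 80 service is let out by the established rule 1200 without any state.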
 