can I use a machine with one Eth port in a star LAN as an outgoing traffic filter for my desktop?

[Swapjim]

(I'm not sure if this belongs here or to the networking section. I think this section is more appropriate because it's a routing question first and then a firewall one.)

I have one FreeBSD machine in my local network with one Ethernet card. I'm using this machine as a torrent box, FTP server (listens to LAN and WAN), LAN Samba server, generic downloader (wget(1), curl(1), lftp(1)), and general UNIX playbox to satisfy my need for command line, and at some point it will be used as an OpenVPN server. The machine is open 24/7 and pf(4) helps me keep the private services (like Samba) private.

I have one switch that acts as the "backbone" of my home network. All the machines in the house (a desktop, the FreeBSD machine, the DSL modem, sometimes a laptop a friend might bring) connect to that switch. It's a star-shaped network.

I was wondering if I could keep this star connectivity but *also* use the FreeBSD machine as some short of gateway to block outgoing traffic to specific hosts and IPs.

Why? I'm about to upgrade into Windows 10 and the only assured way I have found to avoid the telemetry stuff is to blackhole a number of Microsoft hosts. Or if I decide to go hardcore, the whole IP range Microsoft owns (apparently I'll have to forget OS updates, Skype, and outlook.com unless I can tell my browser or the Skype client not to go through the FreeBSD machine).

So I want to redirect the traffic of my desktop to the FreeBSD machine, and then the FreeBSD machine to redirect this traffic to my DSL modem, *except* for a number of hosts and IPs that I shall provide (pf(4) is currently the firewall of my choice).

Can I use the FreeBSD machine to do this filtering without interrupting the other services it performs?

If what I want is possible then please provide me of some keywords or links.

I have already found a number of tutorials but they solve very different scenarios.

 

[da1]

It is possible. Try it out first and post back when you run into specific issues.

key words: pf, default router.

 

[Swapjim]

By setting:

gateway_enable="YES"

in /etc/rc.conf I can use the FreeBSD machine as a gateway. However, to do this, I have to disable my firewall.

I have simplified my pf.conf file and see that the core idea behind my pf rules (block all incoming traffic except the ports that server software uses) is preventing me from using the machine as gateway. It's these two lines:

block in all
pass out all keep state

I don't want to disable my firewall to use the machine as a gateway.

So how do I do it?

I've checked the route command but I can't figure out what I'm supposed to do. I can see the example in the handbook but this guy has two Ethernet adapters.

Am I supposed to tweak my PF rules? Am I supposed to add a second route? I tried adding a second route but anything that involves my modem as a gateway gives me an error, saying that this route already exists.

How do I proceed?

 

[Juha Nurmela]

Can't help with the PF rules, but...

Is it possible that the DSL modem will advertise itself in such a way, that Windows 10 sees the ruse and takes the direct route?

Juha

 

[kpa]

With just one NIC on the machine the only way to use it as a router/firewall is with VLANs and a VLAN capable switch, such system is often called "a router on a stick" because you can then take the smallest embedded PC you can find and use that.

 

[kpa]

Can't help with the pf rules, but...

Is it possible that the DSL modem will advertise itself in such a way, that Windows 10 sees the ruse and takes the direct route?

Juha

It most likely has a DHCP server running that makes the modem/router the default gateway on the network.

 

[PacketMan]

It most likely has a DHCP server running that makes the modem/router the default gateway on the network.

Agreed, and also ICMP Redirects is where machines can signal to one another to avoid using 'router A' if router A is going to turn around and use 'router B' on the same LAN broadcast domain. You might not be able to turn this off in a home router network, but then again, that feature might not exist on those types of routers either. Why not make the FreeBSD machine proxy, and point the other machines at it? Proxy can rewrite the source IP address so that the flows in/out of your home network stay between FreeBSD proxy and your router.

With just one NIC on the machine the only way to use it as a router/firewall is with VLANs and a VLAN capable switch, such system is often called "a router on a stick" because you can then take the smallest embedded PC you can find and use that.

I don' know if this is normal FreeBSD routing behavior, but that is not true for say Cisco and Juniper routers. I know of lots of routers that do 'hair-pinning' on a network without the use of vlans...and that is where ICMP Redirects can affect the outcome, desired or not.

 

[Swapjim]

Is it possible that the DSL modem will advertise itself in such a way, that Windows 10 sees the ruse and takes the direct route?Juha

All devices on LAN have a static IP, including the modem itself. However, I have instructed the modem to give an IP (through DHCP) whenever a device doesn't have a static IP.

IPs set by me, manually, are inside the range 10.0.0.2 to 10.0.0.30, with 10.0.0.1 being the modem. DHCP-given IPs are inside the range 10.0.0.31 to 10.0.0.60.

Agreed, and also ICMP Redirects is where machines can signal to one another to avoid using 'router A' if router A is going to turn around and use 'router B' on the same LAN broadcast domain. You might not be able to turn this off in a home router network, but then again, that feature might not exist on those types of routers either. Why not make the FreeBSD machine proxy, and point the other machines at it? Proxy can rewrite the source IP address so that the flows in/out of your home network stay between FreeBSD proxy and your router.

The proxy idea sounds promising! I can just point any device to the proxy and bam, have a set or hosts and IPs blocked.

I'm going to check how I can turn a fbsdFreeBSD machine into a proxy.

 

[Swapjim]

I have not tried to enable a proxy but played a bit on the gateway solution.

I tried to add these rules in my existing set of PF rules:

# block Microsoft IP range
pass in proto tcp from $lan_subnet to any
pass in proto udp from $lan_subnet to any
table <microsoft> persist file "/tmp/pf.blocked.microsoft"
block in quick on $eth from <microsoft> to any

(you can see my whole pf rulset at the end of the post) and it failed to do what I want it to do. From the FreeBSD machine, I could not ping an IP inside the <microsoft> table but I could from my desktop. The exact reverse of what I wanted to do!

At this point, I have a question.

It's very easy for me to buy a refurbished x86_64 machine with two NICs and install FreeBSD in it.

If I had such a machine in this fashion:

modem ---> refurbished PC ---> switch ---... (the rest of the devices)

would things be straightforward?

And since I'll be doing that, I can install pfSense and have a proper full blown firewall between my private network and my modem.

My full PF ruleset follows.

Spoiler

lan_services_tcp = "{ 22, 6887, 2101, 5012:5023, 2775, 137:139, 445 }"
lan_services_udp = "{ 137:139, 445 }"

common_services_tcp = "{ 65535 }" # pf complaines if it's empty
common_services_udp = "{ 65535 }" # pf complaines if it's empty

wan_services_tcp = "{ 2100, 5000:5011 }"
wan_services_udp = "{ 65535 }" # pf complaines if it's empty

eth="em0"

lan_subnet="10.0.0.0/24"

gateway="10.0.0.1"
filtered_devices = "{ 10.0.0.2 }"

# ---

set skip on lo0

set block-policy drop

# if you enable antispoof you can't call Samba machine nicknames
# so you have to use //10.0.0.3/tmp instead of //freebsd/tmp
antispoof quick for $eth

# block Microsoft IP range
pass in proto tcp from $lan_subnet to any
pass in proto udp from $lan_subnet to any
table <microsoft> persist file "/tmp/pf.blocked.microsoft"
block in quick on $eth from <microsoft> to any

#
# LAN
#

# ports open only to LAN
pass in proto tcp from $lan_subnet to any port $lan_services_tcp
pass in proto tcp from $lan_subnet to any port $lan_services_udp

#
# WAN
#

# block WAN ports on LAN
block in proto tcp from $lan_subnet to any port $wan_services_tcp
block in proto tcp from $lan_subnet to any port $wan_services_udp

# blocklist in common and WAN ports, for every anyone who breaks the conn limits

table <wan_abuse> persist

block in quick proto tcp from <wan_abuse> to any port $wan_services_tcp
block in quick proto tcp from <wan_abuse> to any port $wan_services_udp

block in quick proto tcp from <wan_abuse> to any port $common_services_tcp
block in quick proto tcp from <wan_abuse> to any port $common_services_udp


pass in proto tcp from any to any port $wan_services_tcp flags S/SA keep state (source-track rule, max-src-conn 5, max-src-conn-rate 5/60, overload <wan_abuse> flush)

pass in proto udp from any to any port $wan_services_udp keep state (source-track rule, max-src-conn 5, max-src-conn-rate 5/60, overload <wan_abuse> flush)


pass in proto tcp from any to any port $common_services_tcp flags S/SA keep state (source-track rule, max-src-conn 5, max-src-conn-rate 5/60, overload <wan_abuse> flush)

pass in proto udp from any to any port $common_services_udp keep state (source-track rule, max-src-conn 5, max-src-conn-rate 5/60, overload <wan_abuse> flush)

 

[tingo]

Yes, things would be much easier then. I run a setup like this for my personal network at home (except that I use ipfw and I replaced the second-hand machine with a new one).