I have a server at Hetzner and the firewall is not working as it should.

icinemagr

New Member



Hi all.

At Hetzner they say I should allow the following rule in their firewall.

  • Name: TCP_Out
  • Source IP: 0.0.0.0/0
  • Destination IP: 0.0.0.0/0
  • Destination port: 32768-65535
  • Protocol: tcp
  • TCP flags: ack
  • Action: accept

But when I activated it, FreeBSD 12 has no internet access.
All other OSes like CentOS and Windows work OK; the problem is only with FreeBSD.

In my system I don't run ipfw and I don't understand why the problem exists.
If I deactivate the Hetzner firewall everything looks OK.
With firewall enabled I can not even ping 8.8.8.8.

I understand it must be something with the kernel port range, but I don't know where to configure it.
Also it is strange that even Midnight Commander doesn't start, as if it is trying to fetch a web page or communicate with a port outside.

Thank You.
 

wolffnx

Aspiring Daemon


I'm not familiar with cloud hosting, but they give you one Ethernet interface, right? I mean, you have LAN and WAN?
 

SirDice

Administrator
Staff member
Moderator

At Hetzner they say I should allow the following rule in their firewall.
That rule, on its own, doesn't make sense. I'm pretty sure you didn't understand what they told you. That rule would only allow ACK packets (those are responses to other packets). It doesn't allow SYN (the start of a TCP session) or UDP (DNS uses UDP and TCP). So it would never work correctly. Not on FreeBSD or any of the other OSes you use.
 

SirDice

Administrator
Staff member
Moderator

That's completely wrong. That rule allows responses to incoming connections. It does NOT allow outgoing connections. Network packets with the ACK bit set are always a response. The destination ports don't make sense either. How is this supposed to allow an outgoing SYN packet going to port 80 for example?

The rule is correct
It's not. The rule doesn't do what the explanation says it does. Either the explanation is wrong or the rule. Either way it's not correct.
 
OP

icinemagr

New Member



Well, here is the screenshot of "their" predefined firewall rules, and as I said it works on all other servers; only FreeBSD has the problem. I called them and they told me FreeBSD is not supported on Hetzner servers.

On the phone they told me that maybe I run a firewall inside the OS.
I disabled ipfw in rc.conf and rebooted.
No luck. I just ask here because maybe someone has a FreeBSD server at Hetzner and knows what the problem is.

Also here https://docs.hetzner.com/robot/dedicated-server/firewall/ it says it clearly:


Out-going TCP connections

A static firewall only makes decisions about packets by inspecting individual packets. Therefore, the firewall doesn't "keep track of" whether or not an incoming packet belongs to an out-going connection from the server. For this reason, unless you enter an additional rule, all out-going connections from the server will not work. Server services (for example, enabling webservers for port 80) are not affected.

You can use the following rule to generally allow all responses to TCP connections:

Source IP: No entry
Destination IP: No entry
Source port: No entry
Destination port: 32768-65535 (Ephemeral Port Range)
Protocol: tcp
TCP flags: ack
Action: accept
By entering IP addresses and TCP ports, you can, of course, make this rule more restrictive.
 

Attachments

  • hetzner.PNG

Kristof Provost

Active Member
Developer


It's not. The rule doesn't do what the explanation says it does. Either the explanation is wrong or the rule. Either way it's not correct.
I suspect the intent of that rule is to allow packets from the ephemeral port range. That may be a useful thing to do on a non-stateful firewall, as part of a larger ruleset (but honestly, non-stateful firewalls? In 2020?), but in isolation it makes no sense at all.

Hetzner machines work just fine with FreeBSD. They may not officially support it, but it does work. (And they have FreeBSD rescue images, so it's not totally unsupported either.) I have two machines of my own there.
 

SirDice

Administrator
Staff member
Moderator

Well, here is the screenshot of "their" predefined firewall rules, and as I said it works on all other servers; only FreeBSD has the problem. I called them and they told me FreeBSD is not supported on Hetzner servers.
Has nothing to do with FreeBSD. It's wrong for any OS because it's the wrong thing to do for TCP/IP in general. The OS has nothing to do with it.

A static firewall only makes decisions about packets by inspecting individual packets. Therefore, the firewall doesn't "keep track of" whether or not an incoming packet belongs to an out-going connection from the server. For this reason, unless you enter an additional rule, all out-going connections from the server will not work.
The wording is rather wonky here. It's not a static firewall, it's called stateless. And they're mixing up incoming and outgoing in various places. I understand what they're trying to say but the explanation is pretty bad so I certainly understand the confusion on your side.

Server services (for example, enabling webservers for port 80) are not affected.
This refers to incoming connections to a webserver running on your Hetzner host. Apparently they have some implied rules already in place to allow this. However, this has nothing to do with outgoing connections that are initiated on the Hetzner host.

You can use the following rule to generally allow all responses to TCP connections:
That should have said: "You can use the following rule to generally allow all responses to incoming TCP connections"

With firewalls (regardless if it's stateful or stateless) it's very important to understand the difference between incoming and outgoing connections. In other words, which side initiates the connection. Generally speaking incoming connections come from somewhere else (the internet for example) to your host, outgoing connections are from the host to elsewhere (i.e. the internet or some other host on the network).
 
OP

icinemagr

New Member



I know that Hetzner servers work fine because I use FreeBSD as a production proxy server, but my problem is that I use the IPFW firewall.
It has to be something with net.inet.ip.portrange, because as soon as I enable it I lose internet connectivity.

How can I force FreeBSD to use a local port in the range 32768-65535 for each request to the outside world?

I tried sysctl net.inet.ip.portrange.first=32768 and I get the response
net.inet.ip.portrange.first: 10000 -> 32768

Should I restart? Is that setting permanent now?


Edit:

Problem fixed.

I added 4 rules in ipfw.rules:
Code:
# $pif is the public interface, as in the original tcp rules ($pof read like a typo for it)
# inbound DNS; only needed if this host itself serves DNS
$cmd 00110 allow tcp from any to me 53 in via $pif setup keep-state
$cmd 00111 allow udp from any to me 53 in via $pif keep-state

# outbound DNS queries from this host; keep-state lets the replies back in
# (ipfw's "setup" matches TCP SYN packets only, so it is dropped from the udp rules)
$cmd 00112 allow tcp from me to any 53 out via $pif setup keep-state
$cmd 00113 allow udp from me to any 53 out via $pif keep-state
Then in the Hetzner firewall I did the following:

Allowed TCP 53 incoming to me
Allowed UDP 53 incoming to me

Allowed TCP 53 from me outbound
Allowed UDP 53 from me outbound

And after 2 years with no SSH except from the LAN, the problem is fixed.

Thank you!!!!!!!
The problem was port 53, but it is strange that on other OSes it works without enabling this rule.
But I do not care about other OSes as I love FreeBSD :))))))))))


Thank You all.
 

SirDice

Administrator
Staff member
Moderator

I added 4 rules in ipfw.rules:
Code:
$cmd 00110 allow tcp from any to me 53 in via $pif setup keep-state
$cmd 00111 allow udp from any to me 53 in via $pif keep-state
Are you hosting an authoritative DNS server? If not, then remove those. You don't want external connections to your DNS server, if you have a DNS server at all. I assume you don't have one. Then you certainly don't need to allow incoming connections to port 53.

Code:
$cmd 00112 allow tcp from me to any 53 out via $pif setup keep-state
$cmd 00113 allow udp from me to any 53 out via $pif keep-state
These rules look correct. They allow your host to do DNS queries, you usually want to allow those so it's able to resolve hostnames to IP addresses and vice versa.

IPFW is a stateful firewall, as opposed to the stateless firewall Hetzner has. This means the FreeBSD firewall does keep track of responses and will automatically allow them.
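To make the distinction drawn in this thread concrete (SirDice's critique of the quoted ACK-only rule, his point that a stateless filter judges single packets while a stateful one remembers which connections the host started, and the note just above that IPFW tracks responses), here is a small added example in Python. It is not code from the thread, from Hetzner or from ipfw; it only models them. Its assumptions, all labelled in the code: the provider's filter is applied only to packets arriving at the server, as the quoted documentation implies; the ruleset is a pair of implied service rules for ports 22 and 80 plus the quoted TCP_Out rule; the addresses and ports are constructed; and the server's ephemeral port is taken once from FreeBSD's default net.inet.ip.portrange.first of 10000 and once from 32768. The same outbound TCP connection, UDP DNS query and ping are pushed through both filters, so you can see which replies the ACK rule admits, why a reply to a local port below 32768, a UDP reply or an ICMP echo reply never gets in under the stateless ruleset, and how an ipfw-style keep-state entry admits them without any port range at all.

```python
"""Toy model of the two firewall styles in this thread (added example, not
code from the thread, from Hetzner or from ipfw): a stateless filter applied
only to packets arriving at the server, carrying the quoted 'TCP_Out' rule,
next to an ipfw-style keep-state filter. Addresses, ports and rules are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    sport: int                       # 0 for icmp
    dst: str
    dport: int                       # 0 for icmp
    flags: frozenset = frozenset()   # TCP flags, e.g. {"syn"} or {"syn", "ack"}


SERVER = "203.0.113.10"      # the hosted server (RFC 5737 documentation range)
WEB = "198.51.100.80"        # a web server the host connects to
RESOLVER = "198.51.100.53"   # the DNS resolver the host queries


def rule(proto, dports=(0, 65535), flags=(), sports=(0, 65535)):
    """One stateless rule: protocol, port ranges, and TCP flags that must be set."""
    return {"proto": proto, "dports": dports, "sports": sports, "flags": frozenset(flags)}


# Assumed stand-in for the ruleset in the thread: implied service rules plus
# 'TCP_Out' (flag ack, destination port 32768-65535). Anything unmatched is dropped.
HETZNER_LIKE = [
    rule("tcp", dports=(22, 22)),
    rule("tcp", dports=(80, 80)),
    rule("tcp", dports=(32768, 65535), flags=("ack",)),
]
# The DNS allowance the OP added, expressed as 'UDP replies from source port 53'.
DNS_REPLY_RULE = rule("udp", sports=(53, 53))


def stateless_allows(rules, pkt):
    """Judge one packet on its own; nothing is remembered between packets."""
    return any(r["proto"] == pkt.proto
               and r["dports"][0] <= pkt.dport <= r["dports"][1]
               and r["sports"][0] <= pkt.sport <= r["sports"][1]
               and r["flags"] <= pkt.flags
               for r in rules)


class StatelessInboundFilter:
    """Filters packets arriving at the server; outbound packets are never touched."""
    def __init__(self, rules):
        self.rules = rules

    def decide(self, direction, pkt):
        return True if direction == "out" else stateless_allows(self.rules, pkt)


class StatefulFilter:
    """ipfw-style: 'allow <proto> from me to any out keep-state' records the
    outbound flow; only packets that mirror a recorded flow are let back in."""
    def __init__(self, out_protos):
        self.out_protos = set(out_protos)
        self.state = set()

    def decide(self, direction, pkt):
        if direction == "out":
            if pkt.proto not in self.out_protos:
                return False
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state


# Flows the server originates. `local_port` stands for the ephemeral port the
# kernel chose; FreeBSD's default net.inet.ip.portrange.first is 10000.
def tcp_connect(local_port):
    return [("out", Packet("tcp", SERVER, local_port, WEB, 80, frozenset({"syn"}))),
            ("in", Packet("tcp", WEB, 80, SERVER, local_port, frozenset({"syn", "ack"})))]


def dns_query(local_port):
    return [("out", Packet("udp", SERVER, local_port, RESOLVER, 53)),
            ("in", Packet("udp", RESOLVER, 53, SERVER, local_port))]


def ping():
    return [("out", Packet("icmp", SERVER, 0, RESOLVER, 0)),
            ("in", Packet("icmp", RESOLVER, 0, SERVER, 0))]


def flow_completes(fw, flow):
    """True only if every packet of the flow, in order, passes the filter."""
    return all(fw.decide(direction, pkt) for direction, pkt in flow)


if __name__ == "__main__":
    stateless = StatelessInboundFilter(HETZNER_LIKE)
    for name, flow in [("TCP connect, local port 10000", tcp_connect(10000)),
                       ("TCP connect, local port 32768", tcp_connect(32768)),
                       ("DNS over UDP", dns_query(40000)), ("ping", ping())]:
        print(f"stateless: {name}: {flow_completes(stateless, flow)}")
    print("stateful: TCP connect, local port 10000:",
          flow_completes(StatefulFilter({"tcp", "udp", "icmp"}), tcp_connect(10000)))
```

Run as a script it prints the verdicts. Under the stateless ruleset the TCP handshake only completes once the local port lies inside 32768-65535, DNS over UDP needs a rule of its own (the UDP/53 reply rule makes it pass), and the echo reply to a ping is dropped; the keep-state filter admits all three from any local port because it recorded the outbound packet. A bare inbound SYN to a port in that range is still dropped by the stateless ruleset, since the rule demands the ACK flag. Two caveats not stated in the thread: a value set with sysctl(8) at run time does not survive a reboot, so to keep net.inet.ip.portrange.first=32768 put that line in /etc/sysctl.conf; and this toy knows nothing of the real provider firewall, so check the actual rule list in the panel rather than rely on the model.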
 
OP

icinemagr

New Member



Are you hosting an authoritative DNS server? If not, then remove those. You don't want external connections to your DNS server, if you have a DNS server at all. I assume you don't have one. Then you certainly don't need to allow incoming connections to port 53.

Code:
$cmd 00112 allow tcp from me to any 53 out via $pif setup keep-state
$cmd 00113 allow udp from me to any 53 out via $pif keep-state
These rules look correct. They allow your host to do DNS queries, you usually want to allow those so it's able to resolve hostnames to IP addresses and vice versa.

IPFW is a stateful firewall, as opposed to the stateless firewall Hetzner has. This means the FreeBSD firewall does keep track of responses and will automatically allow them.

I remove them thank you!
 

PMc

Daemon


With firewalls (regardless if it's stateful or stateless) it's very important to understand the difference between incoming and outgoing connections. In other words, which side initiates the connection.

Yes, the misunderstandings come from mixing two different things: "incoming connections" and "incoming packets". I do usually advise to use a different wording here: we have incoming and outgoing packets, while we have originating and responding peers of a flow:

Where your machine acts as a client, you have outgoing-originate and incoming-response.
Where your machine acts as a server, you have incoming-originate and outgoing-response.

In the firewalls the packet direction is usually coined as "in" and "out", while the originate/response decision is coded in things like "ACK", "setup/established", "keepstate" etc. - and is somehow dependent on the protocol used.
 

SirDice

Administrator
Staff member
Moderator

I probably could have used better wording myself, but I tried to keep it fairly simple and understandable. I certainly hope it was better than the explanation Hetzner gave, because theirs made my brain hurt ;)
 

Jose

Aspiring Daemon


Where your machine acts as a client, you have outgoing-originate and incoming-response.
Where your machine acts as a server, you have incoming-originate and outgoing-response.
This is an accurate, simple, and succinct explanation. I'm going to use it from now on.
 

Geezer

Active Member


You don't have to use their firewall. I have got a server with Hetzner and I have ipfw running on it. You can install it with their KVM in case you make any mistakes in ipfw.
 