ipf rules problem and netstart

[Cuniek]

Hello,
I need help with ipf.rules.
After enabling new rule set (ipf -f /etc/ipf.rules)i lose connection with internet.

After hashing all quick blocks at the beginning and adding:

pass out quick on fxp0 from any to any keep state

i get VERY slow connection to internet but without DNS service (names that are cached - work).

Second problem is with /etc/netstart. To disable my rule set I use /etc/netstart but I don't understand why does it work like that because in rc.conf I have:

##IPFILTER
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf -Fa -f"
#ipfilter_rules="/etc/ipf.test"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags="-E"

So netstart should load my ruleset at startup, right?


Please help me with that.



Ruleset ipf.rules

#!bin/sh

block in on fxp0 all
block in quick on fxp0 from 0.0.0.0/7 to any
block in quick on fxp0 from 2.0.0.0/8 to any
block in quick on fxp0 from 5.0.0.0/8 to any
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 23.0.0.0/8 to any
block in quick on fxp0 from 27.0.0.0/8 to any
block in quick on fxp0 from 31.0.0.0/8 to any
block in quick on fxp0 from 69.0.0.0/8 to any
block in quick on fxp0 from 70.0.0.0/7 to any
block in quick on fxp0 from 72.0.0.0/5 to any
block in quick on fxp0 from 82.0.0.0/7 to any
block in quick on fxp0 from 84.0.0.0/6 to any
block in quick on fxp0 from 88.0.0.0/5 to any
block in quick on fxp0 from 96.0.0.0/3 to any
block in quick on fxp0 from 127.0.0.0/8 to any
block in quick on fxp0 from 128.0.0.0/16 to any
block in quick on fxp0 from 128.66.0.0/16 to any
block in quick on fxp0 from 169.254.0.0/16 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 191.255.0.0/16 to any
block in quick on fxp0 from 192.0.0.0/19 to any
block in quick on fxp0 from 192.0.48.0/20 to any
block in quick on fxp0 from 192.0.64.0/18 to any
block in quick on fxp0 from 192.0.128.0/17 to any
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 197.0.0.0/8 to any
block in quick on fxp0 from 201.0.0.0/8 to any
block in quick on fxp0 from 204.152.64.0/23 to any
block in quick on fxp0 from 224.0.0.0/3 to any
block in quick on fxp0 from LAN_IP to any


#==1. Blokuje wszystko wychodzace (razem z portami bez reguły pass quick)
#==2. Blokuje quick wszystkie poza LAN
block out on fxp0 all
#block out quick on fxp0 from !LAN_IP to any
block out quick on fxp0 from LAN_IP to 0.0.0.0/7
block out quick on fxp0 from LAN_IP to 2.0.0.0/8
block out quick on fxp0 from LAN_IP to 5.0.0.0/8
block out quick on fxp0 from LAN_IP to 10.0.0.0/8
block out quick on fxp0 from LAN_IP to 23.0.0.0/8
block out quick on fxp0 from LAN_IP to 27.0.0.0/8
block out quick on fxp0 from LAN_IP to 31.0.0.0/8
block out quick on fxp0 from LAN_IP to 69.0.0.0/8
block out quick on fxp0 from LAN_IP to 70.0.0.0/7
block out quick on fxp0 from LAN_IP to 72.0.0.0/5
block out quick on fxp0 from LAN_IP to 82.0.0.0/7
block out quick on fxp0 from LAN_IP to 84.0.0.0/6
block out quick on fxp0 from LAN_IP to 88.0.0.0/5
block out quick on fxp0 from LAN_IP to 96.0.0.0/3
block out quick on fxp0 from LAN_IP to 127.0.0.0/8
block out quick on fxp0 from LAN_IP to 128.0.0.0/16
block out quick on fxp0 from LAN_IP to 128.66.0.0/16
block out quick on fxp0 from LAN_IP to 169.254.0.0/16
block out quick on fxp0 from LAN_IP to 172.16.0.0/12
block out quick on fxp0 from LAN_IP to 191.255.0.0/16
block out quick on fxp0 from LAN_IP to 192.0.0.0/19
block out quick on fxp0 from LAN_IP to 192.0.48.0/20
block out quick on fxp0 from LAN_IP to 192.0.64.0/18
block out quick on fxp0 from LAN_IP to 192.0.128.0/17
block out quick on fxp0 from LAN_IP to 192.168.0.0/16
block out quick on fxp0 from LAN_IP to 197.0.0.0/8
block out quick on fxp0 from LAN_IP to 201.0.0.0/8
block out quick on fxp0 from LAN_IP to 204.152.64.0/23
block out quick on fxp0 from LAN_IP to 224.0.0.0/3



#============================ LAN =======
pass out quick on xl0 all
pass in quick on xl0 all


#========================================
# No restrictions on Loopback Interface
#========================================
pass in quick on lo0 all
pass out quick on lo0 all



#========================Public DHCP=============================
pass in quick on fxp0 proto udp from 82.210.143.254 to any port = 68 keep state



#============================== DNS =============================
pass out quick on fxp0 proto udp from LAN_IP to 212.76.32.1 port = 53 keep state
pass out quick on fxp0 proto tcp/udp from LAN_IP to 212.76.39.211 port = 53 keep state
pass out quick on fxp0 proto tcp/udp from LAN_IP to 212.76.39.205 port = 53 keep state
pass out quick on fxp0 proto tcp/udp from public_IP to 212.76.39.211 port = 53 keep state
pass out quick on fxp0 proto tcp/udp from public_IP to 212.76.39.205 port = 53 keep state


#============================= DHCP =============================
#== Allow out access to my ISP's DHCP server for cable or DSL networks.
pass out log quick on fxp0 proto udp from DHCP_IP to any port = 67 keep state
#pass out quick on fxp0 proto udp from any to z.z.z.z port = 67 keep state


#============================== WWW =============================
pass out quick on fxp0 proto tcp from LAN_IP to any port = 80 flags S keep state
pass out quick on fxp0 proto tcp from LAN_IP to any port = 8080 flags S keep state


#============================ TLS SSL ===========================
pass out quick on fxp0 proto tcp from LAN_IP to any port = 443 flags S keep state
pass out quick on fxp0 proto tcp from LAN_IP to any port = 465 flags S keep state
pass out quick on fxp0 proto tcp from LAN_IP to any port = 995 flags S keep state
pass out quick on fxp0 proto tcp from LAN_IP to any port = 993 flags S keep state


#============================= MAIL =============================
pass out quick on fxp0 proto tcp from LAN_IP to any port = 110 flags S keep state
pass out quick on fxp0 proto tcp from LAN_IP to any port = 25 flags S keep state


pass out quick on fxp0 proto tcp from LAN_IP to any port = 21 flags S keep state

#== SSH/SFTP/SCP
pass out quick on fxp0 proto tcp from LAN_IP to any port = 22 flags S keep state

#== Allow out FreeBSD CVSup
pass out quick on fxp0 proto tcp from LAN_IP to any port = 5999 flags S keep state

#== PING to Internet
pass out quick on fxp0 proto icmp from LAN_IP to any icmp-type 0 keep state
pass out quick on fxp0 proto icmp from LAN_IP to any icmp-type 8 keep state
pass out quick on fxp0 proto icmp from LAN_IP to any icmp-type 11 keep state
pass out quick on fxp0 proto icmp from LAN_IP to any icmp-type 30 keep state


#== WHOIS LAN to Internet
pass out quick on fxp0 proto tcp from LAN_IP to any port = 43 flags S keep state

#==Gadu-Gadu
pass out quick on fxp0 proto tcp from LAN_IP to any port = 9000 flags S keep state
pass out quick on fxp0 proto tcp from LAN_IP to any port = 8074 flags S keep state
pass out quick on fxp0 proto udp from LAN_IP to any port = 5060 keep state
pass out quick on fxp0 proto tcp from LAN_IP to any port 35000 <> 65000 flags S keep state
pass out quick on fxp0 proto udp from LAN_IP to any port 35000 <> 65000 keep state


#== Default OUT BLOCK
block out log first quick on fxp0 all



##### Block a bunch of different nasty things. ############


#== Block frags
#block in quick on fxp0 all with frags

#== Block short tcp packets
#block in quick on fxp0 proto tcp all with short
#================================================================



#== Block LSRR i SSRR
block in quick on fxp0 all with opt lsrr
block in quick on fxp0 all with opt ssrr

#== Block NMAP
block in log first quick on fxp0 proto tcp from any to any flags FUP

#== Block anything with special options
block in quick on fxp0 all with ipopts

#== Block public pings
block in quick on fxp0 proto icmp all icmp-type 8

#== Block ident
block in quick on fxp0 proto tcp from any to any port = 113

#== Block Netbios service. 137=name, 138=datagram, 139=session
#== Block MS/Windows hosts2 name server requests 81
block in log first quick on fxp0 proto tcp/udp from any to any port = 137
block in log first quick on fxp0 proto tcp/udp from any to any port = 138
block in log first quick on fxp0 proto tcp/udp from any to any port = 139
block in log first quick on fxp0 proto tcp/udp from any to any port = 81


#== Allow in secure FTP, Telnet, and SCP from public Internet
#== This function is using SSH (secure shell)
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state


#=============[size=200][/size]==== PRZEKIEROWANIE PORTOW=================
#Najpierw robisz przekierowanie w nacie z adresi Public:AA na LAN:BB
#Obie sa konieczne:
#pass in quick on fxp0 proto tcp from any to Public/32 port = AA flags S keep state
#pass in quick on fxp0 proto tcp from any to LAN/32 port = BB flags S keep state



#== Default IN BLOCK
block in log first quick on fxp0 all


################### End of rules file #####################################[/size]

 

[Cuniek]

Update:
I made simple rule set

# Let clients behind the firewall send out to the internet, and replies to come back in by keeping state
pass out quick on fxp0 proto tcp all keep state
pass out quick on fxp0 proto udp all keep state
pass out quick on fxp0 proto icmp all keep state

# Since nothing should be coming from these address ranges, block them
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 127.0.0.0/8 to any
block in quick on fxp0 from 192.0.2.0/24 to any

# Let's let people access the services running on this system
pass in quick on fxp0 proto tcp from any to any port 49100 >< 49110 flags S keep state #PASV FTP
pass in quick on xl0 proto tcp from any to any port = 21 #FTP
pass in quick on xl0 proto tcp from any to any port = 22 #SSH
pass in quick on xl0 proto tcp/udp from any to any port = 53 #DNS
pass in quick on xl0 proto tcp from any to any port = 80 #WWW

# Block everything else
block in quick on fxp0 all

After applaing with ipf -f rules_set - connection to internet (www, skype) works only for ~30-60 sec. then it's lost. Please help

 

[quintessence]

Hello,

Do not edit /etc/netstart

# This file is NOT called by any of the other scripts - it has been
# obsoleted by /etc/rc.d/* and is provided here only for user
# convenience (if you're sitting in single user mode and wish to start
# the network by hand, this script will do it for you).

Put only

ipfilter_enable="YES"

in your rc.conf and restart ipf ( or better your PC/server )

# /etc/rc.d/ipfilter restart

without editing any other files , with your simple ruleset

 

[Cuniek]

Ok. I will try that but in every tutorial there is a describtion of modifing rc.conf with something like that:

##IPFILTER
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf -Fa -f"
#ipfilter_rules="/etc/ipf.test"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags="-E"

Shouldn't I leave rules file:

ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"

 

[DutchDaemon]

You only need

ipfilter_enable="YES"

because

ipfilter_rules="/etc/ipf.rules"

is already present (see /etc/defaults/rc.conf).