IPFW ipfw and keep-state not working

Hello, guys. Can you help me understand why my rule is not working with keep-state?

Short version:
When I use this, it is not working:
Code:
${FwCMD} add allow ip from 192.168.1.0/24 to any 20,21,25,53,80,110,123,143,443,465,587,993,3389,8080,8443,9443,49152-65000 out via ${LanOut} setup keep-state
If i add this one, it is fine:
Code:
${FwCMD} add allow ip from any 20,21,25,53,80,110,123,143,443,465,587,993,3389,8080,8443,9443,49152-65000 to 192.168.1.0/24 in via ${LanOut}


FreeBSD gate 12.0-RELEASE-p3 FreeBSD 12.0-RELEASE-p3 ROUTER amd64

Kernel options:
Code:
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=1000
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPDIVERT
options         DUMMYNET
options         HZ="1000"
options         LIBALIAS
options         IPFIREWALL_NAT
options         MROUTING
options         ROUTETABLES=2

sysctl.conf:
Code:
# sysctl.conf takes key=value lines; a leading "sysctl " does not belong here
net.inet.ip.forwarding=1
net.inet.ip.fw.one_pass=0
net.inet.ip.fastforwarding=1
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=1000
net.inet.ip.fw.dyn_max=1000
net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.ip.fw.dyn_syn_lifetime=20
net.inet.ip.fw.dyn_fin_lifetime=1
net.inet.ip.fw.dyn_rst_lifetime=1
net.inet.ip.fw.dyn_udp_lifetime=10
net.inet.ip.fw.dyn_short_lifetime=5
net.inet.ip.dummynet.io_fast=1
net.inet.ip.dummynet.pipe_byte_limit=1048576


Script:
Code:
${FwCMD} -f flush
${FwCMD} add check-state
${FwCMD} add allow ip from any to any via lo0
${FwCMD} add deny ip from any to 127.0.0.0/8
${FwCMD} add deny ip from 127.0.0.0/8 to any

###SNORT###
${FwCMD} add 00010 deny ip from "table(2)" to any via ${LanOut}
${FwCMD} add 00011 deny ip from any to "table(1)" via ${LanOut}
###icmp-network-check###
${FwCMD} add allow icmp from ${IpOut} to 8.8.8.8
${FwCMD} add allow icmp from ${IpOut2} to 8.8.4.4
###deny-icmp-DDOS###
${FwCMD} add deny ip from any to 10.0.0.0/8 in via ${LanOut}
${FwCMD} add deny ip from any to 172.16.0.0/12 in via ${LanOut}
${FwCMD} add deny ip from any to 0.0.0.0/8 in via ${LanOut}
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ${LanOut}
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ${LanOut}
${FwCMD} add deny icmp from any to any frag
${FwCMD} add deny icmp from any to 255.255.255.255 in via ${LanOut}
${FwCMD} add deny icmp from any to 255.255.255.255 out via ${LanOut}
${FwCMD} add deny ip from any to 10.0.0.0/8 in via ${LanOut2}
${FwCMD} add deny ip from any to 172.16.0.0/12 in via ${LanOut2}
#${FwCMD} add deny ip from any to 192.168.0.0/16 in via ${LanOut2}
${FwCMD} add deny ip from any to 0.0.0.0/8 in via ${LanOut2}
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ${LanOut2}
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ${LanOut2}
${FwCMD} add deny icmp from any to 255.255.255.255 in via ${LanOut2}
${FwCMD} add deny icmp from any to 255.255.255.255 out via ${LanOut2}
${FwCMD} add reject ip from any to ${IpOut} 22,80,135,139,443,445,898,989,3127,3128,3129,3130,3131,3306,10000,10050,10051 via ${LanOut}

###Interfaces###
#${FwCMD} add allow ip from any to any via ${LanIn20}
###SQUID###
#${FwCMD} add skipto 3000 all from 192.168.7.0/24 to any #exceptions squid
${FwCMD} add allow tcp from me to any out via ${LanOut} keep-state uid squid
${FwCMD} add allow tcp from me to any out via ${LanOut2} keep-state uid squid
${FwCMD} add fwd 127.0.0.1,3129 tcp from 192.168.1.0/24 to any 80,8080 out via ${LanOut}
${FwCMD} add fwd 127.0.0.1,3129 tcp from 192.168.1.0/24 to any 80,8080 out via ${LanOut2}
${FwCMD} add fwd 127.0.0.1,3127 tcp from 192.168.1.0/24 to any 443 out via ${LanOut}
${FwCMD} add fwd 127.0.0.1,3127 tcp from 192.168.1.0/24 to any 443 out via ${LanOut2}
###IPFW-NAT###
${FwCMD} nat 1 config if ${LanOut} same_ports reset log
${FwCMD} nat 2 config if ${LanOut2} same_ports reset log
${FwCMD} add nat 1 ip4 from any to any via ${LanOut}
${FwCMD} add nat 2 ip4 from any to any via ${LanOut2}
${FwCMD} add allow ip from any to any via ${LanIn20}
${FwCMD} add allow ip from ${IpOut} to any via ${LanOut}
${FwCMD} add allow ip from ${IpOut2} to any via ${LanOut2}

###Speed###
${FwCMD} pipe 1 config bw 99Mbit/s
${FwCMD} pipe 11 config bw 99Mbit/s
${FwCMD} queue 1 config pipe 1 mask dst-ip 0xffffffff
${FwCMD} queue 2 config pipe 11 mask src-ip 0xffffffff
${FwCMD} add queue 1 ip from any to 192.168.1.0/24 via ${LanOut}
${FwCMD} add queue 2 ip from 192.168.1.0/24 to any via ${LanOut}
###SecondSpeed###
${FwCMD} pipe 2 config bw 9Mbit/s
${FwCMD} pipe 22 config bw 9Mbit/s
${FwCMD} queue 3 config pipe 2 mask dst-ip 0xffffffff
${FwCMD} queue 4 config pipe 22 mask src-ip 0xffffffff
${FwCMD} add queue 3 ip from any to 192.168.1.0/24 via ${LanOut2}
${FwCMD} add queue 4 ip from 192.168.1.0/24 to any via ${LanOut2}
###On the internal interface###
#${FwCMD} add allow ip from 192.168.1.0/24 to 192.168.1.0/24 via ${LanIn20}
###LOCALNET###
${FwCMD} add allow ip from 192.168.1.0/24 to any 20,21,25,53,80,110,123,143,443,465,587,993,3389,8080,8443,9443,49152-65000 out via ${LanOut} setup keep-state
${FwCMD} add allow ip from any 20,21,25,53,80,110,123,143,443,465,587,993,3389,8080,8443,9443,49152-65000 to 192.168.1.0/24 in via ${LanOut}
###OpenVPN###
${FwCMD} add allow ip from any to any via tun0
${FwCMD} add allow ip from any to me 1194
###All_other_rules#######
###SKYPE###
${FwCMD} add allow udp from any to any 3478-3481, 50000-60000 via ${LanOut} keep-state
###SIP, Messenger and other###
${FwCMD} add allow tcp from any to ${IpOut} 50000-50100 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut2} 50000-50100 via ${LanOut2}
${FwCMD} add allow icmp from any to any icmptypes 0,8,11
###PUBLIC###
#${FwCMD} add allow ip from any to ${IpOut}
#${FwCMD} add allow ip from ${IpOut} to any via ${LanOut}
#${FwCMD} add allow ip from ${IpOut2} to any out via ${LanOut2} setup keep-state
#${FwCMD} add allow ip from any to any


ipfw show:
Code:
04400         0            0 allow ip from 192.168.1.0/24 to any 20,21,25,53,80,110,123,143,443,465,587,993,3389,8080,8443,9443,49152-65000 out via em0 setup keep-state :default
04500  24868326  25945864699 allow ip from any 20,21,25,53,80,110,123,143,443,465,587,993,3389,8080,8443,9443,49152-65000 to 192.168.1.0/24 in via em0

Can you help me solve my problem and improve the script, please?
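An added example, not the poster's script and not from any reply in this thread: a dry-run ruleset builder that lays out stateful filtering together with in-kernel NAT in the order the FreeBSD Handbook's in-kernel NAT example uses, plus a check on that order. Two ipfw facts matter for a rule like the one above. `setup` is short for `tcpflags syn,!ack`, so an `ip ... setup keep-state` rule only ever matches TCP SYN segments and never the UDP ports (53, 123) in the list. And with `net.inet.ip.fw.one_pass=0` a packet leaves a `nat` rule already translated and continues at the next rule, so a keep-state rule written for the private source has to come before the outbound `nat` rule and before any `allow ip from ${IpOut} to any via ${LanOut}` rule, while `check-state` has to come after the inbound `nat` rule, otherwise replies are still addressed to the public IP when the dynamic table is searched. The stateless companion rule (`allow ip from any <ports> to 192.168.1.0/24 in`) admits any inbound packet whose source port is on that list, which is exactly the hole keep-state exists to close. Interface names (em0, em1.20), the LAN prefix and the rule numbers are assumptions; the script prints the rules while FWCMD is `echo` and only loads them if FWCMD is set to /sbin/ipfw.

```shell
#!/bin/sh
# Added example: stateful ipfw ruleset with in-kernel NAT, dry-run by default.
# Assumed names: em0 = external interface, em1.20 = LAN interface,
# 192.168.1.0/24 = LAN prefix.  Requires net.inet.ip.fw.one_pass=0 so that a
# packet continues at the next rule after 'nat' (the poster already sets it).

FWCMD="${FWCMD:-echo}"          # set FWCMD=/sbin/ipfw to load the rules for real
EXTIF="${EXTIF:-em0}"
LANIF="${LANIF:-em1.20}"
LAN="${LAN:-192.168.1.0/24}"
TCP_OUT="20,21,25,80,110,143,443,465,587,993,3389,8080,8443,9443,49152-65000"
UDP_OUT="53,123"

rule() { "$FWCMD" add "$@"; }

build_ruleset() {
    "$FWCMD" -f flush
    "$FWCMD" nat 1 config if "$EXTIF" same_ports reset
    rule 5   allow ip from any to any via lo0
    rule 10  allow ip from any to any via "$LANIF"
    # 1. Untranslate inbound packets BEFORE check-state: the dynamic rule was
    #    recorded with the private LAN address, so a reply must already carry
    #    that address again when the dynamic table is searched.
    rule 100 nat 1 ip4 from any to any in via "$EXTIF"
    rule 101 check-state
    # 2. Create state while the source is still the private address, i.e.
    #    BEFORE outbound NAT.  'setup' is TCP-only, so UDP and ICMP get their
    #    own rules.  The skipto lands on the outbound nat rule; a dynamic match
    #    on rule 101 re-executes the same skipto for every later packet of the
    #    flow, in both directions.
    rule 200 skipto 1000 tcp from "$LAN" to any "$TCP_OUT" out via "$EXTIF" setup keep-state
    rule 201 skipto 1000 udp from "$LAN" to any "$UDP_OUT" out via "$EXTIF" keep-state
    rule 202 skipto 1000 icmp from "$LAN" to any out via "$EXTIF" icmptypes 8 keep-state
    # Nothing else may start a flow in either direction.
    rule 999 deny log ip from any to any
    # 3. Outbound NAT, then accept whatever was skipto'd here: freshly
    #    translated outbound packets and, via check-state, replies that rule
    #    100 already untranslated.
    rule 1000 nat 1 ip4 from any to any out via "$EXTIF"
    rule 1001 allow ip from any to any
}

# order_ok reads the generated "add N ..." lines on stdin and exits 0 only if
# the inbound nat rule precedes check-state and every keep-state rule precedes
# the outbound nat rule.
order_ok() {
    awk '
        $1 != "add" { next }
        /nat 1 ip4 from any to any in via/  { nat_in  = $2 }
        /nat 1 ip4 from any to any out via/ { nat_out = $2 }
        /check-state/                       { cs = $2 }
        /keep-state/ && $2 + 0 > ks_max + 0 { ks_max = $2 }
        END { exit ((nat_in + 0 < cs + 0) && (ks_max + 0 < nat_out + 0)) ? 0 : 1 }
    '
}

build_ruleset
```

Run it as is to see the rule order; `build_ruleset | order_ok` is the check, and the same awk works on a script that was changed later. Keep the LAN-side interface rule (10) and the `deny log` at 999: with `one_pass=0` every packet is evaluated on both interfaces it crosses, so a blanket `allow ip from ${IpOut} to any` placed before the keep-state rule would absorb the translated packet first.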
 
Dummynet is a traffic shaper, bandwidth manager and delay emulator.

Dummynet does not work with stateful filtering.

If you need stateful filtering, then you should use ALTQ instead, which shapes outbound traffic only, unlike Dummynet.
 
Dummynet is a traffic shaper, bandwidth manager and delay emulator.

Dummynet does not work with stateful filtering.

If you need stateful filtering, then you should use ALTQ instead, which shapes outbound traffic only, unlike Dummynet.
It seems that it is not working:

Code:
03000 29901 18966391 nat 1 ip4 from any to any via em0
03100    76    29841 nat 2 ip4 from any to any via em2
03300 31186 18456175 allow ip from any to any via em1.20
03600 17546 11825954 allow ip from IpOut to any via em0
03700     0        0 allow ip from IpOut2 to any via em2

04000     0        0 allow ip from 192.168.1.0/24 to any 20,21,25,53,80,110,123,143,443,465,587,993,3389,8080,8443,9443,49152-65000 out via em0 setup keep-state :default
04100     2      116 allow ip from any 20,21,25,53,80,110,123,143,443,465,587,993,3389,8080,8443,9443,49152-65000 to 192.168.1.0/24 in via em0
 
Just a suggestion to improve the script:
When I tried to write ipfw rulesets for more complex designs with multiple interfaces and NAT, I was not happy until I designed some kind of "segments" or "subsets" into the ruleset. That looks like:

Code:
09999 skipto 30000 ip from any to any out
# We have moved away all the outgoing traffic and can now focus deliberately on the incoming stuff
10000 skipto 12900 ip from any to any not via lo0
# Here we put the rulesets to specifically handle incoming stuff on the lo0 interface
# (this is usually only an allow-any-to-any, but for jails some special handling may be desired)
13000 skipto 13003 ip from any to any via fxp3
13001 skipto 13003 ip from any to any via fxp4
13002 skipto 13900 ip from any to any
# Here we put all the rules that concern stuff incoming on fxp3+4 (which are both treated equally)
14000 skipto 14900 ip from any to any not via tun0
# And it goes on with stuff arriving on tun0
... (and so on)

30000 skipto 32900 ip from any to any not xmit lo0
# and here we start to do exactly the same with the outgoing stuff
33000 skipto 33003 ip from any to any xmit fxp3
33001 skipto 33003 ip from any to any xmit fxp4
33002 skipto 33900 ip from any to any
... (and so on)

In this style, you will have to write a couple of rules twice, and it may cost a little bit of performance, but you get the whole thing maintainable: no rule can catch traffic it isn't destined for, and mistakes will be limited to their specific segment. Pipes, queues and nat can be put exactly into the segment that is concerned, in the appropriate sequence. And the "skipto" rules show you the total amount of traffic that is handled, so it is easy to track things down.
Nevertheless, keep-state rules will continue to work over the whole ruleset.
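An added example, not the poster's code: a generator for the segment layout described in the post above, driven by an interface list, so the dispatch rules and their numbers come out consistent instead of being typed by hand. It uses `recv` for the inbound half and `xmit` for the outbound half (the post uses `via` and `xmit`; `recv`/`xmit` say which side of the router each segment owns), and it includes a check that every `skipto` target is a rule that actually exists, because ipfw jumps to the first rule numbered greater than or equal to the target and a mistyped number therefore lands silently in some other segment. Interface names (lo0, fxp3, fxp4, tun0), the base numbers and the spacing between segments are assumptions; with FWCMD left at `echo` the rules are printed, and FWCMD=/sbin/ipfw loads them.

```shell
#!/bin/sh
# Added example: generates the per-interface "segment" skeleton from an
# interface list and prints it (FWCMD=echo); set FWCMD=/sbin/ipfw to load it.
# Interface names, the base numbers and the segment spacing are assumptions.

FWCMD="${FWCMD:-echo}"
IN_BASE=10000     # dispatch rules for traffic arriving on each interface
OUT_BASE=30000    # dispatch rules for traffic leaving via each interface
SEG_STEP=1000     # rule numbers reserved per segment

rule() { "$FWCMD" add "$@"; }

# segment_layout DIR BASE GROUP... emits, for every GROUP (one interface, or
# several joined with '+' that share one segment), the skipto rules that send
# that group's traffic to its own body and everything else on to the next
# group.  DIR is "recv" for the inbound half and "xmit" for the outbound half,
# so a segment can only see traffic that really arrived on / leaves via its
# interfaces.
segment_layout() {
    dir=$1; base=$2; shift 2
    n=$base
    for group in "$@"; do
        next=$((n + SEG_STEP))    # the following group's first dispatch rule
        body=$((n + 100))         # first rule of this group's own segment
        i=0
        for ifc in $(printf '%s' "$group" | tr '+' ' '); do
            rule $((n + i)) skipto "$body" ip from any to any "$dir" "$ifc"
            i=$((i + 1))
        done
        rule $((n + i)) skipto "$next" ip from any to any
        # The segment body: this is where the interface's own policy goes.
        # A 'count' placeholder keeps the number visible in 'ipfw show'.
        rule "$body" count ip from any to any
        # Fence: a packet that reaches the end of a segment must be decided
        # here and never fall into the next segment's dispatch rules.
        rule $((next - 1)) deny log ip from any to any
        n=$next
    done
    rule "$n" deny log ip from any to any   # target of the last "else" skipto
}

build_segments() {
    "$FWCMD" -f flush
    rule 1 check-state                 # dynamic rules apply across all segments
    rule 9999 skipto "$OUT_BASE" ip from any to any out
    # everything that gets past 9999 is inbound
    segment_layout recv "$IN_BASE"  lo0 fxp3+fxp4 tun0
    segment_layout xmit "$OUT_BASE" lo0 fxp3+fxp4 tun0
}

# targets_resolve reads "add N ..." lines on stdin and fails if any skipto
# names a number that no rule carries.
targets_resolve() {
    awk '
        $1 == "add"                   { defined[$2] = 1 }
        $1 == "add" && $3 == "skipto" { from[$4] = $2 }
        END {
            bad = 0
            for (t in from) if (!(t in defined)) {
                print "rule " from[t] ": skipto " t " has no matching rule"; bad = 1
            }
            exit bad
        }
    '
}

build_segments
```

`build_segments | targets_resolve` is the check; it also works on the output of a hand-written script once the real per-segment rules replace the `count` placeholders, as long as the rules are emitted in the `add N ...` form.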
Dummynet is a traffic shaper, bandwidth manager and delay emulator.

Dummynet does not work with stateful filtering.

This should not be an issue with such a config - it works for me.
 