Hello
Some time ago I set up a small IPFW firewall using the built-in kernel NAT that exposes a jailed web server to an outside network. Today I wanted to add some rules to allow some jails to access the internet, but while doing this I noticed that, according to my interpretation of this firewall, it actually should not pass the outgoing packets sent by my web server. I have managed to strip this firewall down to the bare minimum for this server to work, and I do not really comprehend how it is working. Here is my configuration after being stripped down to just expose the web server (172.16.0.3: web server, 172.16.0.2: MySQL):
Code:
01400 nat 1 tcp from 172.16.0.3 3010 to any out via em0
01500 skipto 30001 tcp from any to me 3010 in via em0 setup keep-state :default
02100 check-state :default
02900 allow tcp from 172.16.0.3 to 172.16.0.2 3308 out via lo1 setup keep-state :default
30000 deny ip from any to any
30500 nat 1 tcp from any to me 3010 in via em0
30600 allow tcp from any to 172.16.0.3 3010 in via em0
65535 deny ip from any to any
Now, this is how I would expect this firewall to behave:
1. Client sends a packet to my jail host via the em0 interface on port 3010
2. rule 01500 is matched and saved to the temporary table; jump to rule 30001
3. rule 30500 is matched, the destination address of the packet is set to 172.16.0.3 (nat 1 is configured to pass all traffic from 3010 to 172.16.0.3:3010)
4. rule 30600 is matched, the packet is passed to 172.16.0.3:3010
5. server processes the request, a response is sent
6. rule 1400 is matched, the packet is run through NAT
7. rule 1500 is not matched (wrong destination)
8. check-state matches the dynamic rule created in step 2 and executes rule 1500, skipping to 30001
9. rule 30500 is not matched (wrong destination)
10. rule 30600 is not matched (wrong destination)
11. rule 65535 is matched and the web server response is dropped.
Now, what I described does not actually happen and I can connect to the web server without any problems (while other packets like ICMP, SSH, outbound server connections etc. are not passed, just as expected).
I guess this behavior is not a bug, but my poor understanding of how IPFW works. Would anyone be able to point out where I have made a mistake? I use FreeBSD 11.2.
Thanks in advance
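To make the rule walk in the post something that can be stepped through, here is an added Python model of the ruleset above. It is not FreeBSD code and not from the original post; it implements only what this ruleset uses (skipto, setup and keep-state with the dynamic table, check-state, and the nat action) and takes the sysctl net.inet.ip.fw.one_pass as a parameter, because that setting decides whether a packet that has just been through a nat rule is accepted on the spot (one_pass=1, the FreeBSD default) or re-injected at the next rule (one_pass=0). The host's external address, the client address and the client port are constructed placeholders, and nat 1 is modelled as the port redirect the post describes.

```python
# Added toy model of IPFW rule traversal (skipto, keep-state/check-state, nat).
# Not FreeBSD code: a simplification covering only what the ruleset above uses.
# ME (the jail host's external address) and CLIENT are constructed placeholders.
from dataclasses import dataclass, replace

ME, CLIENT, WEB = "203.0.113.10", "198.51.100.7", "172.16.0.3"


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "in" or "out"
    iface: str
    syn: bool = False     # a bare SYN, which is what the "setup" option matches


# (number, action, arg, proto, src, sport, dst, dport, direction, iface, options)
RULES = [
    (1400, "nat", 1, "tcp", WEB, 3010, "any", None, "out", "em0", ()),
    (1500, "skipto", 30001, "tcp", "any", None, "me", 3010, "in", "em0", ("setup", "keep-state")),
    (2100, "check-state", None, "ip", "any", None, "any", None, None, None, ()),
    (2900, "allow", None, "tcp", WEB, None, "172.16.0.2", 3308, "out", "lo1", ("setup", "keep-state")),
    (30000, "deny", None, "ip", "any", None, "any", None, None, None, ()),
    (30500, "nat", 1, "tcp", "any", None, "me", 3010, "in", "em0", ()),
    (30600, "allow", None, "tcp", "any", None, WEB, 3010, "in", "em0", ()),
    (65535, "deny", None, "ip", "any", None, "any", None, None, None, ()),
]


def matches(rule, p):
    """Static match of one rule against a packet (no dynamic-state lookup here)."""
    _, _, _, proto, src, sport, dst, dport, direction, iface, opts = rule

    def addr_ok(pat, a):
        return pat == "any" or a == (ME if pat == "me" else pat)

    return (proto in ("ip", p.proto) and addr_ok(src, p.src) and addr_ok(dst, p.dst)
            and sport in (None, p.sport) and dport in (None, p.dport)
            and direction in (None, p.direction) and iface in (None, p.iface)
            and ("setup" not in opts or p.syn))


def nat1(p):
    """nat 1 as the post describes it: publish 172.16.0.3:3010 on the host's port 3010."""
    if p.direction == "in" and (p.dst, p.dport) == (ME, 3010):
        return replace(p, dst=WEB)
    if p.direction == "out" and (p.src, p.sport) == (WEB, 3010):
        return replace(p, src=ME)
    return p


def key(p):       # 5-tuple used for the dynamic rule table
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def run(p, one_pass=True, states=None):
    """Walk RULES for packet p; returns (verdict, rule_number, trace, packet_after_nat).

    states maps a 5-tuple (both directions) to the index of the rule that created it.
    one_pass models net.inet.ip.fw.one_pass: 1 accepts a packet as soon as a nat rule
    has processed it, 0 re-injects it at the next rule."""
    states = {} if states is None else states
    trace, i = [], 0
    while i < len(RULES):
        rule = RULES[i]
        num, action, arg, opts = rule[0], rule[1], rule[2], rule[10]
        if action == "check-state" or "keep-state" in opts:
            hit = states.get(key(p))          # keep-state rules also consult the table
            if hit is not None:               # act as the rule that created the entry
                trace.append(f"{num}: dynamic rule from {RULES[hit][0]} matched")
                rule = RULES[hit]
                num, action, arg = rule[0], rule[1], rule[2]
            elif action == "check-state" or not matches(rule, p):
                i += 1
                continue
            else:                             # new flow: record both directions
                back = replace(p, src=p.dst, sport=p.dport, dst=p.src, dport=p.sport)
                states[key(p)] = states[key(back)] = i
                trace.append(f"{num}: matched, dynamic rule created")
        elif not matches(rule, p):
            i += 1
            continue
        else:
            trace.append(f"{num}: matched")
        if action in ("allow", "deny"):
            return action, num, trace, p
        if action == "skipto":                # jump to the first rule numbered >= arg
            i = next(j for j, r in enumerate(RULES) if r[0] >= arg)
            continue
        p = nat1(p)                           # action == "nat"
        trace.append(f"  nat {arg}: {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        if one_pass:
            return "allow", num, trace, p
        i += 1
    return "deny", 65535, trace, p


def web_session(one_pass):
    """Client SYN to the published port, then the server's reply, sharing state."""
    states = {}
    syn = Pkt("tcp", CLIENT, 40000, ME, 3010, "in", "em0", syn=True)
    v_in, r_in, trace, _ = run(syn, one_pass, states)
    reply = Pkt("tcp", WEB, 3010, CLIENT, 40000, "out", "em0")
    v_out, r_out, t_out, _ = run(reply, one_pass, states)
    return (v_in, r_in), (v_out, r_out), trace + t_out


def outbound_ssh(one_pass=True):
    """An unrelated connection from the jail, which the post expects to be blocked."""
    p = Pkt("tcp", WEB, 50000, "198.51.100.20", 22, "out", "em0", syn=True)
    return run(p, one_pass)[:2]


if __name__ == "__main__":
    for one_pass in (1, 0):
        inbound, outbound, trace = web_session(bool(one_pass))
        print(f"one_pass={one_pass}: SYN in -> {inbound}, reply out -> {outbound}")
        print("\n".join("  " + line for line in trace))
    print("ssh out from jail ->", outbound_ssh())
```

With one_pass=0 the model reproduces the eleven-step walk in the post and the reply ends at 65535 (one difference in where the state hit shows up: a rule carrying keep-state consults the dynamic table itself, so the reply is redirected at 01500 rather than at the separate check-state, with the same outcome). With one_pass=1 the reply is accepted at 01400 and the inbound SYN at 30500, so 30600 is never reached. On a real host, `sysctl net.inet.ip.fw.one_pass` together with the per-rule counters from `ipfw -a list` (watch 01400 and 30600) shows which of the two walks the packets are actually taking.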