IPFW for Jails. Is there an easy way?

[ghostcorps]

Hi Guys

I am trying to set up IPFW on a jailed server (FreeBSD 8.1), but I don't seem to have enough of a clue

This is what I have configured so far:

/etc/rc.conf

firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_type="client"

/etc/ipfw.rules

IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
#$IPF 130 allow tcp from any to any 22 in
#$IPF 140 allow tcp from any to any 22 out
#$IPF 150 allow tcp from any to any 25 in
#$IPF 160 allow tcp from any to any 25 out
#$IPF 170 allow udp from any to any 53 in
#$IPF 175 allow tcp from any to any 53 in
#$IPF 180 allow udp from any to any 53 out
#$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out

# deny and log everything
$IPF 500 deny log all from any to any

nb. I am following this guide: FreeBSD Setting up Firewall using IPFW


When I restart I get the following lines in dmesg:

ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based forwarding disabled, default to deny, logging disabled
ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based forwarding disabled, default to deny, logging disabled

But when I try to start the firewall it fails:

# sh /usr/local/etc/ipfw.rules

ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: sysctlbyname("net.inet.ip.fw.verbose_limit")

I have read that I may need to configure it from the host, but since it is a remote server I am hesitant in case I block myself.

I have found a lot of advice on the matter, but it's a little too advanced for me I think... Is there an easy way to get this done?

 

[SirDice]

With a standard jail it is never going to work. You might get it to work if you enable VIMAGE. More info can be found here: http://wiki.freebsd.org/NetworkVirtualization

 

[mecano]

I have read that I may need to configure it from the host, but since it is a remote server I am hesitant in case I block myself.

It's best practice to set it from "host", save your time.


P.-S. I guess everybody is always fearfull to block itself with firewalls, have a solid rule for your own connection and then never touch it ; you're ok to go.

 

[ghostcorps]

Thanks guys

Sounds like I'll just have to be very careful

 

[ghostcorps]

Hello again,

I am about to bite the bullet and reboot, but I was wondering if someone could cast a critical eye over my settings... the rules are at their most basic simply allowing all ssh, sql (using 8080), http and ftp traffic.

Once I know it works, I can try to get tricky with my jails.

Also, I am getting come conflicting opinions on whether I need to use NAT for ipfw w/jails. What is the consensus?

Host
/etc/rc.conf

firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_type="simple"

/etc/ipfw.rules

IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ftp (21), ssh (22), http (80), sql (8080)
# not mail (25), dns (53) etc
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
#$IPF 150 allow tcp from any to any 25 in
#$IPF 160 allow tcp from any to any 25 out
#$IPF 170 allow udp from any to any 53 in
#$IPF 175 allow tcp from any to any 53 in
#$IPF 180 allow udp from any to any 53 out
#$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 250 allow tcp from any to any 8080 in
$IPF 260 allow tcp from any to any 8080 out


# deny and log everything
$IPF 500 deny log all from any to any

 

[mecano]

I'm not IPFW fluent but it looks ok, you can add a rule to deny "Source Routed Packets", something like

unreach host log ip from any to any ipoptions ssrr,lsrr

but check the syntax before using it. You can also block multicast "from 224.0.0.0/4 to any in". Also FTP shouldn't work with a simple port 21 rule.