IPFW Rules

Greetings,

Some of you may have noticed my previous posts about setting up a home server for the main reason of learning about networks. However, my firewall is holding things back. I am unable to wrap my mind around how to set up the rules. I tried SIMPLE, but too much is locked out other than basic net surfing, so I need to configure a rule set. I have looked it up online, but I don't quite understand those first few lines of the rule set until I get to the point where you open and deny ports with the "line numbers". Can somebody toss me a bone, or point me to a website that explains things for a rookie?

Thanks!
Dana
 
Can you please tell us a little bit about your setup.

- does your server use separate NICs for internet and intranet connections?
- do you have a fixed IP, or a Cable/DHCP, or a PPPoE connection into the internet?
- is there already some sort of NAT software in place?
- did you already compile a custom kernel with ipfw/nat options? If yes which options?

Perhaps you might want to post the output of:
ifconfig
You should obfuscate the IP addresses somehow, leaving it clear what is internal and what is external address space.

This information should be sufficient for helping you to put together a working nat/ipfw configuration.
 
Hello,

Ok, a bit of information about my setup. I have DSL that provides DHCP to an interface called xl0. Right now I have my server connected to a switch on xl0 end to isolate it from the rest of the network. I assigned a temp IP of 192.168.255.252. On the intranet side of things the interface is vr0. I assigned an IP of 192.168.252.251. I have NAT in place, and IPFW is compiled in the kernel. I'm not aware of any options other than the standard stuff I found on another site. When I set the firewall to OPEN everything works great, then when I switch it to SIMPLE, my DHCP is blocked. DHCP is run by DHCPMasq.

Here is a sample ifconfig:
Code:
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=82009<RXCSUM,VLAN_MTU,WOL_MAGIC,LINKSTATE>
	ether 00:50:da:6b:e7:0b
	inet 192.168.255.252 netmask 0xffffff00 broadcast 192.168.255.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=82808<VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
	ether 00:0c:6e:e1:5b:68
	inet 192.168.254.251 netmask 0xffffff00 broadcast 192.168.254.255
	media: Ethernet autoselect (none)
	status: no carrier
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet 127.0.0.1 netmask 0xff000000
Dana
 
danaeckel said:
... I have DSL that provides DHCP to an interface called xl0. Right now I have my server connected to a switch on xl0 end to isolate it from the rest of the network. I assigned a temp IP of 192.168.255.252. On the intranet side of things the interface is vr0. I assigned an IP of 192.168.252.251. I have NAT in place, and IPFW is compiled in the kernel.

I understand from this, that xl0 is the WAN interface which got a public IP via DHCP, and that vr0 is the LAN interface that you set to a private IP, and that the IP's that you mentioned above are placeholders for the respective real WAN-IP and real LAN-IP. If my understanding is wrong, then please advise.

If my understanding is correct, then we are pretty much talking about the standard two NIC setup.

Code:
   internet---[DSL Modem]---[Switch]---[xl0| Server (nat/ipfw/DHCP/DNS) |vr0]---intranet

I assume that you set up the modern in-kernel NAT alongside ipfw, and not the legacy divert/natd combo. If this is not correct, then please advise. My kernel has been compiled after adding the following options:

Code:
# Options for a NAT enabled kernel
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=5
options         IPFIREWALL_FORWARD
options         IPFIREWALL_NAT
options         LIBALIAS

Here comes an example of an ipfw configuration shell script file that you may want to try:
Code:
#!/bin/sh
ipfw -q flush

add="ipfw -q add"

ipfw -q nat 1 config if xl0 reset

# Allow everything within the LAN
$add 10 allow ip from any to any via lo0
$add 20 allow ip from any to any via vr0

# Catch spoofing from outside
$add 90 deny ip from any to any not antispoof in

$add 100 nat 1 ip from any to any via xl0 in
$add 101 check-state

# Rules for outgoing traffic - allow everything that is not explicitly denied
$add 1000 deny ip from not me to any 25, 53 via xl0 out

# Allow all other outgoing connections
$add 2000 skipto 10000 tcp from any to any via xl0 out setup keep-state
$add 2010 skipto 10000 udp from any to any via xl0 out keep-state

# Rules for incoming traffic - deny everything that is not explicitly allowed
$add 5000 allow tcp from any to any 80, 443 via xl0 in setup limit src-addr 10

# Catch tcp/udp packets, but don't touch gre, esp, icmp traffic
$add 9998 deny tcp from any to any via xl0
$add 9999 deny udp from any to any via xl0

$add 10000 nat 1 ip from any to any via xl0 out
$add 65534 allow ip from any to any

You may need to adapt the rules 1000 and 5000 to your needs. Perhaps you need to add similar rules (e.g. 1010, ..., and 5010, ...) for udp traffic.

Best regards

Rolf
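To make the "line numbers" question concrete, here is a small added example of my own (not Rolf's script and not part of ipfw itself): a toy evaluator that walks Rolf's in-kernel NAT ruleset the way ipfw does, first match wins in ascending rule number, `skipto` jumps forward, `via`/`in`/`out` select the interface pass, and `keep-state` plus `check-state` let a reply to an outbound connection through even though rules 9998/9999 would otherwise deny it. The addresses in `ME` are the thread's own, the peer addresses (198.51.100.7, 203.0.113.1) and the LAN client 192.168.254.10 are made up for the demonstration, and three simplifications are assumptions rather than ipfw behaviour taken from the thread: a packet leaving a `nat` rule continues at the next rule (in ipfw this depends on the net.inet.ip.fw.one_pass sysctl being 0), no sample packet is spoofed so `not antispoof` never matches, and `limit` is treated like `keep-state`.

```python
import re
from collections import namedtuple

ME = {"127.0.0.1", "192.168.255.252", "192.168.254.251"}  # what `me` matches (thread's addresses)

# Rolf's in-kernel NAT ruleset, port lists written without blanks, plus the implicit rule 65535.
RULESET = """
10 allow ip from any to any via lo0
20 allow ip from any to any via vr0
90 deny ip from any to any not antispoof in
100 nat 1 ip from any to any via xl0 in
101 check-state
1000 deny ip from not me to any 25,53 via xl0 out
2000 skipto 10000 tcp from any to any via xl0 out setup keep-state
2010 skipto 10000 udp from any to any via xl0 out keep-state
5000 allow tcp from any to any 80,443 via xl0 in setup limit src-addr 10
9998 deny tcp from any to any via xl0
9999 deny udp from any to any via xl0
10000 nat 1 ip from any to any via xl0 out
65534 allow ip from any to any
65535 deny ip from any to any
"""

# Only the subset of ipfw syntax used above is understood.
RULE_RE = re.compile(
    r"^(?P<num>\d+) (?P<action>allow|deny|skipto|nat|check-state)(?: (?P<arg>\d+))?"
    r"(?: (?P<proto>ip|tcp|udp) from (?P<src>not me|me|any) to (?P<dst>not me|me|any)"
    r"(?: (?P<ports>\d+(?:,\d+)*))?(?P<opts>.*))?$")

# syn=True stands for a TCP SYN without ACK, which is what `setup` matches.
Packet = namedtuple("Packet", "proto src sport dst dport iface direction syn")

def parse(text):
    """Parse the supported ipfw subset into dicts, sorted by rule number."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule: " + line)
        g = m.groupdict()
        opts = (g["opts"] or "").split()
        rules.append({
            "num": int(g["num"]), "action": g["action"], "arg": int(g["arg"] or 0),
            "proto": g["proto"] or "ip", "src": g["src"] or "any", "dst": g["dst"] or "any",
            "ports": {int(p) for p in g["ports"].split(",")} if g["ports"] else set(),
            "via": opts[opts.index("via") + 1] if "via" in opts else None,
            "dir": "in" if "in" in opts else "out" if "out" in opts else None,
            "setup": "setup" in opts,
            "keep_state": "keep-state" in opts or "limit" in opts,  # assumption: limit ~ keep-state
            "antispoof": "antispoof" in opts,
        })
    return sorted(rules, key=lambda r: r["num"])

def addr_ok(spec, addr):
    return spec == "any" or (addr in ME) == (spec == "me")

def matches(r, p):
    """Static match of packet p against rule r."""
    if r["antispoof"]:
        return False  # assumption: the sample packets are never spoofed
    return ((r["proto"] == "ip" or r["proto"] == p.proto)
            and addr_ok(r["src"], p.src) and addr_ok(r["dst"], p.dst)
            and (not r["ports"] or p.dport in r["ports"])
            and (r["via"] is None or r["via"] == p.iface)
            and (r["dir"] is None or r["dir"] == p.direction)
            and (not r["setup"] or p.syn))

def flow_key(p):
    """Direction-independent key so a reply finds the entry its request created."""
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

def evaluate(rules, p, state):
    """Walk the rules in order; return (rule number, verdict). state = dynamic rule table."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if r["action"] == "check-state":
            if flow_key(p) not in state:
                i += 1
                continue
            r = state[flow_key(p)]  # dynamic hit: run the action of the rule that created it
        elif not matches(r, p):
            i += 1
            continue
        if r["keep_state"]:
            state.setdefault(flow_key(p), r)
        if r["action"] in ("allow", "deny"):
            return r["num"], r["action"]
        if r["action"] == "skipto":  # jump to the first rule numbered >= arg
            i = next(j for j, x in enumerate(rules) if x["num"] >= r["arg"])
            continue
        i += 1  # nat: continue with the next rule (one_pass=0 assumption)
    return 65535, "deny"

def run_examples():
    """Decide a few constructed packets; peer and LAN client addresses are made up."""
    rules, state, out = parse(RULESET), {}, {}
    wan, peer, lan = "192.168.255.252", "198.51.100.7", "192.168.254.10"
    out["inbound http"] = evaluate(rules, Packet("tcp", peer, 40000, wan, 80, "xl0", "in", True), state)
    out["inbound ssh"] = evaluate(rules, Packet("tcp", peer, 40001, wan, 22, "xl0", "in", True), state)
    out["lan smtp out"] = evaluate(rules, Packet("tcp", lan, 50000, "203.0.113.1", 25, "xl0", "out", True), state)
    out["lan https out"] = evaluate(rules, Packet("tcp", lan, 50001, "203.0.113.1", 443, "xl0", "out", True), state)
    # The reply is shown as it looks after rule 100 has un-NATed it (rule 100 runs before check-state).
    reply = Packet("tcp", "203.0.113.1", 443, lan, 50001, "xl0", "in", False)
    out["reply, no state"] = evaluate(rules, reply, {})      # 9998 deny: no dynamic entry
    out["reply, with state"] = evaluate(rules, reply, state)  # 65534 allow via the 2000 entry
    return out
```

Calling `run_examples()` shows the decisions: the inbound HTTP SYN stops at 5000, an inbound SSH SYN falls through to 9998, a LAN host trying outbound SMTP is stopped at 1000 before the `skipto`, the outbound HTTPS SYN takes `skipto 10000` and is allowed at 65534, and its reply is only allowed because `check-state` finds the entry rule 2000 created; with an empty state table the same reply is denied at 9998. Rolf's real script runs one pass per interface, so a forwarded packet is evaluated once `via vr0` (allowed at 20) and again `via xl0`, which is why the LAN address is still visible to rule 1000 before NAT at 10000.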
 
Hey, thanks for the code, I'll check into it closely. I see what you mean by options..

Code:
options    IPFIREWALL
options    IPFIREWALL_VERBOSE
options    IPFIREWALL_VERBOSE_LIMIT=5
options    IPFIREWALL_DEFAULT_TO_ACCEPT
options    IPDIVERT
Dana
 
danaeckel said:
Hey, thanks for the code, I'll check into it closely. I see what you mean by options..

Code:
options    IPFIREWALL
options    IPFIREWALL_VERBOSE
options    IPFIREWALL_VERBOSE_LIMIT=5
options    IPFIREWALL_DEFAULT_TO_ACCEPT
options    IPDIVERT
Dana

In /etc/rc.conf you quite possibly have something like the following:
Code:
natd_enable="YES"
natd_interface="xl0"
natd_flags="-dynamic"

For divert/natd, the ipfw configuration shell script example would look like this:

Code:
#!/bin/sh
ipfw -q flush

add="ipfw -q add"

# Allow everything within the LAN
$add 10 allow ip from any to any via lo0
$add 20 allow ip from any to any via vr0

# Catch spoofing from outside
$add 90 deny ip from any to any not antispoof in

$add 100 divert natd ip from any to any via xl0 in
$add 101 check-state

# Rules for outgoing traffic - allow everything that is not explicitly denied
$add 1000 deny ip from not me to any 25, 53 via xl0 out

# Allow all other outgoing connections
$add 2000 skipto 10000 tcp from any to any via xl0 out setup keep-state
$add 2010 skipto 10000 udp from any to any via xl0 out keep-state

# Rules for incoming traffic - deny everything that is not explicitly allowed
$add 5000 allow tcp from any to any 80, 443 via xl0 in setup limit src-addr 10

# Catch tcp/udp packets, but don't touch gre, esp, icmp traffic
$add 9998 deny tcp from any to any via xl0
$add 9999 deny udp from any to any via xl0

$add 10000 divert natd ip from any to any via xl0 out
$add 65534 allow ip from any to any

Best regards

Rolf
 
Well, everything is a go. Thank you for your help, this is exactly what I needed. This firewall is simple, works great, and will be a great learning tool to build from.

Dana
 
rolfheinrich said:
I assume that you set up the modern in-kernel NAT alongside ipfw, and not the legacy divert/natd combo. If this is not correct, then please advise. My kernel has been compiled after adding the following options:

Code:
# Options for a NAT enabled kernel
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=5
options         IPFIREWALL_FORWARD
options         IPFIREWALL_NAT
options         LIBALIAS

As the OP's issue has been solved but my question is also relevant to this, I'll post it here.

Can you please tell me where I can read about "the modern in-kernel NAT"? The handbook does not seem to mention it.

My "pebkac-issue" with natd is that I became very confused about how I can solve the following issue. Maybe you can help me.

So, ethernet xn0 has multiple IP aliases (reachable from the Internet), say 203.0.113.10, 203.0.113.11, 203.0.113.12. Then there is a bridge0 with a few epairs, the other ends are in jails and have 192.168.1.10-20.

Now my questions are these:
  • how do you handle it when you want 192.168.1.10-15 to use 203.0.113.10 for outgoing traffic;
  • 192.168.1.10-15 to use 203.0.113.11 for outgoing traffic;
  • incoming traffic destined for 203.0.113.10 port 80 to go to 192.168.1.16;
  • the rest of the incoming traffic to go to the host (not internally forwarded);
  • incoming traffic destined for 203.0.113.11 to go to 192.168.1.17;
  • except for port 80 which must go to the host (not internally forwarded)
and must you do this with natd or can it be done without natd as the above quote seems to suggest?

Thank you very much if you can explain this to me, my brain feels like spaghetti!
 
I hate to beg. So I'm not going to... yet. If you're reading this and know the answer to my questions, please provide me with some insight... :)
 
donduq said:
... Can you please tell me where I can read about "the modern in-kernel NAT"? ...

For my objectives, I found the documentation on IN-KERNEL NAT in ipfw(8) to be sufficient.

donduq said:
... So, ethernet xn0 has multiple IP aliases (reachable from the Internet), say 203.0.113.10, 203.0.113.11, 203.0.113.12. Then there is a bridge0 with a few epairs, the other ends are in jails and have 192.168.1.10-20. ...

This is quite a sophisticated setup which goes beyond my knowledge.

Best regards

Rolf
 
Well I have at least part of my problem solved! :)

I thought that I was misconfiguring natd and ipfw. And so NAT was very slow and this was very annoying. This is on a Xen VM by the way. I think the Xen backend is a bit old, and I have no control over that because it is a rented VPS.

But it turns out that the issue that caused this was unrelated to natd. After I disabled LSO on my interface the speed went up dramatically. What a relief! All I had to do was disable LSO!

Now I can use natd without problems and take some more time to figure out answers to the questions I posted in the earlier post.

Thanks for commenting Rolf :-)

-DD