IPFW ipfw rules

Hi!

I changed the default "workstation" rules a little; to me it looks good and works, but I am not sure about rule 02700. Is it in the correct place, or should it be somewhere different? I think it doesn't work.
ipfw show:
00100    1      40 allow ip from any to any via lo0
00200    0       0 deny ip from any to 127.0.0.0/8
00300    0       0 deny ip from 127.0.0.0/8 to any
00400    0       0 deny ip from any to ::1
00500    0       0 deny ip from ::1 to any
00600    0       0 allow ipv6-icmp from :: to ff02::/16
00700    0       0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800    0       0 allow ipv6-icmp from fe80::/10 to ff02::/16
00900    0       0 allow ipv6-icmp from any to any icmp6types 1
01000    0       0 allow ipv6-icmp from any to any icmp6types 2,135,136
01050    0       0 deny ip from table(1) to any
01100    0       0 check-state :default
01200   20   20598 reass ip from any to any in
01300    0       0 allow tcp from me to any established
01400 4217 3013491 allow tcp from me to any setup keep-state :default
01500   16    1544 allow udp from me to any keep-state :default
01600    0       0 allow icmp from me to any keep-state :default
01700    0       0 allow ipv6-icmp from me to any keep-state :default
01800    0       0 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
01900    0       0 allow udp from any 67 to me 68 in
02000    0       0 allow udp from any 67 to 255.255.255.255 68 in
02100    0       0 allow udp from fe80::/10 to me 546 in
02200    0       0 allow icmp from any to any icmptypes 8
02300    0       0 allow ipv6-icmp from any to any icmp6types 128,129
02400    0       0 allow icmp from any to any icmptypes 3,4,11
02500    0       0 allow ipv6-icmp from any to any icmp6types 3
02600   20   20598 count ip from any to any
02700    0       0 deny log ip from any to any out via bge0
02800    0       0 deny { tcp or udp } from any to any 135-139,445 in
02900    0       0 deny { tcp or udp } from any to any 81,113 in
03000    0       0 deny { tcp or udp } from any to any 1026,1027 in
03100    0       0 deny { tcp or udp } from any to any 1433,1434 in
03200    0       0 deny ip from any to 255.255.255.255
03300    1      36 deny ip from any to 224.0.0.0/24 in
03400    0       0 deny udp from any to any 520 in
03500   19   20562 deny tcp from any 80,443 to any 1024-65535 in
03600    0       0 deny ip from any to any frag in
65000    0       0 deny log logamount 500 ip from any to any
65535    0       0 deny ip from any to any
Thank you.
 
Hi, your rule 2700 catches packets that are outgoing on your (only) interface.
Although, most of the rules above allow outgoing traffic with the "from me to any" directive.
So your rule will work for packets that are not allowed out before they reach your rule.

Also, if you delete your rule 2700, packets that are not allowed out before they reach your rule will match rule 65000 anyway, denying all traffic, in and out. So I don't really see the benefit of adding your extra rule at 2700. Maybe if you want to make the split between denied in/out packets that fall through the rule set, but even then ... :).
 
Does it mean that my rules are useless?
Thank you.

#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush before begin
ipfw -q -f flush

# Get ip's from Spamhaus
# /etc/tables.sh
ipfw table 1 create
cat /etc/bogons | xargs -n1 ipfw table 1 add
ipfw table 2 create
cat /etc/razno | xargs -n1 ipfw table 2 add

# Set rules comand prefix
cmd="ipfw -q add"
pif="bge0"


$cmd 00100 allow ip from any to any via lo0
$cmd 00200 deny ip from any to 127.0.0.0/8
$cmd 00300 deny ip from 127.0.0.0/8 to any
$cmd 00400 deny ip from any to ::1
$cmd 00500 deny ip from ::1 to any
$cmd 00600 allow ipv6-icmp from :: to ff02::/16
$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
$cmd 00900 allow ipv6-icmp from any to any icmp6types 1
$cmd 00950 allow ipv6-icmp from any to any icmp6types 2,135,136
$cmd 01000 deny ip from 'table(1)' to any
$cmd 01000 deny ip from 'table(2)' to any

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 01010 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 01020 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 01030 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 01040 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 01050 deny all from 0.0.0.0/8 to any in via $pif #"this" network (RFC 1122), not loopback
$cmd 01060 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 01070 deny all from 192.0.2.0/24 to any in via $pif #reserved for doc's
$cmd 01080 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 01090 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast

$cmd 01100 check-state
$cmd 01200 reass ip from any to any in

$cmd 01300 allow tcp from me to any established
$cmd 01400 allow tcp from me to any setup keep-state
$cmd 01500 allow udp from me to any keep-state
$cmd 01600 allow icmp from me to any keep-state
$cmd 01700 allow ipv6-icmp from me to any keep-state

# DHCP
$cmd 01800 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
$cmd 01900 allow udp from any 67 to me 68 in
$cmd 02000 allow udp from any 67 to 255.255.255.255 68 in
$cmd 02100 allow udp from fe80::/10 to me 546 in

# ICMP
$cmd 02200 allow icmp from any to any icmptypes 8
$cmd 02300 allow ipv6-icmp from any to any icmp6types 128,129
$cmd 02400 allow icmp from any to any icmptypes 3,4,11
$cmd 02500 allow ipv6-icmp from any to any icmp6types 3

$cmd 02600 count ip from any to any
$cmd 02700 deny log ip from any to any out via bge0
$cmd 02800 deny { tcp or udp } from any to any 135-139,445 in
$cmd 02900 deny { tcp or udp } from any to any 81,113 in
$cmd 03000 deny { tcp or udp } from any to any 1026,1027 in
$cmd 03100 deny { tcp or udp } from any to any 1433,1434 in
$cmd 03200 deny ip from any to 255.255.255.255
$cmd 03300 deny ip from any to 224.0.0.0/24 in
$cmd 03400 deny udp from any to any 520 in
$cmd 03500 deny tcp from any 80,443 to any 1024-65535 in
$cmd 03600 deny ip from any to any frag in
$cmd 65000 deny log logamount 500 ip from any to any
 
Hi fernandel, I have seen you post a few topics regarding whether your IPFW syntax is correct, or uncertainty around IPFW in general.
This hints to me that you do not feel 100% comfortable with it, which is fine; we are here to help.
I just recommend that, if my above statement is (semi) correct, you stick to the default workstation ruleset.

What exactly do you want to achieve that the default ruleset doesn't at the moment? (to prevent an XY problem)
"Is this fine what I did" is typically harder to answer. :) If you tell me what you want to achieve, it's easier to help you.

Your rules are not useless. Although, from a quick scan, rule 2700 is because rule 65000 already does what 2700 does (and more).
If your question is "why does rule 2700 never match", that is because in rules 1400, 1500, 1600 and 1700 all known IP protocols are allowed from your computer (me) to anywhere (any) (so also outbound) before they hit 2700.
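Added example, not from the thread or from ipfw itself: a small Python first-match simulator over a simplified subset of the ruleset above (rules 1400-1700, 2700, 2800 and 65000), to show which rule a given packet hits and therefore why 2700 only ever sees outbound packets that the "from me" rules did not already allow. It assumes a constructed address for "me", ignores the dynamic state table and TCP flags, and treats 1400 as plain "allow tcp from me".

```python
# Simplified first-match evaluator for part of the ipfw ruleset in this thread.
# "me" is a constructed address; keep-state / setup / established are ignored.
ME = "192.0.2.10"     # constructed workstation address (RFC 5737 doc range)
IFACE = "bge0"

# (number, action, protocols, source, dest ports, direction, via interface)
# None means "any" for that field. Order matters: ipfw stops at the first match.
RULES = [
    (1400, "allow", {"tcp"}, "me", None, None, None),
    (1500, "allow", {"udp"}, "me", None, None, None),
    (1600, "allow", {"icmp"}, "me", None, None, None),
    (1700, "allow", {"ipv6-icmp"}, "me", None, None, None),
    (2700, "deny", None, None, None, "out", IFACE),           # "deny log ... out via bge0"
    (2800, "deny", {"tcp", "udp"}, None, set(range(135, 140)) | {445}, "in", None),
    (65000, "deny", None, None, None, None, None),            # catch-all "deny log"
]

def first_match(pkt):
    """Return (rule number, action) of the first rule that matches pkt."""
    for num, action, protos, src, dports, direction, via in RULES:
        if protos is not None and pkt["proto"] not in protos:
            continue
        if src == "me" and pkt["src"] != ME:
            continue
        if dports is not None and pkt.get("dport") not in dports:
            continue
        if direction is not None and pkt["dir"] != direction:
            continue
        if via is not None and pkt["iface"] != via:
            continue
        return num, action
    return 65535, "deny"   # implicit default rule

def trace(packets):
    """Map a label to the rule each constructed packet hits, for inspection."""
    return {label: first_match(p) for label, p in packets.items()}

# Constructed sample packets illustrating the thread's question.
SAMPLES = {
    "tcp_out_from_me":  {"proto": "tcp", "src": ME, "dport": 443, "dir": "out", "iface": IFACE},
    "gre_out_from_me":  {"proto": "gre", "src": ME, "dir": "out", "iface": IFACE},
    "tcp_out_spoofed":  {"proto": "tcp", "src": "198.51.100.7", "dport": 80, "dir": "out", "iface": IFACE},
    "smb_in":           {"proto": "tcp", "src": "198.51.100.7", "dport": 445, "dir": "in", "iface": IFACE},
    "ssh_in":           {"proto": "tcp", "src": "198.51.100.7", "dport": 22, "dir": "in", "iface": IFACE},
}

if __name__ == "__main__":
    for label, hit in trace(SAMPLES).items():
        print(f"{label:18s} -> rule {hit[0]} {hit[1]}")
```

Normal outbound TCP from the host is allowed at 1400 and never reaches 2700; only outbound packets of an unlisted protocol, or with a source that is not "me", fall through to 2700, and without 2700 they would land on 65000 anyway.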
 