IPFW, SSH and limit option

Hello Everyone,
I am using IPFW to protect my web server on FreeBSD 12. My problem started after modifying the IPFW script /etc/ipfw.rules and trying to restart IPFW with # service ipfw restart while I am connected remotely to the web server using SSH: I lose the connection to the server, but fortunately I can reconnect again. After reading the IPFW handbook and ipfw() I've found the solution for not losing the SSH session by adding $cmd 00102 allow tcp from any to any established after $cmd 00101 check-state, but unfortunately the option setup limit src-addr 2 will not work.

As I understand from ipfw(), adding $cmd 00102 allow tcp from any to any established is good with the setup option.

My first question is how I can keep my SSH session connected after invoking # service ipfw restart and at the same time limit inbound connections with the limit option?

My second question is which one is better from a security perspective, $cmd 00102 allow tcp from any to any established or $cmd 00102 deny tcp from any to any established, if I do not care about the SSH session?

Thanks for your continued support,
Amr
 
Why are you restarting IPFW?
When IPFW starts, it first starts with the default rule 65535, which is controlled by the sysctl net.inet.ip.fw.default_to_accept=0 and is deny any to any. After that the ipfw.rules script is executed, which on the other hand has a flush at the top, so it will wipe all existing rules in the sets before it loads the new rules.
Instead of restarting IPFW you can insert/modify the existing rules directly and, when you are happy with them, edit your ipfw.rules. There's no need to restart IPFW.

allow tcp from any to any established must be replaced with "me" instead of "any" if you are not routing any other subnets behind the machine, and it will look like this:

check-state
allow tcp from me to any established
allow tcp from me to any setup keep-state
allow udp from me to any keep-state
allow icmp from me to any keep-state

You can't use deny tcp from any to any because this will drop and prevent all TCP connections.
 
Hello VladiBG,
It's a good idea not to restart IPFW and to use ipfw add and ipfw delete instead, because of ipfw -f -q flush, but just in case I wanted to restart it while using the following, and it will work.

check-state
allow tcp from me to any established
allow tcp from me to any setup keep-state
allow udp from me to any keep-state
allow icmp from me to any keep-state

But as per the handbook:
The dynamic rules facility is vulnerable to resource depletion from a SYN-flood attack which would open a huge number of dynamic rules. To counter this type of attack with IPFW, use limit. This option limits the number of simultaneous sessions by checking the open dynamic rules, counting the number of times this rule and IP address combination occurred. If this count is greater than the value specified by limit, the packet is discarded.

When you test the limit option with the above rule set, it does not take effect.

Thanks,
Amr
 
Hello,
I made it: all I had to do was add the next rule without setup, and now I can restart ipfw() without losing the SSH connection, plus incoming connections are limited to 2.

00450 allow tcp from any to me 22,80,443 in via vtnet0 limit src-addr 2 :default

Mr. VladiBG, as per ipfw() the example was using any, not me:
A first and efficient way to limit access (not using dynamic rules) is
the use of the following rules:
ipfw add allow tcp from any to any established
ipfw add allow tcp from net1 portlist1 to net2 portlist2 setup
ipfw add allow tcp from net3 portlist3 to net3 portlist3 setup
...
ipfw add deny tcp from any to any
And in the handbook:
SRC
The from keyword must be followed by the source address or a keyword that represents the source address. An address can be represented by any, me (any address configured on an interface on this system), me6, (any IPv6 address configured on an interface on this system), or table followed by the number of a lookup table which contains a list of addresses. When specifying an IP address, it can be optionally followed by its CIDR mask or subnet mask. For example, 1.2.3.4/25 or 1.2.3.4:255.255.255.128.

So technically, what is the difference?
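The complete rule set this thread arrives at, written as an /etc/ipfw.rules script in the handbook's $cmd style, as an added example that is not from either poster. It assumes the external interface is vtnet0 (as in the rule above), a single host so "me" is used, and that IPFW_CMD and IPFW_FLUSH can be overridden to preview the rules without loading them.

```shell
#!/bin/sh
# Added example: a minimal /etc/ipfw.rules combining the pieces from this thread.
# Assumptions (not from the thread): external interface vtnet0, a single host
# (hence "me"), and IPFW_CMD / IPFW_FLUSH overridable for a dry run.
ext_if="vtnet0"

load_rules() {
    cmd="${IPFW_CMD:-ipfw -q add}"

    # The flush wipes static and dynamic rules; only the default rule 65535
    # (deny, since net.inet.ip.fw.default_to_accept=0) remains until reload.
    ${IPFW_FLUSH:-ipfw -q -f flush}

    # 1. Packets belonging to connections that already have dynamic state.
    $cmd 00101 check-state

    # 2. Outbound packets of already-open sessions (e.g. the SSH session's
    #    replies), accepted even though the flush removed their dynamic state.
    #    "me" limits this to this host's own addresses instead of "any".
    $cmd 00102 allow tcp from me to any established

    # 3. New outbound connections from this host create dynamic state.
    $cmd 00110 allow tcp from me to any setup keep-state
    $cmd 00111 allow udp from me to any keep-state
    $cmd 00112 allow icmp from me to any keep-state

    # 4. Inbound SSH/HTTP/HTTPS, at most 2 simultaneous sessions per source
    #    address. Written without "setup", as in the final post: ipfw then
    #    creates state for any matching TCP packet, not only a SYN, which
    #    also covers the inbound half of an SSH session that survived the flush.
    $cmd 00450 allow tcp from any to me 22,80,443 in via "$ext_if" limit src-addr 2 :default

    # 5. Explicit catch-all deny (same effect as the default rule 65535).
    $cmd 65000 deny ip from any to any
}

# "sh ipfw.rules preview" prints the rules; "sh ipfw.rules apply" loads them.
case "${1:-}" in
    preview) IPFW_CMD="echo ipfw -q add" IPFW_FLUSH="echo ipfw -q -f flush" load_rules ;;
    apply)   load_rules ;;
esac
```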
 
The keyword "me" in IPFW resolves to all IP addresses that the IPFW host has on all interfaces.
The keyword "any" in IPFW matches all IP addresses.
 