IPFW iptables to ipfw

Greetings, I want to know if I can translate some of these rules and if it's possible to translate them. Any help would be appreciated!

Code:
   iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
   iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
   iptables -A INPUT -m state --state INVALID -j DROP
   iptables -A INPUT -p TCP --tcp-flags ALL NONE -j DROP
   iptables -A INPUT -p TCP --tcp-flags ALL ALL -j DROP
   iptables -A INPUT -p TCP ! --syn -m state --state NEW -j DROP
   iptables -A INPUT -f -j DROP
   iptables -A INPUT -p ICMP -m state --state NEW --icmp-type 8 -j ACCEPT
   iptables -A INPUT -p icmp -m limit --limit 1/second -j ACCEPT
   iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
   iptables -A INPUT -p tcp --dport 2525 -m state --state NEW -m recent ! --rcheck --seconds 300 --hitcount 4 --name ssh --rsource -j ACCEPT
   iptables -A INPUT -p TCP --dport 2525 -j LOG --log-prefix "Unauthorize SSH ** (special port) "
   iptables -A INPUT -p TCP --dport 22 -j LOG --log-prefix "Unauthorize SSH ** (standard port) " # Log the attempt
   iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
   iptables -A FORWARD -m state --state INVALID -j DROP
   iptables -A FORWARD -p ALL -j DROP
   iptables -A OUTPUT -m state --state INVALID -j DROP

I managed to translate:
Code:
ipfw add 300 deny icmp from any to any icmptypes 17
ipfw add 310 deny icmp from any to any icmptypes 13
ipfw add 310 deny all from any to any out recv ${card} keep-state   # FORWARD

About this last line I am very uncertain, though.
 
Yes, you can translate them. A good starting point would be the IPFW docs page: https://docs.freebsd.org/doc/7.4-RELEASE/usr/share/doc/handbook/firewalls-ipfw.html

Here are some hints:
  • the INPUT chain means packets sent from the outside to the box, so it would roughly mean in IPFW syntax "from not me to me".
  • FORWARD means coming and going, so IPFW: "from not me to not me".
  • OUTPUT: "from me to not me"
  • You could also use "from any to me", "from any to any" and "from me to any", but take into account that "any" includes the box also.
  • DROP translates to "deny". For REJECT, ipfw(8) writes "reject (Deprecated). Synonym for unreach host." (unreach: host, protocol, net, port, ...)
  • For TCP flags, there is a keyword "tcpflags syn,ack" ... etc.
  • For RELATED,ESTABLISHED you need to use a stateful firewall. This is done by adding "setup keep-state" to the rule. setup will match packets that establish TCP connections and keep-state will create a dynamic rule. Then you need a check-state rule to allow the following packets for that connection.
For more info, see the docs and the man page: ipfw(8).
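As an added example (not from the thread or from FreeBSD's own rc.firewall), here is the original iptables INPUT/FORWARD ruleset written as one rc.firewall-style ipfw ruleset following the hints above. It assumes fwcmd is "echo ipfw" so the rules are printed rather than loaded, and takes the SSH port 2525 from the original rules; "limit src-addr 4" is a stand-in for "-m recent", not an exact equivalent.

```shell
#!/bin/sh
# Added example, not from the thread: the original iptables INPUT/FORWARD rules
# written rc.firewall-style as one ipfw ruleset. fwcmd defaults to "echo ipfw"
# so the rules are printed, not loaded; set fwcmd=ipfw on a real host.
# ssh_port is assumed from the original rules (2525).
fwcmd="${fwcmd:-echo ipfw}"
ssh_port="${ssh_port:-2525}"

gen_rules() {
    # RELATED,ESTABLISHED: let packets matching a dynamic rule through first
    ${fwcmd} add 100 check-state
    # ICMP address-mask-request (17) and timestamp-request (13)
    ${fwcmd} add 200 deny log icmp from any to me icmptypes 17
    ${fwcmd} add 210 deny log icmp from any to me icmptypes 13
    # --tcp-flags ALL NONE and --tcp-flags ALL ALL
    ${fwcmd} add 300 deny log tcp from any to me tcpflags '!ack,!fin,!psh,!rst,!syn,!urg'
    ${fwcmd} add 310 deny log tcp from any to me tcpflags 'ack,fin,psh,rst,syn,urg'
    # "! --syn --state NEW": no dynamic rule matched above and SYN is clear
    ${fwcmd} add 320 deny log tcp from any to me tcpflags '!syn'
    # -f: fragments
    ${fwcmd} add 330 deny log ip from any to me frag
    # echo-request in (ICMP type 8); replies to our own pings arrive via rule 100
    ${fwcmd} add 400 allow icmp from any to me icmptypes 8
    # SSH on the special port: 'limit src-addr 4' caps simultaneous dynamic
    # states per source address; unlike "-m recent" it is not a hit counter
    # over a time window, so it only approximates the original rule.
    ${fwcmd} add 500 allow tcp from any to me ${ssh_port} setup limit src-addr 4
    # What iptables only logged is denied and logged here (the rule number
    # appears in the log line; ipfw has no --log-prefix)
    ${fwcmd} add 510 deny log tcp from any to me ${ssh_port},22
    # Outbound: add state for each new connection (replies match rule 100)
    ${fwcmd} add 600 allow tcp from me to any setup keep-state
    ${fwcmd} add 610 allow udp from me to any keep-state
    ${fwcmd} add 620 allow icmp from me to any keep-state
    # FORWARD chain: "from not me to not me"; anything without state is dropped
    ${fwcmd} add 900 deny log ip from not me to not me
    # Default deny (needs net.inet.ip.fw.verbose=1 for the log lines to appear)
    ${fwcmd} add 65000 deny log ip from any to any
}

gen_rules
```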
 
Something I found useful during my transition from iptables to ipfw was reading through portions of /etc/rc.firewall. Some of your rules are part of the workstation firewall type you can specify in rc.conf:

Edit: this might be more useful than my previous quote:

Code:
[root ~] sed -n '423,547p' /etc/rc.firewall                  
[Ww][Oo][Rr][Kk][Ss][Tt][Aa][Tt][Ii][Oo][Nn])                            
        # Configuration:                                   
        #  firewall_myservices:         List of ports/protocols on which this
        #                                host offers services.    
        #  firewall_allowservices:      List of IPv4 and/or IPv6 addresses
        #                                that have access to
        #                                $firewall_myservices.       
        #  firewall_trusted:            List of IPv4 and/or IPv6 addresses
        #                                that have full access to this host.
        #                                Be very careful when setting this.
        #                                This option can seriously degrade
        #                                the level of protection provided by
        #                                the firewall.             
        #  firewall_logdeny:            Boolean (YES/NO) specifying if the
        #                                default denied packets should be
        #                                logged (in /var/log/security).
        #  firewall_nologports:         List of TCP/UDP ports for which   
        #                                denied incoming packets are not  
        #                                logged.
                                 
        # Allow packets for which a state has been built.                 
        ${fwcmd} add check-state                           
                                                                       
        # For services permitted below.                             
        ${fwcmd} add pass tcp  from me to any established  
                                                                       
        # Allow any connection out, adding state for each.               
        ${fwcmd} add pass tcp  from me to any setup keep-state          
        ${fwcmd} add pass udp  from me to any       keep-state             
        ${fwcmd} add pass icmp from me to any       keep-state             
        if [ $ipv6_available -eq 0 ]; then                     
                ${fwcmd} add pass ipv6-icmp from me to any keep-state     
        fi                                                     
                                                                       
        # Allow DHCP.                                       
        ${fwcmd} add pass udp  from 0.0.0.0 68 to 255.255.255.255 67 out
        ${fwcmd} add pass udp  from any 67     to me 68 in             
        ${fwcmd} add pass udp  from any 67     to 255.255.255.255 68 in  
        if [ $ipv6_available -eq 0 ]; then                              
                ${fwcmd} add pass udp from fe80::/10 to me 546 in      
        fi                                                               
        # Some servers will ping the IP while trying to decide if it's
        # still in use.
        ${fwcmd} add pass icmp from any to any icmptype 8
        if [ $ipv6_available -eq 0 ]; then
                ${fwcmd} add pass ipv6-icmp from any to any icmp6type 128,129
        fi

        # Allow "mandatory" ICMP in.
        ${fwcmd} add pass icmp from any to any icmptype 3,4,11
        if [ $ipv6_available -eq 0 ]; then
                ${fwcmd} add pass ipv6-icmp from any to any icmp6type 3
        fi

        # Add permits for this workstations published services below
        # Only IPs and nets in firewall_allowservices is allowed in.
        # If you really wish to let anyone use services on your
        # workstation, then set "firewall_allowservices='any'" in /etc/rc.conf
        #
        # Note: We don't use keep-state as that would allow DoS of
        #       our statetable.
        #       You can add 'keep-state' to the lines for slightly
        #                better performance if you feel that DoS of your
        #       workstation won't be a problem.
        #
        for i in ${firewall_allowservices} ; do
          for j in ${firewall_myservices} ; do
            case $j in
            [0-9A-Za-z]*/[Pp][Rr][Oo][Tt][Oo])
              ${fwcmd} add pass ${j%/[Pp][Rr][Oo][Tt][Oo]} from $i to me
            ;;
            [0-9A-Za-z]*/[Tt][Cc][Pp])
              ${fwcmd} add pass tcp from $i to me ${j%/[Tt][Cc][Pp]}
            ;;
            [0-9A-Za-z]*/[Uu][Dd][Pp])
              ${fwcmd} add pass udp from $i to me ${j%/[Uu][Dd][Pp]}
            ;;
            *[0-9A-Za-z])
              echo "Consider using ${j}/tcp in firewall_myservices." \
                      > /dev/stderr
              ${fwcmd} add pass tcp from $i to me $j
            ;;
            *)
              echo "Invalid port in firewall_myservices: $j" > /dev/stderr
            ;;
            esac
          done
        done

        # Allow all connections from trusted IPs.
        # Playing with the content of firewall_trusted could seriously
        # degrade the level of protection provided by the firewall.
        for i in ${firewall_trusted} ; do
          ${fwcmd} add pass ip from $i to me
        done

        ${fwcmd} add 65000 count ip from any to any

        # Drop packets to ports where we don't want logging

        for i in ${firewall_nologports} ; do
          ${fwcmd} add deny { tcp or udp } from any to any $i in
        done

        # Broadcasts and multicasts
        ${fwcmd} add deny ip  from any to 255.255.255.255
        ${fwcmd} add deny ip  from any to 224.0.0.0/24 in       # XXX

        # Noise from routers
        ${fwcmd} add deny udp from any to any 520 in

        # Noise from webbrowsing.
        # The stateful filter is a bit aggressive, and will cause some
        #  connection teardowns to be logged.
        ${fwcmd} add deny tcp from any 80,443 to any 1024-65535 in

        # Deny and (if wanted) log the rest unconditionally.
        log=""
        if [ ${firewall_logdeny:-x} = "YES" -o ${firewall_logdeny:-x} = "yes" ] ; then
          log="log logamount 500"       # The default of 100 is too low.
          sysctl net.inet.ip.fw.verbose=1 >/dev/null
        fi
        ${fwcmd} add deny $log ip from any to any
        ;;

[Cc][Ll][Oo][Ss][Ee][Dd])
 
You might want to put the code in a QUOTE to make it collapse to a smaller box when not expanded.
Please use [code] for this.

 
"me" refers to an IP address. So if the host has the IP address configured on an interface, then it matches with "me".
addr: [not] {any | me | me6 | table(name[,value]) | addr-list | addr-set}

any matches any IP address.

me matches any IP address configured on an interface in the system.

A bridge is an interface and if it has an IP address configured, it would match with "me".
 
For future reference (and for myself when I google), I finished with these examples (on my post):

Code:
ipfw add deny icmp from any to any icmptypes 17
ipfw add deny icmp from any to any icmptypes 13
ipfw add deny tcp from any to any tcpflags !syn,!ack
ipfw add deny tcp from any to any tcpflags !ack,!fin,!psh,!rst,!syn,!urg
ipfw add deny tcp from any to any tcpflags ack,fin,psh,rst,syn,urg
ipfw add deny all from any to any frag

I could never find when a packet is invalid, to quote myself:
Code:
iptables -A INPUT -m state --state INVALID -j DROP

Also thanks for everyone involved, much appreciated.
 
The INVALID macro has a specific meaning. I think, for example, if you receive an ACK but never sent a SYN in the first place.
Just extract from the iptables documentation what exactly INVALID matches, and then use tcpoptions and tcpflags in ipfw to implement it.

BTW, in all deny rules it's probably a good idea to add "log".
 