IPFW Need advice on how to sort rules right

Greetings,

Currently I'm playing with ipfw nat and so far I have the following:

Code:
00100     45667     44263816 allow ip from any to any via lo0
00200         0            0 deny ip from any to 127.0.0.0/8
00300         0            0 deny ip from 127.0.0.0/8 to any
00400         5          211 nat 1 ip from table(20) to not table(21) via re0
00500    420236     19127471 nat 1 ip from any to aaa.bbb.ccc.ddd via re0
00600         0            0 allow tcp from any to me dst-port 22322
00700    752810    925661279 allow ip from me to any
00800         0            0 deny ip from table(10) to any
00900         0            0 deny tcp from table(11) to any
01000     66986      7542295 allow tcp from any to me established
01100        58         4762 allow udp from any 53 to me dst-port 1024-65535
01200         0            0 allow udp from any 123 to me in
01300         0            0 allow udp from me to any dst-port 123 out
01400         0            0 allow tcp from any to aaa.bbb.ccc.ddd dst-port 80,443 in setup limit src-addr 30
01500        50         2920 allow tcp from any to ddd.sss.bbb.nnn dst-port 80 in setup limit src-addr 30
01600      4914       260252 allow tcp from any to kkk.www.qqq dst-port 80
01700         0            0 allow tcp from any to me dst-port 3388,7835
01800         0            0 allow tcp from any to me dst-port 2112
01900         0            0 allow tcp from any to me dst-port 49900-50000
02000         1           52 allow tcp from any to me dst-port 25,465,587
02100         0            0 allow tcp from any to me dst-port 143,993
02200         0            0 allow tcp from any to aaa.bbb.ccc.ddd dst-port 3309
02300         0            0 allow tcp from any to aaa.bbb.ccc.ddd dst-port 7777,7778,6666,6667,8000,8001,8010,8011 setup
02400         0            0 allow tcp from any to kkk.www.qqq dst-port 6942
02500         0            0 allow udp from any to kkk.www.qqq dst-port 6942
02600         0            0 allow ip from any to any via tun0
02700         0            0 allow udp from any to aaa.bbb.ccc.ddd dst-port 27018
02800         0            0 allow udp from me 27018 to any
02900        20         1680 allow icmp from any to me in icmptypes 8
03000        26         1795 allow icmp from any to me in icmptypes 0,3,11
03100        17         1184 deny log logamount 1000 ip from any to any
65535 160915463 103891083883 allow ip from any to any

aaa.bbb.ccc.ddd - primary external routable IP address
ddd.sss.bbb.nnn and kkk.www.qqq - aliases (external routable IP addresses)
table(20) - for now it's just 192.168.0.1 - loopback for jail
table(21) - aaa.bbb.ccc.ddd, ddd.sss.bbb.nnn and kkk.www.qqq

So now that I have rule #00500 in ipfw, rules like #01400, #02200 or #02300 are not working anymore :(

I'm trying to understand how I can avoid this behavior. I mean, how do I put the rules in the right positions so that all of them are used?

I would appreciate any advice, thanks!
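An added example from the editor, not code from the thread, assuming the listing above is `ipfw -a list` output: it scans the packet counters for rules that sit after a nat rule for the same destination and have never matched. ipfw(8) notes that with net.inet.ip.fw.one_pass at its default of 1 a packet handled by a nat rule is not passed through the remaining rules (set it to 0 to let packets continue after being (de)aliased), which is consistent with rule 00500 counting 420236 packets while 01400, 02200 and 02300 stay at zero.

```shell
#!/bin/sh
# Added check, not part of the thread: report rules that come after a "nat"
# rule for the same destination and have a zero packet counter. With
# net.inet.ip.fw.one_pass=1 the nat rule accepts the packet, so these later
# rules are never consulted. Input: "<rule> <pkts> <bytes> <action> ... to <dst> ...".

nat_shadow_report() {
    awk '
    {
        # locate the "to <dst>" pair; "to not X" keeps its negation
        dst = ""
        for (i = 4; i < NF; i++) {
            if ($i == "to") {
                dst = ($(i + 1) == "not") ? "not " $(i + 2) : $(i + 1)
                break
            }
        }
        if (dst == "") next
        if ($4 == "nat") {
            # remember the first nat rule seen for this destination
            if (!(dst in natrule)) natrule[dst] = $1
            next
        }
        # later rule, same destination, zero packets: never reached
        if ((dst in natrule) && $1 + 0 > natrule[dst] + 0 && $2 + 0 == 0)
            printf "rule %s (to %s) is shadowed by nat rule %s\n", $1, dst, natrule[dst]
    }'
}

# Constructed sample: a subset of the listing posted above.
SAMPLE='00100     45667     44263816 allow ip from any to any via lo0
00400         5          211 nat 1 ip from table(20) to not table(21) via re0
00500    420236     19127471 nat 1 ip from any to aaa.bbb.ccc.ddd via re0
00700    752810    925661279 allow ip from me to any
01400         0            0 allow tcp from any to aaa.bbb.ccc.ddd dst-port 80,443 in setup limit src-addr 30
01500        50         2920 allow tcp from any to ddd.sss.bbb.nnn dst-port 80 in setup limit src-addr 30
02200         0            0 allow tcp from any to aaa.bbb.ccc.ddd dst-port 3309
02300         0            0 allow tcp from any to aaa.bbb.ccc.ddd dst-port 7777,7778 setup
02700         0            0 allow udp from any to aaa.bbb.ccc.ddd dst-port 27018
65535 160915463 103891083883 allow ip from any to any'

printf '%s\n' "$SAMPLE" | nat_shadow_report
```

Rules matching `me` are not flagged by this check because `me` is not compared against literal addresses; on the real box they are affected the same way once the nat rule has accepted the packet.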
 
There is a GUI tool called fwbuilder.

I don't use it because I don't specifically like how it generates config scripts, but it would probably catch some things being out of order for you and other issues as well.

You could mock this up there, just compile the firewall rules, make the fixes, and then fix your script by hand.
 
Seems like fwbuilder doesn't fully support ipfw :(

 
So, I wasn't recommending you write the rules with fwbuilder and use the script it generates. I was only recommending you organize your rules there as it will help you sort them.

With fwbuilder, when you create and organize your rules the front end looks the same whether you use IPtables or PF, for example.

After you enter the rules and compile them, it will complain about mistakes you made and give you the chance to fix them.

Once the order and scope of your rules are fixed, you can just consider the order and layout as your pseudo code and then convert them to ipfw.

You don't even initially have to set the firewall back end; it converts your rules to all that it supports.

Just pick PF and layout your rules. It will help you.

Also, something else to consider:

Someone can correct me if I am wrong, but ipfw was deprecated in favor of PF anyway, and PF is supported on FreeBSD and also used on Mac now too, I believe.
 