Hi Everyone.
I have been using FreeBSD for well over 20 years, and had considered myself reasonably competent.
I have a working device in another environment based on FreeBSD 12, with a working firewall setup.
I am trying to make a simple firewall in a new environment, based on a slightly customized version of the IPFW "rc.firewall" ruleset in FreeBSD 13.1, and I appear to be stuck.
The following lines are in my rc.conf:
Code:
ifconfig_xn0="inet 192.168.1.253 netmask 255.255.255.0"
ifconfig_xn1="inet 192.168.2.253 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
#
# Adding the following lines to enable firewall/gateway/natd features
# Copy these lines from /etc/defaults/rc.conf and apply correct parameters
#
firewall_enable="YES"
firewall_type="SIMPLE"
firewall_simple_iif="xn1" # inside network interface for "simple" firewall
firewall_simple_oif="xn0" # Outside network interface for "simple" firewall
firewall_simple_inet="192.168.2.253/24" # inside network address
firewall_simple_onet="192.168.1.253/24" # outside network address
# Userland NAT (natd)
natd_enable="yes"
natd_interface="xn0"
# Enable packets to go from internal to external interfaces
gateway_enable="YES" # Set to YES if this host will be a gateway.
So, the WAN interface is attached to the ISP's modem/router, which has IP address 192.168.1.1. This firewall will be protecting VMs inside my hypervisor, all of which will have IP addresses in the 192.168.2.0/24 network. I have not enabled IPv6, so those rules are not present. Below is the "SIMPLE" section of rc.firewall:
Code:
[Ss][Ii][Mm][Pp][Ll][Ee])
	BAD_ADDR_TBL=13

	# set these to your outside interface network
	oif="$firewall_simple_oif"
	onet="$firewall_simple_onet"

	# set these to your inside interface network
	iif="$firewall_simple_iif"
	inet="$firewall_simple_inet"

	# Stop spoofing
	${fwcmd} add deny all from ${inet} to any in via ${oif}
	${fwcmd} add deny all from ${onet} to any in via ${iif}

	# Define stuff we should never send out or receive in.
	# Stop RFC1918 nets on the outside interface
	${fwcmd} table ${BAD_ADDR_TBL} flush
	${fwcmd} table ${BAD_ADDR_TBL} add 10.0.0.0/8
	${fwcmd} table ${BAD_ADDR_TBL} add 172.16.0.0/12
	# ${fwcmd} table ${BAD_ADDR_TBL} add 192.168.0.0/16

	# And stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface
	${fwcmd} table ${BAD_ADDR_TBL} add 0.0.0.0/8
	${fwcmd} table ${BAD_ADDR_TBL} add 169.254.0.0/16
	${fwcmd} table ${BAD_ADDR_TBL} add 192.0.2.0/24
	${fwcmd} table ${BAD_ADDR_TBL} add 224.0.0.0/4
	${fwcmd} table ${BAD_ADDR_TBL} add 240.0.0.0/4

	${fwcmd} add allow all from 192.168.1.0/24 to me in via ${oif}
	${fwcmd} add allow all from 192.168.2.0/24 to me in via ${iif}
	${fwcmd} add deny all from any to "table($BAD_ADDR_TBL)" via ${oif}

	# Network Address Translation.
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add divert natd ip4 from any to any via ${natd_interface}
		fi
		;;
	esac

	${fwcmd} add deny all from "table($BAD_ADDR_TBL)" to any via ${oif}

	# we want to allow ICMP (this much is working)
	${fwcmd} add pass icmp from any to any via ${iif}
	${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
	${fwcmd} add pass icmp from any to any icmptypes 8 in via ${oif}
	${fwcmd} add pass icmp from any to any icmptypes 0 out via ${oif}
	${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

	# Allow TCP through if setup succeeded
	# This should allow all return packets for established connections to come back in
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Reject&Log all setup of incoming connections from the outside
	${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto tcp

	# Allow setup of any other TCP connection
	# This SHOULD allow all traffic from the internal network to go OUT
	${fwcmd} add pass tcp from any to any setup

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from me to any 53 keep-state

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from me to any 123 keep-state

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;
From what I was used to on FreeBSD 12 and earlier, this should allow any other VM with an IP address in the 192.168.2.0/24 range to establish outgoing connections via HTTP, HTTPS, etc., but the connections time out.
Can anyone tell me what I have done wrong?
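One way to check a ruleset like this without touching the box is to walk individual packets through it rule by rule, the way ipfw does: first match wins, a divert rule hands the packet to natd and processing resumes at the next rule, and a forwarded packet is evaluated twice, once inbound on xn1 and once outbound on xn0. The script below is an added example for this thread, not code from the original post and not ipfw(8) itself. It models only the options the posted SIMPLE rules use (protocol, addresses, destination port, in/out, via, setup, established, icmptypes, me, the bad-address table) and leaves out natd translation, keep-state dynamic rules and fragments. The VM address 192.168.2.10 and the remote addresses in the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges are constructed for the example.

```python
"""Trace constructed packets through a model of the posted SIMPLE ruleset.

Added example for this thread: it is not code from the original post and
not ipfw(8) itself.  It reproduces ipfw's first-match walk for only the
options the posted rules use (proto, src/dst, destination port, in/out,
via, setup, established, icmptypes, me, the bad-address table).  natd
translation, keep-state dynamic rules and fragments are not modelled; a
divert rule falls through to the next rule, which is where natd reinjects
the packet.  The VM and remote addresses used below are constructed.
"""
from ipaddress import ip_address, ip_network

OIF, IIF = "xn0", "xn1"                       # from the posted rc.conf
ME = {ip_address("192.168.1.253"), ip_address("192.168.2.253")}
INET = ip_network("192.168.2.0/24")           # firewall_simple_inet
ONET = ip_network("192.168.1.0/24")           # firewall_simple_onet
# BAD_ADDR_TBL exactly as posted: 192.168.0.0/16 is commented out there.
BAD_ADDR_TBL = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "0.0.0.0/8", "169.254.0.0/16",
    "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4")]

ANY = lambda a: True
me = lambda a: a in ME
table = lambda a: any(a in n for n in BAD_ADDR_TBL)
innet = lambda n: (lambda a: a in n)


def rule(text, action, proto, src=ANY, dst=ANY, dport=None, direction=None,
         via=None, tcp=None, icmptype=None):
    """One ipfw rule; 'text' is the rule body as written in the post."""
    return dict(locals())


# The posted SIMPLE section in order, minus the table-management lines.
RULES = [
    rule("deny all from ${inet} to any in via ${oif}", "deny", "ip", innet(INET), direction="in", via=OIF),
    rule("deny all from ${onet} to any in via ${iif}", "deny", "ip", innet(ONET), direction="in", via=IIF),
    rule("allow all from 192.168.1.0/24 to me in via ${oif}", "allow", "ip", innet(ONET), me, direction="in", via=OIF),
    rule("allow all from 192.168.2.0/24 to me in via ${iif}", "allow", "ip", innet(INET), me, direction="in", via=IIF),
    rule("deny all from any to table(13) via ${oif}", "deny", "ip", ANY, table, via=OIF),
    rule("divert natd ip4 from any to any via ${natd_interface}", "divert", "ip", via=OIF),
    rule("deny all from table(13) to any via ${oif}", "deny", "ip", table, via=OIF),
    rule("pass icmp from any to any via ${iif}", "allow", "icmp", via=IIF),
    rule("pass icmp from any to any icmptypes 8 out via ${oif}", "allow", "icmp", direction="out", via=OIF, icmptype=8),
    rule("pass icmp from any to any icmptypes 8 in via ${oif}", "allow", "icmp", direction="in", via=OIF, icmptype=8),
    rule("pass icmp from any to any icmptypes 0 out via ${oif}", "allow", "icmp", direction="out", via=OIF, icmptype=0),
    rule("pass icmp from any to any icmptypes 0 in via ${oif}", "allow", "icmp", direction="in", via=OIF, icmptype=0),
    rule("pass tcp from any to any established", "allow", "tcp", tcp="established"),
    rule("deny log ip4 from any to any in via ${oif} setup proto tcp", "deny", "tcp", direction="in", via=OIF, tcp="setup"),
    rule("pass tcp from any to any setup", "allow", "tcp", tcp="setup"),
    rule("pass udp from me to any 53 keep-state", "allow", "udp", me, dport=53),
    rule("pass udp from me to any 123 keep-state", "allow", "udp", me, dport=123),
]
DEFAULT = "65535 deny ip from any to any (kernel default without IPFIREWALL_DEFAULT_TO_ACCEPT)"


def packet(proto, src, dst, direction, iface, dport=None, flags=(), icmptype=None):
    """A packet as ipfw sees it on one pass; 'direction' is in/out relative to 'iface'."""
    return dict(proto=proto, src=ip_address(src), dst=ip_address(dst), direction=direction,
                iface=iface, dport=dport, flags=set(flags), icmptype=icmptype)


def matches(r, p):
    """ipfw(8) semantics: 'setup' is SYN set and ACK clear; 'established' is ACK or RST set."""
    if r["proto"] != "ip" and r["proto"] != p["proto"]:
        return False
    if not (r["src"](p["src"]) and r["dst"](p["dst"])):
        return False
    if r["dport"] is not None and p["dport"] != r["dport"]:
        return False
    if r["direction"] and r["direction"] != p["direction"]:
        return False
    if r["via"] and r["via"] != p["iface"]:
        return False
    if r["tcp"] == "setup" and not ("syn" in p["flags"] and "ack" not in p["flags"]):
        return False
    if r["tcp"] == "established" and not (p["flags"] & {"ack", "rst"}):
        return False
    if r["icmptype"] is not None and p["icmptype"] != r["icmptype"]:
        return False
    return True


def first_match(p):
    """Return the body of the rule that terminates processing of p (first match wins)."""
    for r in RULES:
        if matches(r, p):
            if r["action"] == "divert":
                continue               # natd reinjects; ipfw resumes at the next rule
            return r["text"]
    return DEFAULT


if __name__ == "__main__":
    vm, server, attacker = "192.168.2.10", "198.51.100.7", "203.0.113.5"   # constructed
    cases = {
        "VM HTTPS SYN, inbound leg on xn1":
            packet("tcp", vm, server, "in", IIF, dport=443, flags=("syn",)),
        "server SYN/ACK back, inbound on xn0 (pre-NAT dst)":
            packet("tcp", server, "192.168.1.253", "in", OIF, dport=50000, flags=("syn", "ack")),
        "VM DNS query to the ISP router, inbound leg on xn1":
            packet("udp", vm, "192.168.1.1", "in", IIF, dport=53),
        "firewall's own DNS query, outbound on xn0":
            packet("udp", "192.168.1.253", "192.168.1.1", "out", OIF, dport=53),
        "outside SYN to our sshd, inbound on xn0":
            packet("tcp", attacker, "192.168.1.253", "in", OIF, dport=22, flags=("syn",)),
    }
    for name, p in cases.items():
        print(f"{name:52} -> {first_match(p)}")
```

Run stand-alone, it prints the terminating rule for each constructed packet. On this ruleset a VM's TCP SYN to port 443 terminates at `pass tcp from any to any setup` on both legs and the SYN/ACK coming back matches `established`, while a VM's UDP query to port 53 finds no matching allow rule on its inbound xn1 leg (both UDP rules are `from me` only) and falls through to the default deny before natd ever sees it. Whether that is what the post's VMs are running into depends on where they resolve DNS, which the post does not say. On the firewall itself the equivalent check is `ipfw zero` followed by `ipfw -a list` (or `ipfw show`) while a VM retries, which shows which rule's packet counters move.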