IPFW OpenVPN and IPFW rules

Hello,
I cannot set up a firewall for OpenVPN. I don't know where the problem is. The only way to make the VPN work is to stop IPFW via service ipfw stop. Can someone help me set correct IPFW rules, please?

Here is OpenVPN config:
Code:
port    9066
proto   udp4
dev     tun

server  10.8.0.0        255.255.255.0
topology subnet

push "dhcp-option DNS 10.8.0.6"
push "dhcp-option DNS 10.8.0.3"
push "route 10.0.0.0 255.255.255.0"

ifconfig-pool-persist ipp.txt 0

user    nobody
group   nobody

ca      /usr/local/etc/openvpn/keys/ca.crt
cert    /usr/local/etc/openvpn/keys/openvpn-server.crt
key     /usr/local/etc/openvpn/keys/openvpn-server.key  # This file should be kept secret
dh      /usr/local/etc/openvpn/keys/dh.pem

max-clients 10
keepalive 10 120
status openvpn-status.log
;remote-cert-tls client

comp-lzo
client-to-client
persist-key
persist-tun

tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret

Here is the IPFW list (OpenVPN listens on UDP port 9066):

Code:
00009 deny ip from table(1) to any
00010 allow ip from any to any via lo0
00101 check-state :default
00110 allow tcp from me to any dst-port 53 out via vmx0 setup keep-state :default
00111 allow udp from me to any dst-port 53 out via vmx0 keep-state :default
00200 allow tcp from any to any dst-port 80 out via vmx0 setup keep-state :default
00220 allow tcp from any to any dst-port 443 out via vmx0 setup keep-state :default
00230 allow tcp from any to any dst-port 25 out via vmx0 setup keep-state :default
00231 allow tcp from any to any dst-port 465 out via vmx0 setup keep-state :default
00232 allow tcp from any to any dst-port 587 out via vmx0 setup keep-state :default
00238 allow ip from any to any dst-port 9066 in via vmx0 setup keep-state :default
00239 allow ip from any to any dst-port 9066 out via vmx0 setup keep-state :default
00240 allow ip from any to any via tun0
00250 allow icmp from any to any out via vmx0 keep-state :default
00260 allow tcp from any to any dst-port 37 out via vmx0 setup keep-state :default
00270 allow udp from any to any dst-port 123 out via vmx0 keep-state :default
00299 deny log ip from any to any out via vmx0
00300 deny ip from 192.168.0.0/16 to any in via vmx0
00301 deny ip from 172.16.0.0/12 to any in via vmx0
00302 deny ip from 10.0.0.0/8 to any in via vmx0
00303 deny ip from 127.0.0.0/8 to any in via vmx0
00304 deny ip from 0.0.0.0/8 to any in via vmx0
00305 deny ip from 169.254.0.0/16 to any in via vmx0
00306 deny ip from 192.0.2.0/24 to any in via vmx0
00307 deny ip from 204.152.64.0/23 to any in via vmx0
00308 deny ip from 224.0.0.0/3 to any in via vmx0
00310 allow icmp from any to any in via vmx0
00315 deny tcp from any to any dst-port 113 in via vmx0
00320 deny tcp from any to any dst-port 137 in via vmx0
00321 deny tcp from any to any dst-port 138 in via vmx0
00322 deny tcp from any to any dst-port 139 in via vmx0
00323 deny tcp from any to any dst-port 81 in via vmx0
00330 deny ip from any to any frag in via vmx0
00332 deny tcp from any to any established in via vmx0
00400 allow tcp from any to me dst-port 80 in via vmx0 setup limit src-addr 200 :default
00410 allow tcp from any to me dst-port 443 in via vmx0 setup limit src-addr 200 :default
56420 allow tcp from any to me dst-port 9061 in via vmx0 setup limit src-addr 2 :default
56530 allow tcp from any to any dst-port 9060 in via vmx0 setup keep-state :default
56531 allow tcp from any to any dst-port 465 in via vmx0 setup keep-state :default
56532 allow tcp from any to any dst-port 587 in via vmx0 setup keep-state :default
56599 deny log ip from any to any in via vmx0
65535 deny ip from any to any
 
What doesn't work? Can't connect? Can connect but no traffic going in or out? Error messages?
 
I'm not able to connect to the OpenVPN server. The only way to connect is to stop the IPFW service. The OpenVPN client shows 0b incoming traffic... It seems that the IPFW rules are wrong or something is missing:

Code:
00238 allow ip from any to any dst-port 9066 in via vmx0 setup keep-state :default
00239 allow ip from any to any dst-port 9066 out via vmx0 setup keep-state :default
00240 allow ip from any to any via tun0
 
I don't use IPFW myself so it may not be correct, but change ip to udp:
Code:
00238 allow udp from any to any dst-port 9066 in via vmx0 setup keep-state :default
 
I use ipfw exclusively, but am far from an expert. In response to SirDice, I always treated "allow ip" as a combination of "allow udp" & "allow tcp", reducing the number of rules (best practice? I dunno). I'm wondering why rules 238 and 239 are set up as dynamic rule sets when they allow any to any? If you are allowing anyone to connect to port 9066, why waste resources on an ipfw rule? In other words, just drop the rules altogether.

That being said, I think your problem is rule 239, as traffic outbound from OpenVPN will not be on port 9066; it will most likely be allocated to something else. This is assuming that you are denying any to any at some point. I think you may want something along the lines of:

Code:
00239 allow ip from any to any out established
 
In response to SirDice, I always treated "allow ip" as a combination of "allow udp" & "allow tcp"
I wasn't sure that was the case. Some firewalls treat "ip" as a raw IP packet, i.e. not UDP, TCP or ICMP. And because OpenVPN uses UDP specifically I thought it might be the reason.
 
I use IPFW and have an OpenVPN (tunnel setup) installation working with the following rules:
Code:
allow ip from any to any via tun0
allow ip from any to any out via em0 setup keep-state
allow udp from any to me 1194 in via em0 limit src-addr 10

I already see a possible pitfall in your config at the following rule:
Code:
00111 allow udp from me to any dst-port 53 out via vmx0 keep-state :default
This will have to be the following one:
Code:
00111 allow udp from any to any dst-port 53 out via vmx0 keep-state :default

DNS traffic from VPN clients will be denied as it doesn't match rule 111. Client IP addresses are not present on the machine and are thus not matched by the me directive.
In general, I have always found it easy to debug IPFW rulesets. Just put log in front of every deny rule and check the logs where traffic is being halted.
 
You have deny rule 00299 that blocks everything below it on vmx0. It's better to start over with your entire configuration because there are too many mistakes in it.

UDP is stateless; it has no SYN flag. So in the rule proposed by SirDice there's no need for the SETUP option.
Why are you blocking TCP established connections in rule 00332? Your rule number 0009 must be after the lo0 rule 0010; swap them.

What is your network topology?
In your rule set I see only one network interface on the VMware guest, called vmx0, so I assume that there's no other client behind this machine. It's easy to allow outbound traffic that is initiated from the server and filter only incoming connections. You can use the following ipfw.rules and modify it to your needs. I don't know what you are running on ports 9060 and 9061, so you may want to remove them or modify the keep-state option for them.
Also check your HTTP limits: if you expect no more than 200 connections, you can add setup limit src-addr 200 on lines 2600 and 2700.

Save the ipfw.rules file as /usr/local/etc/ipfw.rules

To test it, type:
sh /usr/local/etc/ipfw.rules

To add it permanently to your configuration, type:
sysrc firewall_enable="YES"
sysrc firewall_logging="YES"
sysrc firewall_script="/usr/local/etc/ipfw.rules"

Bash:
#!/bin/sh
# Flush out the list before we begin
ipfw -q -f flush

# Set rules command prefix
fwcmd="ipfw -q add"
#Fill the table1 from file
#cat /usr/local/etc/ipfw.table1 | xargs -n1 ipfw table 1 add

# Loopback address
$fwcmd 100 allow ip from any to any via lo0
#Tunnel interface of OpenVPN
$fwcmd 110 allow ip from any to any via tun0

$fwcmd 200 deny ip from any to 127.0.0.0/8
$fwcmd 300 deny ip from 127.0.0.0/8 to any
$fwcmd 400 deny ip from any to ::1
$fwcmd 500 deny ip from ::1 to any


# Deny table 1 list of ip addresses for fail2ban
$fwcmd 550 deny tcp from 'table(1)' to any

# ipv6 ND DAD
$fwcmd 600 allow ipv6-icmp from :: to ff02::/16

# ipv6 RS, RA, NS, NA, redirect
$fwcmd 700 allow ipv6-icmp from fe80::/10 to fe80::/10
$fwcmd 800 allow ipv6-icmp from fe80::/10 to ff02::/16

# Allow ICMPv6 destination unreachable
$fwcmd 900 allow ipv6-icmp from any to any ip6 icmp6types 1

# Allow NS/NA/toobig (don't filter it out)
$fwcmd 1000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
# Allow packets for which a state has been built
$fwcmd 1100 check-state

# For services permitted below
$fwcmd 1200 allow tcp from me to any established

# Allow any connection out, adding state for each
$fwcmd 1300 allow tcp from me to any setup keep-state
$fwcmd 1400 allow udp from me to any keep-state
$fwcmd 1500 allow icmp from me to any keep-state
$fwcmd 1600 allow ipv6-icmp from me to any keep-state

# Allow DHCP
$fwcmd 1700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
$fwcmd 1800 allow udp from any 67 to me dst-port 68 in
$fwcmd 1900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
$fwcmd 2000 allow udp from fe80::/10 to me dst-port 546 in

# ICMP: echo 8, DestUnreachable 3, SourceQuench 4, TimeExceeded 11
$fwcmd 2100 allow icmp from any to any icmptypes 8
$fwcmd 2200 allow ipv6-icmp from any to any ip6 icmp6types 128,129
$fwcmd 2300 allow icmp from any to any icmptypes 3,4,11
$fwcmd 2400 allow ipv6-icmp from any to any ip6 icmp6types 3

# MyServices Accept
# Don't use keep-state to prevent DoS of the statetable.
# You can add 'keep-state' for a better performance

#$fwcmd 2500 allow log logamount 100 tcp from any to me dst-port 22 setup keep-state
$fwcmd 2510 allow tcp from any to me dst-port 22 setup keep-state

$fwcmd 2600 allow tcp from any to me dst-port 80
$fwcmd 2700 allow tcp from any to me dst-port 443
$fwcmd 2800 allow tcp from any to me dst-port 25
$fwcmd 2900 allow tcp from any to me dst-port 465
$fwcmd 3000 allow tcp from any to me dst-port 587
$fwcmd 3100 allow tcp from any to me dst-port 9060 setup keep-state
$fwcmd 3200 allow tcp from any to me dst-port 9061 setup keep-state

#OpenVPN over udp
$fwcmd 3300 allow udp from any to me dst-port 9066

# Accounting
$fwcmd 65000 count ip from any to any

# Drop Packets to ports where we don't want logging
#$fwcmd 65100 deny { tcp or udp } from any to any dst-port 23,135-139,445 in
#$fwcmd 65200 deny { tcp or udp } from any to any dst-port 1026,1027 in
#$fwcmd 65300 deny { tcp or udp } from any to any dst-port 1433,1434 in

# Broadcasts and multicasts
#$fwcmd 65400 deny ip from any to 255.255.255.255
#$fwcmd 65500 deny ip from any to 224.0.0.0/24 in

# Noise from routers
#$fwcmd 65510 deny udp from any to any dst-port 520 in

# Noise from webbrowsing
#$fwcmd 65520 deny tcp from any 80,443 to any dst-port 1024-65535 in

# Log and drop all other ports
#$fwcmd 65530 deny log logamount 500 ip from any to any

# Default rule DROP, this is set by default and it's not needed
#$fwcmd 65535 deny ip from any to any

To know what you are doing, it's better to first read:
https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
https://www.freebsd.org/cgi/man.cgi?ipfw(8)
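As an added illustration of the points made in these replies (udp rather than ip, and setup being a TCP-only option), here is a toy first-match simulator for the subset of ipfw(8) syntax seen in this thread; it is not code from the thread. The host addresses, the client address and the rule subset are constructed, and dynamic (keep-state) rules are not modelled.

```python
import ipaddress
ME = {"203.0.113.10", "10.8.0.1"}   # constructed: this host's own addresses
def parse_rule(line):
    # One 'ipfw list' line -> dict, covering the subset of syntax used above.
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "proto": "ip", "from": "any",
         "to": "any", "dst-port": None, "dir": None, "via": None, "opts": set()}
    if r["action"] == "check-state":     # dynamic rules are not modelled, so
        return dict(r, proto="none")     # check-state never matches anything
    i = 3 if t[2] == "log" else 2
    r["proto"], i = t[i], i + 1
    while i < len(t):
        k = t[i]
        if k in ("from", "to", "dst-port", "via"):
            r[k] = int(t[i + 1]) if k == "dst-port" else t[i + 1]
            i += 2
        elif k in ("in", "out"):
            r["dir"], i = k, i + 1
        else:                            # setup, established, keep-state, ...
            r["opts"].add(k); i += 1
    return r
def addr_ok(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
def matches(r, p):
    # 'setup' means TCP with SYN and no ACK, so it can never match UDP.
    tcp_syn = p["proto"] == "tcp" and p.get("flags") == "S"
    return (r["proto"] in ("ip", p["proto"])
            and addr_ok(r["from"], p["src"]) and addr_ok(r["to"], p["dst"])
            and r["dst-port"] in (None, p.get("dport"))
            and r["dir"] in (None, p["dir"]) and r["via"] in (None, p["iface"])
            and ("setup" not in r["opts"] or tcp_syn))
def first_match(rule_text, p):
    # ipfw is first-match: return (number, action) of the first rule hit.
    for r in map(parse_rule, rule_text.strip().splitlines()):
        if matches(r, p):
            return r["num"], r["action"]
    return 65535, "deny"                 # ipfw's implicit default rule
# Constructed subset of the OP's list that an inbound UDP packet can reach.
ORIGINAL = """00101 check-state :default
00238 allow ip from any to any dst-port 9066 in via vmx0 setup keep-state :default
00240 allow ip from any to any via tun0
56599 deny log ip from any to any in via vmx0"""
# Rule 238 as the replies suggest: udp instead of ip, and no setup.
FIXED = ORIGINAL.replace("ip from any to any dst-port 9066 in via vmx0 setup",
                         "udp from any to me dst-port 9066 in via vmx0")
# Constructed: an OpenVPN client's first UDP packet arriving on vmx0.
HELLO = {"proto": "udp", "src": "198.51.100.7", "dst": "203.0.113.10",
         "dport": 9066, "dir": "in", "iface": "vmx0"}
```

With ORIGINAL the client's packet falls through to rule 56599 (deny, which is what a logging deny would show); with FIXED it is accepted by rule 238, while a TCP SYN to the same port would have matched the original rule 238.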
 