IPFW router ruleset for dmz - help needed

I

iclis

Hello.

Trying to play with IPFW ruleset with a Freebsd box that acts as a router.
A quite steep learning curve for sure, but managed to get it working after countless hours reading forums/examples.

Network is segmented into vlans. DMZ is one of them where all public services reside.
Trying to stick with recommendations to have as few rules as possible and place arguments as CIDR's, network interfaces in tables.

Current working set:
Code: 
01001 allow ip4 from any to any via table(ifsafe) #internal vlans + lo0
01003 allow ip4 from any to table(dmz) via table(ifall) #allow all vlans to reach services in dmz
01009 allow ip4 from any to not table(netsafe) via table(ifwww) #vlan accessibility/separation
01020 allow icmp from any to any icmptypes 3,4,5,11,12 in

02001 nat 1 ip4 from any to any in recv igb0
02005 check-state :default
03001 deny tcp from any to any established in recv igb0

03004 skipto 9091 tag 999 tcp from any to any 25,587,993,5232,80,443 setup in recv igb0 keep-state :default
03005 skipto 9091 tag 999 udp from any to any 51820 in recv igb0 keep-state :default
03999 deny ip from any to any in recv igb0
05000 skipto 9010 tcp from not table(netnowww) to any setup out xmit igb0 keep-state :default
05001 skipto 9010 udp from not table(netnowww) to any out xmit igb0 keep-state :default

09010 nat 1 ip4 from any to any out xmit igb0
09011 allow ip4 from any to any via igb0

09091 nat 1 tag 999 ip4 from any to any out xmit igb0
09092 allow ip4 from any to any via igb0 tagged 999

10000 deny log ip from any to any

Dynamic rules for incoming packets on wan (igb0) are working just fine, but I'm failing to set dynamic ones up for internal vlans.
Idea would be that traffic via
Code: 
table(ifall)
would punch to DMZ and have a way back dynamically.

Any suggestions on how to achieve that? ?
 
iclis said:
Dynamic rules for incoming packets on wan (igb0) are working just fine, but I'm failing to set dynamic ones up for internal vlans.
Idea would be that traffic via
Code: 
table(ifall)
would punch to DMZ and have a way back dynamically.

Any suggestions on how to achieve that? ?
Click to expand...

Looks very clean and neat.

I think it may help others' comprehension (mine at least) to provide examples of some of your vlans - as ordinary subnet segments to avoid complication perhaps - showing which would be in which table/s, with notes describing table names and purpose in a bit more detail?
 
smithi said:
Looks very clean and neat.

I think it may help others' comprehension (mine at least) to provide examples of some of your vlans - as ordinary subnet segments to avoid complication perhaps - showing which would be in which table/s, with notes describing table names and purpose in a bit more detail?
Click to expand...

Thanks for interest and reply. I find it easy to understand for myself but rather difficult to explain to others :)
A shortened version of above vlan's I have during creation:

Code: 
table="ipfw -q table"

# internal and safe vlans - access everywhere:
$table netsafe create type addr
$table netsafe add 127.0.0.1/8
$table netsafe add 10.0.0.0/24
$table netsafe add 10.0.2.0/24

# dmz vlan:
$table dmz create type addr
$table dmz add 10.0.99.1
$table dmz add 10.0.99.50

# respectful tables for network interfaces:
$table ifsafe create type iface
$table ifsafe add lo0
$table ifsafe add igb1
$table ifsafe add igb1.2

$table ifall create type iface
$table ifall add igb1
$table ifall add igb1.2
$table ifall add igb1.99
$table ifall add lo0

Rule #01009 is just to allow some additional isolated vlans to have access to outside.

The reason I need dynamic internal rules for #01001 and #01003 is that packets coming back from dmz to internal networks are being blocked (which is expected behavior).
 
iclis said:
Dynamic rules for incoming packets on wan (igb0) are working just fine, but I'm failing to set dynamic ones up for internal vlans.
Idea would be that traffic via
Code: 
table(ifall)
would punch to DMZ and have a way back dynamically.

Any suggestions on how to achieve that? ?
Click to expand...
I am unfamiliar with the igb1.2 syntax. Did you try adding one of these VLAN's with the dot notation just as a static and see if that worked? if that doesn't work then it won't work through a dynamic table.

just trying to help.
 
Static worked just fine, but was willing to optimize and do dynamic ones to have less checks done.
Ended up with separate check-state entry right after setting up:
Code: 
...
$cmd check-state :dmz

$cmd 1008 skipto 9080 tag 888 tcp from any to table\(dmz\) in recv table\(ifall\) setup keep-state :dmz
$cmd 1009 skipto 9080 tag 888 udp from any to table\(dmz\) in recv table\(ifall\) keep-state :dmz
...
##### nat rules #####
##### ingress rules #####
##### egress rules #####
...
$cmd 9080 allow ip4 from any to any via table\(ifall\) tagged 888
...

Thanks for good intentions. Now it works.
 
You must log in or register to reply here.
Back
Top