Rule Review - First Timer

Hi all,

I'm somewhat of a first-timer when it comes to IPFW. I have been using it for about a year, but I have been using a stock template I bashed together after a bit of research some time ago. Anyway, I'm trying to improve my FreeBSD and IPFW knowledge, and I'm working on my rulesets. I would appreciate a review of the following ruleset and suggestions of better ways of doing things, things that are wrong, or more best practices.

Things I am not sure about are the "setup" and "keep-state" options, as well as the entire stateful inspection paragraph.

Code:
IPF="ipfw -q add"
ipfw -q -f flush

******** BUNCH of HOST AND NETWORK VARIABLES HERE ********

#loopback
$IPF 09 deny tcp from any to 127.0.0.1 113 in
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny log tcp from any to any frag

# Deny Statements
$IPF 41 deny log all from 172.16.0.0/12 to any in #RFC 1918
$IPF 42 deny log all from 10.0.0.0/8 to any in #RFC 1918
$IPF 43 deny log all from $******** to any in
$IPF 44 deny log all from $******** to any in

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established # Won't this and the rule below it be wrong?
# The example on FreeBSD page says
# to deny established, but I'm not sure if this means keep accepting already
# established (connection tracked) sessions, or whether it means accept packets
# that are ACKs whether they have a valid session in the connections table or not?
$IPF 70 allow log all from any to any out keep-state

# ICMP
$IPF 80 allow log icmp from $******** to ******** keep-state
$IPF 81 allow log icmp from $******** to any keep-state
$IPF 82 allow log icmp from $******** to ******** keep-state
$IPF 83 allow icmp from $******** to any keep-state
$IPF 84 deny log icmp from any to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
# "ip" matches every protocol; ipfw has no protocol keyword "any"
$IPF 100 allow log ip from $******** to any in setup keep-state
$IPF 101 allow log ip from $******** to any in setup keep-state
$IPF 102 allow log tcp from any to any 21 out setup keep-state #FTP for faster port downloads
$IPF 110 allow log tcp from $******** to any 22 in setup keep-state # SSH MANAGEMENT
$IPF 111 allow log tcp from $******** to any 22 in setup keep-state
$IPF 112 allow log tcp from $******** to any 22 in setup keep-state
$IPF 113 allow log tcp from $******** to any 22 in setup keep-state
# "limit" already implies keep-state; ipfw refuses a rule that carries both,
# so keep-state is dropped from the limit rules below
$IPF 120 allow log tcp from any to any 22 out setup uid root limit src-addr 5
# "setup" is a TCP flag match (SYN, no ACK) and never matches UDP, so it is
# left off the DNS-over-UDP rule
$IPF 130 allow log udp from any to any 53 out limit src-addr 5
$IPF 140 allow log tcp from any to any 53 out setup limit src-addr 5
$IPF 150 allow log tcp from any to any 80 out setup limit src-addr 30
$IPF 160 allow log tcp from any to any 443 out setup limit src-addr 30

# deny and log everything
$IPF 500 deny log all from any to any

Thanks!

Mark
 
Use # ipfw show to see which packets match a specific rule.

ipfw(8) is a "first match wins" packet filter. Your rules #120 - #160 will never win because of rule #70.

Rule #60 will pass incoming/outgoing packets with the "ACK" bit set. You could change it to:
Code:
$IPF 60 allow tcp from me to any established

Rule #09 is nonsense imho. You could build your loopback rules as follows:
Code:
${IPF} 09 pass all from any to any via lo0
${IPF} 10 deny all from any to 127.0.0.0/8
${IPF} 11 deny ip from 127.0.0.0/8 to any
 
OK, so I can remove rules 60 and 70 and stateful will work correctly? It will only allow what is explicitly defined and then state tracking will allow the rest to work?
 
Yes, they can be removed or modified (see my last post). The firewall will create dynamic rules for those with the keep-state or limit option.

Rules #110 - #113 could be redefined to a single rule if you create a table.
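As an added example (not code from either poster), here is a revised ruleset that applies the review points above: check-state sits in front of the port rules, the catch-all rule 70 is gone so rules 120-160 can actually win, "established" is narrowed to packets this host sends, and the four per-host SSH rules collapse into one rule keyed on an ipfw table. It assumes the firewall protects only the host it runs on (so "me" stands in for the elided host variables), and the admin addresses are hypothetical RFC 5737 documentation addresses. Numbered table 1 is used because it works on every ipfw release that has tables; newer FreeBSD releases also accept named tables. Without "--load" the script only prints the ipfw commands, which is also how it can be reviewed before being applied.

```shell
#!/bin/sh
# Revised IPFW ruleset applying the review points above (example code,
# not from the original post). Assumptions: the firewall protects only the
# host it runs on, and the management hosts below are hypothetical
# RFC 5737 addresses. Run with --load to apply via ipfw(8); anything else
# prints the commands instead.

# Hypothetical SSH management hosts; they are loaded into ipfw table 1.
ADMIN_HOSTS="192.0.2.10 192.0.2.11 198.51.100.0/24"

# Dry-run backend: prints the ipfw command instead of executing it.
print_cmd() { printf 'ipfw %s\n' "$*"; }

# $FW is either "ipfw" or "print_cmd"; ipf adds one rule through it.
ipf() { $FW -q add "$@"; }

load_rules() {
    FW=${1:-ipfw}
    $FW -q -f flush
    # "|| true" tolerates releases where flushing a table that does not
    # exist yet is reported as an error.
    $FW table 1 flush 2>/dev/null || true
    for h in $ADMIN_HOSTS; do $FW table 1 add "$h"; done

    # Loopback first, then keep 127/8 off the real interfaces.
    ipf 10 allow all from any to any via lo0
    ipf 20 deny all from any to 127.0.0.0/8
    ipf 30 deny all from 127.0.0.0/8 to any
    ipf 40 deny log tcp from any to any frag

    # RFC 1918 sources arriving from outside (add "via <ext-if>" to these
    # if a private LAN is attached to this host).
    ipf 41 deny log all from 10.0.0.0/8 to any in
    ipf 42 deny log all from 172.16.0.0/12 to any in
    ipf 43 deny log all from 192.168.0.0/16 to any in

    # Stateful core: check-state consults the dynamic rules created by the
    # keep-state/limit rules below. "established" is narrowed to packets
    # this host sends, so a stray inbound ACK no longer matches. The old
    # rule 70 (allow all out keep-state) is gone: under first-match-wins it
    # swallowed every outbound SYN before rules 120-160 were reached.
    ipf 50 check-state
    ipf 60 allow tcp from me to any established

    # ICMP: our own probes are tracked (echo replies to them come back
    # through check-state); inbound is limited to unreachable, echo
    # request and time-exceeded.
    ipf 80 allow icmp from me to any keep-state
    ipf 81 allow icmp from any to me icmptypes 3,8,11
    ipf 84 deny log icmp from any to any

    # Inbound SSH: one rule over the admin table replaces rules 110-113.
    ipf 110 allow log tcp from 'table(1)' to me 22 in setup keep-state

    # Outbound clients. "limit" already implies keep-state and ipfw rejects
    # a rule carrying both, so only limit appears. "setup" is a TCP flag
    # match and is left off the UDP rule.
    ipf 120 allow log tcp from me to any 22 out setup limit src-addr 5
    ipf 130 allow udp from me to any 53 out keep-state
    ipf 140 allow tcp from me to any 53 out setup limit src-addr 5
    ipf 150 allow tcp from me to any 80 out setup limit src-addr 30
    ipf 160 allow tcp from me to any 443 out setup limit src-addr 30

    # Everything else is dropped and logged; "ipfw show" counts hits here.
    ipf 500 deny log all from any to any
}

# Prints the ruleset without touching the kernel.
render_rules() { load_rules print_cmd; }

case "${1:-}" in
    --load) load_rules ipfw ;;
    *)      render_rules ;;
esac
```

Running it without arguments prints every ipfw command in order, which makes the first-match ordering easy to eyeball: nothing with keep-state or limit precedes check-state except the loopback and spoofing denies, and the only rule that can match an outbound SYN is the port-specific one for it.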
 