Using OpenVPN Through IPFW

captcurrent

Member


OK, about 7 years have passed since my initial attempt at implementing OpenVPN, as documented at https://forums.freebsd.org/threads/openvpn-ipfw-nat-freebsd.39496/
Since that time, I believe FreeBSD 12 and IPFW now handle NAT, which was a lot of my problems then. For some reason I cannot open port 1194.
My current ipfw.rules are:


Code:
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 15 allow ip from any to any via tun0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

$IPF 81 allow tcp from any to any 1194 in setup keep-state
$IPF 82 allow tcp from any to any 1194 out setup keep-state
$IPF 83 allow udp from any to any 1194 in setup keep-state
$IPF 84 allow udp from any to any 1194 out setup keep-state

$IPF 85 allow tcp from any to any 9000 in setup keep-state
$IPF 86 allow tcp from any to any 9000 out setup keep-state
$IPF 100 deny log ip from "table(22)" to any
$IPF 105 deny log ip from "table(10)" to any
# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in setup keep-state
$IPF 120 allow tcp from any to any 21 out setup keep-state
$IPF 130 allow tcp from any to any 22 in setup keep-state
$IPF 140 allow tcp from any to any 22 out setup keep-state
$IPF 150 allow tcp from any to any 25 in setup keep-state
$IPF 160 allow tcp from any to any 25 out setup keep-state
$IPF 170 allow udp from any to any 53 in keep-state
$IPF 175 allow tcp from any to any 53 in setup keep-state
$IPF 180 allow udp from any to any 53 out setup keep-state
$IPF 185 allow tcp from any to any 53 out setup keep-state
$IPF 200 allow tcp from any to any 80 in setup keep-state
$IPF 210 allow tcp from any to any 80 out setup keep-state
$IPF 215 allow tcp from any to any 110 in setup keep-state
$IPF 216 allow tcp from any to any 110 out setup keep-state
$IPF 220 allow tcp from any to any 143 in setup keep-state
$IPF 225 allow tcp from any to any 143 out setup keep-state
$IPF 227 allow tcp from any to any 443 in setup keep-state
$IPF 228 allow tcp from any to any 443 out setup keep-state
$IPF 230 allow tcp from any to any 465 in setup keep-state
$IPF 235 allow tcp from any to any 465 out setup keep-state
$IPF 250 allow tcp from any to any 587 in setup keep-state
$IPF 255 allow tcp from any to any 587 out setup keep-state
$IPF 260 allow tcp from any to any 993 in setup keep-state
$IPF 265 allow tcp from any to any 993 out setup keep-state
$IPF 270 allow tcp from any to any 995 in setup keep-state
$IPF 275 allow tcp from any to any 995 out setup keep-state
$IPF 280 allow tcp from any to any 1194 in setup keep-state
$IPF 285 allow tcp from any to any 1194 out setup keep-state
$IPF 286 allow udp from any to any 1194 in setup keep-state
$IPF 287 allow udp from any to any 1194 out setup keep-state

#$IPF 290 allow tcp from any to any 9000 in setup keep-state
#$IPF 295  allow tcp from any to any 9000 out setup keep-state

# deny and log everything

$IPF 500 deny log all from any to any

I even tried twice to open the port. Checking the logs, it shows that catch-all rule 500 is denying my OpenVPN traffic.

Stop IPFW and all works.
 

obsigna

Daemon


It is not quite clear what you want to achieve.

How about explaining more details of your setup, e.g:
  • where are the OpenVPN endpoints located with respect to the ipfw(8) firewall?
  • why do you believe that the firewall needs to provide NAT?
  • you want ipfw to provide NAT but your ruleset is missing NAT rules, why?
Obviously you opted for stateful firewall operation. Then what purpose do all these ... in ... rules serve? See: https://forums.freebsd.org/threads/ipfw-share-internet.62149/post-369231

Decide what you want. In the case of a normal firewall, remove all these setup keep-state directives. In the case of a stateful firewall, remove all the ... in ... rules. If you want to keep your ruleset stateful, then note also that UDP packets do not come with SYN flags, and therefore UDP rules with the setup modifier would never match. So all the stateful UDP rules must be tagged not with setup keep-state but with keep-state only. A UDP rule with setup has the same effect as if the rule did not exist at all.

Finally, in case you figure that you really need a NAT'ing stateful ipfw firewall, you need to take special care about the placement of the NAT rules. See this post for some hints: https://forums.freebsd.org/threads/ipfw-share-internet.62149/post-358758
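The three points above (no setup on UDP rules, no separate ... in ... rules once the ruleset is stateful, and NAT rules placed so that state is created on the pre-NAT addresses) put together for the situation the first post describes: OpenVPN listening on UDP 1194 on the firewall host itself, with the VPN clients' internet traffic routed out through it. This is an added example written for this page; it is not a ruleset posted by either participant nor one shipped by the FreeBSD project. The interface names em0 and tun0, the choice of exposed services, and the sysctl settings are assumptions; the NAT placement follows the pattern of the FreeBSD Handbook's in-kernel NAT example (inbound nat before check-state, outbound keep-state then skipto the nat rule).

```shell
#!/bin/sh
# Stateful ipfw ruleset with in-kernel NAT for an OpenVPN server that runs
# on the firewall host. Added example for this thread, not the OP's ruleset.
# Assumed (not from the thread): public interface em0, tunnel interface tun0,
# OpenVPN on UDP 1194, SSH as the only other exposed service.
PIF="${PIF:-em0}"           # public interface (assumed name)
VIF="${VIF:-tun0}"          # OpenVPN tunnel interface
IPFW="${IPFW:-ipfw -q}"     # IPFW=echo prints the rules instead of loading them

ruleset() {
    $IPFW -f flush
    # One NAT instance bound to the public interface. unreg_only: translate
    # only RFC1918 sources (the VPN pool), never the host's own public address.
    $IPFW nat 1 config if "$PIF" same_ports unreg_only reset

    $IPFW add 10 allow ip from any to any via lo0
    $IPFW add 20 deny ip from any to 127.0.0.0/8
    $IPFW add 30 deny ip from 127.0.0.0/8 to any
    # Packets inside the tunnel were already authenticated by OpenVPN.
    $IPFW add 40 allow ip from any to any via "$VIF"

    # Inbound on the public side: reassemble fragments, then un-NAT BEFORE
    # check-state so replies to translated flows match their dynamic rule.
    $IPFW add 100 reass ip from any to any in via "$PIF"
    $IPFW add 110 nat 1 ip from any to any in via "$PIF"
    $IPFW add 120 check-state

    # Outbound: create state on the pre-NAT addresses, then jump to the NAT
    # rule. 'setup' matches the TCP SYN and means nothing for UDP or ICMP,
    # so those rules carry keep-state alone.
    $IPFW add 200 skipto 1000 tcp from any to any out via "$PIF" setup keep-state
    $IPFW add 210 skipto 1000 udp from any to any out via "$PIF" keep-state
    $IPFW add 220 skipto 1000 icmp from any to any out via "$PIF" keep-state

    # Services reachable from the public side. 'me' restricts them to the
    # firewall's own addresses. No 'setup' on the UDP rule.
    $IPFW add 300 allow udp from any to me 1194 in via "$PIF" keep-state
    $IPFW add 310 allow tcp from any to me 22 in via "$PIF" setup keep-state

    # Default deny; only outbound traffic that took the skipto passes it.
    $IPFW add 900 deny log ip from any to any

    # Outbound NAT. Rule 1010 (and the rules after 100/110 on the inbound
    # side) are evaluated only with net.inet.ip.fw.one_pass=0; with the
    # default of 1 the packet is not re-injected after reass or nat.
    $IPFW add 1000 nat 1 ip from any to any out via "$PIF"
    $IPFW add 1010 allow ip from any to any
}

# Print the rules that ruleset() would load, without touching the kernel.
preview() { ( IPFW=echo; ruleset ); }

case "${1:-}" in
    apply)
        sysctl net.inet.ip.forwarding=1 >/dev/null   # route the VPN clients' traffic
        sysctl net.inet.ip.fw.one_pass=0 >/dev/null  # continue after reass/nat
        ruleset ;;
    preview)
        preview ;;
esac
```

`sh ipfw-vpn.sh preview` shows the rules; `sh ipfw-vpn.sh apply` loads them. For goal (b) in the thread, the OpenVPN server configuration additionally has to send clients a default route through the tunnel (`push "redirect-gateway def1"`), which is an OpenVPN setting, not an ipfw one. Rule 40 trusts everything the tunnel delivers; if clients should only reach specific services, replace it with per-service rules on tun0.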

captcurrent

Member


Thank you for taking the time for your detailed response. I guess the whole idea is well above my understanding. I can't even answer your first three questions.

I was a) trying to provide a secure, non-public way to access my server, and b) if feasible, be able to send my internet traffic through the VPN.

From your input, I don't see myself accomplishing that.

Thanks again for taking the time.