RE: statefull packet filter together with natd question

From: Peter Brezny (peter@sysadmin-inc.com)
Date: 01/03/01


From: "Peter Brezny" <peter@sysadmin-inc.com>
To: <darren@nighttide.net>
Date: Wed, 3 Jan 2001 13:44:35 -0800

This is very similar to what I came up with.

http://www.bsdtoday.com/2000/December/Features359.html

Peter Brezny
SysAdmin Services Inc.

-----Original Message-----
From: darren@nighttide.net [mailto:darren@nighttide.net]
Sent: Tuesday, January 02, 2001 6:09 PM
To: Steven Kehlet
Cc: Rene de Vries; Luigi Rizzo; freebsd-security@FreeBSD.ORG
Subject: Re: statefull packet filter together with natd question

On Tue, 2 Jan 2001, Steven Kehlet wrote:

> [ moved from -hackers to -security ]
>
> For whatever it's worth, I struggled with this same problem for an
> entire day before giving up and using ipfilter. It seems to me
> that there is a fundamental problem with using the ipfw stateful
> rules and natd (as I'm sure you discovered yourself): the ordering

Perhaps I'm missing the gist of the problem (not enough details here) but
I haven't seen any problems with this under 4.2-Stable (haven't
used natd with a 5-Current system yet). Sample rule set follows. Let me
know if you (or anyone for that matter) see any problems with this.

#!/bin/sh

fwcmd="/sbin/ipfw"

oif="ppp0"
oip="a.b.c.d"
iif="dc0"
iip="10.a.b.c"
imk="10.a.b.c/8"

$fwcmd -f flush

# loopback has to work
$fwcmd add allow all from any to any via lo0

# disallow spoofing of loopback
$fwcmd add deny log all from any to 127.0.0.0/8

# disallow spoofing of our address
$fwcmd add deny log ip from $oip to any in via $oif

# no private space address should cross the outside interface
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
$fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
$fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif

# stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny log all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny log all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny log all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny log all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny log all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny log all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny log all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny log all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny log all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny log all from any to 240.0.0.0/4 in via $oif

# divert everything crossing the outside interface to natd (before any stateful rule)
$fwcmd add divert natd all from any to any via $oif

# allow all established sessions
$fwcmd add allow tcp from any to any established

# we want to allow some connections to originate outside
$fwcmd add allow tcp from any to $oip 21,22,25,53,80,113 setup

# allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 0,3,4,8,11,12

# allow udp dns queries
$fwcmd add allow udp from any to any 53
$fwcmd add allow udp from any 53 to any

# allow traceroute
$fwcmd add allow udp from any to $oip 33400-33499 via $oif

# allow smb traffic
$fwcmd add allow udp from any to any 137-139 via $iif

# match against the dynamic rules created by the keep-state rules below
$fwcmd add check-state

# let this machine talk to anyone
$fwcmd add allow ip from $oip to any keep-state out via $oif

# allow any traffic from the inner network to any
$fwcmd add allow ip from $imk to any keep-state via $iif

# deny everything else
$fwcmd add 65435 deny log logamount 1000 ip from any to any

______________________________________________________________________
Darren Henderson darren@nighttide.net

                   Help fight junk e-mail, visit http://www.cauce.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
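The ordering point raised in the thread (divert before the stateful rules) can be checked with a small model. The script below is an added example, not code from the thread or from FreeBSD: it is a toy first-match model of ipfw with a simplified natd, using constructed addresses (198.51.100.7 stands in for a.b.c.d, 10.0.0.5 for an inside host, 203.0.113.9 for an outside server). It walks one UDP exchange through Darren's ordering (divert, check-state, keep-state rules) and through the same rules with check-state moved ahead of the divert rule. Rule names, the `Firewall`, `Natd` and `run_flow` helpers are inventions of this example; dynamic rules are modelled as bidirectional 5-tuples and the implicit check-state of ipfw keep-state rules is not modelled, so every ordering here uses an explicit check-state.

```python
"""Toy first-match model of ipfw + natd rule ordering (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass, replace

OIF, IIF = "ppp0", "dc0"                 # interface names from the posted rule set
OIP = "198.51.100.7"                     # constructed stand-in for the public address a.b.c.d
INNER = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" or "out"
    iface: str

    def tuple5(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


class Natd:
    """Simplified natd: outbound via the outside interface gets the public source, inbound is mapped back."""
    def __init__(self):
        self.table = {}   # (proto, public port) -> (private address, private port)

    def translate(self, p):
        if p.direction == "out" and ipaddress.ip_address(p.src) in INNER:
            self.table[(p.proto, p.sport)] = (p.src, p.sport)   # assume the port is free and kept
            return replace(p, src=OIP)
        if p.direction == "in" and p.dst == OIP and (p.proto, p.dport) in self.table:
            addr, port = self.table[(p.proto, p.dport)]
            return replace(p, dst=addr, dport=port)
        return p


class Firewall:
    def __init__(self, rules):
        self.rules = rules          # list of (action, predicate), first match wins
        self.dynamic = set()        # dynamic rules as 5-tuples, matched in both directions
        self.natd = Natd()

    def _state_match(self, p):
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return p.tuple5() in self.dynamic or rev in self.dynamic

    def pass_packet(self, p):
        """One traversal of the rule set; returns (verdict, packet as it leaves ipfw)."""
        for action, match in self.rules:
            if action == "check-state":
                if self._state_match(p):
                    return "allow", p
                continue
            if not match(p):
                continue
            if action == "divert":
                p = self.natd.translate(p)   # natd re-injects at the rule after the divert
                continue
            if action == "allow keep-state":
                self.dynamic.add(p.tuple5())
                return "allow", p
            return action, p                 # "allow" or "deny"
        return "deny", p


def keep_state(src, iface, direction=None):
    """An 'allow ip from <src> to any keep-state [in|out] via <iface>' rule."""
    def match(p):
        if isinstance(src, ipaddress.IPv4Network):
            src_ok = ipaddress.ip_address(p.src) in src
        else:
            src_ok = p.src == src
        return src_ok and p.iface == iface and (direction is None or p.direction == direction)
    return ("allow keep-state", match)


# Ordering A: the posted rule set, reduced to the rules that matter for this flow.
RULES_A = [
    ("divert", lambda p: p.iface == OIF),   # divert natd all from any to any via $oif
    ("check-state", None),
    keep_state(OIP, OIF, "out"),            # allow ip from $oip to any keep-state out via $oif
    keep_state(INNER, IIF),                 # allow ip from $imk to any keep-state via $iif
    ("deny", lambda p: True),               # deny ip from any to any
]
# Ordering B: identical, except check-state sits ahead of the divert rule.
RULES_B = [RULES_A[1], RULES_A[0], RULES_A[2], RULES_A[3], RULES_A[4]]


def forward(fw, p, in_iface, out_iface):
    """A forwarded packet crosses ipfw twice: in on one interface, out on the other."""
    verdict, p = fw.pass_packet(replace(p, direction="in", iface=in_iface))
    if verdict != "allow":
        return verdict, p
    return fw.pass_packet(replace(p, direction="out", iface=out_iface))


def run_flow(rules):
    """Inside host 10.0.0.5 sends a UDP query to 203.0.113.9:123 and gets a reply."""
    fw = Firewall(rules)
    query = Pkt("udp", "10.0.0.5", 5000, "203.0.113.9", 123, "in", IIF)
    v_out, left = forward(fw, query, IIF, OIF)
    result = {"query": v_out, "left_with_src": left.src}
    if v_out == "allow" and left.src == OIP:
        reply = Pkt("udp", left.dst, left.dport, left.src, left.sport, "in", OIF)
        v_in, delivered = forward(fw, reply, OIF, IIF)
        result["reply"], result["reply_delivered_to"] = v_in, delivered.dst
    else:
        result["reply"] = "unanswerable"    # a 10/8 source on the outside interface never gets a reply
    probe = Pkt("udp", "203.0.113.9", 123, OIP, 6000, "in", OIF)   # unsolicited inbound packet
    result["unsolicited"] = fw.pass_packet(probe)[0]
    return result


if __name__ == "__main__":
    print("A (divert first):", run_flow(RULES_A))
    print("B (check-state first):", run_flow(RULES_B))
```

With ordering A the query leaves translated, the reply is translated back by the divert rule before check-state sees it and so matches the dynamic rule created on the dc0 pass, and the unsolicited probe falls through to the deny. With ordering B the outbound pass via ppp0 is accepted by check-state before the packet ever reaches the divert rule, so it leaves the outside interface with its private source address; that is the ordering problem, not a failure of the dynamic rules themselves.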



