Re: Policy routing with IPFW

From: Crist J. Clark (cristjc_at_comcast.net)
Date: 04/16/04

  • Next message: Jason Stone: "Re: recommended SSL-friendly crypto accelerator"
    Date: Fri, 16 Apr 2004 13:30:40 -0700
    To: Stephen Gill <gillsr@yahoo.com>
    
    

    On Thu, Apr 15, 2004 at 03:39:45PM -0700, Stephen Gill wrote:
    > Hi David,
    >
    > Well, that might be a half a step closer... I just tried this
    > combination with a 50% success rate :). Inbound connections work quite
    > well, but connections originating from the box itself do not work.
    > Any ideas as to how to make this rulebase work with policy routing for
    > outbound connections as well?
    >
    > I think it is interfering with the dynamic rules. ICMP appears to
    > work, but that is all. I would like to still use the dynamic
    > capabilities of stateful filtering if possible.

    That is a problem with your setup since 'fwd' rules match and exit.
    So what happens is,

    > # POLICY ROUTING
    > ${fwcmd} add 095 allow ip from ${IP1} to ${IP1-NET}
    > ${fwcmd} add 100 fwd ${IP1-GW} ip from ${IP1} to any

    Packets match here and go out.

    > ${fwcmd} add 110 allow ip from ${IP2} to ${IP2-NET}
    > ${fwcmd} add 115 fwd ${IP2-FW} ip from ${IP2} to any

    Or match here and go out.

    Which means they never reached these:

    > # Allow from me to anywhere
    > ${fwcmd} add 240 allow tcp from me to any setup keep-state
    > ${fwcmd} add 260 allow udp from me to any keep-state
    > ${fwcmd} add 280 allow icmp from me to any

    This also will mess with stateful connections (TCP) coming in since
    the responses never get seen by the dynamic rules.

    For incoming connections, using dynamic rules is actually bad for
    security in the first place, so dropping that is not a problem.

    For the outgoing traffic... problem.

      $fwcmd add fwd ${IP1-GW} tcp from me to any setup keep-state

    Won't work since applying a 'fwd' to the returning traffic is
    a bad idea (routing loop).

    -- 
    Crist J. Clark                     |     cjclark@alum.mit.edu
                                       |     cjclark@jhu.edu
    http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
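As an added illustration, not part of the original message and not ipfw's own code, the following Python model of ipfw's first-match evaluation walks through the three situations Crist describes: the quoted ruleset (the outbound SYN exits at the 'fwd' rule before any keep-state rule is reached, so no dynamic rule exists for the reply), a keep-state rule placed ahead of the 'fwd' rules (the reply is now accepted, but the outbound packet exits at the 'allow' and is never policy routed), and the 'fwd ... keep-state' variant (the dynamic rule inherits the parent's 'fwd' action, so the returning packet is forwarded to the gateway instead of being delivered locally, which is the loop he warns about). The addresses standing in for ${IP1}, ${IP1-NET}, ${IP1-GW}, ${IP2}, ${IP2-NET} and ${IP2-FW} are constructed, and the default rule is assumed to be 'deny'.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses standing in for the ${IP1}, ${IP1-NET},
# ${IP1-GW}, ${IP2}, ${IP2-NET} and ${IP2-FW} variables in the quoted rules.
IP1, IP1_NET, IP1_GW = "192.0.2.10", "192.0.2.0/24", "192.0.2.1"
IP2, IP2_NET, IP2_FW = "198.51.100.10", "198.51.100.0/24", "198.51.100.1"
ME = {IP1, IP2}          # addresses of the firewall host ('me' in ipfw)
DEFAULT_RULE = 65535     # ipfw's default rule; assumed here to be 'deny'


@dataclass
class Packet:
    proto: str            # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    setup: bool = False   # True for a TCP packet with only SYN set


@dataclass
class Rule:
    number: int
    action: str           # 'allow', 'fwd' or 'deny'
    proto: str            # 'ip' matches every protocol
    src: str              # 'me', 'any' or an address
    dst: str              # 'any', an address or a CIDR network
    setup: bool = False   # only match a TCP SYN (ipfw 'setup')
    keep_state: bool = False
    nexthop: str = ""     # next-hop for 'fwd'


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.setup and not (pkt.proto == "tcp" and pkt.setup):
        return False
    return addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)


def evaluate(rules, pkt: Packet, state: dict):
    """First-match evaluation; returns (action, rule_number).

    'state' maps (proto, addr_a, addr_b), with the two addresses sorted, to
    the (action, number) of the rule that created the dynamic entry, so a
    reply matches the entry its request created and inherits that action.
    The dynamic table is consulted at the first keep-state rule reached,
    mirroring ipfw's implicit check-state at that point.
    """
    key = (pkt.proto,) + tuple(sorted((pkt.src, pkt.dst)))
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.keep_state and key in state:
            return state[key]                     # matched a dynamic rule
        if not rule_matches(rule, pkt):
            continue
        if rule.keep_state:
            state[key] = (rule.action, rule.number)
        return rule.action, rule.number           # allow, fwd and deny all exit
    return "deny", DEFAULT_RULE


# The ruleset quoted in the thread (rule numbers as given there).
POLICY_ROUTED = [
    Rule(95, "allow", "ip", IP1, IP1_NET),
    Rule(100, "fwd", "ip", IP1, "any", nexthop=IP1_GW),
    Rule(110, "allow", "ip", IP2, IP2_NET),
    Rule(115, "fwd", "ip", IP2, "any", nexthop=IP2_FW),
    Rule(240, "allow", "tcp", "me", "any", setup=True, keep_state=True),
    Rule(260, "allow", "udp", "me", "any", keep_state=True),
    Rule(280, "allow", "icmp", "me", "any"),
]
# Same rules with the stateful allow moved ahead of the 'fwd' rules.
STATE_FIRST = [Rule(90, "allow", "tcp", "me", "any", setup=True, keep_state=True)] + POLICY_ROUTED
# The 'fwd ... setup keep-state' variant from the end of the message.
FWD_KEEP_STATE = [Rule(100, "fwd", "tcp", "me", "any", setup=True, keep_state=True, nexthop=IP1_GW)]


def trace_outbound_tcp(rules):
    """Send a SYN from IP1 to a remote host, then feed the SYN-ACK back in.
    Returns ((action, rule) for the SYN, (action, rule) for the reply)."""
    state = {}
    remote = "203.0.113.5"   # constructed remote address
    syn = Packet("tcp", IP1, remote, setup=True)
    syn_ack = Packet("tcp", remote, IP1)
    return evaluate(rules, syn, state), evaluate(rules, syn_ack, state)


if __name__ == "__main__":
    for name, rules in (("quoted ruleset", POLICY_ROUTED),
                        ("keep-state before fwd", STATE_FIRST),
                        ("fwd with keep-state", FWD_KEEP_STATE)):
        print(name, trace_outbound_tcp(rules))
```

Running it shows the quoted ruleset forwarding the SYN at rule 100 and then dropping the SYN-ACK at the default rule, the reordered set accepting both packets at rule 90 without ever applying 'fwd' to the outbound SYN, and the fwd-with-keep-state variant applying 'fwd' to the returning SYN-ACK as well.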
    
