The FreeBSD Diary
Firewalls / ipfw - protect your subnet
20 October 1998
See also Firewall rules - some more work.

A firewall is a good line of defense against external intruders. It can allow precisely what you want and exclude everything you don't want. I'm using ipfw, which [I think] means Internet Packet FireWall. This section deals mostly with how to configure ipfw. For details on how to install ipfw, see Firewalls, filtering, ipfw, and FTP clients.
Deny everything. Accept nothing.
My first step was to try invoking the simple firewall by telnetting to my box and typing sh /etc/rc.firewall. That worked. But it also terminated my telnet session! <grin> Then, from the console, I did sh /etc/rc.firewall simple. That worked, but it also stopped IRC from working. It must be something in the rules. The existing rules did not allow me to ping other machines from my FreeBSD box. That's because, by default, everything is denied. That's a good thing because it means you aren't allowing things you don't want. It also means you must explicitly state what you do want.
Getting ping to work
I received the following message. This applied to local machines and to those in the outside world.
What is denying?
But I have bigger problems. I can access my local webserver via its internal address and via its external address. But I cannot access an external website. I can access my local POP3 server but not my ISP's. Something in the rules is preventing this. I think I must explicitly allow these things. I tried removing some of the deny rules, but that didn't achieve anything. Here are the firewall rules you get if you don't specify which model you want:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 divert 8668 ip from any to any via ed0
65000 allow ip from any to any
65535 deny ip from any to any

The above rule set allows me to do whatever I need to do. So these rules within the simple rule set aren't the problem. It must be the other rules.
Found!
I've done some testing. By removing rules one at a time and trying connections to the outside world, I've found the rules which prevent the connections. Here are the rules and the connections they prevented:

$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out
$fwcmd add deny log tcp from any to any in via ${oif} setup
IRC
I spent some time talking to virus on Undernet #FreeBSD. He suggested I add these two rules to allow IRC:

# allow IRC
$fwcmd add allow tcp from any to ${oip} 194
$fwcmd add allow udp from any to ${oip} 194

By doing that, I could reinstate rule 01300 listed above.
A temporary fix
This rule set seems fine now:

01800 allow ip from any to any

Now I've started to get rid of rule 01800 above. It's not very secure.
21 October 1998
I've replaced:

$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}

with

$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out

I'm not sure what's at fault. It's either the rule or it's ipfw. I'm undecided. I've posted a message to the questions mailing list. I've also noticed that it takes much longer to connect via IRC with the simple firewall model than with the open model. I have no idea why. Something is definitely wrong somewhere. I'll find out where.
ipfw version
I've discovered which version of ipfw I'm running (as taken from /usr/src/sbin/ipfw/ipfw.c):

* $Id: firewall.php,v 1.26 2007-08-27 16:34:46 dan Exp $
Speeding things up
In an attempt to speed up the connection time, I decided to remove some rules. After a few tests, I found this rule was the culprit:

$fwcmd add deny log tcp from any to any in via ${oif} setup

This was the bottleneck. For whatever reason, this causes the connection time to become unacceptably long. Without this rule, the connect time is < 2s. With this rule, the time required to connect is > 1:30. Interesting! Perhaps I need other rules before this in order to speed things up. After some talk in #nz, I was told that I was probably blocking ident. So I added the following two rules:

# allow IDENT
$fwcmd add allow tcp from any to ${oip} 113
$fwcmd add allow udp from any to ${oip} 113

With these rules in place, I removed the following rule which I added earlier:
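As an added example that is neither the diary's own rc.firewall nor FreeBSD's, here is a dry-run version of the simple rule set above with the ident and IRC allows numbered ahead of the catch-all inbound-setup deny, plus a check that the ordering holds; oif, oip and fwcmd are assumed names and the address is a constructed TEST-NET value.

```sh
#!/bin/sh
# Added example (not the diary's rc.firewall). ipfw evaluates rules in
# number order and the first match wins, so an "allow ... 113" rule only
# helps if it sorts BEFORE "deny log tcp from any to any in ... setup".
# Assumed names: oif = outside interface, oip = its address; fwcmd
# defaults to "echo ipfw" so nothing is loaded, the rules are just printed.
oif="${oif:-ed0}"
oip="${oip:-192.0.2.10}"          # constructed example address (TEST-NET-1)
fwcmd="${fwcmd:-echo ipfw}"

load_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 300 divert 8668 ip from any to any via ${oif}
    # Anti-spoof: private addresses must not arrive from the outside.
    # Matching on the SOURCE matters: after natd has rewritten an inbound
    # reply its destination is already the inside 192.168 address, so a
    # "to 192.168.0.0/16 via oif" rule here would drop those replies.
    ${fwcmd} add 400 deny all from 192.168.0.0:255.255.0.0 to any in via ${oif}
    ${fwcmd} add 500 allow tcp from any to any established
    ${fwcmd} add 600 allow tcp from any to any out via ${oif} setup
    # allow IDENT, so IRC servers get an answer instead of a long timeout
    ${fwcmd} add 700 allow tcp from any to ${oip} 113 setup
    # allow IRC
    ${fwcmd} add 800 allow tcp from any to ${oip} 194 setup
    # Any other inbound connection attempt is logged and dropped.
    ${fwcmd} add 900 deny log tcp from any to any in via ${oif} setup
}

# Print the number of the first rule whose text matches pattern $1.
rule_number() {
    load_rules | awk -v pat="$1" '$0 ~ pat { print $3; exit }'
}

# Ordering check: the ident allow must carry a lower number than the
# inbound-setup deny, otherwise it is never reached.
check_order() {
    ident=$(rule_number "to ${oip} 113")
    deny=$(rule_number 'deny log tcp')
    [ -n "$ident" ] && [ -n "$deny" ] && [ "$ident" -lt "$deny" ]
}
```

Run it as-is to see the rule listing; set fwcmd=/sbin/ipfw to load the rules for real.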
ipfw with DHCP etc
8 August 2000
Ernie wrote in with these tips:

onet=`ifconfig ep0 |grep "inet " |awk '{print $6}'`
onet=255.255.255.x
oip=`ifconfig ep0 |grep "inet " |awk '{print $2}'`

Thanks Ernie.