Thread: Need help: fwd on ipfw
Need help: fwd on ipfw
2005-10-05 05:40:39
On 10/5/05, Foo Ji-Haw <jhfoonexlabs.com> wrote:
> Hello Anderson,
>
> I hope you can lend me your experience and generosity again in a follow-up
> question I have with ipfw. Basically I have had much help from the Handbook.
> It's some small things that I get stuck with. Unfortunately I can't figure a
> way around it.
>
> Below is my firewall configuration:
> 00100 check-state
> 00300 allow ip from any to 192.168.0.4 in via dc0
> 00400 allow ip from 192.168.0.4 to any out via dc0
> 00600 allow ip from 127.0.0.1 to 127.0.0.1
> 00700 allow icmp from 10.10.0.0/16 to 10.10.0.0/16
> 00900 allow ip from 10.10.0.0/16 to 10.10.0.0/16 dst-port 67,68,80
> 01000 allow ip from 10.10.0.0/16 to 10.10.0.0/16 dst-port 53
> 01050 allow ip from 10.10.0.0/16 to 10.10.0.0/16
> 01060 allow ip from any to any MAC any 00:90:d1:00:80:00/33
> 01100 fwd 10.10.10.10,80 tcp from 10.10.0.0/16 to any dst-port 80 in via vr0
> 01200 allow ip from any to any
> 65535 deny ip from any to any
>
> My box has 2 interfaces. dc0 is the trusted network, vr0 is the untrusted
> network (the implementation is for a captive portal). The server's IP on vr0
> is 10.10.10.10.
>
> Problem 1:
> My rule (900) to allow the clients on vr0 to talk to the server's dhcpd
> service works well. But I can't get them to connect to the DNS service (rule
> 1000). I don't understand why this is so, because the same DNS service works
> well for clients on dc0. DNS will work if rule 1200 is in place (of course,
> 1200 should not be there).
>
> Problem 2:
> Rule 1100 is key for the captive portal setup. Any outgoing web traffic from
> vr0 will be redirected to the 'login' page at 10.10.10.10:80. And it works
> (fortunately!). But only with 1200 in place. Does this mean that after
> processing rule 1100 ipfw continues to process the rest of the rules?
>
> Problem 3:
> I need to grant an authenticated client with the specified MAC address (1060)
> full access to the Internet, thereby bypassing fwd 1100. If I replace 1060
> with:
> 01060 allow ip from 10.10.10.100 to any
> the access is OK. But I need to lock down at the MAC level (to prevent IP
> spoofing). Can you advise me on the correct statement? This is the most
> frustrating question I have among the 3.
>
> Appreciate your time on this. Thanks again!
>

Please cc the mailing list unless your problem is purely between you and me.

Before I start answering your questions, let me give you some advice.

1. Don't do check-state unless you really need (and have configured) a stateful firewall.

2. Use "xmit" and "recv" instead of "via" whenever possible. In your case rule 300 should contain "in recv" and the next one "out xmit".

3. A much better way to pass loopback traffic is:
"allow ip from any to any via lo0"
"deny ip from any to 127.0.0.0/8"
"deny ip from 127.0.0.0/8 to any"
(these should usually be at the very top)

4. It's a wonder that your rule 900 somehow allows DHCP to work. It certainly shouldn't. DHCP requires much less restrictive rules (including broadcasts and an undefined source).

5. You must always keep in mind that any communication between a server and a client requires packets to go both ways, sometimes passing the firewall 2 times in each direction. Your rule 1000 only allows DNS queries to get through to the DNS server; the corresponding answers will be blocked. I suppose that rule 1050 or 1200 solves the problem, but if you want to restrict traffic you should come up with something else. The same goes for your rule 1100: you block all the HTTP answers.

6. Sad, but true: you can never rely on MAC-binding security in a production network. A MAC address is as easily spoofed as anything. Moreover, ipfw has not been designed for layer-2 packet inspection, so you'll stumble upon many problems and unexpected results. You'd better come up with a VPN/IPsec solution.



Cheerz,
Andrew P.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
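The ruleset below is an added example, not the poster's configuration and not FreeBSD's own rc.firewall. It rewrites the captive-portal firewall from the thread the way the reply recommends: loopback rules at the top, recv/xmit instead of via, an explicit return path for DHCP, DNS and the redirected HTTP traffic, and no check-state. Interface names and addresses are the ones given in the thread; the authenticated client address 10.10.10.100 is the poster's own test address and is assumed here to be a client that has logged in. It also assumes the box routes without NAT (a natd divert rule would change the addresses ipfw sees). One caveat on DHCP from the editor, not from the thread: ISC dhcpd on FreeBSD sends and receives through bpf, which ipfw does not filter, so the poster's rule 900 may have "worked" only because dhcpd never went through ipfw at all; the DHCP rules below are still the ones a client stack that does pass through ip needs. The script prints the rules by default so they can be reviewed; set IPFW="ipfw -q" to apply them as root.

```shell
#!/bin/sh
# Added example: captive-portal ipfw ruleset following the advice in the thread.
# Not the poster's ruleset and not FreeBSD's rc.firewall. Dry run unless IPFW is set.

TRUSTED_IF=dc0              # trusted LAN (from the thread)
UNTRUSTED_IF=vr0            # captive-portal side (from the thread)
SERVER_IP=10.10.10.10       # this box's address on vr0: dhcpd, DNS, login page
CLIENTS=10.10.0.0/16        # portal client network (from the thread)
TRUSTED_HOST=192.168.0.4    # the dc0 host from rules 300/400 in the thread
AUTHED_CLIENT=10.10.10.100  # assumed: one client that has authenticated

IPFW="${IPFW:-echo ipfw}"   # IPFW="ipfw -q" applies the rules for real

build_rules() {
    $IPFW -f flush

    # Loopback first: pass lo0, then refuse 127/8 on every other interface.
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 deny ip from any to 127.0.0.0/8
    $IPFW add 120 deny ip from 127.0.0.0/8 to any

    # Trusted side: rules 300/400 from the thread with recv/xmit instead of via.
    $IPFW add 200 allow ip from any to $TRUSTED_HOST in recv $TRUSTED_IF
    $IPFW add 210 allow ip from $TRUSTED_HOST to any out xmit $TRUSTED_IF

    # DHCP on the untrusted side. A client with no lease sends from
    # 0.0.0.0:68 to 255.255.255.255:67, so the source cannot be limited to
    # $CLIENTS; the server answers from port 67 to port 68, often to broadcast.
    $IPFW add 300 allow udp from any 68 to any 67 in recv $UNTRUSTED_IF
    $IPFW add 310 allow udp from any 67 to any 68 out xmit $UNTRUSTED_IF

    # DNS: query in, answer back out (rule 1000 in the thread had only the
    # first half). TCP is allowed for large answers; 'established' on the
    # reply rule stops the server from opening connections from port 53.
    $IPFW add 400 allow udp from $CLIENTS to $SERVER_IP 53 in recv $UNTRUSTED_IF
    $IPFW add 410 allow udp from $SERVER_IP 53 to $CLIENTS out xmit $UNTRUSTED_IF
    $IPFW add 420 allow tcp from $CLIENTS to $SERVER_IP 53 in recv $UNTRUSTED_IF
    $IPFW add 430 allow tcp from $SERVER_IP 53 to $CLIENTS out xmit $UNTRUSTED_IF established

    # Authenticated client bypasses the portal, so these rules sit before fwd.
    # A forwarded packet passes ipfw twice (in on vr0, out on dc0) and its
    # reply twice more (in on dc0, out on vr0). 'recv vr0' with neither in
    # nor out matches both passes of the outbound packet. This is an IP
    # binding: the reply above notes it is as spoofable as a MAC binding.
    $IPFW add 500 allow ip from $AUTHED_CLIENT to any recv $UNTRUSTED_IF
    $IPFW add 510 allow ip from any to $AUTHED_CLIENT in recv $TRUSTED_IF
    $IPFW add 520 allow ip from any to $AUTHED_CLIENT out xmit $UNTRUSTED_IF

    # Captive portal. fwd is a terminating action: the redirected packet is
    # accepted by rule 600 and ipfw does not keep searching. fwd to a local
    # address does not rewrite the packet, the local socket sees the original
    # destination and replies from it, so the return rule matches on port 80
    # rather than on $SERVER_IP.
    $IPFW add 600 fwd $SERVER_IP,80 tcp from $CLIENTS to any dst-port 80 in recv $UNTRUSTED_IF
    $IPFW add 610 allow tcp from any 80 to $CLIENTS out xmit $UNTRUSTED_IF established

    # Everything else is dropped and logged. The built-in rule 65535 is deny
    # unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT.
    $IPFW add 65000 deny log ip from any to any
}

# Review helpers: print the ruleset without applying it, and look up the
# number of the first rule whose text contains $1.
dry_run() {
    ( IPFW="echo ipfw"; build_rules )
}

rule_num() {
    dry_run | grep -F -- "$1" | head -n 1 | awk '{ print $3 }'
}

build_rules
```

Run it once without IPFW set and read the output top to bottom: every service on vr0 should appear as a pair (in recv vr0, out xmit vr0), the authenticated-client rules should carry lower numbers than the fwd rule, and nothing but the loopback rules should reference 127/8.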