BSD Firewalls: IPFW Rulesets

Now that we've solved that one, let's see why ping isn't working even when I give it an IP address. If you've been following along in the series, you'll remember from Examining ICMP Packets that ping sends ICMP, not TCP. Since my ruleset only allows out TCP connections that I initiate, there is nothing to let my ICMP echo requests leave the machine; they fall through to the final deny rule, so no reply ever comes back.



Before adding any new rules to my ruleset, I'll become the superuser and see what the output of ipfw show looks like:

su
Password:
ipfw show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 check-state
00301 0 0 deny tcp from any to any in established
00302 21 15144 allow tcp from any to any out keep-state setup
65535 142 10531 deny ip from any to any
## Dynamic rules:
00302 19 15040 (T 0, # 147) ty 0 tcp, 24.141.119.162 2932 <-> 216.136.204.21 80

Note the Dynamic rules section; this is the state table. When I ran the command lynx 216.136.204.21 to connect to the http port (port 80) at www.freebsd.org, rule 00302 allowed my setup (SYN) packet out and added an entry to the state table. The entry is keyed on both ends of the connection: my address 24.141.119.162 with source port 2932, and 216.136.204.21 with port 80. Until that entry expires, the check-state rule (00300) passes the packets of this one connection in either direction, which is why I don't need a separate rule to let the web server's replies in. A packet from 216.136.204.21 to a different port on my machine, or from some other host, does not match the entry and is evaluated against the remaining rules instead.


You'll also note that rules 00302 and 65535 have two numbers next to them: the count of packets that matched the rule, followed by the count of bytes. The 142 packets denied by rule 65535 were the failed UDP and ICMP packets; "ip" in that rule matches every IP protocol, so anything not explicitly allowed by an earlier rule, UDP and ICMP included, ends up here.

Before I add any more rules to my ruleset, I'll use the ipfw zero command to reset these counters. This way, when I test my new rules, I'll be able to see which rules have new packet statistics next to them.

I'll now add some rules to allow DNS name resolution. DNS uses UDP, and UDP has no connection setup, so the setup and established keywords that let me pick out my own TCP connections don't apply here. (ipfw's keep-state can track UDP exchanges as well, but for now I'll stay with stateless rules.) Instead I can limit packets by the port number DNS uses (port 53), and I can choose to accept these packets only from the IP addresses of my provider's DNS servers. I discovered those IP addresses when I ran more /etc/resolv.conf. The in recv ed0 part of each rule restricts it to packets arriving on my external interface, ed0. Bear in mind that these rules let those three addresses, or anyone who can spoof them together with a source port of 53, reach any UDP port on my machine, not just the port my resolver is listening on; that is the price of matching on source port alone. I'll add the following lines to my /etc/ipfw.rules file:

#allow DNS
add 00400 allow udp from 24.226.1.90 53 to any in recv ed0
add 00401 allow udp from 24.226.1.20 53 to any in recv ed0
add 00402 allow udp from 24.2.9.34 53 to any in recv ed0

I'll then reload my rules using killall init and see if name resolution now works:

lynx www.freebsd.org
Alert!: Unable to access document.

Wait a minute, how come I'm still not getting name resolution when I've explicitly allowed in these UDP packets? Let's do an ipfw show to see which rule has a packet count next to it:

su
Password:
ipfw show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 check-state
00301 0 0 deny tcp from any to any in established
00302 0 0 allow tcp from any to any out keep-state setup
00400 0 0 allow udp from 24.226.1.90 53 to any in recv ed0
00401 0 0 allow udp from 24.226.1.20 53 to any in recv ed0
00402 0 0 allow udp from 24.2.9.34 53 to any in recv ed0
65535 30 2196 deny ip from any to any
## Dynamic rules:

The only rule with any packet statistics is the final deny rule; none of my allow udp rules matched a single packet. Then it dawns on me: I've never allowed any UDP packets "out", so my resolver's queries never leave the machine, and there are no replies waiting to come back in. Let's add one more line to the ruleset:

add 00403 allow udp from any to any out

Here I've allowed out all of my own UDP packets. That is broader than this task needs: the only UDP traffic I want to originate is DNS queries, so a tighter rule would be allow udp from any to 24.226.1.90 53 out xmit ed0 (one such rule per nameserver), which leaves every other outbound UDP port closed. For now the broad rule stays in the ruleset. I'll clear those statistics with ipfw zero, repeat the killall init command, and try one more time:

lynx www.freebsd.org

The main page of FreeBSD's website never looked so good. If I become the superuser, I should have a more satisfactory ipfw show output:

ipfw show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 check-state
00301 0 0 deny tcp from any to any in established
00302 20 15061 allow tcp from any to any out keep-state setup
00400 10 1882 allow udp from 24.226.1.90 53 to any in recv ed0
00401 0 0 allow udp from 24.226.1.20 53 to any in recv ed0
00402 0 0 allow udp from 24.2.9.34 53 to any in recv ed0
00403 10 591 allow udp from any to any out
65535 31 2577 deny ip from any to any
## Dynamic rules:
00302 19 15017 (T 0, # 236) ty 0 tcp, 24.141.119.162 4363 <-> 216.136.204.21 80

Note that rule 00403 let out my DNS queries, rule 00400 let in the replies (the resolver tries the nameservers in the order they appear in /etc/resolv.conf, so the first server answered and rules 00401 and 00402 were never needed), rule 00302 set up the HTTP connection, and I now have an entry in the state table for my HTTP connection to 216.136.204.21.
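As an added example (not part of the original column), here is a small sh script that generates the DNS rules from the nameserver lines of a resolv.conf, so the addresses in the ruleset cannot drift away from the ones the resolver actually queries. It pairs each inbound rule with a tightly scoped outbound rule for that server's port 53 instead of the blanket allow udp from any to any out. The interface name ed0, the starting rule number 400, the function names and the sample resolv.conf contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original column. Generates ipfw rules for
# DNS from the "nameserver" lines of a resolv.conf so that the allowed server
# addresses always match what the resolver will query. Assumptions: the
# external interface is ed0, rules start at 00400, and the sample resolv.conf
# below is constructed for the example.

# gen_dns_rules FILE [IFACE] [FIRST_RULE_NUMBER]
# For each distinct nameserver, emit an outbound rule limited to that server's
# port 53 on the external interface, then the matching inbound rule for its
# replies. Output is in the "add ..." form used in /etc/ipfw.rules.
gen_dns_rules() {
    resolv=$1
    iface=${2:-ed0}
    num=${3:-400}
    awk -v iface="$iface" -v num="$num" '
        $1 == "nameserver" && NF >= 2 {
            ns = $2
            if (seen[ns]++) next        # ignore a server listed twice
            printf "add %05d allow udp from any to %s 53 out xmit %s\n", num++, ns, iface
            printf "add %05d allow udp from %s 53 to any in recv %s\n", num++, ns, iface
        }
    ' "$resolv"
}

# count_rules FILE [IFACE] [FIRST_RULE_NUMBER]
# Number of rules gen_dns_rules produces: two per distinct nameserver.
count_rules() {
    gen_dns_rules "$@" | grep -c .
}

# Constructed sample resolv.conf using documentation addresses (RFC 5737);
# one server is deliberately listed twice to show duplicates are dropped.
make_sample_resolv() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
domain example.invalid
nameserver 192.0.2.53
nameserver 198.51.100.53
nameserver 192.0.2.53
EOF
    printf '%s\n' "$f"
}

# Usage: sh gen_dns_rules.sh /etc/resolv.conf ed0 400 >> /etc/ipfw.rules
# With arguments, print the rules for the given file; with none, demonstrate
# on the constructed sample.
if [ $# -gt 0 ]; then
    gen_dns_rules "$@"
else
    sample=$(make_sample_resolv)
    gen_dns_rules "$sample"
    rm -f "$sample"
fi
```

Two rules per server replace the single allow udp from any to any out. With ipfw's stateful matching you could go one step further and write a single allow udp from me to <server> 53 out keep-state rule per server and drop the inbound rules entirely, since check-state would then admit only replies to queries you actually sent.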

I now have a working network connection, but there is still lots of room for improvement to this ruleset. In next week's article, we'll take a look at the additional rules which should be added to the ruleset, then we'll take a look at logging and console messages.

Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.

