# Allow access to public DNS
# Replace x.x.x.x with the IP address of a public DNS server
# and repeat for each DNS server in /etc/resolv.conf
$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

# Allow access to ISP's DHCP server for cable/DSL configurations.
# Use the first rule and check log for IP address.
# Then, uncomment the second rule, input the IP address, and delete the first rule
$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state

# Allow outbound HTTP and HTTPS connections
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow outbound email connections
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow outbound ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow outbound NTP
$cmd 00260 allow udp from any to any 123 out via $pif keep-state

# Allow outbound SSH
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# deny and log all other outbound connections
$cmd 00299 deny log all from any to any out via $pif
The next set of rules controls connections from Internet hosts to the internal network. It starts by denying packets typically associated with attacks and then explicitly allows specific types of connections. All the authorized services that originate from the Internet use <literal>limit</literal> to prevent flooding.
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D &amp; E multicast

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios services.
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny fragments
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow traffic from ISP's DHCP server.
# Replace x.x.x.x with the same IP address used in rule 00120.
#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state

# Allow HTTP connections to internal web server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow inbound SSH connections
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Reject and log all other incoming connections
$cmd 00499 deny log all from any to any in via $pif
The last rule logs all packets that do not match any of the rules in the ruleset:
# Everything else is denied and logged
$cmd 00999 deny log all from any to any
In-kernel <acronym>NAT</acronym>
<personname> <firstname>Dries</firstname> <surname>Michiels</surname> </personname> <contrib>Rewritten and updated by </contrib>
<primary>NAT</primary> <secondary>and <application>IPFW</application></secondary>
FreeBSD's <application>IPFW</application> firewall has two implementations of <acronym>NAT</acronym>: the userland implementation <citerefentry><refentrytitle>natd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, and the more recent in-kernel <acronym>NAT</acronym> implementation. Both work in conjunction with <application>IPFW</application> to provide network address translation. This can be used to provide an Internet Connection Sharing solution so that several internal computers can connect to the Internet using a single public <acronym>IP</acronym> address.
To do this, the FreeBSD machine connected to the Internet must act as a gateway. This system must have two <acronym>NIC</acronym>s, where one is connected to the Internet and the other is connected to the internal <acronym>LAN</acronym>. Each machine connected to the <acronym>LAN</acronym> should be assigned an <acronym>IP</acronym> address in the private network space, as defined by <link xlink:href="https://www.ietf.org/rfc/rfc1918.txt">RFC 1918</link>.
Some additional configuration is needed in order to enable the in-kernel <acronym>NAT</acronym> facility of <application>IPFW</application>. To enable in-kernel <acronym>NAT</acronym> support at boot time, the following must be set in <filename>/etc/rc.conf</filename>:
gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
When <literal>firewall_nat_enable</literal> is set but <literal>firewall_enable</literal> is not, it has no effect, because the in-kernel <acronym>NAT</acronym> implementation is only compatible with <application>IPFW</application>.
When the ruleset contains stateful rules, the positioning of the <acronym>NAT</acronym> rule is critical and the <literal>skipto</literal> action is used. The <literal>skipto</literal> action requires a rule number so that it knows which rule to jump to. The example below builds upon the firewall ruleset shown in the previous section. It adds some additional entries and modifies some existing rules in order to configure the firewall for in-kernel <acronym>NAT</acronym>. It starts by adding some additional variables which represent the rule number to skip to, the <literal>keep-state</literal> option, and a list of <acronym>TCP</acronym> ports which will be used to reduce the number of rules.
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 1000"
pif=dc0
ks="keep-state"
good_tcpo="22,25,37,53,80,443,110"
With in-kernel <acronym>NAT</acronym> it is necessary to disable TCP segmentation offloading (<acronym>TSO</acronym>) due to the architecture of <citerefentry><refentrytitle>libalias</refentrytitle><manvolnum>3</manvolnum></citerefentry>, a library implemented as a kernel module to provide the in-kernel <acronym>NAT</acronym> facility of <application>IPFW</application>. <acronym>TSO</acronym> can be disabled on a per network interface basis using <citerefentry><refentrytitle>ifconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry> or on a system wide basis using <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>. To disable <acronym>TSO</acronym> system wide, the following must be set in <filename>/etc/sysctl.conf</filename>:
net.inet.tcp.tso="0"
A <acronym>NAT</acronym> instance will also be configured. It is possible to have multiple <acronym>NAT</acronym> instances, each with its own configuration. For this example only one <acronym>NAT</acronym> instance is needed, <acronym>NAT</acronym> instance number 1. The configuration can take a few options: <option>if</option> indicates the public interface, <option>same_ports</option> ensures that aliased ports and local port numbers are mapped the same, <option>unreg_only</option> results in only unregistered (private) address spaces being processed by the <acronym>NAT</acronym> instance, and <option>reset</option> helps to keep a functioning <acronym>NAT</acronym> instance even when the public <acronym>IP</acronym> address of the <application>IPFW</application> machine changes. For all possible options that can be passed to a single <acronym>NAT</acronym> instance configuration, consult <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry>. When configuring a stateful <acronym>NAT</acronym>ing firewall, it is necessary to allow translated packets to be reinjected into the firewall for further processing. This can be achieved by disabling <option>one_pass</option> behavior at the start of the firewall script.
ipfw disable one_pass
ipfw -q nat 1 config if $pif same_ports unreg_only reset
The inbound <acronym>NAT</acronym> rule is inserted <emphasis>after</emphasis> the two rules which allow all traffic on the trusted and loopback interfaces and after the reassemble rule, but <emphasis>before</emphasis> the <literal>check-state</literal> rule. It is important that the rule number selected for this <acronym>NAT</acronym> rule, in this example <literal>100</literal>, is higher than the first three rules and lower than the <literal>check-state</literal> rule. Furthermore, because of the behavior of in-kernel <acronym>NAT</acronym>, it is advised to place a reassemble rule just before the first <acronym>NAT</acronym> rule and after the rules that allow traffic on the trusted interface. Normally, <acronym>IP</acronym> fragmentation should not happen, but when dealing with <acronym>IPSEC/ESP/GRE</acronym> tunneling traffic it might, and the fragments must be reassembled before the complete packet is handed over to the in-kernel <acronym>NAT</acronym> facility.
The reassemble rule was not needed with userland <citerefentry><refentrytitle>natd</refentrytitle><manvolnum>8</manvolnum></citerefentry> because the internal workings of the <application>IPFW</application> <literal>divert</literal> action already take care of reassembling packets before delivery to the socket, as also stated in <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
The <acronym>NAT</acronym> instance and rule number used in this example do not match the default <acronym>NAT</acronym> instance and rule number created by <filename>rc.firewall</filename>. <filename>rc.firewall</filename> is the script that sets up the default firewall rules present in FreeBSD.
$cmd 005 allow all from any to any via xl0 # exclude LAN traffic
$cmd 010 allow all from any to any via lo0 # exclude loopback traffic
$cmd 099 reass all from any to any in # reassemble inbound packets
$cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets
# Allow the packet through if it has an existing entry in the dynamic rules table
$cmd 101 check-state
The outbound rules are modified to replace the <literal>allow</literal> action with the <literal>$skip</literal> variable, indicating that rule processing will continue at rule <literal>1000</literal>. The seven <literal>tcp</literal> rules have been replaced by rule <literal>125</literal> as the <literal>$good_tcpo</literal> variable contains the seven allowed outbound ports.
Remember that <application>IPFW</application>'s performance is largely determined by the number of rules present in the ruleset.
# Authorized outbound packets
$cmd 120 $skip udp from any to x.x.x.x 53 out via $pif $ks
$cmd 121 $skip udp from any to x.x.x.x 67 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
The inbound rules remain the same, except for the very last rule, which drops <literal>via $pif</literal> in order to catch both inbound and outbound packets. The <acronym>NAT</acronym> rule must follow this last rule, must have a higher number than it, and its rule number must be the one referenced by the <literal>skipto</literal> action. In this ruleset, rule number <literal>1000</literal> handles passing all packets to our configured instance for <acronym>NAT</acronym> processing. The next rule allows any packet which has undergone <acronym>NAT</acronym> processing to pass.
$cmd 999 deny log all from any to any
$cmd 1000 nat 1 ip from any to any out via $pif # skipto location for outbound stateful rules
$cmd 1001 allow ip from any to any
In this example, rules <literal>100</literal>, <literal>101</literal>, <literal>125</literal>, <literal>1000</literal>, and <literal>1001</literal> control the address translation of the outbound and inbound packets so that the entries in the dynamic state table always register the private <acronym>LAN</acronym> <acronym>IP</acronym> address.
Consider an internal web browser which initiates a new outbound <acronym>HTTP</acronym> session over port 80. When the first outbound packet enters the firewall, it does not match rule <literal>100</literal> because it is headed out rather than in. It passes rule <literal>101</literal> because this is the first packet and it has not been posted to the dynamic state table yet. The packet finally matches rule <literal>125</literal> as it is outbound on an allowed port and has a source <acronym>IP</acronym> address from the internal <acronym>LAN</acronym>. On matching this rule, two actions take place. First, the <literal>keep-state</literal> action adds an entry to the dynamic state table and the specified action, <literal>skipto rule 1000</literal>, is executed. Next, the packet undergoes <acronym>NAT</acronym> and is sent out to the Internet. This packet makes its way to the destination web server, where a response packet is generated and sent back. This new packet enters the top of the ruleset. It matches rule <literal>100</literal> and has its destination <acronym>IP</acronym> address mapped back to the original internal address. It is then processed by the <literal>check-state</literal> rule, is found in the table as an existing session, and is released to the <acronym>LAN</acronym>.
On the inbound side, the ruleset has to deny bad packets and allow only authorized services. A packet which matches an inbound rule is posted to the dynamic state table and the packet is released to the <acronym>LAN</acronym>. The packet generated as a response is recognized by the <literal>check-state</literal> rule as belonging to an existing session. It is then sent to rule <literal>1000</literal> to undergo <acronym>NAT</acronym> before being released to the outbound interface.
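The packet walk just described, replayed by an added Python model that is not part of the Handbook or of IPFW itself: it evaluates rules 100, 101, 125, 999, 1000 and 1001 for packets on the public interface only, with constructed addresses, a simplified NAT instance, and the inbound allow rules (400 and 410) left out. It shows why the state entry records the private LAN address: keep-state fires at rule 125, before the packet reaches the NAT rule at 1000.

```python
PUBLIC_IP = "203.0.113.10"   # constructed: the gateway's public address
LAN_HOST = "192.168.1.20"    # constructed: a client on the RFC 1918 LAN
WEB = "198.51.100.5"         # constructed: an Internet web server
GOOD_TCPO = {22, 25, 37, 53, 80, 443, 110}   # $good_tcpo from the ruleset
STATE, NAT_TABLE = set(), {}   # dynamic state table; NAT 1: public port -> (LAN ip, port)
def pkt(src, sport, dst, dport, direction, syn=False):
    return dict(src=src, sport=sport, dst=dst, dport=dport, dir=direction, syn=syn)
def key(p):   # a session is the unordered pair of endpoints
    return frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])})
def nat(p):   # NAT instance 1 with same_ports and unreg_only (simplified)
    if p["dir"] == "out" and p["src"].startswith("192.168."):
        NAT_TABLE[p["sport"]] = (p["src"], p["sport"])
        p["src"] = PUBLIC_IP
    elif p["dir"] == "in" and p["dst"] == PUBLIC_IP and p["dport"] in NAT_TABLE:
        p["dst"], p["dport"] = NAT_TABLE[p["dport"]]
    return "continue"   # one_pass is disabled, so the search goes on after NAT
def rule125(p):   # $skip tcp from any to any $good_tcpo out via $pif setup $ks
    if p["dir"] == "out" and p["syn"] and p["dport"] in GOOD_TCPO:
        STATE.add(key(p))          # keep-state records the packet BEFORE NAT
        return ("skipto", 1000)
RULES = [   # (number, matcher) in ruleset order; only rules on $pif are modelled
    (100, lambda p: nat(p) if p["dir"] == "in" else None),    # nat 1 ip ... in
    (101, lambda p: "allow" if key(p) in STATE else None),    # check-state
    (125, rule125),
    (999, lambda p: "deny"),                                  # deny log all
    (1000, lambda p: nat(p) if p["dir"] == "out" else None),  # skipto target
    (1001, lambda p: "allow"),
]

def evaluate(p):   # returns (verdict, numbers of the rules that matched)
    trace, i = [], 0
    while i < len(RULES):
        num, fn = RULES[i]
        verdict = fn(p)
        if verdict is not None:
            trace.append(num)
        if isinstance(verdict, tuple):      # skipto N: resume at first rule >= N
            i = next(k for k, (n, _) in enumerate(RULES) if n >= verdict[1])
        elif verdict in (None, "continue"):
            i += 1
        else:
            return verdict, trace
    return "deny", trace                    # the implicit default rule

def http_session():   # the walk from the text: LAN client opens TCP/80, server replies
    STATE.clear(); NAT_TABLE.clear()
    syn = pkt(LAN_HOST, 40000, WEB, 80, "out", syn=True)
    reply = pkt(WEB, 80, PUBLIC_IP, 40000, "in")
    out = evaluate(syn) + (syn["src"],)       # source address after translation
    inn = evaluate(reply) + (reply["dst"],)   # destination after de-translation
    return out, inn, list(STATE)
```

An unsolicited inbound packet to a port without a state entry walks 100 and then falls through to the deny at 999, which is the behaviour the inbound side of the text describes.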
FreeBSD Doc / books_handbook (English)
Source string location: book.translate.xml:60101