15ecb12e3SWarner Losh.\" Copyright (C) 2001 Matthew Dillon. All rights reserved. 25ecb12e3SWarner Losh.\" 35ecb12e3SWarner Losh.\" Redistribution and use in source and binary forms, with or without 45ecb12e3SWarner Losh.\" modification, are permitted provided that the following conditions 55ecb12e3SWarner Losh.\" are met: 65ecb12e3SWarner Losh.\" 1. Redistributions of source code must retain the above copyright 75ecb12e3SWarner Losh.\" notice, this list of conditions and the following disclaimer. 85ecb12e3SWarner Losh.\" 2. Redistributions in binary form must reproduce the above copyright 95ecb12e3SWarner Losh.\" notice, this list of conditions and the following disclaimer in the 105ecb12e3SWarner Losh.\" documentation and/or other materials provided with the distribution. 115ecb12e3SWarner Losh.\" 125ecb12e3SWarner Losh.\" THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND 135ecb12e3SWarner Losh.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 145ecb12e3SWarner Losh.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 155ecb12e3SWarner Losh.\" ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE 165ecb12e3SWarner Losh.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 175ecb12e3SWarner Losh.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 185ecb12e3SWarner Losh.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 195ecb12e3SWarner Losh.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 205ecb12e3SWarner Losh.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 215ecb12e3SWarner Losh.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 225ecb12e3SWarner Losh.\" SUCH DAMAGE. 23fc32c802SMatthew Dillon.\" 24fc32c802SMatthew Dillon.\" $FreeBSD$ 25fc32c802SMatthew Dillon.\" 26fc32c802SMatthew Dillon.Dd May 26, 2001 27fc32c802SMatthew Dillon.Dt FIREWALL 7 283d45e180SRuslan Ermilov.Os 29fc32c802SMatthew Dillon.Sh NAME 30fc32c802SMatthew Dillon.Nm firewall 31fc32c802SMatthew Dillon.Nd simple firewalls under FreeBSD 32fc32c802SMatthew Dillon.Sh FIREWALL BASICS 33fc32c802SMatthew DillonA Firewall is most commonly used to protect an internal network 34fc32c802SMatthew Dillonfrom an outside network by preventing the outside network from 355203edcdSRuslan Ermilovmaking arbitrary connections into the internal network. 365203edcdSRuslan ErmilovFirewalls 37fc32c802SMatthew Dillonare also used to prevent outside entities from spoofing internal 38fc32c802SMatthew DillonIP addresses and to isolate services such as NFS or SMBFS (Windows 39fc32c802SMatthew Dillonfile sharing) within LAN segments. 40fc32c802SMatthew Dillon.Pp 41fc32c802SMatthew DillonThe 42fc32c802SMatthew Dillon.Fx 43fc32c802SMatthew Dillonfirewalling system also has the capability to limit bandwidth using 44fc32c802SMatthew Dillon.Xr dummynet 4 . 457c86a74bSMike PritchardThis feature can be useful when you need to guarantee a certain 465203edcdSRuslan Ermilovamount of bandwidth for a critical purpose. 475203edcdSRuslan ErmilovFor example, if you 487c86a74bSMike Pritchardare doing video conferencing over the Internet via your 49c70d56a5SChristian Bruefferoffice T1 (1.5 MBits/s), you may wish to bandwidth-limit all other 50c70d56a5SChristian BruefferT1 traffic to 1 MBit/s in order to reserve at least 0.5 MBits 515203edcdSRuslan Ermilovfor your video conferencing connections. 525203edcdSRuslan ErmilovSimilarly if you are 53fc32c802SMatthew Dillonrunning a popular web or ftp site from a colocation facility 54c70d56a5SChristian Bruefferyou might want to limit bandwidth to prevent excessive bandwidth 55c70d56a5SChristian Brueffercharges from your provider. 56fc32c802SMatthew Dillon.Pp 57fc32c802SMatthew DillonFinally, 58fc32c802SMatthew Dillon.Fx 59fc32c802SMatthew Dillonfirewalls may be used to divert packets or change the next-hop 60fc32c802SMatthew Dillonaddress for packets to help route them to the correct destination. 61fc32c802SMatthew DillonPacket diversion is most often used to support NAT (network 62fc32c802SMatthew Dillonaddress translation), which allows an internal network using 63fc32c802SMatthew Dillona private IP space to make connections to the outside for browsing 64fc32c802SMatthew Dillonor other purposes. 65fc32c802SMatthew Dillon.Pp 66fc32c802SMatthew DillonConstructing a firewall may appear to be trivial, but most people 675203edcdSRuslan Ermilovget them wrong. 685203edcdSRuslan ErmilovThe most common mistake is to create an exclusive 695203edcdSRuslan Ermilovfirewall rather than an inclusive firewall. 705203edcdSRuslan ErmilovAn exclusive firewall 71fc32c802SMatthew Dillonallows all packets through except for those matching a set of rules. 720b6579f2SGiorgos KeramidasAn inclusive firewall allows only packets matching the ruleset 735203edcdSRuslan Ermilovthrough. 745203edcdSRuslan ErmilovInclusive firewalls are much, much safer than exclusive 755203edcdSRuslan Ermilovfirewalls but a tad more difficult to build properly. 765203edcdSRuslan ErmilovThe 77fc32c802SMatthew Dillonsecond most common mistake is to blackhole everything except the 785203edcdSRuslan Ermilovparticular port you want to let through. 795203edcdSRuslan ErmilovTCP/IP needs to be able 80fc32c802SMatthew Dillonto get certain types of ICMP errors to function properly - for 815203edcdSRuslan Ermilovexample, to implement MTU discovery. 825203edcdSRuslan ErmilovAlso, a number of common 83fc32c802SMatthew Dillonsystem daemons make reverse connections to the 84fc32c802SMatthew Dillon.Sy auth 85fc32c802SMatthew Dillonservice in an attempt to authenticate the user making a connection. 86fc32c802SMatthew DillonAuth is rather dangerous but the proper implementation is to return 877361df21SGiorgos Keramidasa TCP reset for the connection attempt rather than simply blackholing 885203edcdSRuslan Ermilovthe packet. 895203edcdSRuslan ErmilovWe cover these and other quirks involved with constructing 90fc32c802SMatthew Dillona firewall in the sample firewall section below. 91fc32c802SMatthew Dillon.Sh IPFW KERNEL CONFIGURATION 92aa2ada4eSMurray StokelyYou do not need to create a custom kernel to use the IP firewalling features. 93b895742dSMatthew DillonIf you enable firewalling in your 94b895742dSMatthew Dillon.Em /etc/rc.conf 9560eefdafSGiorgos Keramidas(see below), the ipfw kernel module will be loaded automatically 9660eefdafSGiorgos Keramidaswhen necessary. 9760eefdafSGiorgos KeramidasHowever, 98b895742dSMatthew Dillonif you are paranoid you can compile IPFW directly into the 99fc32c802SMatthew Dillon.Fx 100b895742dSMatthew Dillonkernel by using the 101fc32c802SMatthew Dillon.Sy IPFIREWALL 1025203edcdSRuslan Ermilovoption set. 1035203edcdSRuslan ErmilovIf compiled in the kernel, ipfw denies all 1046b3e3c6fSGiorgos Keramidaspackets by default, which means that, if you do not load in 105fc32c802SMatthew Dillona permissive ruleset via 106fc32c802SMatthew Dillon.Em /etc/rc.conf , 1076b3e3c6fSGiorgos Keramidasrebooting into your new kernel will take the network offline. 1086b3e3c6fSGiorgos KeramidasThis can prevent you from being able to access your system if you 1095203edcdSRuslan Ermilovare not sitting at the console. 1105203edcdSRuslan ErmilovIt is also quite common to 111fc32c802SMatthew Dillonupdate a kernel to a new release and reboot before updating 1125203edcdSRuslan Ermilovthe binaries. 1135203edcdSRuslan ErmilovThis can result in an incompatibility between 114fc32c802SMatthew Dillonthe 115fc32c802SMatthew Dillon.Xr ipfw 8 116fc32c802SMatthew Dillonprogram and the kernel which prevents it from running in the 117fc32c802SMatthew Dillonboot sequence, also resulting in an inaccessible machine. 118fc32c802SMatthew DillonBecause of these problems the 119fc32c802SMatthew Dillon.Sy IPFIREWALL_DEFAULT_TO_ACCEPT 120fc32c802SMatthew Dillonkernel option is also available which changes the default firewall 1215203edcdSRuslan Ermilovto pass through all packets. 1225203edcdSRuslan ErmilovNote, however, that using this option 123b895742dSMatthew Dillonmay open a small window of opportunity during booting where your 1245203edcdSRuslan Ermilovfirewall passes all packets. 1255203edcdSRuslan ErmilovStill, it's a good option to use 126b895742dSMatthew Dillonwhile getting up to speed with 127fc32c802SMatthew Dillon.Fx 1285203edcdSRuslan Ermilovfirewalling. 1295203edcdSRuslan ErmilovGet rid of it once you understand how it all works 1305203edcdSRuslan Ermilovto close the loophole, though. 1315203edcdSRuslan ErmilovThere is a third option called 132fc32c802SMatthew Dillon.Sy IPDIVERT 133fc32c802SMatthew Dillonwhich allows you to use the firewall to divert packets to a user program 134fc32c802SMatthew Dillonand is necessary if you wish to use 135fc32c802SMatthew Dillon.Xr natd 8 136fc32c802SMatthew Dillonto give private internal networks access to the outside world. 137fc32c802SMatthew DillonIf you want to be able to limit the bandwidth used by certain types of 138fc32c802SMatthew Dillontraffic, the 139fc32c802SMatthew Dillon.Sy DUMMYNET 140fc32c802SMatthew Dillonoption must be used to enable 141fc32c802SMatthew Dillon.Em ipfw pipe 142fc32c802SMatthew Dillonrules. 143fc32c802SMatthew Dillon.Sh SAMPLE IPFW-BASED FIREWALL 144fc32c802SMatthew DillonHere is an example ipfw-based firewall taken from a machine with three 1455203edcdSRuslan Ermilovinterface cards. 1465203edcdSRuslan Ermilovfxp0 is connected to the 'exposed' LAN. 1475203edcdSRuslan ErmilovMachines 1485203edcdSRuslan Ermilovon this LAN are dual-homed with both internal 10.\& IP addresses and 1495203edcdSRuslan ErmilovInternet-routed IP addresses. 1505203edcdSRuslan ErmilovIn our example, 192.100.5.x represents 1517c86a74bSMike Pritchardthe Internet-routed IP block while 10.x.x.x represents the internal 1525203edcdSRuslan Ermilovnetworks. 1535203edcdSRuslan ErmilovWhile it isn't relevant to the example, 10.0.1.x is 154fc32c802SMatthew Dillonassigned as the internal address block for the LAN on fxp0, 10.0.2.x 155fc32c802SMatthew Dillonfor the LAN on fxp1, and 10.0.3.x for the LAN on fxp2. 156fc32c802SMatthew Dillon.Pp 1577c86a74bSMike PritchardIn this example we want to isolate all three LANs from the Internet 158fc32c802SMatthew Dillonas well as isolate them from each other, and we want to give all 1597c86a74bSMike Pritchardinternal addresses access to the Internet through a NAT gateway running 1605203edcdSRuslan Ermilovon this machine. 1615203edcdSRuslan ErmilovTo make the NAT gateway work, the firewall machine 1627c86a74bSMike Pritchardis given two Internet-exposed addresses on fxp0 in addition to an 1635203edcdSRuslan Ermilovinternal 10.\& address on fxp0: one exposed address (not shown) 164fc32c802SMatthew Dillonrepresents the machine's official address, and the second exposed 165fc32c802SMatthew Dillonaddress (192.100.5.5 in our example) represents the NAT gateway 1665203edcdSRuslan Ermilovrendezvous IP. 1675203edcdSRuslan ErmilovWe make the example more complex by giving the machines 168fc32c802SMatthew Dillonon the exposed LAN internal 10.0.0.x addresses as well as exposed 1695203edcdSRuslan Ermilovaddresses. 1705203edcdSRuslan ErmilovThe idea here is that you can bind internal services 171fc32c802SMatthew Dillonto internal addresses even on exposed machines and still protect 1725203edcdSRuslan Ermilovthose services from the Internet. 1735203edcdSRuslan ErmilovThe only services you run on 174fc32c802SMatthew Dillonexposed IP addresses would be the ones you wish to expose to the 1757c86a74bSMike PritchardInternet. 176fc32c802SMatthew Dillon.Pp 177fc32c802SMatthew DillonIt is important to note that the 10.0.0.x network in our example 1785203edcdSRuslan Ermilovis not protected by our firewall. 1795203edcdSRuslan ErmilovYou must make sure that your 1807c86a74bSMike PritchardInternet router protects this network from outside spoofing. 181fc32c802SMatthew DillonAlso, in our example, we pretty much give the exposed hosts free 182fc32c802SMatthew Dillonreign on our internal network when operating services through 1835203edcdSRuslan Ermilovinternal IP addresses (10.0.0.x). 1845203edcdSRuslan ErmilovThis is somewhat of security 1855203edcdSRuslan Ermilovrisk: what if an exposed host is compromised? 1865203edcdSRuslan ErmilovTo remove the 187fc32c802SMatthew Dillonrisk and force everything coming in via LAN0 to go through 188fc32c802SMatthew Dillonthe firewall, remove rules 01010 and 01011. 189fc32c802SMatthew Dillon.Pp 190fc32c802SMatthew DillonFinally, note that the use of internal addresses represents a 1915203edcdSRuslan Ermilovbig piece of our firewall protection mechanism. 1925203edcdSRuslan ErmilovWith proper 193fc32c802SMatthew Dillonspoofing safeguards in place, nothing outside can directly 194fc32c802SMatthew Dillonaccess an internal (LAN1 or LAN2) host. 195fc32c802SMatthew Dillon.Bd -literal 196fc32c802SMatthew Dillon# /etc/rc.conf 197fc32c802SMatthew Dillon# 198fc32c802SMatthew Dillonfirewall_enable="YES" 199fc32c802SMatthew Dillonfirewall_type="/etc/ipfw.conf" 200fc32c802SMatthew Dillon 201fc32c802SMatthew Dillon# temporary port binding range let 202fc32c802SMatthew Dillon# through the firewall. 203fc32c802SMatthew Dillon# 204fc32c802SMatthew Dillon# NOTE: heavily loaded services running through the firewall may require 205fc32c802SMatthew Dillon# a larger port range for local-size binding. 4000-10000 or 4000-30000 206fc32c802SMatthew Dillon# might be a better choice. 207fc32c802SMatthew Dillonip_portrange_first=4000 208fc32c802SMatthew Dillonip_portrange_last=5000 20963b2f772SRuslan Ermilov\&... 210fc32c802SMatthew Dillon.Ed 211fc32c802SMatthew Dillon.Pp 212fc32c802SMatthew Dillon.Bd -literal 213fc32c802SMatthew Dillon# /etc/ipfw.conf 214fc32c802SMatthew Dillon# 215fc32c802SMatthew Dillon# FIREWALL: the firewall machine / nat gateway 216fc32c802SMatthew Dillon# LAN0 10.0.0.X and 192.100.5.X (dual homed) 217fc32c802SMatthew Dillon# LAN1 10.0.1.X 218fc32c802SMatthew Dillon# LAN2 10.0.2.X 219fc32c802SMatthew Dillon# sw: ethernet switch (unmanaged) 220fc32c802SMatthew Dillon# 2217c86a74bSMike Pritchard# 192.100.5.x represents IP addresses exposed to the Internet 2227c86a74bSMike Pritchard# (i.e. Internet routeable). 10.x.x.x represent internal IPs 223fc32c802SMatthew Dillon# (not exposed) 224fc32c802SMatthew Dillon# 225fc32c802SMatthew Dillon# [LAN1] 226fc32c802SMatthew Dillon# ^ 227fc32c802SMatthew Dillon# | 228fc32c802SMatthew Dillon# FIREWALL -->[LAN2] 229fc32c802SMatthew Dillon# | 230fc32c802SMatthew Dillon# [LAN0] 231fc32c802SMatthew Dillon# | 232fc32c802SMatthew Dillon# +--> exposed host A 233fc32c802SMatthew Dillon# +--> exposed host B 234fc32c802SMatthew Dillon# +--> exposed host C 235fc32c802SMatthew Dillon# | 236fc32c802SMatthew Dillon# INTERNET (secondary firewall) 237fc32c802SMatthew Dillon# ROUTER 238fc32c802SMatthew Dillon# | 2397c86a74bSMike Pritchard# [Internet] 240fc32c802SMatthew Dillon# 241fc32c802SMatthew Dillon# NOT SHOWN: The INTERNET ROUTER must contain rules to disallow 242fc32c802SMatthew Dillon# all packets with source IP addresses in the 10. block in order 243fc32c802SMatthew Dillon# to protect the dual-homed 10.0.0.x block. Exposed hosts are 244fc32c802SMatthew Dillon# not otherwise protected in this example - they should only bind 245fc32c802SMatthew Dillon# exposed services to exposed IPs but can safely bind internal 246fc32c802SMatthew Dillon# services to internal IPs. 247fc32c802SMatthew Dillon# 248fc32c802SMatthew Dillon# The NAT gateway works by taking packets sent from internal 249fc32c802SMatthew Dillon# IP addresses to external IP addresses and routing them to natd, which 250fc32c802SMatthew Dillon# is listening on port 8668. This is handled by rule 00300. Data coming 251fc32c802SMatthew Dillon# back to natd from the outside world must also be routed to natd using 252fc32c802SMatthew Dillon# rule 00301. To make the example interesting, we note that we do 253fc32c802SMatthew Dillon# NOT have to run internal requests to exposed hosts through natd 254fc32c802SMatthew Dillon# (rule 00290) because those exposed hosts know about our 255fc32c802SMatthew Dillon# 10. network. This can reduce the load on natd. Also note that we 256fc32c802SMatthew Dillon# of course do not have to route internal<->internal traffic through 257fc32c802SMatthew Dillon# natd since those hosts know how to route our 10. internal network. 258fc32c802SMatthew Dillon# The natd command we run from /etc/rc.local is shown below. See 259fc32c802SMatthew Dillon# also the in-kernel version of natd, ipnat. 260fc32c802SMatthew Dillon# 261fc32c802SMatthew Dillon# natd -s -u -a 208.161.114.67 262fc32c802SMatthew Dillon# 263fc32c802SMatthew Dillon# 264fc32c802SMatthew Dillonadd 00290 skipto 1000 ip from 10.0.0.0/8 to 192.100.5.0/24 265fc32c802SMatthew Dillonadd 00300 divert 8668 ip from 10.0.0.0/8 to not 10.0.0.0/8 266fc32c802SMatthew Dillonadd 00301 divert 8668 ip from not 10.0.0.0/8 to 192.100.5.5 267fc32c802SMatthew Dillon 268fc32c802SMatthew Dillon# Short cut the rules to avoid running high bandwidths through 269fc32c802SMatthew Dillon# the entire rule set. Allow established tcp connections through, 270fc32c802SMatthew Dillon# and shortcut all outgoing packets under the assumption that 271fc32c802SMatthew Dillon# we need only firewall incoming packets. 272fc32c802SMatthew Dillon# 273fc32c802SMatthew Dillon# Allowing established tcp connections through creates a small 274fc32c802SMatthew Dillon# hole but may be necessary to avoid overloading your firewall. 275fc32c802SMatthew Dillon# If you are worried, you can move the rule to after the spoof 276fc32c802SMatthew Dillon# checks. 277fc32c802SMatthew Dillon# 278fc32c802SMatthew Dillonadd 01000 allow tcp from any to any established 279fc32c802SMatthew Dillonadd 01001 allow all from any to any out via fxp0 280fc32c802SMatthew Dillonadd 01001 allow all from any to any out via fxp1 281fc32c802SMatthew Dillonadd 01001 allow all from any to any out via fxp2 282fc32c802SMatthew Dillon 283fc32c802SMatthew Dillon# Spoof protection. This depends on how well you trust your 284fc32c802SMatthew Dillon# internal networks. Packets received via fxp1 MUST come from 285fc32c802SMatthew Dillon# 10.0.1.x. Packets received via fxp2 MUST come from 10.0.2.x. 286fc32c802SMatthew Dillon# Packets received via fxp0 cannot come from the LAN1 or LAN2 2877c86a74bSMike Pritchard# blocks. We can't protect 10.0.0.x here, the Internet router 288fc32c802SMatthew Dillon# must do that for us. 289fc32c802SMatthew Dillon# 290fc32c802SMatthew Dillonadd 01500 deny all from not 10.0.1.0/24 in via fxp1 291fc32c802SMatthew Dillonadd 01500 deny all from not 10.0.2.0/24 in via fxp2 292fc32c802SMatthew Dillonadd 01501 deny all from 10.0.1.0/24 in via fxp0 293fc32c802SMatthew Dillonadd 01501 deny all from 10.0.2.0/24 in via fxp0 294fc32c802SMatthew Dillon 295fc32c802SMatthew Dillon# In this example rule set there are no restrictions between 296fc32c802SMatthew Dillon# internal hosts, even those on the exposed LAN (as long as 297fc32c802SMatthew Dillon# they use an internal IP address). This represents a 298fc32c802SMatthew Dillon# potential security hole (what if an exposed host is 299fc32c802SMatthew Dillon# compromised?). If you want full restrictions to apply 300fc32c802SMatthew Dillon# between the three LANs, firewalling them off from each 301fc32c802SMatthew Dillon# other for added security, remove these two rules. 302fc32c802SMatthew Dillon# 303fc32c802SMatthew Dillon# If you want to isolate LAN1 and LAN2, but still want 304fc32c802SMatthew Dillon# to give exposed hosts free reign with each other, get 305fc32c802SMatthew Dillon# rid of rule 01010 and keep rule 01011. 306fc32c802SMatthew Dillon# 307fc32c802SMatthew Dillon# (commented out, uncomment for less restrictive firewall) 308fc32c802SMatthew Dillon#add 01010 allow all from 10.0.0.0/8 to 10.0.0.0/8 309fc32c802SMatthew Dillon#add 01011 allow all from 192.100.5.0/24 to 192.100.5.0/24 310fc32c802SMatthew Dillon# 311fc32c802SMatthew Dillon 312fc32c802SMatthew Dillon# SPECIFIC SERVICES ALLOWED FROM SPECIFIC LANS 313fc32c802SMatthew Dillon# 314fc32c802SMatthew Dillon# If using a more restrictive firewall, allow specific LANs 315fc32c802SMatthew Dillon# access to specific services running on the firewall itself. 316fc32c802SMatthew Dillon# In this case we assume LAN1 needs access to filesharing running 317fc32c802SMatthew Dillon# on the firewall. If using a less restrictive firewall 318fc32c802SMatthew Dillon# (allowing rule 01010), you don't need these rules. 319fc32c802SMatthew Dillon# 320fc32c802SMatthew Dillonadd 01012 allow tcp from 10.0.1.0/8 to 10.0.1.1 139 321fc32c802SMatthew Dillonadd 01012 allow udp from 10.0.1.0/8 to 10.0.1.1 137,138 322fc32c802SMatthew Dillon 323fc32c802SMatthew Dillon# GENERAL SERVICES ALLOWED TO CROSS INTERNAL AND EXPOSED LANS 324fc32c802SMatthew Dillon# 325fc32c802SMatthew Dillon# We allow specific UDP services through: DNS lookups, ntalk, and ntp. 326fc32c802SMatthew Dillon# Note that internal services are protected by virtue of having 327fc32c802SMatthew Dillon# spoof-proof internal IP addresses (10. net), so these rules 328fc32c802SMatthew Dillon# really only apply to services bound to exposed IPs. We have 329fc32c802SMatthew Dillon# to allow UDP fragments or larger fragmented UDP packets will 330fc32c802SMatthew Dillon# not survive the firewall. 331fc32c802SMatthew Dillon# 332fc32c802SMatthew Dillon# If we want to expose high-numbered temporary service ports 333fc32c802SMatthew Dillon# for things like DNS lookup responses we can use a port range, 334fc32c802SMatthew Dillon# in this example 4000-65535, and we set to /etc/rc.conf variables 335fc32c802SMatthew Dillon# on all exposed machines to make sure they bind temporary ports 336fc32c802SMatthew Dillon# to the exposed port range (see rc.conf example above) 337fc32c802SMatthew Dillon# 338fc32c802SMatthew Dillonadd 02000 allow udp from any to any 4000-65535,domain,ntalk,ntp 339fc32c802SMatthew Dillonadd 02500 allow udp from any to any frag 340fc32c802SMatthew Dillon 341fc32c802SMatthew Dillon# Allow similar services for TCP. Again, these only apply to 342fc32c802SMatthew Dillon# services bound to exposed addresses. NOTE: we allow 'auth' 343fc32c802SMatthew Dillon# through but do not actually run an identd server on any exposed 344fc32c802SMatthew Dillon# port. This allows the machine being authed to respond with a 345fc32c802SMatthew Dillon# TCP RESET. Throwing the packet away would result in delays 346fc32c802SMatthew Dillon# when connecting to remote services that do reverse ident lookups. 347fc32c802SMatthew Dillon# 348fc32c802SMatthew Dillon# Note that we do not allow tcp fragments through, and that we do 349fc32c802SMatthew Dillon# not allow fragments in general (except for UDP fragments). We 350fc32c802SMatthew Dillon# expect the TCP mtu discovery protocol to work properly so there 351fc32c802SMatthew Dillon# should be no TCP fragments. 352fc32c802SMatthew Dillon# 353fc32c802SMatthew Dillonadd 03000 allow tcp from any to any http,https 354fc32c802SMatthew Dillonadd 03000 allow tcp from any to any 4000-65535,ssh,smtp,domain,ntalk 355fc32c802SMatthew Dillonadd 03000 allow tcp from any to any auth,pop3,ftp,ftp-data 356fc32c802SMatthew Dillon 357455c7374SMatthew Dillon# It is important to allow certain ICMP types through, here is a list 358455c7374SMatthew Dillon# of general ICMP types. Note that it is important to let ICMP type 3 359455c7374SMatthew Dillon# through. 360fc32c802SMatthew Dillon# 361fc32c802SMatthew Dillon# 0 Echo Reply 362455c7374SMatthew Dillon# 3 Destination Unreachable (used by TCP MTU discovery, aka 363455c7374SMatthew Dillon# packet-too-big) 364fc32c802SMatthew Dillon# 4 Source Quench (typically not allowed) 365fc32c802SMatthew Dillon# 5 Redirect (typically not allowed - can be dangerous!) 366fc32c802SMatthew Dillon# 8 Echo 367fc32c802SMatthew Dillon# 11 Time Exceeded 368fc32c802SMatthew Dillon# 12 Parameter Problem 369fc32c802SMatthew Dillon# 13 Timestamp 370fc32c802SMatthew Dillon# 14 Timestamp Reply 371fc32c802SMatthew Dillon# 372fc32c802SMatthew Dillon# Sometimes people need to allow ICMP REDIRECT packets, which is 3737c86a74bSMike Pritchard# type 5, but if you allow it make sure that your Internet router 374fc32c802SMatthew Dillon# disallows it. 375fc32c802SMatthew Dillon 376455c7374SMatthew Dillonadd 04000 allow icmp from any to any icmptypes 0,3,8,11,12,13,14 377fc32c802SMatthew Dillon 378fc32c802SMatthew Dillon# log any remaining fragments that get through. Might be useful, 379fc32c802SMatthew Dillon# otherwise don't bother. Have a final deny rule as a safety to 3807c86a74bSMike Pritchard# guarantee that your firewall is inclusive no matter how the kernel 381fc32c802SMatthew Dillon# is configured. 382fc32c802SMatthew Dillon# 383fc32c802SMatthew Dillonadd 05000 deny log ip from any to any frag 384fc32c802SMatthew Dillonadd 06000 deny all from any to any 385fc32c802SMatthew Dillon.Ed 386fc32c802SMatthew Dillon.Sh PORT BINDING INTERNAL AND EXTERNAL SERVICES 387fc32c802SMatthew DillonWe've mentioned multi-homing hosts and binding services to internal or 3885203edcdSRuslan Ermilovexternal addresses but we haven't really explained it. 3895203edcdSRuslan ErmilovWhen you have a 390fc32c802SMatthew Dillonhost with multiple IP addresses assigned to it, you can bind services run 3915203edcdSRuslan Ermilovon that host to specific IPs or interfaces rather than all IPs. 3925203edcdSRuslan ErmilovTake 3935203edcdSRuslan Ermilovthe firewall machine for example: with three interfaces 394fc32c802SMatthew Dillonand two exposed IP addresses 395fc32c802SMatthew Dillonon one of those interfaces, the firewall machine is known by 5 different 396fc32c802SMatthew DillonIP addresses (10.0.0.1, 10.0.1.1, 10.0.2.1, 192.100.5.5, and say 3975203edcdSRuslan Ermilov192.100.5.1). 3985203edcdSRuslan ErmilovIf the firewall is providing file sharing services to the 399fc32c802SMatthew Dillonwindows LAN segment (say it is LAN1), you can use samba's 'bind interfaces' 4005203edcdSRuslan Ermilovdirective to specifically bind it to just the LAN1 IP address. 4015203edcdSRuslan ErmilovThat 402fc32c802SMatthew Dillonway the file sharing services will not be made available to other LAN 4035203edcdSRuslan Ermilovsegments. 4045203edcdSRuslan ErmilovThe same goes for NFS. 4055203edcdSRuslan ErmilovIf LAN2 has your UNIX engineering 4065203edcdSRuslan Ermilovworkstations, you can tell nfsd to bind specifically to 10.0.2.1. 4075203edcdSRuslan ErmilovYou 408fc32c802SMatthew Dilloncan specify how to bind virtually every service on the machine and you 409fc32c802SMatthew Dilloncan use a light 410fc32c802SMatthew Dillon.Xr jail 8 411fc32c802SMatthew Dillonto indirectly bind services that do not otherwise give you the option. 412fc32c802SMatthew Dillon.Sh SEE ALSO 413fc32c802SMatthew Dillon.Xr ipnat 1 , 4145521ff5aSRuslan Ermilov.Xr dummynet 4 , 415fc32c802SMatthew Dillon.Xr ipnat 5 , 4165521ff5aSRuslan Ermilov.Xr rc.conf 5 , 417bf7f20c2SRuslan Ermilov.Xr smb.conf 5 Pq Pa ports/net/samba , 418bf7f20c2SRuslan Ermilov.Xr samba 7 Pq Pa ports/net/samba , 4195521ff5aSRuslan Ermilov.Xr config 8 , 4205521ff5aSRuslan Ermilov.Xr ipfw 8 , 421fc32c802SMatthew Dillon.Xr jail 8 , 422fc32c802SMatthew Dillon.Xr natd 8 , 4235521ff5aSRuslan Ermilov.Xr nfsd 8 424fc32c802SMatthew Dillon.Sh ADDITIONAL READING 425faf58d14SMax Laier.Bl -tag -width xxxx 426faf58d14SMax Laier.It Nm Ipfilter 427fc32c802SMatthew Dillon.Xr ipf 5 , 428fc32c802SMatthew Dillon.Xr ipf 8 , 429fc32c802SMatthew Dillon.Xr ipfstat 8 430faf58d14SMax Laier.It Nm Packet Filter 431faf58d14SMax Laier.Xr pf.conf 5 , 432faf58d14SMax Laier.Xr pfctl 8 , 433faf58d14SMax Laier.Xr pflogd 8 434faf58d14SMax Laier.El 435fc32c802SMatthew Dillon.Sh HISTORY 436fc32c802SMatthew DillonThe 437fc32c802SMatthew Dillon.Nm 438fc32c802SMatthew Dillonmanual page was originally written by 439fc32c802SMatthew Dillon.An Matthew Dillon 440fc32c802SMatthew Dillonand first appeared 441fc32c802SMatthew Dillonin 442fc32c802SMatthew Dillon.Fx 4.3 , 443fc32c802SMatthew DillonMay 2001. 444