Re: IPFW statefull firewall ruleset - some sites or applications do not work as expected

From: Ronald Klop <ronald-lists_at_klop.ws>
Date: Mon, 18 Nov 2024 13:48:52 UTC
Hi,

I just re-read the ipfw man page about one_pass = 0.

# sysctl -d net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: Only do a single pass through ipfw when using dummynet(4)

I think that besides dummynet, the definition also applies to netgraph and NAT rules, but not to every rule. So I doubt that one_pass=0 will do anything after rule 10 applies.

But I won't call myself a master of ipfw, so I will be happy to stand corrected.

Regards,
Ronald.

From: Dries Michiels <driesm@freebsd.org>
Date: Monday, 18 November 2024 13:23
To: Ronald Klop <ronald@freebsd.org>
CC: freebsd-ipfw@freebsd.org, freebsd-pf@freebsd.org, FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: IPFW statefull firewall ruleset - some sites or applications do not work as expected
> 
> Hi, unfortunately that's not the case, as I have onepass set to off, meaning that after every rule, the packet continues to be processed by the next rule (so the NAT does get reached).
>  
>  
> On Thu 14 Nov 2024 at 11:17, Ronald Klop <ronald@freebsd.org> wrote:
>> On 02-11-2024 at 16:30, Dries Michiels wrote:
>> > Hello,
>> >
>> > So I have a very basic ruleset, as described in the FreeBSD handbook, see below. I have "blurred" my open ports as seen in the ruleset below.
>> > igc0 is my WAN port and in the table "trusted_if" are like my LAN if and some bridges.
>> >
>> > 00001 reass ip from any to any in
>> > 00010 allow ip from any to any via table(trustedif)
>> > 00050 deny log ip from any to any not antispoof in
>> > 00100 nat 1 ip4 from any to any in recv igc0
>> > 00500 skipto 10000 tcp from any to any out xmit igc0 setup keep-state :default
>> > 00501 skipto 10000 udp from any to any out xmit igc0 keep-state :default
>> > 05000 allow tcp from any to me *some open ports* in recv igc0 setup keep-state :default
>> > 05001 allow udp from any to me *some open ports* in recv igc0 keep-state :default
>> > 09998 deny log tcp from any to any
>> > 09999 deny log udp from any to any
>> > 10000 nat 1 ip4 from any to any out xmit igc0
>> > 65535 allow ip from any to any
>> >
>> > Now comes the tricky part. There are some applications that don't work correctly with this ruleset.
>> > For example, itsme (belgium application) to identify yourself with a lot of accounts, does not work.
>> > Recently my banking website also stopped working. So now I'm wondering how do I start to troubleshoot this issue?
>> > Are there any caveats with this ruleset when redirects are happening for example? I'm also wondering if Belgian PF users have the same issue?
>> >
>> > I'm hopeful to get to the bottom of this as it's quite annoying needing to switch wifi channels to my ISP's router which does work with these applications.
>> >
>> > Regards
>> > Dries
>> >
>> >
>> 
>> Hi,
>> 
>> It has been a while since I built ipfw firewalls, but doesn't rule 10 match all internal (from LAN) traffic, preventing outgoing (to WAN) packets from getting to the nat rules?
>> 
>> I would suggest something like this:
>> 
>> 00001 reass ip from any to any in
>> 00050 deny log ip from any to any not antispoof in
>> 00100 nat 1 ip4 from any to any via igc0
>> 00300 check-state :default
>> 00200 allow ip from any to any in table(trustedif) keep-state :default
>> 05000 allow tcp from any to me *some open ports* in recv igc0 setup keep-state :default
>> 05001 allow udp from any to me *some open ports* in recv igc0 keep-state :default
>> 09999 deny log ip from any to any
>> 65535 allow ip from any to any
>> 
>> 
>> 
>> Regards,
>> Ronald.
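The thread asks how to start troubleshooting which rule a failing flow ends up in. The following is an added example, not code from either participant: a small sh workflow for the firewall host that checks the one_pass and logging sysctls, zeroes the per-rule counters, and after reproducing the problem lists only the rules whose packet counter moved. The `ipfw show` sample used for the offline check is constructed (counter values invented) and only borrows rule numbers from the rulesets quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): find which ipfw rules a failing flow
# actually hits by diffing rule counters around a reproduction.

# Print the numbers of rules whose packet counter is non-zero, reading
# `ipfw show` style lines on stdin (fields: rulenum pkts bytes rule-body).
hit_rules() {
    awk '$2 > 0 { print $1 }'
}

# Live workflow on the firewall (needs root; not run by the offline check):
#   sysctl net.inet.ip.fw.one_pass      # 0: packet continues after nat/dummynet
#   sysctl net.inet.ip.fw.verbose       # must be 1 for "deny log" to log
#   ipfw zero                           # reset every rule's packet/byte counters
#   ...reproduce the failing application from a LAN client...
#   ipfw show | hit_rules               # rules that saw traffic during the test
#   ipfw -d -t show                     # include dynamic (keep-state) entries
#   tail /var/log/security              # default syslog destination for ipfw logs
# A hit on a "deny log" rule, or a skipto/nat rule with no hit while the
# application runs, narrows the problem down to a specific rule.

# Constructed sample of `ipfw show` output for offline use; counters invented.
SAMPLE_SHOW='00001     40    6200 reass ip from any to any in
00010     12    1800 allow ip from any to any via table(trustedif)
00050      0       0 deny log ip from any to any not antispoof in
00100      0       0 nat 1 ip4 from any to any in recv igc0
00500      1      60 skipto 10000 tcp from any to any out xmit igc0 setup keep-state :default
09998      3     180 deny log tcp from any to any
10000      1      60 nat 1 ip4 from any to any out xmit igc0
65535     60    9000 allow ip from any to any'

# Run the filter over the constructed sample; prints the hit rule numbers
# space-separated on one line.
hit_rules_sample() {
    printf '%s\n' "$SAMPLE_SHOW" | hit_rules | tr '\n' ' '
}

hit_rules_sample
```

On the constructed sample the filter reports rules 1, 10, 500, 9998, 10000 and 65535; in a real run the interesting rows are the deny rules that counted packets and the nat rule that did not.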