Re: IPFW stateful firewall ruleset - some sites or applications do not work as expected

From: Ronald Klop <ronald_at_FreeBSD.org>
Date: Thu, 14 Nov 2024 10:17:27 UTC
On 02-11-2024 at 16:30, Dries Michiels wrote:
> Hello,
> 
> So I have a very basic ruleset, as described in the FreeBSD handbook, see below. I have "blurred" my open ports as seen in the ruleset below.
> igc0 is my WAN port, and in the table "trusted_if" are my LAN if and some bridges.
> 
> 00001 reass ip from any to any in
> 00010 allow ip from any to any via table(trustedif)
> 00050 deny log ip from any to any not antispoof in
> 00100 nat 1 ip4 from any to any in recv igc0
> 00500 skipto 10000 tcp from any to any out xmit igc0 setup keep-state :default
> 00501 skipto 10000 udp from any to any out xmit igc0 keep-state :default
> 05000 allow tcp from any to me *some open ports* in recv igc0 setup keep-state :default
> 05001 allow udp from any to me *some open ports* in recv igc0 keep-state :default
> 09998 deny log tcp from any to any
> 09999 deny log udp from any to any
> 10000 nat 1 ip4 from any to any out xmit igc0
> 65535 allow ip from any to any
> 
> Now comes the tricky part. There are some applications that don't work correctly with this ruleset.
> For example, itsme (belgium application) to identify yourself with a lot of accounts, does not work.
> Recently my banking website also stopped working. So now I'm wondering how do I start to troubleshoot this issue?
> Are there any caveats with this ruleset when redirects are happening, for example? I'm also wondering if Belgian PF users have the same issue?
> 
> I'm hopeful to get to the bottom of this, as it's quite annoying needing to switch wifi channels to my ISP's router, which does work with these applications.
> 
> Regards
> Dries
> 
> 

Hi,

It has been a while since I built ipfw firewalls, but doesn't rule 10 match all internal (from LAN) traffic, preventing outgoing (to WAN) packets from getting to the nat rules?

I would suggest something like this:

00001 reass ip from any to any in
00050 deny log ip from any to any not antispoof in
00100 nat 1 ip4 from any to any via igc0
00300 check-state :default
00200 allow ip from any to any in table(trustedif) keep-state :default
05000 allow tcp from any to me *some open ports* in recv igc0 setup keep-state :default
05001 allow udp from any to me *some open ports* in recv igc0 keep-state :default
09999 deny log ip from any to any
65535 allow ip from any to any



Regards,
Ronald.
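The point raised in the reply above, that rule 10 matches on both passes of a forwarded packet because `via` is satisfied by either the receive or the transmit interface, can be checked with a small model of ipfw's interface matching. The code below is an added example and is not from the thread or from FreeBSD. It models only the `in`/`out`, `recv`/`xmit`/`via` and `skipto` parts of ipfw(8) matching; dynamic state (keep-state/check-state), antispoof and protocol/port matching are left out, nat rules are treated as falling through to the next rule (net.inet.ip.fw.one_pass=0 is assumed), and the interface names lan0 and bridge0 standing in for the trustedif table are made up.

```python
"""Model of ipfw interface matching for one forwarded packet (added example).

Only in/out, recv/xmit/via and skipto are modelled. Dynamic state, antispoof
and port matching are omitted, and nat falls through to the next rule
(net.inet.ip.fw.one_pass=0 assumed). Interface names are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRUSTED_IFACES = {"lan0", "bridge0"}   # stand-in for table(trustedif); made up
WAN = "igc0"


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                        # allow | deny | nat | skipto
    direction: Optional[str] = None    # "in", "out" or None for both
    recv: Optional[str] = None         # interface name or "trusted"
    xmit: Optional[str] = None
    via: Optional[str] = None
    target: Optional[int] = None       # skipto destination


@dataclass(frozen=True)
class Packet:
    direction: str                     # "in" on the receive pass, "out" on the transmit pass
    recv_if: Optional[str]             # None for packets generated by the host itself
    xmit_if: Optional[str] = None      # only known on the transmit pass


def iface_matches(spec: str, name: Optional[str]) -> bool:
    if name is None:
        return False
    return name in TRUSTED_IFACES if spec == "trusted" else spec == name


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.recv is not None and not iface_matches(rule.recv, pkt.recv_if):
        return False
    if rule.xmit is not None and not iface_matches(rule.xmit, pkt.xmit_if):
        return False
    if rule.via is not None:
        # `via` is satisfied by either interface, so on the transmit pass it still
        # sees the LAN interface the packet was received on.
        if not (iface_matches(rule.via, pkt.recv_if) or iface_matches(rule.via, pkt.xmit_if)):
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, bool, List[int]]:
    """Return (verdict, translated_by_nat, numbers of the rules that matched)."""
    ordered = sorted(rules, key=lambda r: r.num)
    idx, natted, trace = 0, False, []
    while idx < len(ordered):
        rule = ordered[idx]
        if not rule_matches(rule, pkt):
            idx += 1
            continue
        trace.append(rule.num)
        if rule.action in ("allow", "deny"):
            return rule.action, natted, trace
        if rule.action == "nat":
            natted = True                  # one_pass=0: keep walking the ruleset
            idx += 1
        elif rule.action == "skipto":
            idx = next(i for i, r in enumerate(ordered) if r.num >= rule.target)
        else:
            raise ValueError(rule.action)
    return "allow", natted, trace          # default rule 65535


# The poster's ruleset reduced to what this model covers: one TCP flow, so the
# udp twins, the antispoof rule and the port-specific allow rules are dropped.
ORIGINAL = [
    Rule(10, "allow", via="trusted"),
    Rule(100, "nat", direction="in", recv=WAN),
    Rule(500, "skipto", direction="out", xmit=WAN, target=10000),
    Rule(9998, "deny"),
    Rule(10000, "nat", direction="out", xmit=WAN),
    Rule(65535, "allow"),
]

# Same ruleset with rule 10 limited to the receive pass, as the reply suggests.
FIXED = [Rule(10, "allow", direction="in", recv="trusted")] + ORIGINAL[1:]


def forward_lan_to_wan(rules: List[Rule]):
    """Both passes of one LAN -> WAN packet: received on lan0, transmitted on igc0."""
    inbound = evaluate(rules, Packet("in", recv_if="lan0"))
    outbound = evaluate(rules, Packet("out", recv_if="lan0", xmit_if=WAN))
    return inbound, outbound


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("recv-only rule 10", FIXED)):
        inbound, outbound = forward_lan_to_wan(rules)
        print(f"{label}: in pass {inbound}, out pass {outbound}")
```

With the original ruleset the transmit pass of a LAN-to-WAN packet stops at rule 10 again, so the packet leaves igc0 without ever reaching rule 500 or the nat rule at 10000; with rule 10 restricted to `in recv`, the transmit pass falls through to 500, jumps to 10000 and is translated. A packet generated by the firewall host itself has no receive interface, so rule 10 never matches it and it is translated either way, which is why traffic from the box itself behaves differently from forwarded LAN traffic under the original rules.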