Re: ipfw syntax clarification
- Reply: Steve O'Hara-Smith : "Re: ipfw syntax clarification"
- In reply to: Kurt Hackenberg : "Re: ipfw syntax clarification"
Date: Thu, 30 Dec 2021 06:32:20 UTC
On Wed, Dec 29, 2021 at 10:08 PM Kurt Hackenberg <kh@panix.com> wrote:

> On Wed, Dec 29, 2021 at 05:32:15PM -0600, Tim Daneliuk via
> freebsd-questions wrote:
>
> > We have a FBSD firewall/gateway/natd server on the perimeter of one of
> > our networks.
> >
> > We have an ipfw table that is loaded with pesky IPs like this:
> >
> > ipfw add deny all from table\(10\) to any via ${OIF}
> >
> > This does block traffic which originates from those IPs to our server.
> > However, it also prevents our server from originating requests TO those
> > IPs.
> >
> > This is an issue because some of the table entries are CIDR blocks intended
> > to geoblock known problem areas. However, it's sometimes desirable to, say,
> > connect to a web server within one of those CIDR blocks.
> >
> > How/can the rule above be modified to let no one in the table to connect or
> > ping to the server, but still allow the server to connect to something in
> > the forbidden blocks/IPs?
>
> Your browser tries to make a TCP connection to a web server in the
> hostile zone, but establishing that connection takes two-way
> communication. Blocking all incoming traffic from that outside web
> server makes it impossible to establish the connection.
>
> You can deny incoming TCP connections from the hostile zone, but still
> allow outgoing connections to it, with something like this:
>
> ipfw add pass tcp from me to table\(10\) via ${OIF} established
> ipfw add pass tcp from table\(10\) to me via ${OIF} established
> ipfw add pass tcp from me to table\(10\) via ${OIF} setup
> ipfw add deny all from table\(10\) to any via ${OIF}

You don't want to permit any traffic from the bad IPs that aren't part of a stateful rule. Not accounting for NAT (which makes things a little more complicated, but still entirely feasible):

$FW add 00500 check-state :gb
$FW add deny ip from table\(reject\) to any in recv $WAN
...
$FW add allow tcp from any to any out xmit $WAN setup keep-state :gb
$FW add allow udp from any to any out xmit $WAN keep-state :gb
$FW add allow icmp from any to any out xmit $WAN keep-state :gb
$FW add allow ip6 from any to any out xmit $WAN setup keep-state :gb proto tcp
$FW add allow ip6 from any to any out xmit $WAN keep-state :gb proto udp
$FW add allow ipv6-icmp from any to any out xmit $WAN keep-state :gb

To the OP: there are no geoblocks of CIDR addresses – they don't really exist. You can block NL, for example, but that includes addresses in the Antilles. There are addresses that belong in the FR blocks that are in North America (Saint-Pierre et Miquelon). Actual location of IP addresses is something known to the CDNs (Akamai, Cloudflare, AWS, etc.) and is somewhat proprietary.
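As an added illustration (not code from anyone in this thread), the IPv4 part of the stateful rule set above as a loadable script, with the rule order that makes it work called out: `check-state` must run before the table deny, and the table name `reject`, state name `:gb` and `$WAN` follow the reply; the interface `em0` and the 192.0.2.0/24 table entry are constructed sample values.

```shell
#!/bin/sh
# Added example: stateful ipfw block for a "reject" table. The table
# name, ":gb" state name and $WAN come from the reply above; "em0" and
# the 192.0.2.0/24 entry are constructed placeholders. With the default
# FW="echo ipfw" the script only previews the commands; set FW=ipfw and
# run as root on FreeBSD to load them.

WAN="${WAN:-em0}"
FW="${FW:-echo ipfw}"

# Emit the rules in the order ipfw must evaluate them.
geoblock_rules() {
    # 1. Consult existing dynamic states first, so reply traffic for a
    #    connection the server itself opened is accepted before the deny
    #    rule below ever sees it.
    $FW add 00500 check-state :gb
    # 2. Anything arriving on the WAN from a listed address that matched
    #    no state is dropped: no inbound connections, no pings, and no
    #    forged "established" segments slip past a flag-only rule.
    $FW add 00510 deny ip from "table(reject)" to any in recv "$WAN"
    # 3. Outbound traffic creates the state that step 1 consults. Only a
    #    TCP SYN (setup) may open one; UDP and ICMP open on any packet.
    $FW add 00520 allow tcp from any to any out xmit "$WAN" setup keep-state :gb
    $FW add 00530 allow udp from any to any out xmit "$WAN" keep-state :gb
    $FW add 00540 allow icmp from any to any out xmit "$WAN" keep-state :gb
}

# Create the address table and add one constructed entry (TEST-NET-1).
populate_table() {
    $FW table reject create type addr 2>/dev/null || true
    $FW table reject add 192.0.2.0/24
}

populate_table
geoblock_rules
```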