Problems with ipfw/natd and axe(4)

Spil Oss spil.oss at gmail.com
Sun Apr 14 18:49:21 UTC 2013 

Hi Michael,

I was aware that these deny-rules could be created more efficiently, but I
wanted to stay as close as possible to the 'simple' ruleset from the base
/etc/rc.firewall rules.

settings for /etc/rc.firewall
natd_interface=ue0
firewall_simple_iif=re0          # Inside IPv4 network interface.
firewall_simple_inet=10.16.1.2.1        # Inside IPv4 network address.
firewall_simple_oif=ue0        # Outside IPv4 network interface.
firewall_simple_onet=172.17.2.111       # Outside IPv4 network address.
#firewall_simple_iif_ipv6=    Inside IPv6 network interface.
#firewall_simple_inet_ipv6=   Inside IPv6 network prefix.
#firewall_simple_oif_ipv6=    Outside IPv6 network interface.
#firewall_simple_onet_ipv6=   Outside IPv6 network prefix.

1. Requirements and intentions
This machine is my next router/firewall and web/mail/etc-server. ue0
connected to my cable modem, re0 connected to my LAN, ath0 my access point.
re0 and ath0 will later be part of bridge0.
Webserver and mail-services running in separate jails using natd
redirect_port, cannot initiate outbound connections.
Inbound ssh, http(s), smtp, imaps, submission allowed in from internet.

I'm aware that with checksum offloading the tcpdump checksum will appear
incorrect.

Earlier I worked with the examples from the handbook which I was told on
this mailing-list are not a good starting point for a ruleset. This is why
I have taken the ruleset delivered in base as my starting point.

The fact is that if I reverse re0 and ue0 (configuration as well as
physical connections) the ruleset behaves as expected.

2. Interaction of NAT + stateful
I'm trying to understand the interaction, starting with the most default.
I had tcpdump, /var/log/security, natd -v running in separate tmux windows
to try and figure out what happens.

3. Gradually add complexity
I had taken /etc/rc.firewall as the lowest level of complexity and intend
to add the extra functions.
Will bring it down to the bare minimum and try again.
natd config from /etc/rc.conf
natd_interface=ue0
natd_flags=" -config /etc/natd.conf"
or natd -n ue0 -f /etc/natd.conf -v
/etc/natd.conf
same_ports yes
dynamic yes
# redirect http, https to web-jail
# Disabled

Thanks for the pointers!

Kind regards,

Spil.


On Sat, Apr 13, 2013 at 8:01 PM, Michael Sierchio <kudzu at tenebras.com>wrote:

> There are some things about this ruleset that are confused.  Multiple
> deny rules where one will do, et.
>
> > 01100 deny ip from 10.16.2.1 to any in via ue0
> > 01200 deny ip from 172.17.2.111 to any in via re0
> > 01300 deny ip from any to 10.0.0.0/8 via ue0
> > 01500 deny ip from any to 192.168.0.0/16 via ue0
> > 01600 deny ip from any to 0.0.0.0/8 via ue0
> > 01700 deny ip from any to 169.254.0.0/16 via ue0
> > 01800 deny ip from any to 192.0.2.0/24 via ue0
> > 01900 deny ip from any to 224.0.0.0/4 via ue0
> > 02000 deny ip from any to 240.0.0.0/4 via ue0
>
> and you need to think about inbound and outbound traffic, and a few
> other things.  You have keep-state rules way down the ruleset and a
> divert natd in the middle.  This won't do.
>
> 1.  State what the requirements and intent are.  I'm reluctant to dive
> into the solution space for an ill-defined problem.  You conclude that
> the problem is with the NIC, and I think it's with your ruleset.  For
> example, which interfaces are external, what's the topology, do
> external interfaces have public or private addresses, etc?    Is this
> a firewall or a standalone box?
>
> Note that if you do a tcpdump, the checksums will look wrong because
> they're offloaded onto the NIC.  That's normal.
>
> 2.  Until you understand the interaction of NAT + stateful rules,
> don't use them.
>
> 3.  Start with a small ruleset and nat config (show us your natd
> config) that is permissive, then gradually add protection.  natd by
> itself is stateful, and will probably provide all you need.
>
> - M
>
> On Sat, Apr 13, 2013 at 6:34 AM, Spil Oss <spil.oss at gmail.com> wrote:
> > Hi All,
> >
> > I can't use ipfw with natd with my ASIX AX88772B USB NIC
> >
> > ipfw ruleset (slightly modified /etc/rc.firewall simple ruleset)
> > 00010 allow ip from any to me dst-port 22 recv ue0
> > 00010 allow tcp from me 22 to any xmit ue0
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00300 deny ip from 127.0.0.0/8 to any
> > 00400 deny ip from any to ::1
> > 00500 deny ip from ::1 to any
> > 00600 allow ipv6-icmp from :: to ff02::/16
> > 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> > 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> > 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
> > 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> > 01100 deny ip from 10.16.2.1 to any in via ue0
> > 01200 deny ip from 172.17.2.111 to any in via re0
> > 01300 deny ip from any to 10.0.0.0/8 via ue0
> > 01500 deny ip from any to 192.168.0.0/16 via ue0
> > 01600 deny ip from any to 0.0.0.0/8 via ue0
> > 01700 deny ip from any to 169.254.0.0/16 via ue0
> > 01800 deny ip from any to 192.0.2.0/24 via ue0
> > 01900 deny ip from any to 224.0.0.0/4 via ue0
> > 02000 deny ip from any to 240.0.0.0/4 via ue0
> > 02100 divert 8668 ip4 from any to any via ue0
> > 02200 deny ip from 10.0.0.0/8 to any via ue0
> > 02400 deny ip from 192.168.0.0/16 to any via ue0
> > 02500 deny ip from 0.0.0.0/8 to any via ue0
> > 02600 deny ip from 169.254.0.0/16 to any via ue0
> > 02700 deny ip from 192.0.2.0/24 to any via ue0
> > 02800 deny ip from 224.0.0.0/4 to any via ue0
> > 02900 deny ip from 240.0.0.0/4 to any via ue0
> > 03000 allow tcp from any to any established
> > 03100 allow ip from any to any frag
> > 03200 allow tcp from any to me dst-port 22 setup
> > 03300 allow tcp from any to me dst-port 25 setup
> > 03400 allow tcp from any to me dst-port 465 setup
> > 03500 allow tcp from any to me dst-port 587 setup
> > 03600 allow tcp from any to me dst-port 80 setup
> > 03700 allow tcp from any to me dst-port 443 setup
> > 03800 deny log logamount 5 ip4 from any to any in via ue0 setup proto tcp
> > 03900 allow tcp from any to any setup
> > 04000 allow udp from me to any dst-port 53 keep-state
> > 04100 allow udp from me to any dst-port 123 keep-state
> > 04200 allow ip from any to any dst-port 22 recv ue0
> > 65535 deny ip from any to any
> >
> > If I remove rule 10 it will NOT work with ue0, the same ruleset without
> > rule 10 DOES work with re0 on the same machine (re0 as external and ue0
> as
> > internal NIC).
> >
> > If I connect from the gateway on 172.17.2.1 to the ssh server on this
> > machine, I can see the ACK and SYN+ACK but there's no ACK from the client
> > to the server to establish the tcp session. Only difference I could find
> > was that the checksum was incorrect.
> >
> > Found an older PR kern/170081 about fxp having trouble with nat when
> > rxcsum/txcsum was enabled, that is why I started fiddling with
> > rxcsum/txcsum and found that the NIC is unusable/dead without
> rxcsum/txcsum
> > enabled so this was not an option.
> >
> > # ifconfig ue0
> > ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> >         options=8000b<RXCSUM,TXCSUM,VLAN_MTU,LINKSTATE>
> >         ether 00:60:6e:42:5b:53
> >         inet6 fe80::260:6eff:fe42:5b53%ue0 prefixlen 64 scopeid 0x7
> >         inet 172.17.2.111 netmask 0xffffff00 broadcast 172.17.2.255
> >         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
> >
> > Any suggestions or pointers?
> >
> > Kind regards,
> >
> > Spil.
> > _______________________________________________
> > freebsd-ipfw at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
>

More information about the freebsd-ipfw mailing list