IPFW Rules and Games
deeptech71 at gmail.com
Fri Nov 2 15:00:09 PDT 2007
Hi, Jack, let's see.
Jack Barnett wrote:
>
> Lots of people play games here and basically a pain to keep trying to
> get these stupid things to work with individual rules for each.
>
> I'm running FreeBSD 6.x with IPFW/natd
>
> I get a dynamic IP from my ISP and the internal nic is 192.168.17.1
> Everything inside the network is 192.168.17.xxx
>
> The setup is this:
> 192.168.17.x <--> 192.168.17.1 <[FreeBSD]> Dynamic IP <--> {Random Game
> Server on the Internets}
> [Internet Network(GAME)] <--> [FreeBSD] <--> {Internets}
>
> There are a bunch of games that send out TCP/UDP packets (and who knows
> what else) on different ports to different destinations and then
> receive data back on "random" ports. Basically, anything on any
> protocol from the internal network should be able to establish and setup
> connections out AND be allowed to receive data back from whomever they
> connected out to; but "random" hosts trying to connect in should be
> blocked.
Back on "random" ports? That's not how it should be. Your client must
send a request (ping or connect) to a server, using the game's client
port as the local port, and the server port as the remote port. The
reply should come back the same way, reversed.
For example, a client sends a connect request:
192.168.17.7:28000 > 87.15.13.165:29000
natd converts the packet to:
49.74.121.3:28000 > 87.15.13.165:29000
(49.74.121.3 is your public IP)
and adds a dynamic rule (inside natd, not ipfw) that a packet coming from
87.15.13.165, port 29000, to 49.74.121.3, port 28000, should be routed to
192.168.17.7, port 28000. So:
the server replies:
87.15.13.165:29000 > 49.74.121.3:28000
natd converts the packet to:
87.15.13.165:29000 > 192.168.17.7:28000
Any unknown packets will be blocked by natd. These are the "unauthorized
random hosts".
So basically the ruleset should be simple:
ipfw -f flush
# allow lo0 stuff
# block some spoofs/attacks
# if you are hosting gameservers from 192.168.17.3 or whatever,
# you should (manually) open server ports, in other words, add
# routes to 192.168.17.3 to specific server ports
ipfw add divert natd all from any to any via $outside_interface
ipfw add allow all from any to any
# block some more spoofs/attacks :)
# define services (like you did with http)
Correct me if I'm wrong.
What games do reply back on random ports?
>
> I added this for a temporary fix:
> ${fwcmd} add pass all from any to any
>
> I don't think that is the right answer; That allows to much in?
>
> I've tried these per the docs:
>
> ${fwcmd} add allow all from any to any out via {$iip} setup
> ${fwcmd} add allow all from any to any out via {$iip} established
> ${fwcmd} add allow all from any to any in via {$iip} established
>
> and also a bunch of others; but none of them worked.
>
> Here is my full config:
> # simple
> [Ss][Ii][Mm][Pp][Ll][Ee])
> ############
> # This is a prototype setup for a simple firewall. Configure this
> # machine as a DNS and NTP server, and point all the machines
> # on the inside at this machine for those services.
> ############
>
> # set these to your outside interface network and netmask and ip
> oif="xl0"
> onet=`ifconfig xl0 | grep "inet " | awk '{print $6}'`
I'm not sure about this. Isn't the sixth word the broadcast address
(ending with .255)?
> omask="0xfffffe00"
0xfffffe00 wtf?
> oip=`ifconfig xl0 | grep "inet " | awk '{print $2}'`
>
> # set these to your inside interface network and netmask and ip
> iif="dc1"
> inet="192.168.17.0"
> imask="0xffffff00"
> iip="192.168.17.1"
What kind of internet connection do you have?
>
> setup_loopback
>
> # Stop spoofing
> ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
> ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
>
> # Stop RFC1918 nets on the outside interface
> ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
> ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
> ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface
> ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
> ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
> ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
> ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
> ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
>
> # Network Address Translation. This rule is placed here deliberately
> # so that it does not interfere with the surrounding address-checking
> # rules. If for example one of your internal LAN machines had its IP
> # address set to 192.0.2.1 then an incoming packet for it after being
> # translated by natd(8) would match the `deny' rule above. Similarly
> # an outgoing packet originated from it before being translated would
> # match the `deny' rule below.
> case ${natd_enable} in
> [Yy][Ee][Ss])
> if [ -n "${natd_interface}" ]; then
> ${fwcmd} add divert natd all from any to any via ${natd_interface}
> fi
> ;;
> esac
>
> # Stop RFC1918 nets on the outside interface
> ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
> ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
> ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface
> ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
> ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
> ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
> ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
> ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
>
> # Allow internal traffic
> ${fwcmd} add allow all from any to any via ${iif}
> # Allow all local traffic
> ${fwcmd} add allow all from ${inet}:${imask} to ${inet}:${imask}
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag
>
> # Allow setup of incoming email
> #${fwcmd} add pass tcp from any to ${oip} 25 setup
> #${fwcmd} add pass tcp from any to ${iip} 25 setup
> ${fwcmd} add pass tcp from any to any 25 setup
>
> # Allow access to our DNS
> ${fwcmd} add pass tcp from any to ${iip} 53 setup
> ${fwcmd} add pass udp from any to ${iip} 53
> ${fwcmd} add pass udp from ${iip} 53 to any
>
> #${fwcmd} add pass tcp from {$inet}:{$imask} to ${oip} 53 setup
> #${fwcmd} add pass udp from {$inet}:{$imask} to ${oip} 53
> #${fwcmd} add pass udp from ${oip} 53 to {$inet}:{$imask}
>
> # SMB - Samba
> #${fwcmd} add pass tcp from any to ${iip} 137
> #${fwcmd} add pass udp from any to ${iip} 137
> #${fwcmd} add pass tcp from any to ${iip} 138
> #${fwcmd} add pass udp from any to ${iip} 138
> #${fwcmd} add pass udp from any to ${iip} 791
>
> # Allow access to our WWW
> #${fwcmd} add pass tcp from any to ${oip} 80 setup
> ${fwcmd} add pass tcp from any to any 80 setup
>
> ${fwcmd} add pass tcp from any to ${iip} 888 setup
>
> # Allow access to our SSH
> #${fwcmd} add pass tcp from any to ${oip} 22 setup
> ${fwcmd} add pass tcp from any to any 22 setup
>
> # Reject&Log all setup of incoming connections from the outside
> ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>
> # Allow setup of any other TCP connection
> ${fwcmd} add pass tcp from any to any setup
>
> # Allow DNS queries out in the world
> #${fwcmd} add pass udp from ${oip} to any 53 keep-state
> ${fwcmd} add pass udp from any to any 53 keep-state
>
> # Allow NTP queries out in the world
> #${fwcmd} add pass udp from ${oip} to any 123 keep-state
> ${fwcmd} add pass udp from any to any 123 keep-state
>
> # NWN/NWN2 Client
> #http://nwn2forums.bioware.com/forums/viewtopic.html?topic=507894&forum=116&sp=30
> #http://nwn.bioware.com/forums/viewtopic.html?topic=387975&forum=56&sp=135
>
> #add 123 allow udp from any to 1.2.3.4 5120-5300,6500,6667,27900,28900
>
> #UDP 5120 - Outbound and Inbound packets
> #UDP 2485 - Outbound and Inbound packets
>
> #TCP 2486 - Outbound and Inbound packets
> #TCP 2487 - Outbound and Inbound packets
> #TCP 2488 - Outbound and Inbound packets
>
> #UDP 2489 - Outbound and Inbound packets
> #TCP 28910 - Server port
> #UDP 5121 - Server port
> #UDP 5122 - Server port
> #UDP 27900 - Server port
> #UDP 50643 - Server port
> #UDP 6121 - Server port
>
> # not working.
> #add allow all from any to any 2485-2490,5210-5230,6121-6500,27900,27900-28910,50643
> #add pass all from any to any 2485-2490,5210-5230,6121-6500,27900,27900-28910,50643
> #add allow all from any to any 5120-5300,6500,6667,27900,28900
>
> #allow outbound setup connections
> # not working. #${fwcmd} add allow tcp from any to any out via {$iip} setup
> #allow in and outbound established connections
> #${fwcmd} add allow tcp from any to any out via {$iip} established
> #${fwcmd} add allow tcp from any to any in via {$iip} established
>
> ${fwcmd} add pass all from any to any
>
> # Everything else is denied by default, unless the
> # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
> # config file.
> ;;
>
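To make the translation flow in the reply above concrete, here is a small Python model of what natd does with the example addresses from the post. It is an added illustration, not code from this thread or from natd itself: a LAN client's outbound packet creates a table entry keyed on the remote host, remote port and the public port; an inbound packet is rewritten back to the LAN host only when it matches that entry exactly, and anything else (a host the client never contacted, or the same server answering from a different port) is dropped. The public port is assumed equal to the LAN source port, as in the post's example, and 203.0.113.9 is a constructed "random host" address.

```python
# Added model of the natd(8) translation described in the reply above.
# Not code from the thread; 87.15.13.165 (game server), 49.74.121.3 (public IP)
# and 192.168.17.7:28000 (LAN client) are the addresses quoted in the post.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatdModel:
    """Simplified natd: an outbound packet creates a translation entry; an
    inbound packet is rewritten only if it matches an entry exactly
    (remote address, remote port and public port); otherwise it is dropped."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        # (proto, remote_ip, remote_port, public_port) -> (lan_ip, lan_port)
        self.table: Dict[Tuple[str, str, int, int], Tuple[str, int]] = {}
        self.dropped: List[Packet] = []

    def outbound(self, pkt: Packet) -> Packet:
        # Model assumption: the public port equals the LAN source port
        # (no port-collision handling), exactly as in the post's example.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_port)
        self.table[key] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        if pkt.dst_ip != self.public_ip or key not in self.table:
            self.dropped.append(pkt)      # unknown packet: the "random host" case
            return None
        lan_ip, lan_port = self.table[key]
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def walk_through():
    """Replays the post's example plus two packets natd would drop."""
    nat = NatdModel("49.74.121.3")
    request = Packet("udp", "192.168.17.7", 28000, "87.15.13.165", 29000)
    on_the_wire = nat.outbound(request)
    # The server replies to what it saw: public IP and port, reversed.
    reply = Packet("udp", "87.15.13.165", 29000, "49.74.121.3", 28000)
    delivered = nat.inbound(reply)
    # A host the client never talked to (constructed address) is dropped.
    stray = nat.inbound(Packet("udp", "203.0.113.9", 29000, "49.74.121.3", 28000))
    # The same server answering from a port other than the one contacted is
    # dropped too: the "reply on a random port" case the reply asks about.
    odd_port = nat.inbound(Packet("udp", "87.15.13.165", 29001, "49.74.121.3", 28000))
    return on_the_wire, delivered, stray, odd_port, len(nat.dropped)


if __name__ == "__main__":
    for item in walk_through():
        print(item)
```

The last case is the one that matters for the games question: a game whose server really does answer from a port other than the one the client contacted breaks this mapping, and no amount of ipfw tuning fixes it; the only options are a static port forward to the game machine or a game-specific proxy, both of which must be opened by hand.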