UFW-Like frontend for IPFW

[Ian Smith]

In freebsd-questions Digest, Vol 666, Issue 2, Message: 1
On Mon, 6 Mar 2017 20:43:56 +0700 Victor Sudakov <vas at mpeks.tomsk.su> wrote:
 > Polytropon wrote:
 > > On Sun, 5 Mar 2017 17:57:02 +0530, Michael Wilcox wrote:
 > > > I was wondering if there is any frontend for IPFW.
 > > > 
 > > > Does anyone have one or must I use it directly?
 > > 
 > > If I see the analogy correctly, a "UFW-like frontend" already
 > > is "included" with ipfw, i. e., ipfw works at a comparable
 > > level. If you compare the ufw commands with the ipfw commands,
 > > they are quite similar, so you'd use ipfw directly in the same
 > > manner as you use ufw to interact with iptables.
 > > 
 > > As an equation:
 > > 
 > > 	   ufw        ipfw
 > > 	---------- = ------
 > > 	 iptables     ipfw
 > > 
 > > More or less... ;-)

Polytropon: I wish I'd had ufw - or better, ipfw+dummynet for linux - 
back when I admin'd a couple of debian boxes.  iptables is REALLY gnarly 
without some sort of higher level administration tool, as is tc compared 
to dummynet.  From skimming one ubuntu description, your analogy's good.

 > There is one thing that a higher level macro language on top of ipfw
 > would be nice to have for.

ipfw rules are very much like an assembly language, and 'assemble' to 
precisely executable opcodes in a well-defined virtual machine. pf feels 
(to me) more like 'higher level' coding, which seems to suit many people 
better .. but I'm an old assembler kind of guy, from S/370 onwards :)

 > Several times I have tried to emulate Cisco PIX/ASA logic with ipfw.
 > I just want to have e.g. 3 interfaces: inside, outside, dmz with
 > security levels of 100, 0, 50 respectively. Traffic can flow from the
 > interface with a higher security level to the interface with a lower
 > security level, and return traffic is permitted too.
 > 
 > Every time I have tried to express this with ipfw rules, I failed
 > miserably, though superficially it looks simple (with keep-state).

That's quite doable, but I wouldn't use numeric levels like that, and 
I'd use static rules first to limit access between inside, outside and
dmz, adding dynamic (stateful) rules after those constraints are met.

Just roughly, as a partial sketch, and assuming all at layer 3 (ip):

  check-state	// pass established dynamic flows

    # can only check both interfaces on 'out' packets, leaving ipfw
  deny tcp from any to any out recv $dmz_if xmit $inside_if setup
  deny udp from any to any out recv $dmz_if xmit $inside_if

    # if dmz provides service/s to outside, skip over these for them
    # those can be allowed/denied on 'in' pass, using dest address/es.

  deny tcp from any to any out recv $outside_iface setup
  deny udp from any to any out recv $outside_iface

    # skip this for any static (setup then established) services below
  deny all from any to any established

    # best use static rules for icmp, see rc.firewall 'workstation'

    # then (or earlier, if you prefer) separate flows for inside|dmz
    # then allow services on inside and dmz, perhaps using static rules
    # then allow access from inside|dmz to dmz|outside statefully.

 > Has anyone done this?

More or less :)  My firewalls are mostly static rules, but stateful 
rules in this instance are likely simpler.  Don't be too entranced by 
statefulness; there are cases (icmp, sometimes DNS, ssh perhaps) where 
static rules make more sense, and don't suffer from timeouts etc.

cheers, Ian