BSD DevCenter

BSD Firewalls: Fine-Tuning Rulesets

I'll save my change and test it using killall init. Once I've logged back in, I'll become the superuser and see what happened:



su
Password:
ipfw show

00100  0    0 allow ip from any to any via lo0
00200  0    0 deny ip from any to 127.0.0.0/8
00300  0    0 check-state
00301  0    0 deny tcp from any to any in established
00302  0    0 allow tcp from any to any keep-state setup
00400  8 1322 allow udp from 24.226.1.90 53 to any in recv ed0
00401  0    0 allow udp from 24.226.1.20 53 to any in recv ed0
00402  0    0 allow udp from 24.2.9.34 53 to any in recv ed0
00403  8  469 allow udp from any to any out
00501  4 1592 allow udp from 24.226.1.41 67 to any 68 in recv ed0
65535 29 8591 deny ip from any to any

It looks like I received eight UDP packets from the DNS server 24.226.1.90 and four UDP packets from the DHCP server 24.226.1.41. Now I'll take a look at my DHCP lease:

more /var/db/dhclient.leases
<snip to just show bottom 3 lines>

  renew 3 2001/5/16 07:46:25;
  rebind 5 2001/5/18 08:50:46;
  expire 6 2001/5/19 01:12:14;

When I issued the killall init command, I also successfully contacted the DHCP server and renewed my lease, so it looks like my DHCP rule is working.

Now, let's take a look at allowing some ICMP, as my ruleset is currently denying all ICMP packets. If you remember from Examining ICMP Packets, denying all ICMP is a bad thing as it will break Path-MTU Discovery and will prevent Source Quench messages. You'll also remember that ICMP uses both "types" and "codes" to specify the actual ICMP message.

When creating an ipfw rule that refers to ICMP, you can only specify the ICMP "type," not the associated "code." I'll become the superuser and add the following lines to my /etc/ipfw.rules file:

#allow some icmp types (codes not supported)
###########allow path-mtu in both directions
add 00600 allow icmp from any to any icmptypes 3

###########allow source quench in and out
add 00601 allow icmp from any to any icmptypes 4

While I'm at it, I should consider whether I want to be able to ping hosts outside of my network, or run the traceroute command. Because I want to be able to do both and receive responses, but I don't want anyone on the Internet to try to ping or "traceroute" me, I'll add these rules:

###########allow me to ping out and receive response back
add 00602 allow icmp from any to any icmptypes 8 out
add 00603 allow icmp from any to any icmptypes 0 in

###########allow me to run traceroute
add 00604 allow icmp from any to any icmptypes 11 in

Remember that ICMP type 8 is an echo request and ICMP type 0 is an echo reply. Since I've only allowed echo requests out and echo replies in, I can ping out but no one can ping me.

When I run traceroute, I send out UDP packets that I've already allowed using rule 00403. However, if I want to receive any responses back, I have to accept back in ICMP type 11 packets.
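To make the type/code distinction concrete, here is an added example (my own Python, not code from the article or from ipfw) that decodes the first bytes of a raw ICMP message. The type and code are the first two bytes of the ICMP header, followed by the RFC 1071 checksum; for a type 3 code 4 message (the "fragmentation needed" message that Path-MTU Discovery depends on) the next-hop MTU sits in bytes 6 and 7. The sample messages are constructed in the block, and the name tables cover only the types and codes this article uses.

```python
import struct

# ICMP type names used in this article (RFC 792); constructed lookup table
ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    4: "source quench",
    8: "echo request",
    11: "time exceeded",
}

# Codes that give the "why" behind a type 3 or type 11 message (RFC 792)
ICMP_CODES = {
    3: {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
        3: "port unreachable", 4: "fragmentation needed and DF set"},
    11: {0: "TTL exceeded in transit", 1: "fragment reassembly time exceeded"},
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest=b"\x00\x00\x00\x00", payload=b"") -> bytes:
    """Assemble an ICMP message with a correct checksum (used only to construct samples)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = internet_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def decode_icmp(msg: bytes) -> dict:
    """Return the type, code, their names and checksum status for one ICMP message."""
    if len(msg) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    info = {
        "type": icmp_type,
        "code": code,
        "type_name": ICMP_TYPES.get(icmp_type, "other"),
        "code_name": ICMP_CODES.get(icmp_type, {}).get(code, "n/a"),
        # Summing the whole message, checksum field included, yields 0 when it is intact
        "checksum_ok": internet_checksum(msg) == 0,
    }
    if icmp_type == 3 and code == 4:
        # RFC 1191: bytes 6-7 carry the MTU of the next hop that could not forward the packet
        info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
    return info


# Constructed sample messages (not captured traffic)
PMTU_MSG = build_icmp(3, 4, struct.pack("!HH", 0, 1400))          # dest unreachable, frag needed, MTU 1400
ECHO_REQ = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh")  # ping, id 0x1234, seq 1
CORRUPT_MSG = PMTU_MSG[:5] + bytes([PMTU_MSG[5] ^ 0x01]) + PMTU_MSG[6:]  # one flipped bit


if __name__ == "__main__":
    for name, msg in (("pmtu", PMTU_MSG), ("echo", ECHO_REQ), ("corrupt", CORRUPT_MSG)):
        print(name, decode_icmp(msg))
```

Run stand-alone, the block prints each sample's type and code with their names; the corrupted copy shows `checksum_ok` as False. The point for the ruleset above is visible in the output: ipfw's `icmptypes 3` admits every destination-unreachable message, and only the code (here 4, with the MTU value) says which kind it was.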

That looks pretty good so I'll save my changes and reset my ipfw counters using the ipfw zero command. I'll then do a killall init and once I've logged back in I'll try to do a ping and a traceroute:

ping www.freebsd.org
PING freefall.freebsd.org (216.136.204.21): 56 data bytes
64 bytes from 216.136.204.21: icmp_seq=0 ttl=239 time=85.250 ms
64 bytes from 216.136.204.21: icmp_seq=1 ttl=239 time=88.338 ms
64 bytes from 216.136.204.21: icmp_seq=2 ttl=239 time=83.757 ms
^C
--- freefall.freebsd.org ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 83.757/85.782/88.338/1.908 ms

traceroute www.freebsd.org
traceroute to freefall.freebsd.org (216.136.204.21), 30 hops max, 40 byte packets
1 10.69.4.1 (10.69.4.1) 8.678 ms 8.739 ms 10.055 ms
2 d226-12-1.home.cgocable.net (24.226.12.1) 9.800 ms 10.642 ms 7.876 ms
3 cgowave-0-158.cgocable.net (24.226.0.158) 25.910 ms 15.288 ms 13.693 ms
4 cgowave-busy-core.cgocable.net (24.226.1.1) 26.982 ms 16.521 ms 12.376 ms
5 cgowave-0-202.cgocable.net (24.226.0.202) 14.372 ms 14.224 ms 13.728 ms
6 216.197.153.65 (216.197.153.65) 14.112 ms 13.544 ms 42.612 ms
7 c1-pos8-0.bflony1.home.net (24.7.74.29) 15.093 ms 22.387 ms 18.530 ms
8 c1-pos1-0.hrfrct1.home.net (24.7.65.253) 25.953 ms 26.703 ms 26.514 ms
9 c1-pos3-0.nycmny1.home.net (24.7.69.2) 26.279 ms 29.810 ms 38.940 ms
10 * ibr02-p1-0.jrcy01.exodus.net (24.7.70.122) 32.121 ms 38.211 ms
11 bbr02-g5-0.jrcy01.exodus.net (216.32.223.130) 34.239 ms 34.815 ms 37.106 ms
12 bbr01-p2-0.okbr01.exodus.net (216.32.132.109) 37.643 ms 36.883 ms 36.201 ms
13 216.34.183.66 (216.34.183.66) 37.624 ms 39.455 ms 40.243 ms
14 bbr01-p0-0.snva03.exodus.net (206.79.9.85) 81.494 ms 82.421 ms 83.230 ms
15 64.15.192.34 (64.15.192.34) 79.431 ms 80.981 ms 115.289 ms
16 bbr02-p4-0.sntc05.exodus.net (209.185.9.70) 81.993 ms 99.964 ms 82.169 ms
17 dcr01-g6-0.sntc05.exodus.net (64.56.192.19) 81.324 ms 81.603 ms 80.146 ms
18 g2-1.bas1-m.sc5.yahoo.com (64.56.207.146) 81.867 ms 100.628 ms 94.995 ms
19 freefall.freebsd.org (216.136.204.21) 104.100 ms 95.821 ms 85.909 ms

So far, so good. I'll now become the superuser and double-check which rules were used:

su
Password:
ipfw show

00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 check-state
00301 0 0 deny tcp from any to any in established
00302 0 0 allow tcp from any to any keep-state setup
00400 29 5847 allow udp from 24.226.1.90 53 to any in recv ed0
00401 2 163 allow udp from 24.226.1.20 53 to any in recv ed0
00402 3 397 allow udp from 24.2.9.34 53 to any in recv ed0
00403 93 4712 allow udp from any to any out
00501 0 0 allow udp from 24.226.1.41 67 to any 68 in recv ed0
00600 3 168 allow icmp from any to any icmptype 3
00601 0 0 allow icmp from any to any icmptype 4
00602 3 252 allow icmp from any to any out icmptype 8
00603 3 252 allow icmp from any to any in icmptype 0
00604 53 2968 allow icmp from any to any in icmptype 11
65535 29 8591 deny ip from any to any

You can see those three echo request packets (rule 00602) and the three echo reply packets (rule 00603) used by the ping utility. You can also see that it took 53 ICMP type 11 packets to respond to the traceroute (rule 00604). It also looks like rule 00600 allowed three ICMP type 3 packets. However, I can't tell "why" I received those three Destination Unreachable messages as I wasn't able to specify an associated "code" in my rule.
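Reading which rules fired by eye works for a dozen rules; the following is an added example (my own Python, not part of the article or of ipfw) that does the same comparison from two saved `ipfw show` listings. It parses the number, packet and byte columns, reports the rules whose packet counter grew, and labels any `icmptype` match with the type name. The two listings embedded below are the ones shown on this page; because the counters were zeroed with `ipfw zero` between them, the second listing's counts are lower for rule 00501, and the function treats any counter that went down as a sign that the counters were reset and then reports the "after" values as the hits instead of a misleading difference.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "packets bytes body")

# One `ipfw show` line: rule number, packet count, byte count, then the rule body
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")

# ICMP type names for the types used in this ruleset (RFC 792)
ICMP_TYPE_NAMES = {0: "echo reply", 3: "destination unreachable",
                   4: "source quench", 8: "echo request", 11: "time exceeded"}

# Listings copied from this page: before the ICMP rules were added, and after ipfw zero + ping/traceroute
BEFORE = """
00100  0    0 allow ip from any to any via lo0
00200  0    0 deny ip from any to 127.0.0.0/8
00300  0    0 check-state
00301  0    0 deny tcp from any to any in established
00302  0    0 allow tcp from any to any keep-state setup
00400  8 1322 allow udp from 24.226.1.90 53 to any in recv ed0
00401  0    0 allow udp from 24.226.1.20 53 to any in recv ed0
00402  0    0 allow udp from 24.2.9.34 53 to any in recv ed0
00403  8  469 allow udp from any to any out
00501  4 1592 allow udp from 24.226.1.41 67 to any 68 in recv ed0
65535 29 8591 deny ip from any to any
"""

AFTER = """
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 check-state
00301 0 0 deny tcp from any to any in established
00302 0 0 allow tcp from any to any keep-state setup
00400 29 5847 allow udp from 24.226.1.90 53 to any in recv ed0
00401 2 163 allow udp from 24.226.1.20 53 to any in recv ed0
00402 3 397 allow udp from 24.2.9.34 53 to any in recv ed0
00403 93 4712 allow udp from any to any out
00501 0 0 allow udp from 24.226.1.41 67 to any 68 in recv ed0
00600 3 168 allow icmp from any to any icmptype 3
00601 0 0 allow icmp from any to any icmptype 4
00602 3 252 allow icmp from any to any out icmptype 8
00603 3 252 allow icmp from any to any in icmptype 0
00604 53 2968 allow icmp from any to any in icmptype 11
65535 29 8591 deny ip from any to any
"""


def parse_ipfw_show(text: str) -> dict:
    """Map rule number -> Rule(packets, bytes, body); non-rule lines (prompts, commands) are skipped."""
    rules = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            num, pkts, byts, body = m.groups()
            rules[int(num)] = Rule(int(pkts), int(byts), body)
    return rules


def annotate(body: str) -> str:
    """Append the ICMP type name to a rule body that matches on icmptype N (or icmptypes N)."""
    m = re.search(r"icmptypes?\s+(\d+)", body)
    if not m:
        return body
    t = int(m.group(1))
    return "%s  # ICMP %s" % (body, ICMP_TYPE_NAMES.get(t, "type %d" % t))


def matched_rules(before: dict, after: dict):
    """Return (counters_reset, {rule: packets matched since the baseline}).

    A packet counter that is lower than in the earlier listing means ipfw zero
    ran (or the rules were reloaded) in between, so the earlier listing is no
    longer a valid baseline and the later counts are used as-is.
    """
    reset = any(num in before and rule.packets < before[num].packets
                for num, rule in after.items())
    hits = {}
    for num, rule in after.items():
        base = 0 if reset or num not in before else before[num].packets
        delta = rule.packets - base
        if delta > 0:
            hits[num] = delta
    return reset, hits


if __name__ == "__main__":
    before, after = parse_ipfw_show(BEFORE), parse_ipfw_show(AFTER)
    reset, hits = matched_rules(before, after)
    print("counters reset between listings:", reset)
    for num in sorted(hits):
        print("%05d %4d  %s" % (num, hits[num], annotate(after[num].body)))
```

The stand-alone run lists the same hits the paragraph above reads off by hand: three packets each on 00602 and 00603, 53 on 00604, three on 00600, and the 29 packets that still fall through to the default deny at 65535, which is the count that logging (the subject of the next article) would explain.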

We've actually covered a fair bit of ground in this article, so let's wait until next time, when we'll look at logging and do some further testing of the firewall's behavior.

Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.

