ipfwadm


Postby Lightning » Fri Jun 20, 2003 3:39 am

As posted by Thasaidon
IPFWADM

Mini-howto


Configuring the firewall


Freesco uses the ipfwadm firewall (the packet filter of the Linux 2.0 kernels),

which has a lot of options and can be tricky to configure.



Here is the complete list of commands and options, as printed by ipfwadm -h:



ipfwadm 2.3.0, 1996/07/30



Usage: ipfwadm -A [direction] command [options] (accounting)

      ipfwadm -F command [options] (forwarding firewall)

      ipfwadm -I command [options] (input firewall)

      ipfwadm -O command [options] (output firewall)

      ipfwadm -M [-s | -l] [options] (masquerading entries)

      ipfwadm -h (print this help information)



Commands:

  -i [policy]  insert rule (no policy for accounting rules)

  -a [policy]  append rule (no policy for accounting rules)

  -d [policy]  delete rule (no policy for accounting rules)

  -l            list all rules of this category

  -z            reset packet/byte counters of all rules of this category

  -f            remove all rules of this category

  -p policy    change default policy (accept/deny/reject)

  -s tcp tcpfin udp

                set masquerading timeout values

  -c            check acceptance of IP packet



Options:

  -P            protocol (either tcp, udp, icmp, or all)

  -S address[/mask] [port ...]

                source specification

  -D address[/mask] [port ...]

                destination specification

  -V address    network interface address

  -W name      network interface name

  -b            bidirectional match

  -e            extended output mode

  -k            match TCP packets only when ACK set

  -m            masquerade packets as coming from local host

  -n            numeric output of addresses and ports

  -o            turn on kernel logging for matching packets

  -r [port]    redirect packets to local port (transparent proxying)

  -t and xor    and/xor masks for TOS field

  -v            verbose mode

  -x            expand numbers (display exact values)

  -y            match TCP packets only when SYN set and ACK cleared



If you want to view this list on your Freesco, just type:

ipfwadm -h | more

This displays the general ipfwadm help (divided over two "pages"; press space for the second one).






Where to configure


If you want to configure a firewall yourself, you should know what you are doing;

otherwise you could end up with a router that is no longer reachable

(a reject rule placed before the rule that allows your own management access is enough to lock you out).



The best way to configure your firewall rules is to put them in the

/mnt/router/rc/rc_user

file (0.2.7)

or

/rc/rc_user

file (0.3.x)

in order for the changes to survive a reboot.



Note!

In the 0.3.x series you should not use the full path unless it is absolutely necessary.

The reason for this is that there are shortcut symlinks to the same directory, such as

/rc/rc_user
/boot/rc/rc_user
/mnt/bootdev/router/rc/rc_user

These are all the same file in the same location. The same applies to

/pkg
/boot/pkg
/mnt/bootdev/router/pkg

With the pkg directory, however, they are not always the same place. If a ramdrive package is installed, then
/pkg = /mnt/ram1/pkg and not /mnt/bootdev/router/pkg
So if the full path is given it will not work in some cases, because the actual location has changed. The reason for the shortcuts is to enable this flexibility. So all references should always use the shortest path, which keeps everything working in all configurations.



By adding your rules to the rc_user file,

your rules will be loaded BEFORE the standard Freesco rules are loaded.

Firewall rules are checked from the TOP of the list to the BOTTOM of the list

(rules added with -a are appended at the end, so the order of the lines in rc_user is the order in which they are checked).

The first rule that matches a packet decides what happens to it; the firewall applies that rule and looks no further.

Therefore it is necessary to put "accept" rules BEFORE "deny" or "reject" rules that would also match the same traffic!



example

ipfwadm -I -a reject -P all -S 0/0 -D 192.168.0.0/24

ipfwadm -I -a accept -P tcp -S 0/0 -D 192.168.0.1/32 25



The first rule rejects all traffic from anywhere to the 192.168.0.x range (192.168.0.0 to 192.168.0.255),

so the accept rule for TCP port 25 traffic to the 192.168.0.1 system WILL NOT WORK: every packet it could match has already been rejected by the first rule.

Swap the two lines and the mail traffic is accepted before the reject rule is reached.



After you edited your rules, type:

rc_masq
(0.2.7)

or

rc_masq restart

(0.3.x)





The basics


The basic syntax, using this example rule:



ipfwadm -I -a reject -P tcp -W $INET -D 0.0.0.0/0 22 -y -o



The general command

IPFWADM


The "traffic" direction this rule is for (-I)

-I                      Input firewall: packets arriving at the router on an interface (traffic TO your router, including packets the router will forward)

-O                    Output firewall: packets leaving the router (traffic FROM your router)

-F                    Forwarding firewall: packets the router passes from one interface to another (also listed in the help above)



The way this rule should be added to the firewall ruleset (-a)

-a                    The rule will be appended (added at the END) to the list of current rules.

-i                      The rule will be inserted at the BEGINNING of the list of current rules (note the lowercase -i; the uppercase -I selects the input firewall)



I don't know what the difference is here,

but since I created my own special rule-set... I use the -a option.



The policy regarding the traffic (reject)

accept              The rule will allow this specific traffic

reject              The rule will block this specific traffic, but will send an ICMP "destination unreachable" error back to the sender, so the other side learns the port is closed

deny                The rule will block this specific traffic silently, without sending any response (the port appears "stealth")



The Protocol identifier (-P)

-P                    The actual protocol used in the rule (if any)

                                             

The Protocol (tcp)

tcp                  The rule is used for TCP protocol

udp                  The rule is used for UDP protocol

icmp                The rule is used for ICMP protocol

all                    The rule is used for ALL protocols



The source of the traffic (-W $INET, -S)

-W $INET                      The name of the interface the packet arrives on (for -I) or leaves on (for -O). $INET stands for your INTERNET interface, and can be used if you want to block something coming from the INTERNET.

-S 0.0.0.0/0.0.0.0          The source IP address the traffic is generated from, WITH subnet mask

-S 0.0.0.0/0                  The source IP address the traffic is generated from, WITH prefix length



The destination of the traffic

-D 0.0.0.0/0.0.0.0          The destination IP address the traffic is going to, WITH subnet mask

-D 0.0.0.0/0                  The destination IP address the traffic is going to, WITH prefix length



The port (range)

22                    The port you want the rule to apply to

22:25                The port range you want the rule to apply to



Filtering and logging

-y                    Match only TCP packets with SYN set and ACK cleared, i.e. new connection requests; packets of connections that are already established do not match the rule

-o                    Log every packet that matches this rule to the kernel log (your Freesco log file)







Example


reject incomming tcp connections to port 22 from the internet and log



should be:

ipfwadm -I -a reject -P tcp -W $INET -D 0.0.0.0/0 22 -y -o



As you can see...

ipfwadm          is the basic command



-I                      is used because the rule must apply to INBOUND traffic (going TO the router)



-a                    is used to APPEND (add) this rule to your firewall rule-set (loaded on bootup)



reject              is used because you want to BLOCK the inbound traffic.

                        This still makes the router send an ICMP "destination unreachable" error back to the requesting IP, so the sender sees the port as closed rather than silently dropped.



-P tcp              is used because you want to block a specific port on the TCP protocol



NOTE!

You CAN NOT specify a port WITHOUT specifying a protocol!



-W $INET          is used because you want to block the traffic coming FROM the internet TO your internet interface



You could also use -W eth0 if your internet interface is eth0.

Or you could identify the interface by its public IP instead of its name: -V 198.133.219.25 (the interface address option),

or match the packet's destination address: -D 198.133.219.25/255.255.255.255 or -D 198.133.219.25/32

(the source address of traffic coming from the internet can be anything, so your public IP belongs in -V or -D, not in -S).

198.133.219.25 should be replaced with your public IP address,

and the 255.255.255.255 subnet mask is the same as the /32 prefix, which means you specify just this 1 (one) IP address.

(search Google for "tcp/ip subnetting" if you want to know more about that)



-D 0.0.0.0/0      is used to specify the destination IP address.

In this case the rule matches ANY destination address.

Instead of 0.0.0.0/0 you could use 0/0, or 0.0.0.0/0.0.0.0; it's all the same.

If you would like to block the traffic to a specific range, you just specify the range:

-D 192.168.0.0/255.255.255.0 (with subnetmask) or the same range 192.168.0.0/24 (with prefix)



22                    is used to specify the port.

If you want to block a range of ports, say 22 to 25 you should use the following:

22:25

NOTE!

In order to specify a port (range), YOU NEED TO SPECIFY A PROTOCOL !



-y                    is used to match only TCP connection requests (SYN set, ACK cleared), so the rule rejects new connections to port 22 and leaves packets of existing connections alone.

This is not necessary and could cause problems!

So I suggest you don't use it.



-o                    is used to put an entry in your Freesco log file each time the rule matches a packet.

NOTE!

If you put this in a rule for a port which is used very often (like a port used for gaming),

your log files will flood and fill up with entries of this rule being applied!

(in other words... DON'T use this option on rules for multiplayer online gaming or such things)
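The rule-ordering point and the lockout warning from the howto above, as an added example that is not part of the original post or of Freesco's own rc scripts: an rc_user-style fragment that builds the input (-I) ruleset with the accept rules first and the reject rules after them, plus a listing and a -c check. Names that are assumptions here: the fw wrapper (it runs ipfwadm when present and otherwise prints the command, so the rule order can be reviewed on a machine without ipfwadm); INET is taken to be the internet interface name as the Freesco scripts set it; LAN_NET, ROUTER_IP and PUBLIC_IP are placeholders for your own addresses; the -c argument layout follows the option list printed above.

```shell
#!/bin/sh
# Added example for the ipfwadm howto; not code from the original post or from Freesco.
# Assumed placeholders (replace with your own values): INET is the internet interface
# name as set by the Freesco rc scripts; LAN_NET, ROUTER_IP and PUBLIC_IP are made up.
INET=${INET:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
ROUTER_IP=${ROUTER_IP:-192.168.0.1}
PUBLIC_IP=${PUBLIC_IP:-203.0.113.9}

# fw: run ipfwadm when it exists, otherwise print the command (dry run).
# The dry run lets you check the rule order before loading it on the router.
fw() {
    if command -v ipfwadm >/dev/null 2>&1; then
        ipfwadm "$@"
    else
        echo "ipfwadm $*"
    fi
}

# Rules are appended (-a), so the order of these lines is the order in which
# the kernel checks them.  Management access from the LAN comes first, so the
# reject rules below can never match it and lock you out of the router.
build_input_rules() {
    # telnet to the router from the LAN only
    fw -I -a accept -P tcp -S "$LAN_NET" -D "$ROUTER_IP"/32 23
    # SMTP to the router from anywhere (the howto's port 25 example)
    fw -I -a accept -P tcp -S 0/0 -D "$ROUTER_IP"/32 25
    # new SSH connections arriving on the internet interface: rejected and logged
    fw -I -a reject -P tcp -W "$INET" -D 0/0 22 -y -o
}

# Show the loaded input rules with numeric addresses and the interface column.
list_input_rules() {
    fw -I -l -n -e
}

# Ask the kernel how it would treat one packet: a TCP connection request (-y)
# from an internet host to port 22 on the public address, arriving on $INET.
# 198.51.100.7 is a made-up remote address; the argument layout is assumed
# from the -c entry in the option list.
check_ssh_from_internet() {
    fw -I -c -P tcp -S 198.51.100.7 40000 -D "$PUBLIC_IP" 22 -W "$INET" -y
}

# Order check for the dry run: the first reject rule must come after the
# last accept rule, otherwise the accept rules are never reached.
rules_in_order() {
    out=$(build_input_rules)
    last_accept=$(printf '%s\n' "$out" | grep -n ' accept ' | tail -n 1 | cut -d: -f1)
    first_reject=$(printf '%s\n' "$out" | grep -n ' reject ' | head -n 1 | cut -d: -f1)
    [ -n "$last_accept" ] && [ -n "$first_reject" ] && [ "$last_accept" -lt "$first_reject" ]
}

build_input_rules
```

On the router itself the three fw lines inside build_input_rules are what goes into rc_user, followed by rc_masq restart (0.3.x) or rc_masq (0.2.7) to load them; list_input_rules and check_ssh_from_internet are then the two commands to confirm that the rules are in the order you intended and that a connection request to port 22 from the internet is really rejected.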