On Wed, Oct 30, 2002 at 03:47:24PM -0600, Pete Davis wrote:
[snip]
> Below is the ipf script which works for all protocols tested. If I take
> out the first rule in 'Output rules to Internet' (pass out quick on fxp1
> proto tcp from 1.2.3.4 to any flags S keep state keep frags), FTP does
> not work. I would think "pass out quick on fxp1 proto tcp from 1.2.3.4
> to any port = 21 flags S keep state keep frags" would take care of
> passive ftp but it doesn't seem to be working.
The FTP proxy lives in ipnat(8). You need to put in ipnat(8) rules to
proxy FTP.
> Question 1: Am I missing something or am I being too cautious by not
> allowing out all traffic from the proxy box to the internet?
If you don't have to, don't allow it. If it is the only way to get
things working, it is probably well worth the risk.
> Question 2: Don't UDP and ICMP states time out quickly with IPF such
> that I should just use 'keep state' with them (for the rules on the
> private side, in/out)?
I wouldn't bother with any 'keep state' rules on the private side. It
does not provide any extra protection and consumes resources. It is
actually a negative. More below...
> fxp0 = internal interface (private) = 192.168.11.1
> fxp1 = external interface (internet) = 1.2.3.4
> (not actual ip's)
>
> ## input rules from Private ##
> pass in quick on fxp0 proto tcp from any to 192.168.11.1 port = 80 flags S keep state keep frags
This is a rule where 'keep state' is bad. A client can make a
connection from any port to port 80. What does remembering the state
give you?
> pass in quick on fxp0 proto udp from any port = 53 to 192.168.11.1
Isn't this backwards? Or if not, shouldn't you have a list of DNS
servers rather than 'any'? You've just let anyone on the internal
network reach any UDP port on 192.168.11.1 provided they use 53 as a
source port.
> pass in quick on fxp0 proto icmp from any to 192.168.11.1
You might want to limit the types here to 3 and 11, the "essential"
ICMP, and possibly 0 and 8, the echo response and request.
> block in quick on fxp0 from any to any
>
> ## Output rules to Private ##
> pass out quick on fxp0 proto tcp from 192.168.11.1 to any flags S keep state keep frags
> pass out quick on fxp0 proto udp from 192.168.11.1 to any port = 53
If this is what you really want (to reach an internal DNS server),
you'd be much better off making this 'keep state' and losing the
53/udp rule in the input set.
> pass out quick on fxp0 proto icmp from 192.168.11.1 to any
>
> ## Input rules from Internet ##
> block in quick on fxp1 proto tcp from any to any flags S
> block in quick on fxp1 proto icmp from any to any
> block in quick on fxp1 from any to any
Not sure why you need three rules here. The last one will do it all
for you.
> ## Output rules to Internet ##
> pass out quick on fxp1 proto tcp from 1.2.3.4 to any flags S keep state keep frags
> pass out quick on fxp1 proto tcp from 1.2.3.4 to any port = 80 flags S keep state keep frags
> pass out quick on fxp1 proto tcp from 1.2.3.4 to any port = 21 flags S keep state keep frags
> pass out quick on fxp1 proto tcp from 1.2.3.4 to any port = 443 flags S keep state keep frags
> pass out quick on fxp1 proto udp from 1.2.3.4 to any port = 53 keep state
> pass out quick on fxp1 proto icmp from 1.2.3.4 to any keep state
>
> Thanks for any help.
You are missing:
pass out quick on fxp1 proto tcp from 1.2.3.4 to any port = 53 keep state
Which is technically required to fully support DNS queries (53/tcp is
NOT just for zone transfers).
--
Crist J. Clark
http://people.freebsd.org/~cjc/
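As an added example (my own code, not from either poster), a small Python linter run over a constructed ruleset modelled on the one quoted above. It flags the two problems raised in this reply: a pass rule that matches only on the source port, and an interface that passes 53/udp out without a companion 53/tcp rule (a tcp pass-out rule with no port restriction counts as cover). The sample ruleset and the check names are assumptions for illustration.

```python
import re

# Constructed sample modelled on the ruleset quoted in this thread (not the poster's exact file).
RULES = """
pass in quick on fxp0 proto tcp from any to 192.168.11.1 port = 80 flags S keep state keep frags
pass in quick on fxp0 proto udp from any port = 53 to 192.168.11.1
pass out quick on fxp0 proto tcp from 192.168.11.1 to any flags S keep state keep frags
pass out quick on fxp0 proto udp from 192.168.11.1 to any port = 53
block in quick on fxp1 from any to any
pass out quick on fxp1 proto tcp from 1.2.3.4 to any port = 80 flags S keep state keep frags
pass out quick on fxp1 proto udp from 1.2.3.4 to any port = 53 keep state
"""

# Minimal grammar for the rule shapes used above (one rule per line, 'port = N' only).
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)\s+(?:quick\s+)?on\s+(?P<iface>\S+)"
    r"(?:\s+proto\s+(?P<proto>\S+))?\s+from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?(?P<rest>.*)$")

def parse(text):
    """Parse ipf rules into dicts; blank lines, comments and unrecognised lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and (m := RULE_RE.match(line)):
            rules.append(m.groupdict())
    return rules

def audit(rules):
    """Return (check, iface, detail) findings for the two issues raised in the reply."""
    findings = []
    for r in rules:
        # A pass rule keyed only on the *source* port: any host that picks that source
        # port reaches every port on the destination (the 'backwards' 53/udp rule).
        if r["action"] == "pass" and r["sport"] and not r["dport"]:
            findings.append(("source-port-only", r["iface"],
                             f"any host using sport {r['sport']} reaches every "
                             f"{r['proto'] or 'any'} port on {r['dst']}"))
    # DNS over TCP is not just for zone transfers: wherever 53/udp is passed out, a
    # 53/tcp rule (or a tcp rule with no destination port) should exist on that interface.
    def out_ifaces(proto, ports):
        return {r["iface"] for r in rules if r["action"] == "pass" and r["dir"] == "out"
                and r["proto"] == proto and r["dport"] in ports}
    for iface in sorted(out_ifaces("udp", {"53"}) - out_ifaces("tcp", {"53", None})):
        findings.append(("missing-53-tcp", iface, "53/udp out is passed but no 53/tcp out rule"))
    return findings

if __name__ == "__main__":
    for check, iface, detail in audit(parse(RULES)):
        print(f"{check:18} {iface:5} {detail}")
```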