The FreeBSD Diary

I think I still have more work to do on my firewall rules.  Here are the areas which need work:

• $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
• IRC setup - the existing rule set doesn't allow new IRC connections.

In order to get IRC working, I have the following rules in place:

allow tcp from any to any setup

I will work on these problems in the order listed above.  Short cuts to the topics are listed below.

IRC Connections | Deny all

Here's part of the output from "ipfw show":

02210         71       3124 allow tcp from any to any 0-1000
02211         78       8909 allow udp from any to any 0-1000
02220          0          0 allow tcp from any to any 1000-2000
02220          0          0 allow udp from any to any 1000-2000
02230          0          0 allow tcp from any to any 2000-3000
02230          0          0 allow udp from any to any 2000-3000
02240          0          0 allow tcp from any to any 3000-4000
02240          0          0 allow udp from any to any 3000-4000
02250          0          0 allow tcp from any to any 4000-5000
02250         26       4341 allow udp from any to any 4000-5000

As you can see, I'm getting traffic in the 0-1000, and 4000-5000 ranges.  It's a matter of refining the ports to see which ones are being used.  Now I'm sure tcpdump would be useful here.  BTW: I've just started compiling my kernel.

My next step was the following set of rules:

02201          0          0 allow tcp from any to any 0-100
02202         10        440 allow tcp from any to any 100-200
02203          0          0 allow tcp from any to any 200-300
02204          0          0 allow tcp from any to any 300-400
02205          0          0 allow tcp from any to any 400-500
02206          0          0 allow tcp from any to any 500-600
02207          0          0 allow tcp from any to any 600-700
02208          0          0 allow tcp from any to any 700-800
02209          0          0 allow tcp from any to any 800-900
02210          0          0 allow tcp from any to any 900-1000

You can see now that it's all within the 100-200 range.  So now I create a set of rules from 100-200.  And so on.  Eventually I found that it was port 110 which was being used.  If you check in /etc/services, you'll see that this is the Post Office Protocol (POP).  Silly me.  My mail client was going out and checking for mail at my ISP.  That's what I've been tracking.  Not IRC.

# allow all local traffic
$fwcmd add allow all from ${inet}:${imask} to ${inet}:${imask}

Pretty simple.  The problem was that I wasn't allowing local traffic.  And the above allows local traffic to go anywhere.  I have now removed the allow tcp from any to any setup rule mentioned above.

$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}

However, with natd divert, this causes a problem (at least with -stable as of 1988/08/28).  When a packet goes through natd, it gets reinjected at the start of the rules.  Then the rules are seeing a packet from the outside with a destination within RFC 1918 space (ie within 192.168.*.*).

There are two known solutions:

1. delete the rule
2. upgrade to -current

#1 above is not very good.  #2 is the best option at present.  I took a third option, which is not recommended but does do some good.  I moved the modified rule to be above the natd divert.

After a bit of thought, I've concluded that the above solution will be sufficient for me.  I believe my ISP has sufficient filtering on their routers to prevent such attacks event reaching me.

I have also been told that IP Filter doesn't have this problem.  I may just investigate that option.