
IP Firewall - ipfw

Author:      Pain in the Ass
Submitted:      28-Apr-2007 19:41:04
Imported From:      The CyberArmy University (original author: )


Firewall Tutorial.
************************************************************************
* ipfw tutorial *
* by gabbana *
* *
* 08-2002 *
************************************************************************

ipfw - IP firewall and traffic shaper control program

What is ipfw? ipfw is the user interface for controlling the ipfirewall
and the dummynet traffic shaper in FreeBSD. To many of you it will look
like ipchains or iptables, but there are slight differences between them
and ipfw that are important. ipfw is basically a ruleset that gives
you FULL control over your traffic. Each incoming or outgoing packet is
passed through the ipfw rules.

If the host is acting as a gateway, packets forwarded by the gateway are
processed by ipfw twice. If the host is acting as a bridge, packets
forwarded by the bridge are processed by ipfw once. Each rule has a
number, so users can refer to rules by number, delete them, and know
their exact location within the ruleset (which is very important)!
ipfw works procedurally, like basic programming languages: first command,
first served. This is very important when you want to add multiple
rules for a specific protocol, a host, or a port.
A configuration always includes a DEFAULT rule (numbered 65535) which
cannot be modified by the administrator and always matches packets. The
action associated with the default rule can be either deny or allow
depending on how the kernel is configured.

The ipfw rule format

ipfw [-X] command [index] action [log] protocol addresses [options]

Let's split this into pieces:
ipfw [-X] list (or show) displays the current ruleset. The [-X] switches
supported are:

-t :shows timestamps while listing
-N :tries to resolve addresses and service names in output
-s [field] :sorts the output according to one of the four counters

Now we can finally do the real firewalling:

Each packet can be filtered based on the following information that is
associated with it:

Transmit and receive interface (by name or address)
Direction (incoming or outgoing)
Source and destination IP address (possibly masked)
Protocol (TCP, UDP, ICMP, etc.)
Source and destination port (lists, ranges or masks)
TCP flags
IP fragment flag
IP options
ICMP types
User/group ID of the socket associated with the packet

Remember the syntax:
ipfw command [index] action [log] protocol addresses [options]

Valid commands are:

add [index] :adds a rule to the ruleset (with or without a number)
delete [index] :deletes the rule of a specified number (i.e. delete 231)

ipfw command [index] action [log] protocol addresses [options]

Valid actions are:

deny :Discard packets that match this rule. The search terminates.
Alias: drop
reject :Discard packets that match this rule, and try to send an
ICMP host unreachable notice. The search terminates.
unreach [code] :Discard packets that match this rule, and try to send an
ICMP unreachable notice with [code]. [code] can be a number
from 0-255 or an alias like: srcfail, net-unknown,
host-unknown, isolated, net-prohib, host-prohib et cetera
(see ipfw(8) for more). The search terminates.
reset :TCP packets only. Discard packets that match and send a
TCP reset (RST) packet back. The search terminates.
count :Update counters for all packets that match this rule. The
search won't terminate; it continues with the next rule.
divert [port] :Divert packets that match this rule to the divert socket
bound to port [port]. The search terminates.
tee [port] :Send a copy of packets matching this rule to the divert
socket bound to port [port]. The search terminates and
the original packet is accepted. See my eavesdropping VoIP
tutorial for the usage :)
skipto [index] :Skip all subsequent rules numbered less than [index].
The search continues with the first rule numbered [index]
or higher.
allow :Pass the packet on as normal. (Aliases: pass and accept)

These are the most-used actions. I won't explain the fwd and check-state
actions because for most configurations they are of no use. In case you
are interested in those as well, check ipfw(8) for them.

Most of those actions are useful, but in real life most systems will only
need a good ruleset built with allow and deny.

Once again our syntax:
ipfw command [index] action [log] protocol addresses [options]

[log] :The log option causes matching packets to be logged to the
system console if the kernel was compiled with
IPFIREWALL_VERBOSE. Check your syslogd logs for the output.

Next part are protocols:

all :All protocols will match (alias: ip)
tcp :Matches TCP packets only
udp :Matches UDP packets only
icmp :Matches ICMP packets only

These are the most commonly used protocols and for normal usage this is
enough (for a complete list, see /etc/protocols).

After the protocol part, we have to define the addresses. The addresses
part is split into the source address and the destination address, both
combined with the 'to' operator. We again have a couple of ways to
write addresses:

address :One address only, like an IP or a hostname.
address/mask-bits :Address and mask bits, for example for a C subnet
we could use 192.216.222.1/24 (24 bits == C subnet);
this would cover the entire C subnet
address:mask-pattern :mask-pattern is an IP address which will be logically
AND'ed with the address given

The keyword 'any' may be used to specify "any IP address". Another keyword
is 'me' that will make the rule match any IP number configured on an interface
in the system. This is a computationally semi-expensive check which should
be used with care.

You can (and often want to) specify ports as well. You can list ports like:
23, 80, 1080
or as a range like:
1-443 (including boundaries)

The complete syntax of the addresses part could look like:
www.adress1.net 80 to 127.0.0.1/10
But you'll get some more examples later :)
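The address and port forms just listed, as an added Python example (not part of the tutorial) that checks whether a packet matches the addresses part of a rule; it resolves no hostnames, so source and destination are IP literals, and a port spec of None means the rule named no ports.

```python
# Added example: how ipfw's address forms ('any', address, address/mask-bits,
# address:mask-pattern) and its port lists/ranges decide whether a packet
# matches. Standard library only; hostnames are not resolved here.
import ipaddress

def addr_matches(spec, ip):
    """True when the IP literal `ip` is covered by the ipfw address spec."""
    ip = ipaddress.IPv4Address(ip)
    if spec == "any":
        return True
    if "/" in spec:                        # address/mask-bits, e.g. 192.216.222.1/24
        return ip in ipaddress.IPv4Network(spec, strict=False)
    if ":" in spec:                        # address:mask-pattern, ANDed bit by bit,
        addr, mask = spec.split(":", 1)    # so non-contiguous masks work too
        m = int(ipaddress.IPv4Address(mask))
        return int(ip) & m == int(ipaddress.IPv4Address(addr)) & m
    return ip == ipaddress.IPv4Address(spec)   # single address

def port_matches(spec, port):
    """spec is None (no ports given) or a list like '23,80,1080' or '1-443'."""
    if spec is None:
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if lo <= port <= hi:               # ranges include both boundaries
            return True
    return False

def parse_addresses(text):
    """Split the 'src [ports] to dst [ports]' part of a rule into four fields."""
    def side(s):
        parts = s.split()
        return parts[0], (parts[1] if len(parts) > 1 else None)
    src, _, dst = text.partition(" to ")
    return side(src) + side(dst)

def addresses_match(text, src_ip, sport, dst_ip, dport):
    """Does a packet (src_ip:sport -> dst_ip:dport) match the addresses part?"""
    src, sports, dst, dports = parse_addresses(text)
    return (addr_matches(src, src_ip) and port_matches(sports, sport)
            and addr_matches(dst, dst_ip) and port_matches(dports, dport))
```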

Ok, again our syntax:
ipfw command [index] action [log] protocol addresses [options]

The options are mostly interfaces, traffic status etc. Let's have a look:

in :Only match incoming packets.
out :Only match outgoing packets.

via ifX :Packet must be going through interface 'ifX' (name plus
unit number). For example eth0
via if* :Packet must be going through any interface whose name
starts with 'if', whatever its unit number.
via any :Not a wildcard! Packet must be going through some
interface!
via ipno :Packet must be going through some interface using the
ipno IP address

bridged :Matches only bridged packets. This can be useful for
multicast or broadcast traffic, which would otherwise
pass through the firewall twice: once during bridging,
and a second time when the packet is delivered to the
local stack.
frag :Match if the packet is a fragment and this is not the
first fragment of the datagram

ipoptions spec :Match if the IP header contains the comma separated
list of options specified in spec. The supported IP
options are:
ssrr (strict source route), lsrr (loose source route),
rr (record packet route) and ts (timestamp). The absence
of a particular option may be denoted with a `!'.
tcpoptions spec :Match if the TCP header contains the comma separated
list of options specified in spec. The supported TCP
options are:
mss (maximum segment size), window (tcp window
advertisement), sack (selective ack), ts (rfc1323 timestamp)
and cc (rfc1644 t/tcp connection count). The absence of a
particular option may be denoted with a `!'.
icmptypes types :Matches if the ICMP type is present in the list types.
The list may be specified as any combination of ranges
and/or individual types separated by commas. Commonly used
ICMP types are: 0 echo reply (ping reply), 3 destination
unreachable, 5 redirect, 8 echo request (ping request),
and 11 time exceeded (used to indicate TTL expiration as
with traceroute). The ICMP types with their numbers are:
echo reply (0), destination unreachable (3), source quench
(4), redirect (5), echo request (8), router advertisement
(9), router solicitation (10), time-to-live exceeded (11),
IP header bad (12), timestamp request (13), timestamp reply
(14), information request (15), information reply (16),
address mask request (17) and address mask reply (18).

established :TCP packets only. Match packets that have the RST or ACK
bits set. Plain text: simply established connections
setup :TCP packets only. Match packets that have the SYN bit set
but no ACK bit. Plain text: connection attempts, trying to
set up a new connection
tcpflags spec :TCP packets only. Match if the TCP header contains the
comma separated list of flags specified in spec. The
supported TCP flags are: fin, syn, rst, psh, ack and urg.
The absence of a particular flag may be denoted with a `!'.

uid user :Match all TCP or UDP packets sent by or received for a
user. A user may be matched by name or identification number.
gid group :Same as above, but for a group... you know the deal.

Phew, we are done with the theory, congratz! :)
Now we can finally do something more than only reading ipfw(8) and some
explanations. We will now start to write some sample rules and rulesets.

Examples:

This command adds an entry which denies all tcp packets from
sil.antioffline.org to the telnet port of phoenix.cyberarmy.com from being
forwarded by the host:

ipfw add deny tcp from sil.antioffline.org to phoenix.cyberarmy.com telnet

Notice that you can use the alias 'telnet' instead of the dst-port 23!

This one disallows any connection from the entire 1337 hackers network (a
C subnet) to my host:

ipfw add deny ip from 133.7.13.37/24 to my.host.org

If you do not want people sending X sessions to your internal network (a
subnet of a class C), the following command will do the necessary filtering:

ipfw add deny tcp from any to my.org/28 6000 setup

These are only some examples you'll see often. Now we will discuss some
important things you have to take care of. You may have realized that some
'actions' terminate the search within the ruleset and some let the
search continue. This is important when you want multiple rules to
match a specific kind of traffic, like this:

You want to count the incoming packets from gary7.nsa.gov, but also tee
the traffic:

ipfw add count tcp from gary7.nsa.gov to mynetwork.net/28 in
ipfw add tee 1337 tcp from gary7.nsa.gov to mynetwork.net/28 in

Not hard, is it? The count 'action' keeps the ipfw search for matching
rules alive, and the tee 'action' terminates it. So it's only logical
that we use the count 'action' first.

Another example would be to divert outgoing and incoming traffic through natd,
when 'ed0' is my outside interface
and 6668 is the port that natd listens on:

ipfw add 2000 divert 6668 all from any to any via ed0

How to allow everyone else to go through. The previous line
makes this not very useful, however if I kill natd I don't want the system to
freak out:

ipfw add 65000 pass all from any to any

Commands:

The syntax for flushing the chain is:
ipfw flush

The syntax for clearing one or more packet counters is:
ipfw zero [index]

A script to protect a machine with only one connection to the network:

#!/bin/sh

IPFW=/sbin/ipfw
INTERFACE=ed0

# flush all the rules (-f: don't ask for confirmation)
${IPFW} -f flush

# Local loopback interface is open; loopback addresses must never
# arrive through any other interface
${IPFW} add 1000 allow ip from any to any via lo0
${IPFW} add 1001 deny all from any to 127.0.0.0/8

# Allow outgoing traffic
${IPFW} add 2000 pass tcp from any to any out via ${INTERFACE}

# Allow TCP through if setup succeeded (RST or ACK set)
${IPFW} add 3000 pass tcp from any to any established

# Allow IP fragments to pass through
${IPFW} add 4000 pass all from any to any frag

# Allow DNS queries out and DNS answers back in
${IPFW} add 5000 allow udp from any to any 53 out via ${INTERFACE}
${IPFW} add 5001 allow udp from any 53 to any in via ${INTERFACE}

# Deny everything else except for ICMP: ICMP (and any other protocol)
# falls through to the default rule 65535, so it only passes when the
# kernel default is allow. Distinct numbers let each rule be deleted alone.
${IPFW} add 8000 deny tcp from any to any via ${INTERFACE}
${IPFW} add 8001 deny udp from any to any via ${INTERFACE}
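To make the search order concrete, here is an added Python model (not FreeBSD's implementation) of the first-match walk described earlier: allow/deny terminate, count continues, skipto resumes at the first rule numbered at or above its target, and rule 65535 decides the rest. The rule and packet dictionaries are my own simplified representation, not ipfw syntax, and the constructed ruleset follows the shape of the script above.

```python
# Toy model of the ipfw rule search (added example, not FreeBSD code): walk
# rules by number; allow/deny end the search, count and skipto do not.
DEFAULT_RULE = 65535

def matches(rule, pkt):
    """Every field the rule names must agree with the packet; proto 'ip' is
    the any-protocol wildcard, sport/dport are inclusive (lo, hi) ranges."""
    for key, want in rule.get("match", {}).items():
        have = pkt[key]
        if key == "proto" and want == "ip":
            continue
        if key in ("sport", "dport"):
            if not want[0] <= have <= want[1]:
                return False
        elif have != want:
            return False
    return True

def run_ruleset(rules, pkt, default="deny", counters=None):
    """Return (verdict, deciding rule number); counters collects hits per rule."""
    counters = counters if counters is not None else {}
    ordered = sorted(rules, key=lambda r: r["num"])
    i = 0
    while i < len(ordered):
        r = ordered[i]
        if not matches(r, pkt):
            i += 1
            continue
        counters[r["num"]] = counters.get(r["num"], 0) + 1
        if r["action"] in ("allow", "deny"):
            return r["action"], r["num"]          # search terminates here
        if r["action"] == "skipto":               # resume at first num >= target
            i = next((j for j, x in enumerate(ordered) if x["num"] >= r["arg"]), len(ordered))
        else:                                     # count: search continues
            i += 1
    return default, DEFAULT_RULE                  # nothing matched: kernel default

def packet(proto, direction, iface="ed0", sport=0, dport=0, established=False):
    return dict(proto=proto, direction=direction, iface=iface, sport=sport,
                dport=dport, established=established)  # established: RST or ACK set

# Constructed ruleset in the shape of the script above, plus a count rule before the deny.
RULES = [
    {"num": 1000, "action": "allow", "match": {"iface": "lo0"}},
    {"num": 2000, "action": "allow", "match": {"proto": "tcp", "direction": "out", "iface": "ed0"}},
    {"num": 3000, "action": "allow", "match": {"proto": "tcp", "established": True}},
    {"num": 5001, "action": "allow", "match": {"proto": "udp", "sport": (53, 53), "direction": "in"}},
    {"num": 7000, "action": "count", "match": {"proto": "tcp", "dport": (22, 22), "direction": "in"}},
    {"num": 8000, "action": "deny", "match": {"proto": "tcp", "iface": "ed0"}},
]
```

An inbound SYN to port 22 hits the count rule 7000 and is still denied by 8000, while the same ruleset with the default switched to allow lets ICMP through at rule 65535.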

A less restrictive version that would deny access to ports 1-1023:

#!/bin/sh

IPFW=/sbin/ipfw
INTERFACE=en0

# flush all the rules (-f: don't ask for confirmation)
${IPFW} -f flush

# Allow outgoing traffic
${IPFW} add 2000 pass tcp from any to any out via ${INTERFACE}

# Allow TCP through if setup succeeded (RST or ACK set)
${IPFW} add 3000 pass tcp from any to any established

# Allow IP fragments to pass through
${IPFW} add 4000 pass all from any to any frag

# Deny incoming access to all services running on reserved ports;
# anything else falls through to the default rule 65535
${IPFW} add 8000 deny tcp from any to any 1-1023 in via ${INTERFACE}
${IPFW} add 8001 deny udp from any to any 1-1023 in via ${INTERFACE}

This should be enough to give you an introduction to ipfw and some ways to
implement it. ipfw and related topics like natd, traffic shaping with
dummynet et cetera are also discussed within many newsgroups like
mailing.freebsd.ipfw and other various *.freebsd.ipfw groups.

If any help with ipfw, natd or traffic shaping via dummynet is needed,
don't hesitate to eMail me or join irc.cyberarmy.com #cyberarmy and drop
a line.

gabbana

questions and comments: gabbana@insecured.net

************************************************************************
Greets to: sieco, ReDeeMeR, fugjostle, barnseyboy, CHi, reeferman,
k_phactor, milchschnitte, decoder, hellz(backdoor), Eidolon, shn,
LoXaGoN, intruder, Kaladis, a1b4, pandect, Khris, wa1800z, proud2b,
alfer, [0perations], sat, zvon2k, [HR]c0s, booto, Axem, crun.hr and
all I forgot from CA and my croatian hackers that supported some
projects of mine
************************************************************************

This article was originally published by CyberArmy.net in the CyberArmy Library.
