DaemonForums > FreeBSD > FreeBSD Security
#1 (Weaseal, 1st August 2008)
ipfw rules not behaving

I am trying to limit clients on the network to 256Kbit/s down and 85Kbit/s up for internet use. We use FreeBSD 7.0-p3 as our gateway.

The bandwidth limiting is working, but it's working too well. It's not only limiting clients' access to the internet, but also to the server itself! For example, a client copying a file to/from the Samba share on the FreeBSD gateway is still limited to 256Kbit/s / 85Kbit/s! We don't want this; we only want to limit their access on the other side of the FreeBSD gateway!

Here's the firewall rules:
Code:
$ cat /etc/firewall
#!/bin/sh -

#
# Setup system for ipfw(4) firewall service.
#

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
        if [ -r /etc/defaults/rc.conf ]; then
                . /etc/defaults/rc.conf
                source_rc_confs
        elif [ -r /etc/rc.conf ]; then
                . /etc/rc.conf
        fi
fi

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open        - allows anyone in; safety net
#   limiter     - allows our clients and limits their bandwidth. should block all others

############

setup_loopback () {
        ############
        # Only in rare cases do you want to change these rules
        #
        ${fwcmd} add 100 pass all from any to any via lo0
        ${fwcmd} add 200 deny all from any to 127.0.0.0/8
        ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}

if [ -n "${1}" ]; then
        firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
        fwcmd="/sbin/ipfw -q"
        ;;
*)
        fwcmd="/sbin/ipfw"
        ;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

setup_loopback

############
# Network Address Translation.  All packets are passed to natd(8)
# before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd
# starting at the rule number following the divert rule.
#
# For ``simple'' firewall type the divert rule should be put to a
# different place to not interfere with address-checking rules.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Ll][Ii][Mm][Ii][Tt][Ee][Rr])
        case ${natd_enable} in
        [Yy][Ee][Ss])
                if [ -n "${natd_interface}" ]; then
                        ${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
                fi
                ;;
        esac
        case ${firewall_nat_enable} in
        [Yy][Ee][Ss])
                if [ -n "${firewall_nat_interface}" ]; then
                        ${fwcmd} nat 123 config if ${firewall_nat_interface} log
                        ${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
                fi
                ;;
        esac
esac

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any


# Prototype setups.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
        ${fwcmd} add 65000 pass all from any to any
        ;;

esac

############
# Bandwidth capping rules

case ${firewall_type} in
[Ll][Ii][Mm][Ii][Tt][Ee][Rr])

# Deny everyone who isn't on the list below
${fwcmd} add 65300 deny all from any to any

# Allow everything via the LAN interface
${fwcmd} add 400 allow all from any to any via nfe0


# Centrul - principal
${fwcmd} pipe 4001 config bw 3000Kbit/s
${fwcmd} pipe 4002 config bw 1000Kbit/s
${fwcmd} add 401 pipe 4001 all from any to 192.168.2.2
${fwcmd} add 402 pipe 4002 all from 192.168.2.2 to any

# Centrul - c1
${fwcmd} pipe 1 config bw 256Kbit/s
${fwcmd} pipe 2 config bw 85Kbit/s
${fwcmd} add 501 pipe 1 all from any to 192.168.2.3
${fwcmd} add 502 pipe 2 all from 192.168.2.3 to any

# Centrul - c2
${fwcmd} pipe 3 config bw 256Kbit/s
${fwcmd} pipe 4 config bw 85Kbit/s
${fwcmd} add 503 pipe 3 all from any to 192.168.2.4
${fwcmd} add 504 pipe 4 all from 192.168.2.4 to any

# Centrul - c3
${fwcmd} pipe 5 config bw 256Kbit/s
${fwcmd} pipe 6 config bw 85Kbit/s
${fwcmd} add 505 pipe 5 all from any to 192.168.2.5
${fwcmd} add 506 pipe 6 all from 192.168.2.5 to any

# Centrul - c4
${fwcmd} pipe 7 config bw 256Kbit/s
${fwcmd} pipe 8 config bw 85Kbit/s
${fwcmd} add 507 pipe 7 all from any to 192.168.2.6
${fwcmd} add 508 pipe 8 all from 192.168.2.6 to any

# Centrul - c5
${fwcmd} pipe 9 config bw 256Kbit/s
${fwcmd} pipe 10 config bw 85Kbit/s
${fwcmd} add 509 pipe 9 all from any to 192.168.2.7
${fwcmd} add 510 pipe 10 all from 192.168.2.7 to any

# Centrul - c6
${fwcmd} pipe 11 config bw 256Kbit/s
${fwcmd} pipe 12 config bw 85Kbit/s
${fwcmd} add 511 pipe 11 all from any to 192.168.2.8
${fwcmd} add 512 pipe 12 all from 192.168.2.8 to any

# Centrul - c7
${fwcmd} pipe 13 config bw 256Kbit/s
${fwcmd} pipe 14 config bw 85Kbit/s
${fwcmd} add 513 pipe 13 all from any to 192.168.2.9
${fwcmd} add 514 pipe 14 all from 192.168.2.9 to any

# Centrul - c8
${fwcmd} pipe 15 config bw 3000Kbit/s
${fwcmd} pipe 16 config bw 1000Kbit/s
${fwcmd} add 515 pipe 15 all from any to 192.168.2.10
${fwcmd} add 516 pipe 16 all from 192.168.2.10 to any

# Centrul - c9
${fwcmd} pipe 17 config bw 256Kbit/s
${fwcmd} pipe 18 config bw 85Kbit/s
${fwcmd} add 517 pipe 17 all from any to 192.168.2.11
${fwcmd} add 518 pipe 18 all from 192.168.2.11 to any
;;
esac
And here's ifconfig:
Code:
$ ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:e0:4c:4d:0d:68
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:1d:92:0b:ae:ef
        inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
192.168.1.0/24 is the 'internet' (it's where our router is anyway which goes to the internet) and 192.168.2.0/24 is the internal network.

Any ideas as to why it is behaving this way?

#2 (phoenix, 1st August 2008)

Add the interface names to your bandwidth rules. Packets should only be sent to the queues when leaving (out xmit) the external interface, and when entering (in recv) the external interface.

Right now, you are also double-shaping all your packets, as you haven't specified interfaces on any of your rules.

#3 (Weaseal, 8th August 2008)

Could you please provide some examples? I'm stuck. I either completely block the machine, give it unlimited bandwidth, or get it stuck with both limited bandwidth to the gateway and the internet.

I want unlimited bandwidth to the gateway but limited to the internet.

I think what I'm stuck on is the 'in/out' part. What does each refer to exactly? Does in mean into the network? Into the interface? From which direction? I've read the man page but it didn't help me understand.

Here's an example of what I tried based on what you said:
Quote: Originally Posted by phoenix
Add the interface names to your bandwidth rules. Packets should only be sent to the queues when leaving (out xmit) the external interface, and when entering (in recv) the external interface.
Code:
# Centrul - c8
${fwcmd} pipe 15 config bw 256Kbit/s
${fwcmd} pipe 16 config bw 85Kbit/s
${fwcmd} add 515 pipe 15 all from any to 192.168.2.10 via nfe0 out
${fwcmd} add 516 pipe 16 all from 192.168.2.10 to any via rl0 in
This just completely prevents the machine from accessing anything.

#4 (Weaseal, 8th August 2008)

EUREKA!!!!!
After days and hours sitting in front of this term window, IT HAS HAPPENED! I here post the entire firewall config, as my final firewall writing opus (if there's a God I'll never have to write another one).
Code:
$ cat /etc/firewall
#!/bin/sh -

#
# Setup system for ipfw(4) firewall service.
#

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
        if [ -r /etc/defaults/rc.conf ]; then
                . /etc/defaults/rc.conf
                source_rc_confs
        elif [ -r /etc/rc.conf ]; then
                . /etc/rc.conf
        fi
fi

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open        - allows anyone in; safety net
#   limiter     - allows our clients and limits their bandwidth. should block all others

############

setup_loopback () {
        ############
        # Only in rare cases do you want to change these rules
        #
        ${fwcmd} add 100 pass all from any to any via lo0
        ${fwcmd} add 200 deny all from any to 127.0.0.0/8
        ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}

if [ -n "${1}" ]; then
        firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
        fwcmd="/sbin/ipfw -q"
        ;;
*)
        fwcmd="/sbin/ipfw"
        ;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

setup_loopback

############
# Network Address Translation.  All packets are passed to natd(8)
# before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd
# starting at the rule number following the divert rule.
#
# For ``simple'' firewall type the divert rule should be put to a
# different place to not interfere with address-checking rules.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Ll][Ii][Mm][Ii][Tt][Ee][Rr])
        case ${natd_enable} in
        [Yy][Ee][Ss])
                if [ -n "${natd_interface}" ]; then
                        ${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
                fi
                ;;
        esac
        case ${firewall_nat_enable} in
        [Yy][Ee][Ss])
                if [ -n "${firewall_nat_interface}" ]; then
                        ${fwcmd} nat 123 config if ${firewall_nat_interface} log
                        ${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
                fi
                ;;
        esac
esac

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any


# Prototype setups.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
        ${fwcmd} add 65000 pass all from any to any
        ;;

esac



# # # # # # # # # # # # # #
# Bandwidth capping rules #
# # # # # # # # # # # # # #


case ${firewall_type} in
[Ll][Ii][Mm][Ii][Tt][Ee][Rr])

# Deny everyone who isn't on the list below
${fwcmd} add 65300 deny all from any to any

# Let everything keep moving past these interfaces
${fwcmd} add 350 allow all from any to any out via nfe0
${fwcmd} add 351 allow all from any to any out via rl0

# Allow clients to speak to the server and vice versa
${fwcmd} add 360 allow all from any to 192.168.2.1 via rl0
${fwcmd} add 361 allow all from 192.168.2.1 to any via rl0


# Centrul - principal
${fwcmd} pipe 4001 config bw 100Mbit/s
${fwcmd} pipe 4002 config bw 100Mbit/s
${fwcmd} add 401 pipe 4001 all from any to 192.168.2.2 in via nfe0
${fwcmd} add 402 pipe 4002 all from 192.168.2.2 to any in via rl0

# Centrul - c1
${fwcmd} pipe 1 config bw 256Kbit/s
${fwcmd} pipe 2 config bw 85Kbit/s
${fwcmd} add 501 pipe 1 all from any to 192.168.2.3 in via nfe0
${fwcmd} add 502 pipe 2 all from 192.168.2.3 to any in via rl0

# Centrul - c2
${fwcmd} pipe 3 config bw 256Kbit/s
${fwcmd} pipe 4 config bw 85Kbit/s
${fwcmd} add 503 pipe 3 all from any to 192.168.2.4 in via nfe0
${fwcmd} add 504 pipe 4 all from 192.168.2.4 to any in via rl0

# Centrul - c3
${fwcmd} pipe 5 config bw 256Kbit/s
${fwcmd} pipe 6 config bw 85Kbit/s
${fwcmd} add 505 pipe 5 all from any to 192.168.2.5 in via nfe0
${fwcmd} add 506 pipe 6 all from 192.168.2.5 to any in via rl0

# Centrul - c4
${fwcmd} pipe 7 config bw 256Kbit/s
${fwcmd} pipe 8 config bw 85Kbit/s
${fwcmd} add 507 pipe 7 all from any to 192.168.2.6 in via nfe0
${fwcmd} add 508 pipe 8 all from 192.168.2.6 to any in via rl0

# Centrul - c5
${fwcmd} pipe 9 config bw 256Kbit/s
${fwcmd} pipe 10 config bw 85Kbit/s
${fwcmd} add 509 pipe 9 all from any to 192.168.2.7 in via nfe0
${fwcmd} add 510 pipe 10 all from 192.168.2.7 to any in via rl0

# Centrul - c6
${fwcmd} pipe 11 config bw 256Kbit/s
${fwcmd} pipe 12 config bw 85Kbit/s
${fwcmd} add 511 pipe 11 all from any to 192.168.2.8 in via nfe0
${fwcmd} add 512 pipe 12 all from 192.168.2.8 to any in via rl0

# Centrul - c7
${fwcmd} pipe 13 config bw 256Kbit/s
${fwcmd} pipe 14 config bw 85Kbit/s
${fwcmd} add 513 pipe 13 all from any to 192.168.2.9 in via nfe0
${fwcmd} add 514 pipe 14 all from 192.168.2.9 to any in via rl0

# Centrul - c8
${fwcmd} pipe 15 config bw 256Kbit/s
${fwcmd} pipe 16 config bw 85Kbit/s
${fwcmd} add 515 pipe 15 all from any to 192.168.2.10 in via nfe0
${fwcmd} add 516 pipe 16 all from 192.168.2.10 to any in via rl0

# Centrul - c9
${fwcmd} pipe 17 config bw 256Kbit/s
${fwcmd} pipe 18 config bw 85Kbit/s
${fwcmd} add 517 pipe 17 all from any to 192.168.2.11 in via nfe0
${fwcmd} add 518 pipe 18 all from 192.168.2.11 to any in via rl0

# Petrea
${fwcmd} pipe 19 config bw 256Kbit/s
${fwcmd} pipe 20 config bw 85Kbit/s
${fwcmd} add 519 pipe 19 all from any to 192.168.2.12 in via nfe0
${fwcmd} add 520 pipe 20 all from 192.168.2.12 to any in via rl0

# Anisoara Ulmanu
${fwcmd} pipe 21 config bw 256Kbit/s
${fwcmd} pipe 22 config bw 85Kbit/s
${fwcmd} add 521 pipe 21 all from any to 192.168.2.13 in via nfe0
${fwcmd} add 522 pipe 22 all from 192.168.2.13 to any in via rl0

# Grisa
${fwcmd} pipe 23 config bw 256Kbit/s
${fwcmd} pipe 24 config bw 85Kbit/s
${fwcmd} add 523 pipe 23 all from any to 192.168.2.14 in via nfe0
${fwcmd} add 524 pipe 24 all from 192.168.2.14 to any in via rl0

# Nicu Bivol
${fwcmd} pipe 25 config bw 256Kbit/s
${fwcmd} pipe 26 config bw 85Kbit/s
${fwcmd} add 525 pipe 25 all from any to 192.168.2.15 in via nfe0
${fwcmd} add 526 pipe 26 all from 192.168.2.15 to any in via rl0

;;
esac
Now here's what it does:
Limits network clients' internet bandwidth to 256/85 Kbit/s.
Does NOT limit clients' bandwidth to the gateway itself.

2 little sentences describe so much ipfw!

#5 (phoenix, 13th August 2008)

"in" and "out" refer to whether the packet is entering an interface (coming from outside the box, receiving) or leaving the interface (sending).

All packets that go through a router/firewall will come "in" on one interface, and go "out" on another.

All packets that originate on the firewall and are being sent to another system, will go "out" an interface.

All packets destined for the firewall (originated on another system) will go "in" an interface.

Thus, all your rules should specify which direction the traffic is going, and which interface it is using.

If you want to bandwidth limit traffic going through the firewall, the rules would be similar to (where nfe0 is the external, public facing interface):
Code:
${fwcmd} pipe 15 config bw 256Kbit/s
${fwcmd} pipe 16 config bw 85Kbit/s
${fwcmd} add 515 pipe 15 all from any to 192.168.2.10 in recv nfe0
${fwcmd} add 516 pipe 16 all from 192.168.2.10 to any out xmit nfe0
You should only bandwidth limit on the external, public interface. That way, the firewall can queue up packets in RAM before sending. If you limit on the internal, private interface, strange things can happen (especially since you say you don't want to limit traffic to/from the firewall itself).

Does that clear things up a bit?

#6 (Weaseal, 13th August 2008)

phoenix,
I tried your format. The clients were not able to get out of/past the server at all. I had to add this line:
Code:
${fwcmd} add 65200 allow all from any to any via ${int_if}
just to let them out at all. However, that gives them unlimited upload bandwidth (all outgoing packets hit this new rule instead of the individual "out xmit ${ext_if}" rules).

Any ideas?
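An added example, not code from Weaseal's or phoenix's posts, that puts phoenix's in/out rule shape together with the extra allow rules Weaseal found he needed (rules 360/361 for client-to-gateway traffic, and an unconditional allow on each interface's outbound pass) so that uploads still hit their pipe. It assumes the thread's interface roles (nfe0 external, rl0 internal), natd(8) running on the external interface as the thread's script sets up with natd_enable/natd_interface, the default net.inet.ip.fw.one_pass=1, and a DRY_RUN switch that exists only in this example.

```shell
#!/bin/sh
# Added example, not a script from the thread: a minimal "limiter" ruleset that
# shapes each client's internet traffic while leaving client<->gateway traffic
# untouched. Interface roles follow the thread: nfe0 external, rl0 internal.
# By default the ipfw commands are only printed; DRY_RUN=no installs them.
ext_if="${ext_if:-nfe0}"              # external (internet-facing) interface
int_if="${int_if:-rl0}"               # internal LAN interface
gw_ip="${gw_ip:-192.168.2.1}"         # the gateway's own LAN address
lan_net="${lan_net:-192.168.2.0/24}"  # the client subnet
if [ "${DRY_RUN:-yes}" = "yes" ]; then fwcmd="echo /sbin/ipfw"; else fwcmd="/sbin/ipfw -q"; fi

# limit_client RULE PIPE IP DOWN UP: two pipes and two rules per client.
# Relies on the default net.inet.ip.fw.one_pass=1, under which a packet
# leaving a pipe is accepted instead of being re-checked against later rules.
limit_client() {
    rule=$1; pipe=$2; ip=$3; down=$4; up=$5
    ${fwcmd} pipe "${pipe}" config bw "${down}"
    ${fwcmd} pipe $((pipe + 1)) config bw "${up}"
    # Download: matched as it arrives (in recv) on ext_if. The natd divert at
    # rule 50 has already rewritten the destination back to the private IP.
    ${fwcmd} add "${rule}" pipe "${pipe}" all from any to "${ip}" in recv "${ext_if}"
    # Upload: matched as it arrives on int_if, where the private source is
    # still intact. On the out xmit ext_if pass, rule 50 has already
    # translated the source, so a rule naming ${ip} there would never match.
    ${fwcmd} add $((rule + 1)) pipe $((pipe + 1)) all from "${ip}" to any in recv "${int_if}"
}

build_ruleset() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
    # NAT via natd(8) on ext_if, numbered so it runs before every rule below;
    # natd must be running (natd_enable/natd_interface in rc.conf).
    ${fwcmd} add 50 divert natd ip4 from any to any via "${ext_if}"
    # Client <-> gateway traffic never touches ext_if; allow it before the
    # pipes so it is never shaped (the role of Weaseal's rules 360/361).
    ${fwcmd} add 360 allow all from "${lan_net}" to "${gw_ip}" in recv "${int_if}"
    ${fwcmd} add 361 allow all from "${gw_ip}" to "${lan_net}" out xmit "${int_if}"
    # A forwarded packet was already shaped (or denied) on its inbound pass,
    # so its outbound pass on either interface can simply be allowed.
    ${fwcmd} add 370 allow all from any to any out xmit "${ext_if}"
    ${fwcmd} add 371 allow all from any to any out xmit "${int_if}"
    # One entry per client: rules 501/502, 503/504, ...; pipes 1/2, 3/4, ...
    limit_client 501 1 192.168.2.3 256Kbit/s 85Kbit/s
    limit_client 503 3 192.168.2.4 256Kbit/s 85Kbit/s
    # Everything else is denied, including inbound traffic to the gateway on
    # ext_if; any service the gateway itself offers needs an allow above this.
    ${fwcmd} add 65300 deny all from any to any
}

build_ruleset
```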