Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.bhp.com.au!mel.dit.csiro.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.cis.okstate.edu!news.ksu.ksu.edu!news.physics.uiowa.edu!math.ohio-state.edu!howland.reston.ans.net!newsfeed.internetmci.com!news.sprintlink.net!helena.MT.net!nate
From: nate@trout.sri.MT.net (Nate Williams)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: IPFW filter rules...
Date: 12 Feb 1996 17:20:28 GMT
Organization: SRI Intl. - Montana Operations
Lines: 58
Message-ID: <4fnsss$jj6@helena.MT.net>
References: <Pine.HPP.3.91.960207170506.20192A-100000@ocean.fit.qut.edu.au> <4fe9ol$f8@ender1.techcenter.paccar.com> <4fk7g9$i2d@hammy.lonestar.org>
Reply-To: "Nate Williams" <nate@sneezy.sri.com>
NNTP-Posting-Host: trout.sri.mt.net

In article <4fk7g9$i2d@hammy.lonestar.org>,
Gordon Burditt <gordon@hammy.lonestar.org> wrote:
>>A couple of things come to mind: 1) Most packet filters have an implicit "deny"
>>tacked on the end of the filter rules. I.e., deny anything I haven't explicitly
>>allowed. I don't know if ipfw works that way or not.
>>
>>2) You may be suffering from re-ordering of the rules you've written. From the
>>man page on ipfw:
>>
>>" The system has a rule weighting system for the firewall chain. This means
>> that rules are not used in the order that they are specified. To see what
>> rule ordering is used, use the list command."
>>
>>3) Rule re-ordering can bite you big time. You might try the "list" command
>>mentioned above to see the order in which your rules are being applied.

FWIW, Poul-Henning just modified the IPFW kernel sources to no longer
re-order the rules by default, per discussions on many firewall mailing
lists and a discussion on the FreeBSD mailing list.

>Another question on ipfw: Does the "via <interface name>" qualifier
>refer to "it came *IN* via that interface" or "it's going *OUT* via
>that interface"? It seems to be how it came *IN*, but I've never been
>able to definitely prove it.

It implies 'on the interface', which means that packets coming or going
will be subject to this rule. I verified this on my box, which disallows
any packets coming over the external network interface from
sending/receiving packets to any machines in my local network. This
stops folks from spoofing my IP address externally and accessing my
hosts. If it didn't work, my box wouldn't be able to speak to any of
the hosts in my internal network.

>Some obvious things to deny include denying any packet that pretends
>to come from your local net or the loopback interface coming in via
>the PPP link.

Piece of cake.

>Because of the rule re-ordering, I can't depend on the rule order
>unless one rule is strictly more specific than another one.

Get the patch that Poul just committed to -stable (/sys/netinet/ip_fw.c),
apply it to your kernel, and be happy. :)

I figured out a set of rules which happens to work after long hours
with the ruleset because I was too stupid to disable the re-ordering.
I'm now going to make my ruleset much smaller now that -stable has the
re-ordering removed.

Nate
--
nate@sneezy.sri.com    | Research Engineer, SRI Intl. - Montana Operations
nate@trout.sri.MT.net  | Loving life in God's country, the great state of
work #: (406) 449-7662 | Montana.
home #: (406) 443-7063 | A fly pole and a 4x4 Chevy truck = Heaven on Earth
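The two points argued in the thread above, that "via <interface>" matches packets on that interface in either direction and that an anti-spoofing ruleset only works if the deny rules are evaluated before the allows, as an added example that is not part of the original post: a small first-match model of such a filter. The rule fields, the interface names (ppp0 for the external PPP link, ed0 for the internal LAN) and the 192.168.1.0/24 local network are assumptions for illustration, not ipfw's real syntax or parser.

```python
# Added example: a minimal first-match packet filter modelling the "via"
# semantics and the anti-spoofing rules discussed in the post above.
# Interface names, rule fields and addresses are constructed, not ipfw's own.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network in CIDR notation, or "any"
    via: Optional[str]    # interface name; matches packets in OR out on it
    direction: str        # "in", "out" or "any"


@dataclass
class Packet:
    src: str              # source address as seen on the wire
    iface: str            # interface the packet arrived on / leaves by
    direction: str        # "in" or "out"


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every non-wildcard field of the rule matches the packet."""
    if rule.src != "any" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.via is not None and rule.via != pkt.iface:   # "via": either direction
        return False
    if rule.direction != "any" and rule.direction != pkt.direction:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched falls through to `default`."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


LOCAL_NET = "192.168.1.0/24"   # constructed internal network behind ed0
ANTI_SPOOF: List[Rule] = [
    Rule("deny", LOCAL_NET, "ppp0", "in"),        # local-net source arriving on the PPP link
    Rule("deny", "127.0.0.0/8", "ppp0", "any"),   # loopback source never belongs on ppp0
    Rule("allow", "any", "ed0", "any"),           # internal LAN traffic
    Rule("allow", "any", "ppp0", "any"),          # everything else over the link
]
```

Reversing the list (allows before denies) is exactly the failure the rule re-ordering caused: the spoofed packet then hits the "allow any via ppp0" rule first.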