Very Computer

by **Chris J [#** » Sat, 09 May 1998 04:00:00

Hiya,

Got a problem setting up ipfwadm (version 2.3.0). System is running kernel
2.0.33.

I am attempting to firewall everything incoming (bar certain ports, including
all < 1023 ports), however I've spotted a slight flaw in this plan. Once I've
set the connection up, outgoing connections cannot be established, as I've
firewalled 1024:65535, hence blocking out the local port end.

What I'm trying to achive is a firewall whereby users cannot put up their own
servers or daemons for external access without asking for the ports to be
unlocked. Internally, they have free reign.

Is there a method wherby incoming connections can be blocked, but outgoing
connections (to any port) can still be established? My current rules look
like (143.58.59.3 is the machine I'm attempting to firewall. The firewall is
also on this machine - the IP has been changed to protect the innocent :)

# Priviliged ports ( < 1024) - always allow
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 0:1023
ipfwadm -I -a accept -P udp -S 0.0.0.0/0 -D 143.58.59.3/32 0:1023

# Allow access within university
ipfwadm -I -a accept -P tcp -S 143.58.0.0/16 -D 143.58.59.3/32 0:65535
ipfwadm -I -a accept -P udp -S 143.58.0.0/16 -D 143.58.59.3/32 0:65535

# Services
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 1026
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 2049
ipfwadm -I -a accept -P udp -S 0.0.0.0/0 -D 143.58.59.3/32 2049
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 6000
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 2000
ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 5678

## This causes the problems with outgoing connections being setup
# Reject all other connections
ipfwadm -I -a reject -y -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 1024:65535
ipfwadm -I -a reject -y -P udp -S 0.0.0.0/0 -D 143.58.59.3/32 1024:65535

Alternatively...am I missing summat obvious, and am being blind to miss it?

TIA,

Chris...

--

/ When will we get the chance to | \
/ be ourselves? When will the | Eat a pint of fish a day \
/ labeling in society dissapear? | \

by **Stephen Meyle** » Sat, 09 May 1998 04:00:00

> Hiya,

> Got a problem setting up ipfwadm (version 2.3.0). System is running kernel
> 2.0.33.

[snip]

> ## This causes the problems with outgoing connections being setup
> # Reject all other connections
> ipfwadm -I -a reject -y -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 1024:65535
> ipfwadm -I -a reject -y -P udp -S 0.0.0.0/0 -D 143.58.59.3/32 1024:65535

> Alternatively...am I missing summat obvious, and am being blind to miss it?

> TIA,

> Chris...

> --

> / When will we get the chance to | \
> / be ourselves? When will the | Eat a pint of fish a day \
> / labeling in society dissapear? | \

The problem is that the second part of the TCP handshake has the SYN bit set and
is being rejected because of the -y specification. I believe the way to achieve
what you want is to allow all packets with the ACK bit set, and disallow all
others (SYN w/o ACK). Something like this:

ipfwadm -I -a accept -k -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 1024:65535
ipfwadm -I -a reject -P tcp -S 0.0.0.0/0 -D 143.58.59.3/32 1024:65535

The -y and -k are not applicable to UDP as it is connectionless.

Hope this helps

Steve

Very Computer

Firewalling incoming connections

Firewalling incoming connections

Firewalling incoming connections