ipfw subnetting

Paul Macdonald

Hi,

Can anyone suggest what I'm doing wrong here.

Desired:    drop everything from 180.0.0.0 to 180.255.255.255

ipfw -q add 137 deny all from 180.0.0.0/8 to any


thanks
Paul.

--
-------------------------
Paul Macdonald
IFDNRG Ltd
Web and video hosting
-------------------------
t: 0131 5548070
m: 07970339546<<PLEASE NOTE NEW MOBILE<<
e: [hidden email]
w: http://www.ifdnrg.com
-------------------------
IFDNRG
40 Maritime Street
Edinburgh
EH6 6SA
-------------------------


_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[hidden email]"

Re: ipfw subnetting

Ian Smith-12
In freebsd-questions Digest, Vol 416, Issue 1, Message: 26
On Mon, 21 May 2012 10:06:12 +0100 Paul Macdonald <[hidden email]> wrote:

 > can anyone suggest what i'm doing wrong here.
 >
 > Desired:    drop everything from 180.0.0.0 to 180.255.255.255
 >
 > ipfw -q add 137 deny all from 180.0.0.0/8 to any

t23# ipfw -q add 137 deny all from 180.0.0.0/8 to any
t23# ipfw show 137
00137    0       0 deny ip from 180.0.0.0/8 to any

So what doesn't work?  (apart from scattergun removal of small pieces of
a whole lot of Asian countries, incl. Japan, Indonesia, Australia, .. :)

cheers, Ian

Re: ipfw subnetting

Paul Macdonald
On 21/05/2012 14:50, Ian Smith wrote:

> In freebsd-questions Digest, Vol 416, Issue 1, Message: 26
> On Mon, 21 May 2012 10:06:12 +0100 Paul Macdonald<[hidden email]>  wrote:
>
>   >  can anyone suggest what i'm doing wrong here.
>   >
>   >  Desired:    drop everything from 180.0.0.0 to 180.255.255.255
>   >
>   >  ipfw -q add 137 deny all from 180.0.0.0/8 to any
>
> t23# ipfw -q add 137 deny all from 180.0.0.0/8 to any
> t23# ipfw show 137
> 00137    0       0 deny ip from 180.0.0.0/8 to any
>
> So what doesn't work?  (apart from scattergun removal of small pieces of
> a whole lot of Asian countries, incl. Japan, Indonesia, Australia, .. :)
It was intended as a required temporary measure,
but even though it was listed in my ipfw list, I was/am still seeing
traffic coming in via addresses such as 180.248.x.x


A very open firewall test script is as follows:

00010 allow ip from any to any via lo0
00081 deny log ip from 180.0.0.0/8 to any
00100 check-state
00101 allow tcp from any to any established
00102 allow ip from any to any out keep-state
00103 allow icmp from any to any
65535 deny ip from any to any

but I'm still seeing traffic from

180.149.29.102
180.234.116.61
180.234.36.44
180.234.237.119
180.234.72.115

I must be doing something wrong!
Paul.





> cheers, Ian



Re: ipfw subnetting

Michael Sierchio
On Mon, May 21, 2012 at 8:30 AM, Paul Macdonald <[hidden email]> wrote:

> A very open firewall test script is as follows:
>
> 00010 allow ip from any to any via lo0
> 00081 deny log ip from 180.0.0.0/8 to any
> 00100 check-state

You don't need the following
> 00101 allow tcp from any to any established

This may not do what you think - "out" does not necessarily mean out
your external interface.  Packets can go in and out (from the
perspective of the ruleset) more than once.  And you want only to
start a dynamic rule for legitimate TCP traffic, which means "tcpflags
syn,!ack" - See below

> 00102 allow ip from any to any out keep-state

And you probably want to be selective about which ICMP you allow
> 00103 allow icmp from any to any
> 65535 deny ip from any to any

It's also helpful (most of the time) to be explicit about the interface

Is this ruleset just protecting this host itself, or are you using it
as a firewall for an internal network?

ipfw add allow ip from any to any via lo0
ipfw add allow ip from $local_net to $local_net

ipfw add deny log ip from 180.0.0.0/8 to any in recv $ext_if

ipfw add check-state

ipfw add allow tcp from any to any out xmit $ext_if setup keep-state
ipfw add allow udp from any to any out xmit $ext_if keep-state
ipfw add allow icmp from any to any out xmit $ext_if keep-state

ipfw add allow icmp from any to any in recv $ext_if icmptypes 3,8,11

ipfw add deny ip from any to any

Re: ipfw subnetting

Paul Macdonald
On 21/05/2012 16:44, Michael Sierchio wrote:

> On Mon, May 21, 2012 at 8:30 AM, Paul Macdonald<[hidden email]>  wrote:
>
>> A very open firewall test script is as follows:
>>
>> 00010 allow ip from any to any via lo0
>> 00081 deny log ip from 180.0.0.0/8 to any
>> 00100 check-state
> You don't need the following
>> 00101 allow tcp from any to any established
> This may not do what you think - "out" does not necessarily mean out
> your external interface.  Packets can go in and out (from the
> perspective of the ruleset) more than once.  And you want only to
> start a dynamic rule for legitimate TCP traffic, which means "tcpflags
> syn,!ack" - See below
>
>> 00102 allow ip from any to any out keep-state
> and you probably want to be selective about which ICMP you allow
>> 00103 allow icmp from any to any
>> 65535 deny ip from any to any
> It's also helpful (most of the time) to be explicit about the interface
>
> Is this ruleset just protecting this host itself, or are you using it
> as a firewall for an internal network?
>
> ipfw add allow ip from any to any via lo0
> ifpw add allow ip from $local_net to $local_net
>
> ipfw add deny log ip from 180.0.0.0/8 to any in recv $ext_if
>
> ipfw add check-state
>
> ipfw add allow tcp from any to any out xmit $ext_if setup keep-state
> ipfw add allow udp from any to any out xmit $ext_if keep-state
> ipfw add allow icmp from any to any out xmit $ext_if keep-state
>
> ipfw add allow icmp from any to any in recv $ext_if icmptypes 3,8,11
>
> ipfw add deny ip from any to any

This is for one host only, so I'm not so worried about interfaces, and not
worried about ICMP either.
I'm still seeing this traffic coming in; can anyone help with this
simpler config to keep 180.0.0.0 out?

IPF="ipfw -q add"
ipfw -q -f flush
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

$IPF 50 check-state
#$IPF 51 allow tcp from any to any established  DISABLED PER SUGGESTION
#$IPF 52 allow all from any to any out keep-state DISABLED PER SUGGESTION
$IPF 53 allow icmp from any to any   # am ok with this

#temp wide reaching filter
$IPF 137 deny all from 180.0.0.0/8 to any

#Allows for ports
$IPF 181 allow tcp from any to any 21
$IPF 183 allow tcp from any to any 25
#...........etc

#Another attempt to get rid of 180.x.x.x in case it is last match??
$IPF 450 deny all from 180.0.0.0/8 to any

#------------ deny and log everything
$IPF 499 deny udp from any to any
$IPF 5000 deny log all from any to any
$IPF 5010 deny icmp from any to any






Re: ipfw subnetting

Michael Powell-8
Paul Macdonald wrote:

[snip]

It has been many years since I used IPFW as I moved on to IPFILTER, and then
on to PF which is what I use now. I don't even recall exactly why I chose to
utilize both setting directionality of flow per specific interface. I suspect
that somehow there is some rule occurring prior to your block rule that is
somehow allowing the traffic to pass.

Bear in mind the following ruleset (specified in /etc/rc.conf via
firewall_script="/etc/firewall/fwrules") is for a tributary end-point using a
ppp dialup modem connection. It may not be suitable for a proper network to
network firewall. I used it for years, and as far as I know it worked well (I
am not an expert). It is also doing NAT, which you may not be doing (that
would just be a one-line difference in any case, the "DIVERT" line).


# Firewall rules

fwcmd="/sbin/ipfw"
$fwcmd -f flush
$fwcmd add allow all from any to any via lo0
$fwcmd add allow all from any to any via xl0
$fwcmd add deny log all from any to 127.0.0.0/8

# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via ppp0
$fwcmd add deny log ip from 172.16.0.0/12 to any in via ppp0
$fwcmd add deny log ip from 10.0.0.0/8 to any in via ppp0
$fwcmd add deny log ip from any to 192.168.0.0/16 in via ppp0
$fwcmd add deny log ip from any to 172.16.0.0/12 in via ppp0
$fwcmd add deny log ip from any to 10.0.0.0/8 in via ppp0

# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via ppp0
$fwcmd add deny all from 169.254.0.0/16 to any in via ppp0
$fwcmd add deny all from 192.0.2.0/24 to any in via ppp0
$fwcmd add deny all from 224.0.0.0/4 to any in via ppp0
$fwcmd add deny all from 240.0.0.0/4 to any in via ppp0
$fwcmd add deny all from any to 0.0.0.0/8 in via ppp0
$fwcmd add deny all from any to 169.254.0.0/16 in via ppp0
$fwcmd add deny all from any to 192.0.2.0/24 in via ppp0
$fwcmd add deny all from any to 224.0.0.0/4 in via ppp0
$fwcmd add deny all from any to 240.0.0.0/4 in via ppp0

$fwcmd add divert natd all from any to any via ppp0
$fwcmd add check-state

$fwcmd add allow tcp from any to any 80 via ppp0
#port opened for web server - tcp_drop_synfin was removed

$fwcmd add deny log udp from any to me in recv ppp0
$fwcmd add allow udp from any to any via ppp0 keep-state
$fwcmd add allow log icmp from any to any icmptypes 3,4

$fwcmd add deny log tcp from any to any in recv ppp0 setup
$fwcmd add allow tcp from any to any out xmit ppp0 setup keep-state
$fwcmd add allow tcp from any to any via ppp0 established keep-state

$fwcmd add allow log icmp from any to any icmptypes 8 out xmit ppp0
$fwcmd add allow log icmp from any to any icmptypes 0 in recv ppp0
$fwcmd add allow log icmp from any to any icmptypes 11 in recv ppp0

$fwcmd add 65432 deny log tcp from any to any
$fwcmd add 65433 deny log udp from any to any
$fwcmd add 65434 deny log icmp from any to any
$fwcmd add 65435 deny log ip from any to any

The main thing that would change for you immediately would be to alter the
interface of ppp0 to the exterior interface on your box that is facing the
outside Internet. And '$fwcmd add allow all from any to any via xl0' <- here
xl0 would be whichever is your interior LAN facing interface.

Perhaps this example may be useful to you. If you can get something that
works and others can find flaws in my approach it can be improved further.

-Mike



Re: ipfw subnetting

Ian Smith-12
On Mon, 21 May 2012 16:30:59 +0100, Paul Macdonald wrote:
 > On 21/05/2012 14:50, Ian Smith wrote:
 > > In freebsd-questions Digest, Vol 416, Issue 1, Message: 26
 > > On Mon, 21 May 2012 10:06:12 +0100 Paul Macdonald<[hidden email]>  wrote:
 > >
 > >   >  can anyone suggest what i'm doing wrong here.
 > >   >
 > >   >  Desired:    drop everything from 180.0.0.0 to 180.255.255.255
 > >   >
 > >   >  ipfw -q add 137 deny all from 180.0.0.0/8 to any
 > >
 > > t23# ipfw -q add 137 deny all from 180.0.0.0/8 to any
 > > t23# ipfw show 137
 > > 00137    0       0 deny ip from 180.0.0.0/8 to any
 > >
 > > So what doesn't work?  (apart from scattergun removal of small pieces of
 > > a whole lot of Asian countries, incl. Japan, Indonesia, Australia, .. :)

 > it was intended as a required temporary measure,
 > but even though it was listed in my ipfw list, i was/am still seeing traffic
 > coming in via addresses such as 180.248.x.x

Ok.  Coming in to what service/s?

 > A very open firewall test script is as follows:
 >
 > 00010 allow ip from any to any via lo0
 > 00081 deny log ip from 180.0.0.0/8 to any
 > 00100 check-state
 > 00101 allow tcp from any to any established
 > 00102 allow ip from any to any out keep-state
 > 00103 allow icmp from any to any
 > 65535 deny ip from any to any
 >
 > but i'm still seeing traffic from
 >
 > 180.149.29.102

Banglalion Communications Ltd. WiMAX Operator. Bangladesh.

 > 180.234.116.61
 > 180.234.36.44
 > 180.234.237.119
 > 180.234.72.115

Augere Wireless Broadband Bangladesh Limited. (FWIW)

 > I must be doing something wrong!

If you're using just that order, denying 180/8 BEFORE the check-state,
then incoming traffic from 180/8 not being dropped (and logged) at rule
81 would represent a serious bug in ipfw, worthy of a PR.  But this
may not be quite as it seems .. for example, even when dropped you'll
see such packets from tcpdump, which are hooked before the firewall.

Where and how, past the firewall, are you detecting this traffic?  What
sort of traffic?  Are you sure sysctl net.inet.ip.fw.enable=1 ? Seeing
`ipfw show` over a period, even better `ipfw -t show` with timestamps,
could convince us the firewall was actually otherwise working ..

In your later post to Michael you had that rule 137 AFTER check-state,
which means that packets from 180/8 - in response to outbound requests
by you (or your rootkit :) to those addresses - might indeed pass.

 > 00102 allow ip from any to any out keep-state

keep-state for 'ip' or 'all' traffic (rather than specifying tcp, udp or
icmp) doesn't make much sense, and could have dangerous consequences of
allowing any sort of return traffic from (say) 180/8 initiated from your
end, but only if check-state were BEFORE you've denied 180/8 traffic.

Rather than show the script, please post results from ipfw show, and a
few of the log entries of denied packets (with your addresses obscured
if need be).  And some logging from where you're detecting those hosts?

cheers, Ian
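To make the ordering point above concrete, here is a small Python model of ipfw's first-match walk with check-state/keep-state, added as an illustration; it is not code from the thread or from ipfw itself. It assumes a constructed host address 192.0.2.10, and keys dynamic state on protocol and addresses only (no ports, interfaces or logging).

```python
import ipaddress

# Simplified model of ipfw first-match evaluation (added illustration, not
# ipfw's real implementation). HOST is a constructed address; PEER is one of
# the 180/8 addresses reported in the thread.
HOST = "192.0.2.10"
PEER = "180.234.36.44"

def rule(num, action, proto="ip", src="any", dst="any", direction=None, keep_state=False):
    return {"num": num, "action": action, "proto": proto, "src": src,
            "dst": dst, "dir": direction, "keep_state": keep_state}

def _addr_in(spec, addr):
    # "any" or CIDR containment, e.g. 180.0.0.0/8 covers 180.0.0.0-180.255.255.255
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _static_match(r, pkt):
    proto_ok = r["proto"] in ("ip", "all", pkt["proto"])
    dir_ok = r["dir"] is None or r["dir"] == pkt["dir"]
    return proto_ok and dir_ok and _addr_in(r["src"], pkt["src"]) and _addr_in(r["dst"], pkt["dst"])

def evaluate(rules, pkt, state):
    """Walk rules in number order; return (rule_number, action).
    `state` holds keys created by keep-state; check-state matches both directions."""
    fwd = (pkt["proto"], pkt["src"], pkt["dst"])
    rev = (pkt["proto"], pkt["dst"], pkt["src"])
    for r in sorted(rules, key=lambda x: x["num"]):
        if r["action"] == "check-state":
            if fwd in state or rev in state:
                return r["num"], "allow"
            continue
        if _static_match(r, pkt):
            if r["keep_state"]:
                state.add(fwd)
            return r["num"], r["action"]
    return 65535, "deny"  # implicit default rule

def run(rules):
    """Outbound request to a 180/8 host, its reply, then an unsolicited inbound packet."""
    state = set()
    out = {"proto": "tcp", "src": HOST, "dst": PEER, "dir": "out"}
    reply = {"proto": "tcp", "src": PEER, "dst": HOST, "dir": "in"}
    unsolicited = {"proto": "tcp", "src": "180.149.29.102", "dst": HOST, "dir": "in"}
    return [evaluate(rules, p, state) for p in (out, reply, unsolicited)]

# Paul's first test ruleset: deny 180/8 at 81, BEFORE check-state at 100.
DENY_BEFORE = [
    rule(81, "deny", src="180.0.0.0/8"),
    rule(100, "check-state"),
    rule(102, "allow", direction="out", keep_state=True),
]

# The later ordering Ian warns about: check-state and a keep-state allow sit
# BEFORE the deny at 137, so replies to connections the host opened pass.
DENY_AFTER = [
    rule(50, "check-state"),
    rule(52, "allow", direction="out", keep_state=True),
    rule(137, "deny", src="180.0.0.0/8"),
]
```

run(DENY_BEFORE) denies the reply at rule 81, while run(DENY_AFTER) lets it through at the check-state rule 50; the unsolicited inbound packet is denied in both orderings.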

Re: ipfw subnetting

Paul Macdonald
On 21/05/2012 17:01, Paul Macdonald wrote:
> On 21/05/2012 16:44, Michael Sierchio wrote:
>> On Mon, May 21, 2012 at 8:30 AM, Paul Macdonald<[hidden email]>  wrote:
>>
>>> A very open firewall test script is as follows:
>>>

This is now resolved; I hadn't realised (embarrassingly) that ipfw list
will show rules even if the fw is disabled.
At some point during debugging I think I'd disabled the firewall and not
re-enabled it, and on seeing rules listed assumed it was actually on.

This was web traffic, coming in from 5-6 very wide ranges, with a
referrer of http://bdsclickcenter.com/en/surf/view/75967
Not sure why they've become interested in one of my clients' sites, but
they have probably hit the server from several 100k IPs.
mod_rewrite has been serving them 403s for over 24 hrs, but that
doesn't seem to bother them!

thanks to those who took the time to help.





Re: ipfw subnetting

Michael Sierchio
On Mon, May 21, 2012 at 10:19 AM, Paul Macdonald <[hidden email]> wrote:

> this is now resolved, i hadn't realised (embarrassingly) that ipfw list will
> show rules if if the fw is disabled.

You should consider using tables, which allow you to add ad hoc nets,
etc. and you can swap rulesets atomically so you can manipulate tables
and then deploy them.

ipfw add deny ip from table\(1\) to any

etc.

Re: ipfw subnetting

Wojciech Puchar-5
> can anyone suggest what i'm doing wrong here.
>
> Desired:    drop everything from 180.0.0.0 to 180.255.255.255
>
> ipfw -q add 137 deny all from 180.0.0.0/8 to any

nothing wrong. all is fine.