
misc/37301: 4.5 rc.firewall type simple does not pass icmp, or inside to gateway udp


Crist J. Clark

Apr 21, 2002, 4:20:46 AM
The following reply was made to PR misc/37301; it has been noted by GNATS.

From: "Crist J. Clark" <c...@FreeBSD.ORG>
To: Earl Killian <ea...@killian.com>
Cc: freebsd-gn...@FreeBSD.ORG
Subject: Re: misc/37301: 4.5 rc.firewall type simple does not pass icmp, or inside to gateway udp
Date: Sun, 21 Apr 2002 01:19:05 -0700

On Sat, Apr 20, 2002 at 05:35:31PM -0700, Earl Killian wrote:

> >Description:
> I tried the 4.5-RELEASE rc.firewall with firewall_type="simple" and
> natd_enable="YES", and I was not able to talk to my gateway machine
> from the hosts on the inside. Looking at the rules below, I see only
> one rule that is specific to iif, and that is just to prevent the
> inside from pretending to be outside. Most of the rules are via oif,
> or to oip and so don't apply to an inside machine talking to iip via
> iif. If I eliminate those rules, I'm left with:
>
> Rules that apply to inet:imask talking to iip via iif:
>
> deny all from any to 127.0.0.0/8
> deny ip from 127.0.0.0/8 to any
> deny all from ${onet}:${omask} to any in via ${iif}
> pass tcp from any to any established
> pass all from any to any frag
> pass tcp from any to any setup
>
> So what about icmp and udp?

You are missing,

# Allow access to our DNS
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any

Which allow internal machines to reach the DNS server on the
gateway. Remember,

############
# This is a prototype setup for a simple firewall. Configure this
# machine as a named server and ntp server, and point all the machines
# on the inside at this machine for those services.
############

(Not that the rules actually work for NTP. ;)

> Do other sites really use this fw and
> just not ping or dns/ntp to their gateway from inside?

I hope no one uses it unmodified. You shouldn't. As it is documented
elsewhere in rc.firewall,

# For ``client'' and ``simple'' the entries below should be customized
# appropriately.

############
# This is a prototype setup for a simple firewall.

You should NOT use these rules as is. They don't make a lot of
sense. Trying to make a default set of firewall rules is a fool's
game. No one would be happy with them. I'd prefer to have a completely
broken set of rules. If you don't understand your own firewall rules,
you shouldn't be building your own firewall. A false sense of security
is worse than having less security and knowing it.
--
Crist J. Clark | cjc...@alum.mit.edu
| cjc...@jhu.edu
http://people.freebsd.org/~cjc/ | c...@freebsd.org

To Unsubscribe: send mail to majo...@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message

Earl Killian

Apr 21, 2002, 7:34:03 AM

>Number: 37301
>Category: misc
>Synopsis: 4.5 rc.firewall type simple does not pass icmp, or inside to gateway udp
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Apr 20 17:40:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Earl Killian
>Release: 4.5
>Organization:
>Environment:
FreeBSD gate.killian.com 4.5-RELEASE FreeBSD 4.5-RELEASE #1: Mon Apr 15 20:21:44 PDT 2002 root@:/usr/src/sys/compile/GATE i386

>Description:
I tried the 4.5-RELEASE rc.firewall with firewall_type="simple" and
natd_enable="YES", and I was not able to talk to my gateway machine
from the hosts on the inside. Looking at the rules below, I see only
one rule that is specific to iif, and that is just to prevent the
inside from pretending to be outside. Most of the rules are via oif,
or to oip and so don't apply to an inside machine talking to iip via
iif. If I eliminate those rules, I'm left with:

Rules that apply to inet:imask talking to iip via iif:

deny all from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
deny all from ${onet}:${omask} to any in via ${iif}
pass tcp from any to any established
pass all from any to any frag
pass tcp from any to any setup

So what about icmp and udp? Do other sites really use this fw and
just not ping or dns/ntp to their gateway from inside? Shouldn't the
following be added after the stop-spoofing rules or something?:

# Allow internal hosts complete access
allow all from ${inet}:${imask} to ${iip} in recv ${iif}
allow all from ${iip} to ${inet}:${imask} out xmit ${iif}

I also notice there are no rules for icmp at all. Shouldn't there be a

# Allow pings out in the world
pass icmp from ${oip} to any keep-state

down with the dns/ntp rules?

>How-To-Repeat:
Configure with firewall_type="simple". ping to the gateway from
an inside machine and get no response. ntp and dns also do not work
if you give the inside IP address of the gateway as the server for
these protocols.

>Fix:
See description.

>Release-Note:
>Audit-Trail:
>Unformatted:
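To make the disagreement in this thread concrete, here is an added example (not code from the PR, the reply, or FreeBSD's rc.firewall): a small first-match evaluator for the subset of ipfw syntax the quoted rules use, run against constructed packets. It loads the rules the PR lists plus the DNS rules the reply points to (the "simple" set), and the same set with the PR's proposed "allow" and icmp rules inserted where the PR says they belong (the "fixed" set). The addresses, interface names (xl0/xl1), the exact rule order, and the trailing keep-state DNS/NTP-out rules are assumptions; keep-state is modelled only as an implicit check-state at the first keep-state rule, and a packet is seen on one interface, so recv/xmit/via all compare against that interface.

```python
"""Mini first-match evaluator for the ipfw rule subset used in rc.firewall.
Added example, not the PR's or rc.firewall's code; values are assumptions."""
import ipaddress
from dataclasses import dataclass
from string import Template

# Assumed values for the rc.firewall variables (RFC 5737 / RFC 1918 addresses).
V = dict(oip="203.0.113.1", onet="203.0.113.0", omask="255.255.255.0", oif="xl1",
         iip="192.168.1.1", inet="192.168.1.0", imask="255.255.255.0", iif="xl0")

# Rules quoted in the thread that can touch inside->gateway traffic, roughly in
# rc.firewall order; the two trailing keep-state "out" rules are assumed.
SIMPLE = [
    "deny all from any to 127.0.0.0/8",
    "deny ip from 127.0.0.0/8 to any",
    "deny all from ${onet}:${omask} to any in via ${iif}",
    "pass tcp from any to any established",
    "pass all from any to any frag",
    "pass tcp from any to ${oip} 53 setup",
    "pass udp from any to ${oip} 53",
    "pass udp from ${oip} 53 to any",
    "pass tcp from any to any setup",
    "pass udp from ${oip} to any 53 keep-state",
    "pass udp from ${oip} to any 123 keep-state",
]
# The PR's proposal: the two "allow" rules right after the stop-spoofing rule,
# the icmp rule down with the dns/ntp rules.
FIXED = SIMPLE[:3] + [
    "allow all from ${inet}:${imask} to ${iip} in recv ${iif}",
    "allow all from ${iip} to ${inet}:${imask} out xmit ${iif}",
] + SIMPLE[3:] + ["pass icmp from ${oip} to any keep-state"]

@dataclass
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str    # "in" or "out"
    iface: str        # the one interface this packet is seen on (simplification)
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    frag: bool = False

def _addr_match(spec, addr):
    """'any', a host, 'net/bits', or rc.firewall's 'net:mask' notation."""
    if spec == "any":
        return True
    spec = spec.replace(":", "/")      # net:mask -> net/mask for ipaddress
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def parse_rule(text):
    """action proto from src [port] to dst [port] [options...]"""
    t = text.split()
    i, sport, dport, opts = 4, None, None, {}
    if t[i] != "to":                   # optional source port before "to"
        sport, i = int(t[i]), i + 1
    dst, i = t[i + 1], i + 2
    if i < len(t) and t[i].isdigit():  # optional destination port
        dport, i = int(t[i]), i + 1
    while i < len(t):                  # via/recv/xmit take an argument
        if t[i] in ("via", "recv", "xmit"):
            opts[t[i]], i = t[i + 1], i + 2
        else:
            opts[t[i]], i = True, i + 1
    return dict(action=t[0], proto=t[1], src=t[3], sport=sport,
                dst=dst, dport=dport, opts=opts)

def rule_matches(r, p):
    o, tcp = r["opts"], p.proto == "tcp"
    return (r["proto"] in ("all", "ip", p.proto)
            and _addr_match(r["src"], p.src) and _addr_match(r["dst"], p.dst)
            and r["sport"] in (None, p.sport) and r["dport"] in (None, p.dport)
            and ("in" not in o or p.direction == "in")
            and ("out" not in o or p.direction == "out")
            and ("via" not in o or o["via"] == p.iface)
            and ("recv" not in o or (p.direction == "in" and o["recv"] == p.iface))
            and ("xmit" not in o or (p.direction == "out" and o["xmit"] == p.iface))
            and ("setup" not in o or (tcp and p.syn and not p.ack))
            and ("established" not in o or (tcp and p.ack))
            and ("frag" not in o or p.frag))

def load(rules):
    """Substitute the rc.firewall variables and parse each rule."""
    texts = [Template(t).substitute(V) for t in rules]
    return [(t, parse_rule(t)) for t in texts]

PASS = ("pass", "allow", "accept", "permit")   # ipfw synonyms

def decide(rules, p, state):
    """First match wins. `state` is a set of (proto, src, dst) flows; the first
    keep-state rule acts as an implicit check-state, passing replies to them.
    Returns (action, deciding rule) or ('deny', 'default') if nothing matched."""
    checked = False
    for text, r in rules:
        if "keep-state" in r["opts"] and not checked:
            checked = True
            if (p.proto, p.dst, p.src) in state:   # reversed tuple = a reply
                return "pass", "dynamic rule"
        if rule_matches(r, p):
            if "keep-state" in r["opts"]:
                state.add((p.proto, p.src, p.dst))
            return ("pass" if r["action"] in PASS else "deny"), text
    return "deny", "default"

if __name__ == "__main__":
    host = "192.168.1.50"   # constructed inside host
    probes = [Packet("icmp", host, V["iip"], "in", V["iif"]),
              Packet("udp", host, V["iip"], "in", V["iif"], sport=1234, dport=53),
              Packet("udp", host, V["oip"], "in", V["iif"], sport=1234, dport=53)]
    for name, rules in (("simple", load(SIMPLE)), ("fixed", load(FIXED))):
        for p in probes:
            print(name, p.proto, "->", p.dst, p.dport, decide(rules, p, set()))
```

Running it shows both points made in the thread: with the "simple" set an inside host reaching the gateway's inside address falls through to the default deny for both icmp and udp/53, while the same query sent to the gateway's outside address passes on the DNS rule the reply quotes; with the PR's "allow" rules inserted after the stop-spoofing rule, inside-to-iip traffic passes, and the proposed icmp keep-state rule lets echo replies back in only when the matching outbound echo was recorded.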
