Chapter 31. Firewalls

IPFW is a stateful firewall written for FreeBSD which supports both IPv4 and IPv6. It is comprised of several components: the kernel firewall filter rule processor and its integrated packet accounting facility, the logging facility, NAT, the dummynet(4) traffic shaper, a forward facility, a bridge facility, and an ipstealth facility.

FreeBSD provides a sample ruleset in /etc/rc.firewall which defines several firewall types for common scenarios to assist novice users in generating an appropriate ruleset. IPFW provides a powerful syntax which advanced users can use to craft customized rulesets that meet the security requirements of a given environment.

This section describes how to enable IPFW, provides an overview of its rule syntax, and demonstrates several rulesets for common configuration scenarios.

After saving the needed edits, start the firewall. To enable logging limits now, also set the sysctl value specified above:

There is no /etc/rc.conf variable to set logging limits. To limit the number of times a rule is logged per connection attempt, specify the number using this line in /etc/sysctl.conf:

Only firewall rules with the log option will be logged. The default rules do not include this option and it must be manually added. Therefore it is advisable that the default ruleset is edited for logging. In addition, log rotation may be desired if the logs are stored in a separate file.

An alternate way to load a custom ruleset is to set the firewall_script variable to the absolute path of an executable script that includes IPFW commands. The examples used in this section assume that the firewall_script is set to /etc/ipfw.rules:

If firewall_type is set to either client or simple , modify the default rules found in /etc/rc.firewall to fit the configuration of the system.

To use one of the default firewall types provided by FreeBSD, add another line which specifies the type:

IPFW is included in the basic FreeBSD install as a kernel loadable module, meaning that a custom kernel is not needed in order to enable IPFW.

The dynamic rules facility is vulnerable to resource depletion from a SYN-flood attack which would open a huge number of dynamic rules. To counter this type of attack with IPFW, use limit . This option limits the number of simultaneous sessions by checking the open dynamic rules, counting the number of times this rule and IP address combination occurred. If this count is greater than the value specified by limit , the packet is discarded.

When a keep-state rule is matched, the firewall will create a dynamic rule which matches bidirectional traffic between the source and destination addresses and ports using the same protocol.

Several keywords can follow the source and destination. As the name suggests, OPTIONS are optional. Commonly used options include in or out , which specify the direction of packet flow, icmptypes followed by the type of ICMP message, and keep-state .

An optional destination port can be specified using the port number or name from /etc/services.

The to keyword must be followed by the destination address or a keyword that represents the destination address. The same keywords and addresses described in the SRC section can be used to describe the destination.

An optional source port can be specified using the port number or name from /etc/services.

The from keyword must be followed by the source address or a keyword that represents the source address. An address can be represented by any , me (any address configured on an interface on this system), me6 , (any IPv6 address configured on an interface on this system), or table followed by the number of a lookup table which contains a list of addresses. When specifying an IP address, it can be optionally followed by its CIDR mask or subnet mask. For example, 1.2.3.4/25 or 1.2.3.4:255.255.255.128 .

This optional value can be used to specify any protocol name or number found in /etc/protocols.

Logging is done after all other packet matching conditions have been met, and before performing the final action on the packet. The administrator decides which rules to enable logging on.

When a packet matches a rule with the log keyword, a message will be logged to syslogd(8) with a facility name of SECURITY . Logging only occurs if the number of packets logged for that particular rule does not exceed a specified LOG_AMOUNT. If no LOG_AMOUNT is specified, the limit is taken from the value of net.inet.ip.fw.verbose_limit . A value of zero removes the logging limit. Once the limit is reached, logging can be re-enabled by clearing the logging counter or the packet counter for that rule, using ipfw resetlog .

check-state : checks the packet against the dynamic state table. If a match is found, execute the action associated with the rule which generated this dynamic rule, otherwise move to the next rule. A check-state rule does not have selection criterion. If no check-state rule is present in the ruleset, the dynamic rules table is checked at the first keep-state or limit rule.

A rule can be associated with one of the following actions. The specified action will be executed when the packet matches the selection criterion of the rule.

Each rule is associated with a set number from 0 to 31 . Sets can be individually disabled or enabled, making it possible to quickly add or delete a set of rules. If a SET_NUMBER is not specified, the rule will be added to set 0 .

Each rule is associated with a number from 1 to 65534 . The number is used to indicate the order of rule processing. Multiple rules can have the same number, in which case they are applied according to the order in which they have been added.

This section provides an overview of these keywords and their options. It is not an exhaustive list of every possible option. Refer to ipfw(8) for a complete description of the rule syntax that can be used when creating IPFW rules.

When creating an IPFW rule, keywords must be written in the following order. Some keywords are mandatory while other keywords are optional. The words shown in uppercase represent a variable and the words shown in lowercase must precede the variable that follows it. The # symbol is used to mark the start of a comment and may appear at the end of a rule or on its own line. Blank lines are ignored.

When a packet enters the IPFW firewall, it is compared against the first rule in the ruleset and progresses one rule at a time, moving from top to bottom in sequence. When the packet matches the selection parameters of a rule, the rule’s action is executed and the search of the ruleset terminates for that packet. This is referred to as “first match wins”. If the packet does not match any of the rules, it gets caught by the mandatory IPFW default rule number 65535, which denies all packets and silently discards them. However, if the packet matches a rule that contains the count , skipto , or tee keywords, the search continues. Refer to ipfw(8) for details on how these keywords affect rule processing.

The last rule logs all packets that do not match any of the rules in the ruleset:

The next set of rules controls connections from Internet hosts to the internal network. It starts by denying packets typically associated with attacks and then explicitly allows specific types of connections. All the authorized services that originate from the Internet use limit to prevent flooding.

The next rule allows the packet through if it matches an existing entry in the dynamic rules table:

The first two rules allow all traffic on the trusted internal interface and on the loopback interface:

The firewall script begins by indicating that it is a Bourne shell script and flushes any existing rules. It then creates the cmd variable so that ipfw add does not have to be typed at the beginning of every rule. It also defines the pif variable which represents the name of the interface that is attached to the Internet.

This sets the default policy of ipfw(8) to be more permissive than the default deny ip from any to any , making it slightly more difficult to get locked out of the system right after a reboot.

This section demonstrates how to create an example stateful firewall ruleset script named /etc/ipfw.rules. In this example, all connection rules use in or out to clarify the direction. They also use via interface-name to specify the interface the packet is traveling over.

31.4.4. In-kernel NAT

FreeBSD’s IPFW firewall has two implementations of NAT: the userland implementation natd(8), and the more recent in-kernel NAT implementation.
Both work in conjunction with IPFW to provide network address translation.
This can be used to provide an Internet Connection Sharing solution so that several internal computers can connect to the Internet using a single public IP address.

To do this, the FreeBSD machine connected to the Internet must act as a gateway.
This system must have two NICs, where one is connected to the Internet and the other is connected to the internal LAN.
Each machine connected to the LAN should be assigned an IP address in the private network space, as defined by RFC 1918.

Some additional configuration is needed in order to enable the in-kernel NAT facility of IPFW.
To enable in-kernel NAT support at boot time, the following must be set in /etc/rc.conf:

gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"

When firewall_nat_enable is set but firewall_enable is not, it will have no effect and do nothing.
This is because the in-kernel NAT implementation is only compatible with IPFW.

When the ruleset contains stateful rules, the positioning of the NAT rule is critical and the skipto action is used.
The skipto action requires a rule number so that it knows which rule to jump to.
The example below builds upon the firewall ruleset shown in the previous section.
It adds some additional entries and modifies some existing rules in order to configure the firewall for in-kernel NAT.
It starts by adding some additional variables which represent the rule number to skip to, the keep-state option, and a list of TCP ports which will be used to reduce the number of rules.

#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 1000"
pif=dc0
ks="keep-state"
good_tcpo="22,25,37,53,80,443,110"

With in-kernel NAT it is necessary to disable TCP segmentation offloading (TSO) due to the architecture of libalias(3), a library implemented as a kernel module to provide the in-kernel NAT facility of IPFW.
TSO can be disabled on a per network interface basis using ifconfig(8) or on a system wide basis using sysctl(8).
To disable TSO system wide, the following must be set it /etc/sysctl.conf:

net.inet.tcp.tso="0"

A NAT instance will also be configured.
It is possible to have multiple NAT instances each with their own configuration.
For this example only one NAT instance is needed, NAT instance number 1.
The configuration can take a few options such as: if which indicates the public interface, same_ports which takes care that alliased ports and local port numbers are mapped the same, unreg_only will result in only unregistered (private) address spaces to be processed by the NAT instance, and reset which will help to keep a functioning NAT instance even when the public IP address of the IPFW machine changes.
For all possible options that can be passed to a single NAT instance configuration consult ipfw(8).
When configuring a stateful NATing firewall, it is necessary to allow translated packets to be reinjected in the firewall for further processing.
This can be achieved by disabling one_pass behavior at the start of the firewall script.

ipfw disable one_pass
ipfw -q nat 1 config if $pif same_ports unreg_only reset

The inbound NAT rule is inserted after the two rules which allow all traffic on the trusted and loopback interfaces and after the reassemble rule but before the check-state rule.
It is important that the rule number selected for this NAT rule, in this example 100, is higher than the first three rules and lower than the check-state rule.
Furthermore, because of the behavior of in-kernel NAT it is advised to place a reassemble rule just before the first NAT rule and after the rules that allow traffic on trusted interface.
Normally, IP fragmentation should not happen, but when dealing with IPSEC/ESP/GRE tunneling traffic it might and the reassembling of fragments is necessary before handing the complete packet over to the in-kernel NAT facility.

The reassemble rule was not needed with userland natd(8) because the internal workings of the IPFW divert action already takes care of reassembling packets before delivery to the socket as also stated in ipfw(8).

The NAT instance and rule number used in this example does not match with the default NAT instance and rule number created by rc.firewall.
rc.firewall is a script that sets up the default firewall rules present in FreeBSD.

$cmd 005 allow all from any to any via xl0  # exclude LAN traffic
$cmd 010 allow all from any to any via lo0  # exclude loopback traffic
$cmd 099 reass all from any to any in       # reassemble inbound packets
$cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets
# Allow the packet through if it has an existing entry in the dynamic rules table
$cmd 101 check-state

The outbound rules are modified to replace the allow action with the $skip variable, indicating that rule processing will continue at rule 1000.

The seven tcp rules have been replaced by rule 125 as the $good_tcpo variable contains the seven allowed outbound ports.

Remember that IPFW’s performance is largely determined by the number of rules present in the ruleset.

# Authorized outbound packets
$cmd 120 $skip udp from any to x.x.x.x 53 out via $pif $ks
$cmd 121 $skip udp from any to x.x.x.x 67 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks

The inbound rules remain the same, except for the very last rule which removes the via $pif in order to catch both inbound and outbound rules.

The NAT rule must follow this last outbound rule, must have a higher number than that last rule, and the rule number must be referenced by the skipto action.

In this ruleset, rule number 1000 handles passing all packets to our configured instance for NAT processing.
The next rule allows any packet which has undergone NAT processing to pass.

$cmd 999 deny log all from any to any
$cmd 1000 nat 1 ip from any to any out via $pif # skipto location for outbound stateful rules
$cmd 1001 allow ip from any to any

In this example, rules 1001011251000, and 1001 control the address translation of the outbound and inbound packets so that the entries in the dynamic state table always register the private LANIP address.

Consider an internal web browser which initializes a new outbound HTTP session over port 80.
When the first outbound packet enters the firewall, it does not match rule 100 because it is headed out rather than in.
It passes rule 101 because this is the first packet and it has not been posted to the dynamic state table yet.
The packet finally matches rule 125 as it is outbound on an allowed port and has a source IP address from the internal LAN.
On matching this rule, two actions take place.
First, the keep-state action adds an entry to the dynamic state table and the specified action, skipto rule 1000, is executed.
Next, the packet undergoes NAT and is sent out to the Internet.
This packet makes its way to the destination web server, where a response packet is generated and sent back.
This new packet enters the top of the ruleset.
It matches rule 100 and has its destination IP address mapped back to the original internal address.
It then is processed by the check-state rule, is found in the table as an existing session, and is released to the LAN.

On the inbound side, the ruleset has to deny bad packets and allow only authorized services.
A packet which matches an inbound rule is posted to the dynamic state table and the packet is released to the LAN.
The packet generated as a response is recognized by the check-state rule as belonging to an existing session.
It is then sent to rule 1000 to undergo NAT before being released to the outbound interface.

Transitioning from userland natd(8) to in-kernel NAT might appear seamless at first but there is small catch.
When using the GENERIC kernel, IPFW will load the libalias.ko kernel module, when firewall_nat_enable is enabled in /etc/rc.conf.
The libalias.ko kernel module only provides basic NAT functionality, whereas the userland implementation natd(8) has all NAT functionality available in its userland library without any extra configuration.
All functionality refers to the following kernel modules that can additionally be loaded when needed besides the standard libalias.ko kernel module: alias_ftp.ko, alias_bbt.ko, skinny.ko, irc.ko, alias_pptp.ko and alias_smedia.ko using the kld_list directive in /etc/rc.conf.
If a custom kernel is used, the full functionality of the userland library can be compiled in, in the kernel, using the options LIBALIAS.

31.4.4.1. Port Redirection

The drawback with NAT in general is that the LAN clients are not accessible from the Internet.
Clients on the LAN can make outgoing connections to the world but cannot receive incoming ones.
This presents a problem if trying to run Internet services on one of the LAN client machines.
A simple way around this is to redirect selected Internet ports on the NAT providing machine to a LAN client.

For example, an IRC server runs on client A and a web server runs on client B.
For this to work properly, connections received on ports 6667 (IRC) and 80 (HTTP) must be redirected to the respective machines.

With in-kernel NAT all configuration is done in the NAT instance configuration.
For a full list of options that an in-kernel NAT instance can use, consult ipfw(8).
The IPFW syntax follows the syntax of natd. The syntax for redirect_port is as follows:

redirect_port proto targetIP:targetPORT[-targetPORT]
  [aliasIP:]aliasPORT[-aliasPORT]
  [remoteIP[:remotePORT[-remotePORT]]]

To configure the above example setup, the arguments should be:

redirect_port tcp 192.168.0.2:6667 6667
redirect_port tcp 192.168.0.3:80 80

After adding these arguments to the configuration of NAT instance 1 in the above ruleset, the TCP ports will be port forwarded to the LAN client machines running the IRC and HTTP services.

ipfw -q nat 1 config if $pif same_ports unreg_only reset 
  redirect_port tcp 192.168.0.2:6667 6667 
  redirect_port tcp 192.168.0.3:80 80

Port ranges over individual ports can be indicated with redirect_port.
For example, tcp 192.168.0.2:2000-3000 2000-3000 would redirect all connections received on ports 2000 to 3000 to ports 2000 to 3000 on client A.

31.4.4.2. Address Redirection

Address redirection is useful if more than one IP address is available.
Each LAN client can be assigned its own external IP address by ipfw(8), which will then rewrite outgoing packets from the LAN clients with the proper external IP address and redirects all traffic incoming on that particular IP address back to the specific LAN client.
This is also known as static NAT.
For example, if IP addresses 128.1.1.1128.1.1.2, and 128.1.1.3 are available, 128.1.1.1 can be used as the ipfw(8) machine’s external IP address, while 128.1.1.2 and 128.1.1.3 are forwarded back to LAN clients A and B.

The redirect_address syntax is as below, where localIP is the internal IP address of the LAN client, and publicIP the external IP address corresponding to the LAN client.

redirect_address localIP publicIP

In the example, the arguments would read:

redirect_address 192.168.0.2 128.1.1.2
redirect_address 192.168.0.3 128.1.1.3

Like redirect_port, these arguments are placed in a NAT instance configuration.
With address redirection, there is no need for port redirection, as all data received on a particular IP address is redirected.

The external IP addresses on the ipfw(8) machine must be active and aliased to the external interface.
Refer to rc.conf(5) for details.

31.4.4.3. Userspace NAT

Let us start with a statement: the userspace NAT implementation: natd(8), has more overhead than in-kernel NAT.
For natd(8) to translate packets, the packets have to be copied from the kernel to userspace and back which brings in extra overhead that is not present with in-kernel NAT.

To enable the userpace NAT daemon natd(8) at boot time, the following is a minimum configuration in /etc/rc.conf.
Where natd_interface is set to the name of the NIC attached to the Internet.
The rc(8) script of natd(8) will automatically check if a dynamic IP address is used and configure itself to handle that.

gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"

In general, the above ruleset as explained for in-kernel NAT can also be used together with natd(8).
The exceptions are the configuration of the in-kernel NAT instance (ipfw -q nat 1 config …​) which is not needed together with reassemble rule 99 because its functionality is included in the divert action.
Rule number 100 and 1000 will have to change sligthly as shown below.

$cmd 100 divert natd ip from any to any in via $pif
$cmd 1000 divert natd ip from any to any out via $pif

To configure port or address redirection, a similar syntax as with in-kernel NAT is used.
Although, now, instead of specifying the configuration in our ruleset script like with in-kernel NAT, configuration of natd(8) is best done in a configuration file.
To do this, an extra flag must be passed via /etc/rc.conf which specifies the path of the configuration file.

natd_flags="-f /etc/natd.conf"

The specified file must contain a list of configuration options, one per line.
For more information about the configuration file and possible variables, consult natd(8).
Below are two example entries, one per line:

redirect_port tcp 192.168.0.2:6667 6667
redirect_address 192.168.0.3 128.1.1.3

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.