4. ipfwadm Usage

4.1 How do I see a detailed analysis of my rules for masquerading?

There are really two ways that I am aware of. The first shows you the masquerading connections themselves; to see them use:
%netstat -M
See the netstat man page for further details...
The second option available to you, which gives you a bird's eye view of the rules in action, is to do a:
#ipfwadm -Fnle
This will [l]ist all your -[F]orwarding packet rules in [e]xtended format, with the interface address included plus the rule options. The -[n] forces ipfwadm to display all addresses and port numbers in numeric format.
#ipfwadm -Inle
This does the same for all your -[I]ncoming packet rules: [e]xtended format with the interface address and rule options included, and -[n] for numeric addresses and port numbers.
#ipfwadm -Onle
And this does the same for all your -[O]utgoing packet rules.

4.2 How do I check whether a specific packet would be accepted, denied, or rejected by one of my firewalls?

You would use the -[c] switch to [c]heck how a given packet would be handled. The check is fairly forgiving: if you leave out a required switch, ipfwadm will prompt you for it. For example, if I wished to determine whether an incoming packet from a specific IP address and port, arriving on a specific interface, was being accepted, denied, or rejected by my firewall, I might do a:
#ipfwadm -c -I -P udp -V 192.168.100.100 -W eth0 -S 192.168.100.200 1024 -D 192.168.100.100 53
Since the -[c] switch needs a firewall to look at, you first have to decide which firewall (incoming, outgoing or forwarding) you wish to check up on. In this example I wish to determine whether a udp packet, [I]ncoming on interface eth0 (which has the IP address 192.168.100.100), destined for port 53 and originating from 192.168.100.200 on port 1024, is accepted, denied, or rejected. Thought I would never get through that without fragmenting ;'))

4.3 What is the difference between rejecting and denying a packet with regard to the use of ipfwadm?

ipfwadm gives you two methods of discarding packets: deny and reject. Deny simply ignores the packet as if it never existed, sending no indication of any kind to the packet's originator, whereas reject sends an ICMP host unreachable message back to the source of the transmission. Knowing this will of course sway your opinion on what your specific policies should be, depending on what you wish to achieve.

4.4 How do I enable IP forwarding from the command line?

IP forwarding can be enabled using the following syntax:
#echo "1" > /proc/sys/net/ipv4/ip_forward

4.5 How do I make IP forwarding enable itself automatically upon bootup... whatever that is on Linux?

To make IP forwarding far more permanent, go to your /etc/sysconfig/network and change the variable named 'FORWARD_IPV4=' to 'FORWARD_IPV4=true', and that's that.

4.6 Where exactly do I place the ipfwadm rules that I wish to have run, without intervention, when I bring up my system?

Place them in rc.local, which is the last initialization file to be run on system bootup. You might append the following to rc.local as an example.
#first I set my default policy for ipfwadm...
/sbin/ipfwadm -F -p deny
#be certain to set the default policy as a fallback, and consider that a bad configuration of
#masquerading could allow anyone to masquerade from your system.
/sbin/ipfwadm -F -a -m -S 192.168.100.0/24 -D 0/0
#this allows you to masquerade from your network to any IP address out there. Remember that
#-a must be used when using -m for masquerading. This example was thrown in just to show
#you how feature rich this firewall is.
/sbin/ifconfig eth0 192.168.100.1
#You won't get very far without this one...
/sbin/route add -net 192.168.100.0
#add a route for this here network, else packets won't know where to go. But we will... :'))
#The very first task you have when you build ipfwadm and begin using it is to be certain that
#you can ping anywhere you choose and all interfaces are up and routing. If you don't have that
#together then you are way ahead of yourself, and in this case that is not good... Then tighten the
#firewalls right down, loosening the vise as you grasp what exactly you are allowing here.

4.7 Why doesn't my browser's ftp work for me when I can access the server just fine from other ftp clients and the command line?

This is due to the browser using PASV (passive mode), which requires the firewall to allow access in the port range of 1024 to 5000. You have three options. The first is to allow ephemeral inbound connections on these ports and call it a day. The second is to use a standard ftp client that uses predictable ports and proxy it using fwtk's ftp-gw proxy to isolate it better; the ftp proxy then calls the ftp server on behalf of your client rather than the client having direct access per se. The third option, and probably the best, is to blend the first two: allow inbound connections to the ephemeral ports used by PASV and proxy those connections using fwtk as your final layer inbound to the ftp server. You will sleep better at night this way if you really need to allow ftp server access. At the time of this writing, if you are using Exploder rather than Netscape then securing your firewalls is the least of your problems...

4.8 Can I use ipfwadm to protect services like ftp or POP?

You can use ipfwadm to control the flow of any protocol that is tcp, udp, or icmp based, which covers essentially every standards-based Internet service.

4.9 Why is it important for me to start by denying access on literally all the firewalls that are controlled by ipfwadm?

As mentioned briefly earlier, the firewalls that are manipulated by ipfwadm forward literally all packets by default. This means that any and all services pass through without any supervision or accounting. It also means that, for all intents and purposes, before you go any further you have yourself a basic router, period. If it helps, think of it as a faucet that is on full blast! Hence it is very important that you apply rules that deny access to any flow until you know exactly what you are allowing and denying. It might be a good idea about now to write that down if you are going whole hog, as without a plan this is the wrong place to be. If you think not, consider this... How much is the information you're protecting worth? ...really worth. Enough said.

4.10 Can you present a basic example for analysis?

Why sure... here it is; take it for what it's worth.
############################################################################
#====================== IPFWADM RULES BASE ========================#
#===================== [IPFWADM deny everything ] =======================#
#
#Here is where I begin my rules controlling all incoming, outgoing, and forwarding of
#packets great and small. So here is where I explicitly deny all, period, across all firewalls.
ipfwadm -I -p deny
#first, like some people I know, I deny everything incoming...
ipfwadm -F -p deny
#Then I deny all forwarding, period...
ipfwadm -O -p deny
#Then to close everything off I deny all outgoing transmissions...
#at this point I have the second best firewall ever made, next to the one markus speaks of.

#=========================[ Flush...All My Rules ]=========================#

ipfwadm -I -f
ipfwadm -F -f
ipfwadm -O -f
ipfwadm -A -f
#here I start with a clean slate and build from here...

#==========================[ Turning on the Tap ]=========================#

#To recap, I have denied all from all directions and have flushed all rules to start fresh

ipfwadm -I -a accept -V 192.168.100.10 -S 192.168.100.0/24 -D 0/0

#the above allows incoming packets on 192.168.100.10 from the local network, bound anywhere

#========================[ Spoof Checking below ]========================#

#immediately below is my anti-spoofing reality check for any external interface traffic that
#claims to be coming from inside the network... These are also logged and tracked

ipfwadm -I -a deny -V ip_of_external_perimeter_interface -S 192.168.100.0/24 -D 0/0 -o

#======================[ Friendly External Packets ]=========================#

#any packet that flows in on my outermost interface from the outside, addressed to that interface itself

ipfwadm -I -a accept -V ip_of_external_perimeter_interface -S 0/0 \
-D ip_of_external_perimeter_interface/32

#in the above the -D address is masked completely (/32), so only the interface's own address matches...
#loopback can be your friend... your network of networks ;'))

ipfwadm -I -a accept -V 127.0.0.1 -S 0/0 -D 0/0

#======================[ Local Network Control ]==========================#

#Let's just say for example that you wished to deny a certain IP from accessing a specific site
#on company time. This could be expanded to cover an entire subnet, and is not limited to just
#the -I firewall as this example shows. Remember that the reject switch will give your client an echo (ICMP message)
#ipfwadm -I -a reject -V ip_of_external_perimeter_interface -S 192.168.100.0/24 -D bad_ip/32 -o

#======================[ Local Int -> Loco Net ]===========================#

#here I declare to all that my locally internal trusted interface allows incoming packets from the
#local network going anywhere in the Cyberverse. Which is larger than I can count...
#ipfwadm -I -a accept -V ip_of_internal_trusted_interface -S 192.168.100.0/24 -D 0/0

#=========================[ Captain's Logs ]=============================#

#here is my fall-through rule to deny all other incoming packets and log the unfriendly ones.

ipfwadm -I -a deny -S 0/0 -D 0/0 -o

#=====================[ Local Int to Local Net Calls ]========================#

#here is where I allow any traffic flowing out of my local internal trusted interface to
#travel from anywhere to my local network without any problems

ipfwadm -O -a accept -V ip_of_internal_trusted_interface -S 0/0 -D 192.168.100.0/24

#===========================[ Source Route Check ]=======================#

#deny anything that is flowing out of ip_of_external_perimeter_interface towards the internal
#network, regardless of where the packet originates, and record it

ipfwadm -O -a deny -V ip_of_external_perimeter_interface -S 0/0 -D 192.168.100.0/24 -o

#===========================[ Masquerading Relay ]=======================#

#it is probably a real good idea not to allow any masquerading that you haven't authorized,
#therefore anything coming from the internal network going out of ip_of_external_perimeter_interface
#will not be allowed (denied) and will be logged for analysis

ipfwadm -O -a deny -V ip_of_external_perimeter_interface -S 192.168.100.0/24 -D 0/0 -o

#=========================[ Rejecting on Ext Interface ]=====================#

#here I declare to all that my external untrusted interface rejects packets out from itself
#to a specific IP address. Seems redundant when it could be done as easily on the internal interface,
#but it would not hurt anything and can be used to create a multi-stage straining device per se, plus a log.

ipfwadm -O -a reject -V ip_of_external_perimeter_interface \
-S ip_of_external_perimeter_interface -D bad_ip_address/32 -o

#==========================[ Looping Ext Int Here ]=======================#

#here the loopback microverse is allowed to continue to live on the external interface

ipfwadm -O -a accept -V 127.0.0.1 -S 0/0 -D 0/0

#=========================[ Outgoing Allowed Here ]======================#

#Any outgoing packet that gets this far should be considered routeable and allowed from
#ip_of_external_perimeter_interface to continue on its merry way... better put, if
#it originates from ip_of_external_perimeter_interface and is flowing out of
#ip_of_external_perimeter_interface to anywhere, allow it now.

ipfwadm -O -a accept -V ip_of_external_perimeter_interface \
-S ip_of_external_perimeter_interface -D 0/0

#===========================[ Logging Out Ext Int ]======================#

#right about now I do what some people I know do and deny and log all remaining outgoing packets

ipfwadm -O -a deny -S 0/0 -D 0/0 -o

#==========================[ Masquerade if Needed ]=====================#

#here is where I would install masquerading rules if I was doing many-to-one. If you have a reasonably
#sized network then you probably are not too concerned here and may leave this commented out:
#forwarding from the local network and local interface going anywhere... if the kernel is not set to
#masquerade then this won't work. Make sure forwarding is switched on... as well.
#ipfwadm -F -a masquerade -W ppp0 -S 192.168.100.0/24 -D 0/0

#========================[ Rejecting Forwarding here ]=====================#

#Here is an example of rejecting access to an IP address from the local network to wherever.
#Note that rejecting using the forwarding firewall or the outgoing firewall has more overhead,
#but IMHO it never hurts to have redundancy on denies as this can cover for some errors.
#There is more overhead because there are more steps involved in processing the logic.

ipfwadm -F -a reject -W ppp0 -S 192.168.100.0/24 -D bad_ip -o

#==========================[ Forwarding DNS traffic ]=====================#

#here is the forwarding of DNS traffic to your network... consider split DNS.

ipfwadm -F -a accept -b -P udp -S 0/0 53 -D 192.168.100.0/24

#========================[ Forwarding email outgoing ]=====================#

#here is the forwarding from the mail server outgoing to any SMTP server wherever outside
#(the server's ephemeral source port to the remote port 25; -b also admits the replies).

ipfwadm -F -a accept -b -P tcp -S 192.168.100.100/32 1024:65535 -D 0/0 25

#========================[ Forwarding email incoming ]=====================#

#here is the forwarding of incoming email from anywhere to my mail server.

ipfwadm -F -a accept -b -P tcp -S 0/0 1024:65535 -D 192.168.100.100/32 25

#========================[ Forwarding http outerweb ]=====================#

#Now that we have our DNS and email going we are ready to get our web traffic FWDing.
#This one lets clients on the local network out to any web server (-b admits the replies).

ipfwadm -F -a accept -b -P tcp -S 192.168.100.0/24 1024:65535 -D 0/0 80

#=======================[ Forwarding http 2 innerweb ]=====================#

#And here is the forwarding of outside web clients in to the internal web server on 192.168.100.150.

ipfwadm -F -a accept -b -P tcp -S 0/0 1024:65535 -D 192.168.100.150 80

#======================[ All FWard Denied+Logged ]======================#

#here all IP forwarding that I have not explicitly accepted is denied and logged

ipfwadm -F -a deny -S 0/0 -D 0/0 -o

#==================[ Allow Incoming Ping from localnet ]=====================#

#here all type '8' messages ('echo request') are allowed [I]ncoming on the trusted internal interface
#from the local network. Note that -V (interface address) and -W (interface name) can be used
#interchangeably to pick out the interface.

ipfwadm -I -a accept -P icmp -V ip_of_internal_trusted_interface -S 192.168.100.0/24 8 -D 0/0

#==================[ Allow FWing Ping from localnet ]======================#

#echo request is [F]orwarded as long as [S]ource address is wherever and destination wherever...
#plus the type is set to '8' which is 'echo request'

ipfwadm -F -a accept -P icmp -S 0/0 8 -D 0/0

#=============[ Allow Outgoing Ping from external interface ]===================#

#allow echo request on -V the external interface to come or go from anywhere, but log it.

ipfwadm -O -a accept -P icmp -V ip_of_external_perimeter_interface -S 0/0 8 -D 0/0 -o

#================[ Allow Incoming Ping Reply from Net ]====================#

#here all type '0' messages ('echo reply') are allowed [I]ncoming on the untrusted external
#interface; again -V and -W are interchangeable for naming the interface.
#A slightly more granular way to look at this is 'echo reply' from anywhere to anywhere allowed

ipfwadm -I -a accept -P icmp -V ip_of_external_perimeter_interface -S 0/0 0 -D 0/0

#======================[ Allow FWing Ping reply ]=======================#

#echo reply is [F]orwarded as long as [S]ource address is anywhere and [D]estination is wherever...

ipfwadm -F -a accept -P icmp -S 0/0 0 -D 0/0

#==============[ Allow Outgoing Ping reply to local network ]==============#

#allow 'echo reply' going out of -V the trusted internal interface with a [S]ource from anywhere to
#a [D]estination of the internal network with message type 0 set, and log it.

ipfwadm -O -a accept -P icmp -V ip_of_internal_trusted_interface -S 0/0 0 -D 192.168.100.0/24 -o

#=========================[ Bits and Bytes ]==========================#

#The above icmp example is by no means definitive and should be used as a model only. It is
#important to realize that icmp does not depend on ports or on ACK bits being set. Rather it uses
#a series of message types, which are as follows... I hope it helps you. Probably the best way
#to do this is to add one type at a time until you fully understand the ramifications of rules for icmp.
#Message Type = 0  description = 'Echo Reply', which is the response to an Echo Request. (PING)
#Message Type = 3  description = 'Destination Unreachable', can be used against you, so best that you
#consider allowing it incoming from the external interface to your network but deny it outbound if possible.
#Message Type = 4  description = 'Source Quench', used to tell you or others that the conversation is too fast,
#slow down! This is something you will probably wish to allow both ways when talking icmp.
#Message Type = 5  description = 'Redirect', used for redirecting routes. Best not allowed on
#firewalls, period. If you insist, don't allow type '5' inbound traffic flowing into your network.
#Message Type = 8  description = 'Echo Request', this is created by ping and should be allowed. (PING)
#Message Type = 11 description = 'TTL Exceeded', used to signal that a packet's lifetime has expired, either
#outbound or inbound. Should be ok to allow in both directions.
#Message Type = 12 description = 'Parameter Problem', should be allowed as it signals a packet header problem.

#Well, I hope that this has been of some help. If you find this information useful please
#share it. Remember to allow only those services you absolutely need to have running.
############################################################################
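Both the -c check in 4.2 and the ordering of the rule base above come down to ipfwadm's first-match evaluation: the rules in a list are tried in order, the first one that matches decides, and the list's -p policy applies when none does. The following Python simulator is an added example, not ipfwadm and not part of this HOWTO; it parses the subset of ipfwadm syntax used on this page and answers the same question as ipfwadm -c offline, using a constructed excerpt of the rule base in which 203.0.113.1 stands in for the external perimeter interface placeholder.

```python
import ipaddress

# Added example, not ipfwadm itself: simulates the ipfwadm rule syntax used on this page and the
# first-match check behind 'ipfwadm -c' (-I/-O/-F, -p, -f, -a, -P, -S/-D addr[/mask] [port|lo:hi], -V, -b, -o).
CHAINS = {"-I": "in", "-O": "out", "-F": "fwd"}

def parse_endpoint(args):  # consume 'addr[/mask] [port ...]' -> (network, [(lo, hi), ...]); icmp "port" is the type
    addr = args.pop(0)
    net = ipaddress.ip_network("0.0.0.0/0" if addr == "0/0" else addr, strict=False)
    ports = []
    while args and not args[0].startswith("-"):
        lo, _, hi = args.pop(0).partition(":")
        ports.append((int(lo), int(hi or lo)))
    return net, ports

def match_end(end, addr, port):  # end is None when the rule gave no -S/-D: any address, any port
    if end is None: return True
    net, ports = end
    return ipaddress.ip_address(addr) in net and (not ports or any(lo <= port <= hi for lo, hi in ports))

class Firewall:
    def __init__(self):
        self.policy = {c: "accept" for c in CHAINS.values()}  # ipfwadm's built-in default policy
        self.rules = {c: [] for c in CHAINS.values()}

    def run(self, line):  # apply one ipfwadm command: -p sets the policy, -f flushes, -a appends a rule
        args = line.split()
        chain, args = CHAINS[args[1]], args[2:]
        r = {"-P": "all", "-S": None, "-D": None, "-V": None, "-b": False, "-o": False}
        while args:
            opt = args.pop(0)
            if opt == "-p": self.policy[chain] = args.pop(0); return
            if opt == "-f": self.rules[chain] = []; return
            if opt in ("-S", "-D"): r[opt] = parse_endpoint(args)
            elif opt in ("-a", "-P", "-V"): r[opt] = args.pop(0)
            elif opt in ("-b", "-o"): r[opt] = True
            else: raise ValueError("unsupported option " + opt)
        self.rules[chain].append(r)

    def check(self, chain, proto, src, sport, dst, dport, via):  # like 'ipfwadm -c': first match wins, else policy
        for r in self.rules[chain]:
            if r["-P"] not in ("all", proto) or (r["-V"] and r["-V"] != via): continue
            fwd = match_end(r["-S"], src, sport) and match_end(r["-D"], dst, dport)
            rev = r["-b"] and match_end(r["-S"], dst, dport) and match_end(r["-D"], src, sport)
            if fwd or rev: return r["-a"]
        return self.policy[chain]

# Constructed excerpt of the 4.10 rule base; 203.0.113.1 stands in for the external interface address.
RULES = """ipfwadm -I -p deny
ipfwadm -I -a deny -V 203.0.113.1 -S 192.168.100.0/24 -D 0/0 -o
ipfwadm -I -a accept -V 203.0.113.1 -S 0/0 -D 203.0.113.1/32
ipfwadm -F -a accept -b -P tcp -S 0/0 1024:65535 -D 192.168.100.100/32 25
ipfwadm -F -a deny -S 0/0 -D 0/0 -o"""
FW = Firewall()
for rule in RULES.splitlines(): FW.run(rule)
```

FW.check("in", "tcp", "192.168.100.50", 1024, "203.0.113.1", 25, "203.0.113.1") returns 'deny' because the anti-spoofing rule precedes the accept for the external interface; swap those two rules and the same spoofed packet is accepted, which is the ordering point of 4.10.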

