Re: ipfwadm

Michael H. Warfield (mhw@wittsend.com)
Sun, 26 May 1996 18:06:46 -0400 (EDT)


Russell Berry enscribed thusly:

> I have my linux box on a network of suns on eth0, I have a ppp
> connection to the internet. I configured output to default policy of
> accept, and input policy to deny. I set input to accept from the
> localnet/24 on eth0, this works fine, and to my_provider/24, and that
> works fine, as well as a couple of other machines out there I want to
> have access to my machine.

> Here's the problem, I set this:

> ipfwadm -I -a acc -b -W ppp0 -P tcp -S 0.0.0.0/0 80 -D 0.0.0.0/0 80
> ipfwadm -I -a acc -b -W ppp0 -P udp -S 0.0.0.0/0 80 -D 0.0.0.0/0 80

> now ipfwadm -I -l says:
> ...
> acc tcp anywhere anywhere www -> www
> acc udp anywhere anywhere www -> www

> And yet I can't get my browser to work, why??? A side note, I also
> tried accepting on port 53, just to check to see if it was a nameserver
> problem in netscape. Thanks in advance for your help.

Well, I hate to sound obnoxious (the rest of you QUIT SNICKERING!)
but I would hope it wouldn't work since you would never connect www->www!

Connections from a client to a www server would go foo->www where
foo is something 1024 or above. The client code cannot (and wouldn't want
to) use any of the reserved ports below 1024. In technical jargon, a
"session" or "tcp connection" is defined as an ordinal pair of source address
and port with destination address and port. This can also (loosely) be
considered an ordinal pair of "Client Address and port", c_addr:c_port with
"Server Address and port", s_addr:s_port. If you connected c_addr:80->
s_addr:80 you could only support one unique connection from client to server.
That would be totally unacceptable in a multi-user, multi-process
configuration. By using allocatable client ports 1024 and above you can
then have connections c_addr:c_port->s_addr:80 where c_port is different
for each connection. (For the purists - YES I KNOW that s_addr by convention
is SOURCE ADDRESS. Here I'm using it as SERVER ADDRESS to avoid ambiguity.)

Since you've set this on the "input" side, the port on the "outside"
(the server side) will always be 80. The port on the "inside" (the client,
or browser, side) will always be something other than 80 (specifically
1024 or greater).

HTTP (www) only uses TCP. Do NOT enable UDP ports thinking they
have anything to do with the web!

Now - assuming this "filter" to be on the ppp connection, here
is the "input" filtering rule I would apply to this.

ipfwadm -I -a acc -b -W ppp0 -P tcp -S 0.0.0.0/0 80 -D localnet/24

This will allow any tcp packets coming through the ppp interface from
port 80 at any address going to any port on the local ethernet address.

Note: This is NOT A GOOD RULE - it will only do what you were trying
to do with your rules! This would still allow someone to set up and fake an
ftp client to use port 80 on an intruder system to try to connect to, say,
"ftp" on your internal system as foo:80->bar:21 and this rule would then
allow it! You need additional directional or flag sensitive rules (see -y
option and others) to restrict incoming connection attempts. (See Cheswick
and Bellovin below!!!!)

> ---russ

<Soap Box On>

Now for the REALLY OBNOXIOUS PART! Make sure you know what you are
doing when playing with filtering rules. You obviously do not! You made two
fundamental mistakes which would be inexcusable for someone who is working
in a security related area! Mistakes and gotchas can severely compromise
or destroy a firewall. You have to know EXACTLY what you are doing or you can
do far more damage than good. This is not something you can just PUTZ with
and hope it works right!

This crap is NOT for amateurs so if you are going to get into it
you might as well get into it up to your arm-pits and get good at it.
A half assed attempt like this will only get you burned sooner or later!
You demonstrated a lack of understanding of both firewalls and TCP/IP
protocols. DO NOT PROCEED FURTHER until you correct both of those
deficiencies FIRST!

<Soap Box Off>

Word of advice - some good books on firewalls, security and TCP/IP:

Firewalls and Internet Security - William Cheswick & Steven Bellovin
(The firewall Bible - this is a MUST).

Building Internet Firewalls - Brent Chapman & Elizabeth Zwicky
(Excellent O'Reilly book. Brent is the moderator for the
Firewalls mailing list - firewalls@greatcircle.com)

Internet Firewalls and Network Security - Karanjit Siyan
(Not as good as Cheswick and Bellovin, but useful).

Managing TCP/IP - O'Reilly Handbook
(Another vital book even though I don't have it or the author
at hand)

Mike

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!