Subject: Re: ipf rules
To: Erik Huizing <huizing@cpsc.ucalgary.ca>
From: David Maxwell <david@vex.net>
List: current-users
Date: 12/13/2000 17:07:11
On Wed, Dec 13, 2000 at 01:34:20PM -0700, Erik Huizing wrote:
> All the machines on my lan have 192.168.1.x addresses, they all use
> 192.168.1.16 as their router.

Then by adding 'block in quick from 192.168.0.0/16 to any' you are
asking to block all traffic from your own hosts.

> My firewall/server is 24.65.241.78 with 192.168.1.16 as an alias
> the NAT rules I've got are like this
> map ep0 192.168.1.1/28 -> 0.0.0.0/32

I'd be picky about calling it a 'firewall' when it doesn't sit between 
your machines and the outside world. ;-)

> Right now, my ipf rules are
> 
> block in quick from 172.16.0.0/12 to any
> block in quick from 10.0.0.0/8 to any

Since you are Natting, you don't _really_ use those rules right now.
Not that it's bad to explicitly deny things, but with NAT, you're 
only going to pass in packets that match outgoing connections.

If you have a router in front of this box (to the Internet), those
rules would be best applied there, and you could include the 192.168.x.x
restriction as well.

> pass in proto tcp/udp all
> pass out proto tcp/udp all
> 
> I'd like to block the 192 block if it's coming from the cable modem. I've
> only got one NIC in my machine hence the alias. So is it possible for me
> to block the 192.168 segment, or do I need another NIC?

Ahh. Cable modem.

If ipf supported MAC address based blocking, then you could block things
from the cable modem with those 192.168 addresses, but I don't believe it
does. There's no other way to tell such packets apart from your local
packets. 

An extra ethernet card is the 'right' solution.

You are only blocking a small subset of attacks with that filter anyway -
mostly DoS (though not only), since unless the packets are from a host
belonging to your cableco, you can't reply to them anyway.

							David


> On Wed, 13 Dec 2000, David Maxwell wrote:
> 
> > On Tue, Dec 12, 2000 at 05:08:26PM -0700, Erik Huizing wrote:
> > > I've been reading through the ipf how-to, and can't seem to come up with a
> > > rule that's applicable to my situation:
> > > My bsd box has one NIC in it, and is performing NAT. I'm able to block the
> > > 172.16.0.0 and 10.0.0.0 ranges, but when I add the rule to block
> > > block in quick from 192.168.0.0/16 to any
> > > all the machines on my LAN don't work. 
> > > So my question is, can I block that range, and still have my LAN
> > > connected, or do I need two NICs?
> > 
> > More information about your actual addresses is required for someone
> > to be able to answer that.
> > 
> > -- 
> > David Maxwell, david@vex.net|david@maxwell.net -->
> > (About an Amiga rendering landscapes) It's not thinking, it's being artistic!
> > 					      - Jamie Woods
> > 
> > 

-- 
David Maxwell, david@vex.net|david@maxwell.net -->
Any sufficiently advanced Common Sense will seem like magic... 
					      - me
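For readers following the thread: below is an added illustration of the two-NIC layout David recommends, written for this page and not taken from either poster. It assumes a second card named ep1 carries the LAN (192.168.1.0/24) while ep0 stays on the cable modem with the public address from the thread; the interface name ep1 and the portmap range are assumptions. With the filter keyed on the interface a packet arrives on, RFC 1918 sources can be dropped on the outside card without touching LAN traffic, which is exactly the distinction a single aliased NIC cannot make.

```conf
# /etc/ipf.conf -- added example, two interfaces (ep1 is assumed)
#
# Drop private-source packets only when they arrive on the
# cable-modem side.  LAN hosts also use 192.168.1.x, but they
# arrive on ep1, so this rule never sees them.
block in quick on ep0 from 192.168.0.0/16 to any
block in quick on ep0 from 172.16.0.0/12 to any
block in quick on ep0 from 10.0.0.0/8 to any
# Anti-spoofing: nobody outside may claim to be our own address.
block in quick on ep0 from 24.65.241.78/32 to any

# LAN side: accept only traffic that really comes from the LAN prefix.
pass in quick on ep1 from 192.168.1.0/24 to any
block in quick on ep1 all

# Outbound from the box (and NATted LAN flows) with state, so the
# replies are admitted by the state table rather than a blanket pass.
pass out quick on ep0 proto tcp from any to any keep state
pass out quick on ep0 proto udp from any to any keep state
pass out quick on ep0 proto icmp from any to any keep state

# Default deny for anything else arriving from the cable modem.
block in quick on ep0 all

# /etc/ipnat.conf -- added example, NAT on the outside interface only
# (portmap range 10000:20000 is an assumed choice)
map ep0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map ep0 192.168.1.0/24 -> 0/32
```

Load with `ipf -Fa -f /etc/ipf.conf` and `ipnat -CF -f /etc/ipnat.conf`, and check the result with `ipfstat -io`. The ordering matters: the `quick` block rules on ep0 must precede the stateful pass rules so a spoofed private-source packet is discarded before it can ever create state.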