
Frustration with BSD/OS 4.2 and IPFW

Posted on 2001-06-08
Last Modified: 2013-12-06
Hello,

I am offering a ton of points for anyone that can get me through this problem!

I am a knowledgeable person in Linux, sysadmin for 4 years. I just acquired a BSD/OS 4.2 server which will be used to replace the Linux server as soon as possible. I have been able to learn what is different and set up sendmail, samba, ftp, etc. without problem.

Here is my problem: I can't understand the whole ipfw setup at all. It is NOTHING like ipchains in Linux.

I know that I must setup the kernel to accept IPFW, done.
I know that I will need to make a few scripts for all the rules.  BUT there is NO documentation on this, oh yes I have read the man pages, but they give me all the options and flags but not the format or which file is which nor where to put anything. I AM LOST!

in rc.local I put:

# to enable IP packet forwarding (routing):
echo 'starting ip forward logging...'
ipfwlog -n -d -l /var/log/ipfw_log/ipfw.log

echo -n "IP forwarding: "; sysctl -w net.inet.ip.forwarding=1

if [ -f /etc/ipfw_rules/rc.iprules ]; then
       /etc/ipfw_rules/rc.iprules
fi

echo -n 'starting IPFW...'
echo -n 'output...'
ipfw output -push /etc/ipfw_rules/rc.iprules
echo -n 'input...'
ipfw input -push /etc/ipfw_rules/rc.iprules

# to enable IPv6 packet forwarding (routing):
# echo -n "IPv6 forwarding: "; sysctl -w net.inet.ipv6.forwarding=1

# to disable forwarding of source-routed packets:
# echo -n "source-route: "; sysctl -w net.inet.ip.forwsrcrt=0


I have a test file called rc.iprules:

#general ipfw rules
#define computer1    10.10.10.10
#define computer2    10.10.10.16

tcp {
      srcaddr(computer1) { accept; }
      srcaddr(computer2) { accept; }
      reject;
}


Now when I reboot I am told that I am not using a proper BSD filter... Ok, so I read my man pages and see that I should have sent the file rc.iprules through the ipfwasm program to make it an assembled BSD IP filter.

I have been on this for a week and I am getting very frustrated for lack of documents.  I would like if possible for someone to take me by the hand in doing a very basic ipfw setup from start to finish which later I can use to be my base of a complete firewall setup.


Thanx
Shera

PS
I was not allowed to offer the 800 points that I wanted, but help me with this and we will work out a way to get it up to 800 points


-------------------- Part of answer ----------
Sorry but need to add one more comment for future ipfw people.

I have one little error in my setup: when you reboot (which I did this morning) all configs are gone.
Why? The directory /var/run/ipfw is a cache directory; what is there only remains as long as you don't reboot :)

So you need to change the rc.local, and the use of the ipfwcmp/ipfw commands to reflect this.

rc.local
ipfw input -push /etc/ipfw_rules/input


ipfwcmp -o /etc/ipfw_rules/input /etc/ipfw_rules/input.bak
ipfw input -replace /etc/ipfw_rules/input

I checked and it works, even with a reboot. Recall that the directory I used, /etc/ipfw_rules, does not exist; I made it. You can make any directory that you want.

Sorry for the error

Question by:sherapr

Expert Comment

by:mshivdas
I'm not familiar with the setup so the best/only option I can recommend is the bsdi-user mailing list.  There's a searchable archive at http://www.nexial.nl under the Mailing Lists link.

Good luck!

Author Comment

by:sherapr
Been there, done that, it didn't help. Basically I get man page info, which I already have in my box.

Expert Comment

by:jlevie
I think I need a bit of information to be able to help.

Do you have a netblock or a single IP for your Internet connection?  

Will there be any Internet accessible servers on the inside?

You mention BSD 4.2, are we talking about FreeBSD 4.2 or BSD 4.2 from BSDi?

Expert Comment

by:Droby10
Don't know if this helps as I've been running an older version for years, but...

A simple rules script on my version would look something like the following...

#!/bin/sh

# sh variable assignments must not have spaces around "="
fwcmd="/sbin/ipfw -q"
int_net="10.0.0.0:255.0.0.0"
int_if="de1"
int_ip="10.0.0.1"
ext_if="de0"
ext_ip="x.x.x.x"

  # clear the rules
  $fwcmd -f flush

  # divert/nat rules here


  # localhost rules
  $fwcmd add pass all from any to any via lo0
  $fwcmd add drop all from 127.0.0.0/8 to 127.0.0.0/8


  # no spoof
  $fwcmd add drop all from ${int_net} in recv ${ext_if}


  # no private
  $fwcmd add drop all from 192.168.0.0:255.255.0.0 in recv ${ext_if}
  $fwcmd add drop all from 172.16.0.0:255.240.0.0 in recv ${ext_if}
  $fwcmd add drop all from 10.0.0.0:255.0.0.0 in recv ${ext_if} # duplicate of anti-spoof

  # deny everything to firewall
  $fwcmd add drop all from any to ${ext_ip} in recv ${ext_if}

  # http allowances
  $fwcmd add allow tcp from ${int_net} to any 80 in recv ${int_if}
  $fwcmd add allow tcp from ${int_net} to any 80 out xmit ${ext_if}
  $fwcmd add allow tcp from any 80 to ${int_net} in recv ${ext_if} established
  $fwcmd add allow tcp from any 80 to ${int_net} out xmit ${int_if} established

  # dns allowances (should be set to external dns host..but we have all)
  $fwcmd add allow udp from ${int_net} to any 53 in recv ${int_if}
  $fwcmd add allow udp from ${int_net} to any 53 out xmit ${ext_if}
  $fwcmd add allow udp from any 53 to ${int_net} in recv ${ext_if}
  $fwcmd add allow udp from any 53 to ${int_net} out xmit ${int_if}

  # last rule (should be set by default, but we'll implicitly put it and use it for logging)
  # the protocol keyword is "all" (or "ip"), not "any"
  $fwcmd add drop log all from any to any

Author Comment

by:sherapr
Thanks, but I already fixed this yesterday, just didn't have time to come in and delete the question.


jlevie -- BSD/OS 2.4 is the flavor of BSD that I have. There is BSDI, FreeBSD, OpenBSD, or NetBSD; BSDI/OS.



Author Comment

by:sherapr
Droby10 --- sorry, your answer won't do; first I already fixed it myself, and second you seem to be using a different version of BSD.

Expert Comment

by:Droby10
Glad to know you resolved your problem.

Author Comment

by:sherapr
I don't want to delete this question because in my search through the internet I have found that others have asked this question without getting an answer. So I want to answer my own question to give others the chance, and not to go through the 7 headache days that I have gone through.
Excuse any misuse of terms; recall I learned this on my own.

What I learned about BSD/OS 4.2 IPFW and its setup:

1. It is very powerful once you know what you're doing
2. There is very little written for it
3. Important commands to learn: ipfw, ipfwcmp
4. Learn that compiled rule sets go to /var/run/ipfw
5. Some commands in the man files do NOT work (i.e. display)

To get ipfw to work you need to put stuff in the start up file to tell the system that you want to use ipfw and where the rule sets are. I have found that putting this in rc.local works great. To make a very BASIC entry you could add the following lines to rc.local

vi rc.local.........

# to enable IP packet forwarding (routing):
echo 'starting ip forward logging...'
ipfwlog -n -d -L /var/log/ipfw_log/ipfw.log

echo -n "IP forwarding: "; sysctl -w net.inet.ip.forwarding=1


echo -n 'starting IPFW...'
echo -n 'output...'
ipfw output -push /var/run/ipfw/output
echo -n 'input...'
ipfw input -push /var/run/ipfw/input

First we turn on logging, and I have an echo statement so I can see that the log turned on when the computer boots. Since I wanted to be able to see only ipfw stuff in the log, I created a separate log called ipfw.log. There is a lot of stuff you can do with the log, but for that you will need to read the man of ipfwlog.

Second: The line that reads: echo -n "IP forwarding: "; sysctl -w net.inet.ip.forwarding=1
is to turn on IP forwarding itself. I didn't have to put this line; it was already in my rc.local with a # to comment it out. NOTE: you may have to compile the kernel to allow ipfw; the steps are easy and they are in the book, so I won't go into that here.

Step 3: you have to tell ipfw where its configuration files are kept. I have found that the compiled file works best from /var/run/ipfw. You can make one configuration file for every rule, or you can have one for everything coming in ("input"), one for everything going out ("output"), things that should happen upon starting ipfw ("pre-input"), and many more (this can be found in the man of ipfw). Just to keep this simple I have an input and an output in the example, but actually I also have pre-input. Oh ya, file names don't matter from what I can tell; I used test-input and it worked just as well as input.bak. I use -push to shove these rules onto the whole chain. The echo commands are just for show at boot up; they are not needed.

Ok, we are done with the rc.local file. Now the fun begins. I will not explain what a rule means because each command of the rules is well documented in the man files and the manual, but I will give some not so clear, or not documented, stuff here. You will be making some simple files that later you will need to compile. I like to keep things neat, so inside of /etc I made a subdirectory called /etc/ipfw_rules. You can really put this stuff anywhere you want it. Inside of /etc/ipfw_rules I type vi input.bak (my name, you can put anything you want). In the file input.bak I put:

// general ipfw rules
#define computer1    10.10.10.10
#define computer2    10.10.10.16

tcp {
     srcaddr(computer1) { accept; }
     srcaddr(computer2) { accept; }
     reject;
}
udp {
      ......
}

------- end ----------

Now from reading I do know that the compiler I will use is ipfwcmp and it uses cpp which is a C compiler. So with little experience in C but a good book on hand :) I know that I can #define things that I will be typing over and over. You can define your lo0, your local net, your external connection IP, all those things that you will put rules on, using a #define statement. For simplicity I just added two computers but could have put
      #define LOCAL_NET  10.10.10.0/24
which would have included all the local computers, but if I want to rule out one computer or another I wouldn't be able to use LOCAL_NET.

All the rest of the stuff in this file is well explained with the man and manual so I wont go into it.

Save your file, input.bak (:wq), and now we will compile:

type the following on the command line:
ipfwcmp -o /var/run/ipfw/input /etc/ipfw_rules/input.bak
[enter]
------------ NOTE ---------
Basically this says to use ipfwcmp and to make a file called /var/run/ipfw/input from a file called /etc/ipfw_rules/input.bak
-----------End of NOTE ---------

Now type the following on the command line:
ipfw input -replace /var/run/ipfw/input
[enter]
----------NOTE ----------
This calls ipfw to set /var/run/ipfw/input as the input rules source and to replace any others that I may have.

If you didn't get any errors you can now try out your new rules. Want to see how the computer sees the rule? Type ipfw on a command line and hit enter; your rule should be there. Try pinging your different machines and you will see that using my sample nobody can ping in or out. This is not a useful script; it is just an example to show the basic steps.

Now if you're like me and make many input scripts just to see how they will work and to play with the rules, you will start filling up the /var/run/ipfw directory. Make sure to clean it with rm; it will grow fast while learning :)

Writing these instructions it all seems so very easy and so very logical, but it took me 7 days to get here and a lot of screaming. I hope this will help someone else that is in the same position :)

I think later I will make a web page with good instructions, because there is a VERY big lack of documentation for BSD/OS 4.2 out on the net.

thanx for your time
Shera - Happy again!


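An added example, not from the thread and not BSD/OS's own code: a small sh script that wraps the compile-and-load steps above (ipfwcmp -o, then ipfw <chain> -replace) and keeps the compiled file under /etc/ipfw_rules, so the reboot problem described in the question's "Part of answer" (the /var/run/ipfw cache being wiped) does not recur. The .src suffix, the IPFWCMP/IPFW/RULE_DIR variables and the "compile to a temp file first" step are my assumptions; only the ipfwcmp and ipfw flags used in the thread are relied on.

```shell
#!/bin/sh
# Added example (not from the thread): compile a BSD/OS ipfw rule source with
# ipfwcmp and load it with "ipfw <chain> -replace", keeping the compiled file
# under /etc/ipfw_rules so it survives a reboot (the /var/run/ipfw cache does not).
# Assumes BSD/OS 4.2's ipfwcmp(8)/ipfw(8) with the flags used in the thread;
# the variable names, the .src suffix and the temp-file step are assumptions.
set -u

IPFWCMP="${IPFWCMP:-ipfwcmp}"
IPFW="${IPFW:-ipfw}"
RULE_DIR="${RULE_DIR:-/etc/ipfw_rules}"

# Compile $RULE_DIR/<chain>.src into a temporary file first, so a syntax
# error never overwrites the compiled rules that rc.local -push'es at boot.
compile_rules() {
    chain=$1
    src="$RULE_DIR/$chain.src"
    tmp="$RULE_DIR/$chain.tmp"
    [ -r "$src" ] || { echo "missing $src" >&2; return 1; }
    if "$IPFWCMP" -o "$tmp" "$src"; then
        mv "$tmp" "$RULE_DIR/$chain"
    else
        rm -f "$tmp"
        echo "ipfwcmp failed for $chain; old compiled rules kept" >&2
        return 1
    fi
}

# Replace the running rule set for one chain (input, output, pre-input, ...)
# with the freshly compiled file; rc.local can -push the same file at boot.
load_rules() {
    chain=$1
    compile_rules "$chain" || return 1
    "$IPFW" "$chain" -replace "$RULE_DIR/$chain"
}

# Usage: ./ipfw_load.sh input [output ...]
case "${1:-}" in
    "") ;;
    *) for c in "$@"; do load_rules "$c" || exit 1; done ;;
esac
```

Point rc.local at the same compiled files (ipfw input -push /etc/ipfw_rules/input) and nothing in /var/run/ipfw is needed any more.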

Expert Comment

by:teacher_mod
Hello everyone.

sherapr has requested that the points be reduced to zero and the question moved to the PAQ. If there are no objections, I'll do that in a couple of days.

teacher_mod
Community Support Moderator
Experts-Exchange
teacher_mod@experts-exchange.com

Accepted Solution

by:teacher_mod (earned 0 total points)
reducing points to zero and PAQing

teacher_mod
Community Support Moderator
Experts-Exchange
teacher_mod@experts-exchange.com