From nobody@FreeBSD.org  Sat Apr 20 17:35:32 2002
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id C0CC337B404
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 20 Apr 2002 17:35:31 -0700 (PDT)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g3L0ZVE01160;
	Sat, 20 Apr 2002 17:35:31 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200204210035.g3L0ZVE01160@freefall.freebsd.org>
Date: Sat, 20 Apr 2002 17:35:31 -0700 (PDT)
From: Earl Killian <earl@killian.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: 4.5 rc.firewall type simple does not pass icmp, or inside to gateway udp
X-Send-Pr-Version: www-1.0

>Number:         37301
>Category:       misc
>Synopsis:       4.5 rc.firewall type simple does not pass icmp, or inside to gateway udp
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 20 17:40:01 PDT 2002
>Closed-Date:    Sat Jul 12 17:35:08 PDT 2003
>Last-Modified:  Sat Jul 12 17:35:08 PDT 2003
>Originator:     Earl Killian
>Release:        4.5
>Organization:
>Environment:
FreeBSD gate.killian.com 4.5-RELEASE FreeBSD 4.5-RELEASE #1: Mon Apr 15 20:21:44 PDT 2002     root@:/usr/src/sys/compile/GATE  i386

>Description:
I tried the 4.5-RELEASE rc.firewall with firewall_type="simple" and
natd_enable="YES", and I was not able to talk to my gateway machine
from the hosts on the inside.  Looking at the rules below, I see only
one rule that is specific to iif, and that is just to prevent the
inside from pretending to be outside.  Most of the rules are via oif,
or to oip and so don't apply to an inside machine talking to iip via
iif.  If I eliminate those rules, I'm left with:

Rules that apply to inet:imask talking to iip via iif:

    deny all from any to 127.0.0.0/8
    deny ip from 127.0.0.0/8 to any
    deny all from ${onet}:${omask} to any in via ${iif}
    pass tcp from any to any established
    pass all from any to any frag
    pass tcp from any to any setup

So what about icmp and udp?  Do other sites really use this fw and
just not ping or dns/ntp to their gateway from inside?  Shouldn't the
following be added after the stop-spoofing rules or something?:

    # Allow internal hosts complete access
    allow all from ${inet}:${imask} to ${iip} in recv ${iif}
    allow all from ${iip} to ${inet}:${imask} out xmit ${iif}

I also notice there are no rules for icmp at all.  Shouldn't there be a
    # Allow pings out in the world
    pass icmp from ${oip} to any keep-state
down with the dns/ntp rules?

>How-To-Repeat:
Configure with firewall_type="simple".  ping to the gateway from
an inside machine and get no response.  ntp and dns also do not work
if you give the inside IP address of the gateway as the server for
these protocols.

>Fix:
See description.

>Release-Note:
>Audit-Trail:

From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: Earl Killian <earl@killian.com>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: misc/37301: 4.5 rc.firewall type simple does not pass icmp, or inside to gateway udp
Date: Sun, 21 Apr 2002 01:19:05 -0700

 On Sat, Apr 20, 2002 at 05:35:31PM -0700, Earl Killian wrote:
 
 > >Description:
 > I tried the 4.5-RELEASE rc.firewall with firewall_type="simple" and
 > natd_enable="YES", and I was not able to talk to my gateway machine
 > from the hosts on the inside.  Looking at the rules below, I see only
 > one rule that is specific to iif, and that is just to prevent the
 > inside from pretending to be outside.  Most of the rules are via oif,
 > or to oip and so don't apply to an inside machine talking to iip via
 > iif.  If I eliminate those rules, I'm left with:
 > 
 > Rules that apply to inet:imask talking to iip via iif:
 > 
 >     deny all from any to 127.0.0.0/8
 >     deny ip from 127.0.0.0/8 to any
 >     deny all from ${onet}:${omask} to any in via ${iif}
 >     pass tcp from any to any established
 >     pass all from any to any frag
 >     pass tcp from any to any setup
 > 
 > So what about icmp and udp?
 
 You are missing,
 
         # Allow access to our DNS
         ${fwcmd} add pass tcp from any to ${oip} 53 setup
         ${fwcmd} add pass udp from any to ${oip} 53
         ${fwcmd} add pass udp from ${oip} 53 to any
 
 Which allow internal machines to reach the DNS server on the
 gateway. Remember,
 
         ############
         # This is a prototype setup for a simple firewall.  Configure this
         # machine as a named server and ntp server, and point all the machines
         # on the inside at this machine for those services.
         ############
 
 (Not that the rules actually work for NTP. ;)
 
 > Do other sites really use this fw and
 > just not ping or dns/ntp to their gateway from inside?
 
 I hope no one uses it unmodified. You shouldn't. As it is documented
 elsewhere in rc.firewall,
 
   # For ``client'' and ``simple'' the entries below should be customized
   # appropriately.
 
           ############
           # This is a prototype setup for a simple firewall.
 
 You should NOT use these rules as is. They don't make a lot of
 sense. Trying to make a default set of firewall rules is a fool's
 game. No one would be happy with them. I'd prefer to have a completely
 broken set of rules. If you don't understand your own firewall rules,
 you shouldn't be building your own firewall. A false sense of security
 is worse than having less security and knowing it.
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From: "Earl A. Killian" <earl@killian.com>
To: "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: misc/37301: 4.5 rc.firewall type simple does not pass icmp, or inside to gateway udp
Date: Sun, 21 Apr 2002 08:06:16 -0700

 Crist J. Clark writes:
  > Date: Sun, 21 Apr 2002 01:19:05 -0700
  > From: "Crist J. Clark" <cjc@FreeBSD.ORG>
  > 
  > You are missing,
  > 
  >         # Allow access to our DNS
  >         ${fwcmd} add pass tcp from any to ${oip} 53 setup
  >         ${fwcmd} add pass udp from any to ${oip} 53
  >         ${fwcmd} add pass udp from ${oip} 53 to any
  > 
  > Which allow internal machines to reach the DNS server on the
  > gateway. Remember,
 
 But note the ${oip}.  My DNS was returning ${iip} for the address of my
 internal gateway, so these rules did not apply.  This is my original
 complaint.
 
  >         ############
  >         # This is a prototype setup for a simple firewall.  Configure this
  >         # machine as a named server and ntp server, and point all the machines
  >         # on the inside at this machine for those services.
  >         ############
  > 
  > (Not that that the rules actually work for NTP. ;)
 
 I guess the comment needs to say point all the machines on the inside
 at the outside address of this machine.
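
The exchange above turns on ipfw's first-match semantics: the DNS rules in the reply name ${oip}, so a query sent to ${iip} on ${iif} falls through to the implicit final deny, while the reporter's two proposed rules, placed after the anti-spoofing rule, would pass it without weakening the spoof check. The following is an added example, not code from the PR or from rc.firewall itself: a toy evaluator that models a subset of ipfw rule matching (first match wins, default deny) over the six rules the reporter lists, the three DNS rules from the reply, and the two proposed additions. Addresses, interface names and packets are constructed assumptions; "via", "recv" and "xmit" are collapsed into one interface field, "setup", "established" and "frag" are modelled as packet flags, and the suggested keep-state ICMP rule is not modelled because it needs a state table.

```python
"""Toy first-match evaluator for the ipfw rules quoted in PR misc/37301.

Constructed example (not rc.firewall's own code): addresses, interface names
and packets below are assumptions chosen for illustration.
"""
import ipaddress

# Assumed values for the rc.firewall variables (RFC 5737 and RFC 1918 space).
OIP, ONET = "203.0.113.1", ipaddress.ip_network("203.0.113.0/24")  # ${oip}, ${onet}:${omask}
IIP, INET = "192.168.1.1", ipaddress.ip_network("192.168.1.0/24")  # ${iip}, ${inet}:${imask}
OIF, IIF = "fxp0", "fxp1"                                          # ${oif}, ${iif}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def rule(action, proto="all", src="any", dst="any", sport=None, dport=None,
         direction=None, iface=None, flags=()):
    """One rule. 'via', 'recv' and 'xmit' are all modelled as a single iface
    field; 'setup', 'established' and 'frag' are modelled as packet flags."""
    return dict(action=action, proto=proto, src=src, dst=dst, sport=sport,
                dport=dport, direction=direction, iface=iface, flags=tuple(flags))


def _addr_ok(spec, addr):
    if isinstance(spec, ipaddress.IPv4Network):
        return ipaddress.ip_address(addr) in spec
    return spec == "any" or spec == addr


def matches(r, pkt):
    """Does rule r match packet pkt? Every field given in r must match."""
    if r["proto"] not in ("all", "ip") and r["proto"] != pkt["proto"]:
        return False
    if not (_addr_ok(r["src"], pkt["src"]) and _addr_ok(r["dst"], pkt["dst"])):
        return False
    if r["sport"] is not None and pkt.get("sport") != r["sport"]:
        return False
    if r["dport"] is not None and pkt.get("dport") != r["dport"]:
        return False
    if r["direction"] is not None and pkt["direction"] != r["direction"]:
        return False
    if r["iface"] is not None and pkt["iface"] != r["iface"]:
        return False
    return all(f in pkt.get("flags", ()) for f in r["flags"])


def evaluate(rules, pkt):
    """ipfw semantics: first matching rule wins; if nothing matches, the
    implicit final 'deny ip from any to any' applies (default-to-deny kernel)."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "deny"


# The rules from the PR that can see traffic arriving on ${iif} for ${iip}:
# the six the reporter lists, followed by the three DNS rules from the reply.
STOCK = [
    rule("deny", dst=LOOPBACK),                           # deny all from any to 127.0.0.0/8
    rule("deny", proto="ip", src=LOOPBACK),               # deny ip from 127.0.0.0/8 to any
    rule("deny", src=ONET, direction="in", iface=IIF),    # deny all from ${onet}:${omask} to any in via ${iif}
    rule("pass", proto="tcp", flags=("established",)),    # pass tcp from any to any established
    rule("pass", flags=("frag",)),                        # pass all from any to any frag
    rule("pass", proto="tcp", flags=("setup",)),          # pass tcp from any to any setup
    rule("pass", proto="tcp", dst=OIP, dport=53, flags=("setup",)),
    rule("pass", proto="udp", dst=OIP, dport=53),
    rule("pass", proto="udp", src=OIP, sport=53),
]

# The reporter's proposed additions, inserted right after the anti-spoofing rule.
PROPOSED = [
    rule("pass", src=INET, dst=IIP, direction="in", iface=IIF),   # ... in recv ${iif}
    rule("pass", src=IIP, dst=INET, direction="out", iface=IIF),  # ... out xmit ${iif}
]
PATCHED = STOCK[:3] + PROPOSED + STOCK[3:]

# Constructed packets as the gateway sees them, all arriving inbound on ${iif}.
PKTS = {
    "ping_to_iip": dict(proto="icmp", src="192.168.1.10", dst=IIP, direction="in", iface=IIF),
    "dns_to_iip": dict(proto="udp", src="192.168.1.10", dst=IIP, sport=1025, dport=53, direction="in", iface=IIF),
    "dns_to_oip": dict(proto="udp", src="192.168.1.10", dst=OIP, sport=1025, dport=53, direction="in", iface=IIF),
    "ssh_syn_to_iip": dict(proto="tcp", src="192.168.1.10", dst=IIP, sport=1026, dport=22,
                           flags=("setup",), direction="in", iface=IIF),
    "spoofed_onet": dict(proto="udp", src="203.0.113.50", dst=IIP, sport=1027, dport=53, direction="in", iface=IIF),
}


def verdicts(rules):
    """Map each constructed packet to the action the rule set gives it."""
    return {name: evaluate(rules, p) for name, p in PKTS.items()}


if __name__ == "__main__":
    for label, rules in (("stock", STOCK), ("patched", PATCHED)):
        print(label, verdicts(rules))
```

With the stock rules the ping and the DNS query addressed to ${iip} reach the implicit deny, the same query addressed to ${oip} passes, and a TCP SYN to ${iip} passes only because of the unconditional "pass tcp from any to any setup" rule; with the proposed rules in place the ICMP and UDP traffic to ${iip} passes, and a packet with an ${onet} source arriving on ${iif} is still dropped by the anti-spoofing rule because the additions sit below it.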

State-Changed-From-To: open->closed
State-Changed-By: kris
State-Changed-When: Sat Jul 12 17:34:32 PDT 2003
State-Changed-Why:
The simple firewall is not intended to work in all situations.
You are encouraged to review and customize it for your own
specific requirements.

http://www.freebsd.org/cgi/query-pr.cgi?pr=37301 
>Unformatted:
