Discussion:
firewall behind ISP router
Harald Weis
2010-11-18 15:58:08 UTC
Has anybody configured a firewall behind an ISP router ?

My IPF rules contain:
@3 pass out quick on fxp0 proto tcp from any to 212.27.40.241/32 port = domain flags S/FSRPAU keep state
@4 pass out quick on fxp0 proto udp from any to 212.27.40.241/32 port = domain keep state
@5 pass out quick on fxp0 proto tcp from any to 212.27.40.240/32 port = domain flags S/FSRPAU keep state
@6 pass out quick on fxp0 proto udp from any to 212.27.40.240/32 port = domain keep state

When running "ping www.freebsd.org" the DNS servers reply with "bad"
packets like so:
18/11/2010 11:16:12.075987 fxp0 @0:23 b 212.27.40.240,53 -> 192.168.0.111,43124 PR udp len 20 203 IN bad
18/11/2010 11:16:17.129620 fxp0 @0:23 b 212.27.40.241,53 -> 192.168.0.111,21048 PR udp len 20 203 IN bad
18/11/2010 11:16:19.074905 fxp0 @0:23 b 212.27.40.240,53 -> 192.168.0.111,43124 PR udp len 20 80 IN bad
18/11/2010 11:16:29.074863 fxp0 @0:23 b 212.27.40.241,53 -> 192.168.0.111,21048 PR udp len 20 80 IN bad

Running "ping <IP address of www.freebsd.org>" is OK.

I cannot find out the meaning of "bad" and whether the problem is in the
router or in my "inclusive" firewall.
Please note that my firewall works fine with ISP modems.

Thanks in advance for any help.
Harald Weis
Harald Weis
2010-11-18 18:55:14 UTC
Your issue is not with Ping aka ICMP but with DNS...
Try some of these...
pass in quick proto tcp/udp from any port = 53 to your-dns-server port > 1023
Yes, that works. This is beautiful. I have added one single line:

pass in quick proto udp from any port = 53 to $myip port > 1023

And I see that the reply to ping does not come from the ISP's
official DNS server but from another one. I can guess the reason.

Thank you very much indeed.
Harald Weis
pass in quick proto tcp/udp from any port > 1023 to your-dns-server port = 53
pass in quick proto tcp/udp from any port > 1023 to your-dns-server port = 53
# you probably don't need this based on the fact that your request is getting out...
pass out quick proto tcp/udp from your-dns-server to any port = 53
Note that there is no logging simply because the amount of traffic is
too high...
Post by Harald Weis
Has anybody configured a firewall behind an ISP router ?
@3 pass out quick on fxp0 proto tcp from any to 212.27.40.241/32 port = domain flags S/FSRPAU keep state
@4 pass out quick on fxp0 proto udp from any to 212.27.40.241/32 port = domain keep state
@5 pass out quick on fxp0 proto tcp from any to 212.27.40.240/32 port = domain flags S/FSRPAU keep state
@6 pass out quick on fxp0 proto udp from any to 212.27.40.240/32 port = domain keep state
When running "ping www.freebsd.org" the DNS servers reply with "bad"
packets like so:
18/11/2010 11:16:12.075987 fxp0 @0:23 b 212.27.40.240,53 -> 192.168.0.111,43124 PR udp len 20 203 IN bad
18/11/2010 11:16:17.129620 fxp0 @0:23 b 212.27.40.241,53 -> 192.168.0.111,21048 PR udp len 20 203 IN bad
18/11/2010 11:16:19.074905 fxp0 @0:23 b 212.27.40.240,53 -> 192.168.0.111,43124 PR udp len 20 80 IN bad
18/11/2010 11:16:29.074863 fxp0 @0:23 b 212.27.40.241,53 -> 192.168.0.111,21048 PR udp len 20 80 IN bad
Running "ping <IP address of www.freebsd.org>" is OK.
I cannot find out the meaning of "bad" and whether the problem is in the
router or in my "inclusive" firewall.
Please note that my firewall works fine with ISP modems.
Thanks in advance for any help.
Harald Weis
--
Harald Weis
Harald Weis
2010-11-19 22:17:08 UTC
Post by Harald Weis
Your issue is not with Ping aka ICMP but with DNS...
Try some of these...
pass in quick proto tcp/udp from any port = 53 to your-dns-server port > 1023
pass in quick proto udp from any port = 53 to $myip port > 1023
And I see that the reply to ping does not come from the ISP's
official DNS server but from another one. I can guess the reason.
No, it does not work. Ping works, but not the rest, e.g. http et cetera.

In the meantime I have shamefully realized that I have completely
overlooked the fact that my desktop computer (configured with two
Ethernet interfaces) has worked perfectly for ages with exactly the
same firewall (without the above 'pass in' rule) at the same physical
level of the router as the laptop. The router has five Ethernet
outlets allowing the connection of five PCs. All outlets seem to be
totally equivalent.

Why does the same set of rules not work for the laptop? Mystery.
I repeat that the set of rules is strictly identical, with the obvious
exception of the interface names.
For memory, the icmp protocol gets blocked by bad packets like this:
18/11/2010 11:16:17.129620 fxp0 @0:23 b 212.27.40.241,53 -> 192.168.0.111,21048 PR udp len 20 203 IN bad

And the http protocol gets blocked by bad packets like this:
18/11/2010 20:39:41.371115 fxp0 @0:24 b 195.71.11.67,80 -> 192.168.0.111,36923 PR tcp len 20 60 -AS IN bad

I also recall that all 'pass out' rules have 'flags S/FSRPAU keep state'
set.

Thanks in advance,
Harald Weis
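The pattern across the thread is the same in both posts: outbound traffic leaves under a stateful 'pass out' rule, but the replies (UDP from port 53, then TCP from port 80) are logged by ipmon as blocked by the catch-all rule, and a stateless 'pass in ... from any port = 53 ... port > 1023' only admits the DNS half of that. The following Python script is an added example, not code from the thread or from IPFilter: it parses the ipmon lines quoted above (re-joined to one line each), counts the blocked inbound packets by protocol and source port, and models the suggested 'pass in' rule to show which logged packets it would admit and which it would leave blocked. The rule model (PassInRule), the assumed value of $myip (192.168.0.111, taken from the destination in the log lines) and the simplification of IPF semantics (no rule ordering, groups or state tracking) are assumptions of this example. It makes no claim about what ipmon's "bad" marker means; it only records whether the marker is present.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the ipmon lines quoted in this thread, each re-joined to one line.
SAMPLE_LOG = """\
18/11/2010 11:16:12.075987 fxp0 @0:23 b 212.27.40.240,53 -> 192.168.0.111,43124 PR udp len 20 203 IN bad
18/11/2010 11:16:17.129620 fxp0 @0:23 b 212.27.40.241,53 -> 192.168.0.111,21048 PR udp len 20 203 IN bad
18/11/2010 11:16:19.074905 fxp0 @0:23 b 212.27.40.240,53 -> 192.168.0.111,43124 PR udp len 20 80 IN bad
18/11/2010 11:16:29.074863 fxp0 @0:23 b 212.27.40.241,53 -> 192.168.0.111,21048 PR udp len 20 80 IN bad
18/11/2010 20:39:41.371115 fxp0 @0:24 b 195.71.11.67,80 -> 192.168.0.111,36923 PR tcp len 20 60 -AS IN bad
"""

# Field layout of an ipmon packet line as it appears in the thread:
# date time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen [tcpflags] IN|OUT [bad]
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: (?P<tcpflags>[-A-Z]+))? (?P<dir>IN|OUT)(?P<bad> bad)?$"
)


@dataclass(frozen=True)
class Packet:
    iface: str
    rule: str        # "group:rule" that decided the packet, e.g. "0:23"
    action: str      # 'b' blocked or 'p' passed
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    tcpflags: str    # '' for non-TCP packets
    direction: str   # 'IN' or 'OUT'
    bad: bool        # True when ipmon appended the "bad" marker


def parse_ipmon(text):
    """Parse ipmon log text into Packet records; lines that are not packet records are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append(Packet(
            iface=m["iface"], rule=f'{m["group"]}:{m["rule"]}', action=m["action"],
            src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
            proto=m["proto"], tcpflags=m["tcpflags"] or "", direction=m["dir"],
            bad=m["bad"] is not None))
    return packets


def blocked_replies(packets):
    """Count blocked inbound packets by (proto, source port).

    Replies from well-known service ports to high local ports are exactly the
    return traffic a stateful 'pass out ... keep state' rule is expected to admit;
    seeing them blocked points at the state entry not matching, not at the service."""
    return Counter((p.proto, p.sport) for p in packets
                   if p.action == "b" and p.direction == "IN")


@dataclass(frozen=True)
class PassInRule:
    """Hypothetical, simplified model of
    'pass in quick proto P from any port = F to H port > M'.
    It ignores rule ordering, groups and state, which real IPF applies."""
    proto: str       # 'udp', 'tcp' or 'tcp/udp'
    from_port: int
    to_host: str
    min_to_port: int

    def matches(self, p):
        return (p.direction == "IN" and p.proto in self.proto.split("/")
                and p.sport == self.from_port and p.dst == self.to_host
                and p.dport > self.min_to_port)


def apply_rules(rules, packets):
    """Split blocked inbound packets into those some rule would now pass and those still blocked."""
    admitted, still_blocked = [], []
    for p in packets:
        if p.action != "b" or p.direction != "IN":
            continue
        (admitted if any(r.matches(p) for r in rules) else still_blocked).append(p)
    return admitted, still_blocked


if __name__ == "__main__":
    pkts = parse_ipmon(SAMPLE_LOG)
    print("blocked inbound by (proto, sport):", dict(blocked_replies(pkts)))
    myip = "192.168.0.111"  # assumed: $myip from the thread, taken from the log destinations
    dns_rule = PassInRule("udp", 53, myip, 1023)  # the single line added in the second post
    ok, left = apply_rules([dns_rule], pkts)
    print(len(ok), "admitted,", len(left), "still blocked:",
          [(p.proto, p.sport, p.tcpflags) for p in left])
```

Run against the thread's own lines, the DNS-only rule admits the four UDP/53 packets and leaves the TCP/80 SYN-ACK blocked, which is the "ping works, but not http" outcome of the third post. Widening the stateless rule to cover port 80 as well would "fix" the symptom, but it also admits any inbound packet with a source port of 80, so the defender's question remains the one the thread asks: why the 'keep state' entry created on the way out does not match the reply on the way in.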
