Bug 37301

Summary: 4.5 rc.firewall type simple does not pass icmp, or inside to gateway udp
Product: Base System
Reporter: Earl Killian <earl>
Component: misc
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Unspecified
Hardware: Any
OS: Any

Description Earl Killian 2002-04-21 01:40:01 UTC
I tried the 4.5-RELEASE rc.firewall with firewall_type="simple" and
natd_enable="YES", and I was not able to talk to my gateway machine
from the hosts on the inside.  Looking at the rules below, I see only
one rule that is specific to iif, and that is just to prevent the
inside from pretending to be outside.  Most of the rules are via oif,
or to oip and so don't apply to an inside machine talking to iip via
iif.  If I eliminate those rules, I'm left with:

Rules that apply to inet:imask talking to iip via iif:

    deny all from any to 127.0.0.0/8
    deny ip from 127.0.0.0/8 to any
    deny all from ${onet}:${omask} to any in via ${iif}
    pass tcp from any to any established
    pass all from any to any frag
    pass tcp from any to any setup

So what about icmp and udp?  Do other sites really use this fw and
just not ping or dns/ntp to their gateway from inside?  Shouldn't the
following be added after the stop-spoofing rules or something?:

    # Allow internal hosts complete access
    allow all from ${inet}:${imask} to ${iip} in recv ${iif}
    allow all from ${iip} to ${inet}:${imask} out xmit ${iif}

I also notice there are no rules for icmp at all.  Shouldn't there be a
    # Allow pings out in the world
    pass icmp from ${oip} to any keep-state
down with the dns/ntp rules?

Fix: See description.
How-To-Repeat: Configure with firewall_type="simple".  ping to the gateway from
an inside machine and get no response.  ntp and dns also do not work
if you give the inside IP address of the gateway as the server for
these protocols.
Comment 1 Crist J. Clark 2002-04-21 09:19:05 UTC
On Sat, Apr 20, 2002 at 05:35:31PM -0700, Earl Killian wrote:

> >Description:
> I tried the 4.5-RELEASE rc.firewall with firewall_type="simple" and
> natd_enable="YES", and I was not able to talk to my gateway machine
> from the hosts on the inside.  Looking at the rules below, I see only
> one rule that is specific to iif, and that is just to prevent the
> inside from pretending to be outside.  Most of the rules are via oif,
> or to oip and so don't apply to an inside machine talking to iip via
> iif.  If I eliminate those rules, I'm left with:
> 
> Rules that apply to inet:imask talking to iip via iif:
> 
>     deny all from any to 127.0.0.0/8
>     deny ip from 127.0.0.0/8 to any
>     deny all from ${onet}:${omask} to any in via ${iif}
>     pass tcp from any to any established
>     pass all from any to any frag
>     pass tcp from any to any setup
> 
> So what about icmp and udp?

You are missing,

        # Allow access to our DNS
        ${fwcmd} add pass tcp from any to ${oip} 53 setup
        ${fwcmd} add pass udp from any to ${oip} 53
        ${fwcmd} add pass udp from ${oip} 53 to any

Which allow internal machines to reach the DNS server on the
gateway. Remember,

        ############
        # This is a prototype setup for a simple firewall.  Configure this
        # machine as a named server and ntp server, and point all the machines
        # on the inside at this machine for those services.
        ############

(Not that the rules actually work for NTP. ;)

> Do other sites really use this fw and
> just not ping or dns/ntp to their gateway from inside?

I hope no one uses it unmodified. You shouldn't. As it is documented
elsewhere in rc.firewall,

  # For ``client'' and ``simple'' the entries below should be customized
  # appropriately.

          ############
          # This is a prototype setup for a simple firewall.

You should NOT use these rules as is. They don't make a lot of
sense. Trying to make a default set of firewall rules is a fool's
game. No one would be happy with them. I'd prefer to have a completely
broken set of rules. If you don't understand your own firewall rules,
you shouldn't be building your own firewall. A false sense of security
is worse than having less security and knowing it.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
Comment 2 Earl Killian 2002-04-21 16:06:16 UTC
Crist J. Clark writes:
 > Date: Sun, 21 Apr 2002 01:19:05 -0700
 > From: "Crist J. Clark" <cjc@FreeBSD.ORG>
 > 
 > You are missing,
 > 
 >         # Allow access to our DNS
 >         ${fwcmd} add pass tcp from any to ${oip} 53 setup
 >         ${fwcmd} add pass udp from any to ${oip} 53
 >         ${fwcmd} add pass udp from ${oip} 53 to any
 > 
 > Which allow internal machines to reach the DNS server on the
 > gateway. Remember,

But note the ${oip}.  My DNS was returning ${iip} for the address of my
internal gateway, so these rules did not apply.  This is my original
complaint.

 >         ############
 >         # This is a prototype setup for a simple firewall.  Configure this
 >         # machine as a named server and ntp server, and point all the machines
 >         # on the inside at this machine for those services.
 >         ############
 > 
 > (Not that the rules actually work for NTP. ;)

I guess the comment needs to say point all the machines on the inside
at the outside address of this machine.
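The gap described in the report and in Comment 2, shown as an added rc.firewall-style rule list (this is not FreeBSD's rc.firewall and not the reporter's or committer's code): the stock DNS rules that match only the gateway's outside address ${oip}, beside the pass rules the report proposes for inside hosts reaching the inside address ${iip}. Interface names and addresses are constructed placeholders, and fwcmd defaults to echo so the script only prints the rules.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc.firewall: a trimmed "simple"-style ipfw
# rule list showing why inside hosts could not reach the gateway's inside
# address, beside the pass rules proposed in the report to admit that traffic.
# Interface names and addresses are constructed placeholders.

# Dry run by default (rules are printed). Set fwcmd=/sbin/ipfw to load them.
fwcmd="${fwcmd:-echo}"
oif="fxp0"; oip="192.0.2.1";   onet="192.0.2.0";   omask="255.255.255.0"
iif="xl0";  iip="192.168.1.1"; inet="192.168.1.0"; imask="255.255.255.0"

simple_rules() {
    # Stop spoofing: outside-net sources never arrive on the inside
    # interface, inside-net sources never arrive on the outside one.
    ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
    # Loopback traffic itself is fine; loopback addresses elsewhere are not.
    ${fwcmd} add pass all from any to any via lo0
    ${fwcmd} add deny all from any to 127.0.0.0/8
    ${fwcmd} add deny ip from 127.0.0.0/8 to any

    # The report's fix: inside hosts talking to the gateway's INSIDE address
    # (DNS, NTP, ping) match none of the ${oip} rules below, so admit that
    # traffic explicitly, directly after the anti-spoofing rules.
    ${fwcmd} add pass all from ${inet}:${imask} to ${iip} in recv ${iif}
    ${fwcmd} add pass all from ${iip} to ${inet}:${imask} out xmit ${iif}

    # Stock prototype: DNS on the OUTSIDE address only. A resolver that
    # hands inside clients ${iip} for the gateway never matches these.
    ${fwcmd} add pass tcp from any to ${oip} 53 setup
    ${fwcmd} add pass udp from any to ${oip} 53
    ${fwcmd} add pass udp from ${oip} 53 to any
    # Pings the gateway originates, replies admitted by the state entry.
    ${fwcmd} add pass icmp from ${oip} to any keep-state

    # Established TCP and fragments; refuse and log new connections that
    # arrive from outside before permitting any other TCP setup.
    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add pass all from any to any frag
    ${fwcmd} add deny log tcp from any to any in via ${oif} setup
    ${fwcmd} add pass tcp from any to any setup
    # Explicit final deny so the result does not depend on the kernel default.
    ${fwcmd} add deny all from any to any
}

simple_rules
```

Running it with fwcmd left at echo prints the 16 rules in load order, which is the cheapest way to confirm that the inside-address pass rules sit before the ${oip}-specific and any-to-any rules.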
Comment 3 Kris Kennaway 2003-07-13 01:34:32 UTC
State Changed
From-To: open->closed

The simple firewall is not intended to work in all situations. 
You are encouraged to review and customize it for your own 
specific requirements.