Re: [CFR] unified rc.firewall

From: Hajimu UMEMOTO <ume_at_freebsd.org>
Date: Tue, 24 Nov 2009 02:27:23 +0900
Hi,

>>>>> On Mon, 23 Nov 2009 10:56:14 -0500
>>>>> John Baldwin <jhb_at_freebsd.org> said:

jhb> _at__at_ -178,6 +212,16 _at__at_
jhb>         # Allow any traffic to or from my own net.
jhb>         ${fwcmd} add pass all from me to ${net}
jhb>         ${fwcmd} add pass all from ${net} to me
jhb> +       if [ -n "$net6" ]; then
jhb> +               ${fwcmd} add pass ip6 from me6 to ${net6}
jhb> +               ${fwcmd} add pass ip6 from ${net6} to me6
jhb> +       fi
jhb> +
jhb> +       if [ -n "$net6" ]; then
jhb> +               # Allow any link-local multicast traffic
jhb> +               ${fwcmd} add pass ip6 from fe80::/10 to ff02::/16
jhb> +               ${fwcmd} add pass ip6 from ${net6} to ff02::/16
jhb> +       fi
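Review bot: the two consecutive `if [ -n "$net6" ]` blocks (the one adding the `me6`/`${net6}` pass rules and the one adding the link-local multicast rules) test the same condition and can be merged into a single guarded block. Also worth a comment on `${fwcmd} add pass ip6 from fe80::/10 to ff02::/16`: unlike the neighbouring rules it is not scoped to `me6` or `${net6}`, so it admits link-local sources on every interface; that is what Neighbor Discovery needs, but the script should say so rather than leave it looking like an oversight.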

jhb> Any reason to not use 'all' here rather than 'ip6' to match the earlier IPv4
jhb> rules?

Thank you for the review.
The rule is only applicable to IPv6.  Rather, I prefer to use 'ip4'
explicitly over 'all' or 'ip' here.  However, changing 'all' to 'ip4'
makes the diff complex.  So, I keep 'all' as is.

jhb> _at__at_ -273,6 +329,55 _at__at_
jhb>         ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
jhb>         ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
jhb>  
jhb> +       if [ -n "$oif6" -a -n "$onet6" -a -n "$iif6" -a -n "$inet6" ]; then
jhb> +               # Stop unique local unicast address on the outside interface
jhb> +               ${fwcmd} add deny ip6 from fc00::/7 to any via ${oif6}
jhb> +               ${fwcmd} add deny ip6 from any to fc00::/7 via ${oif6}
jhb> +
jhb> ....
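Review bot: the guard `[ -n "$oif6" -a -n "$onet6" -a -n "$iif6" -a -n "$inet6" ]` relies on the `-a` form of test, which POSIX marks obsolescent and whose result is unspecified with more than four operands; rc scripts run under /bin/sh, so write it as a chain of single tests instead: `[ -n "$oif6" ] && [ -n "$onet6" ] && [ -n "$iif6" ] && [ -n "$inet6" ]`. The same guard is repeated in the later hunk, so putting it in a small helper (or computing a single flag once) would also avoid the four-variable condition drifting between copies.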

jhb> Similarly here, why not use 'all' instead of 'ip6'?

Same as above.

jhb> _at__at_ -291,7 +396,11 _at__at_
jhb>         ${fwcmd} add pass tcp from any to me 80 setup
jhb>  
jhb>         # Reject&Log all setup of incoming connections from the outside
jhb> -       ${fwcmd} add deny log tcp from any to any in via ${oif} setup
jhb> +       ${fwcmd} add deny log ip4 from any to any in via ${oif} setup proto 
jhb> tcp
jhb> +       if [ -n "$oif6" -a -n "$onet6" -a -n "$iif6" -a -n "$inet6" ]; then
jhb> +               ${fwcmd} add deny log ip6 from any to any in via ${oif6} \
jhb> +                   setup proto tcp
jhb> +       fi
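Review bot: the IPv6 deny/log rule is gated on all four of `oif6`, `onet6`, `iif6` and `inet6`, but only `${oif6}` is used in the rule itself; a host that has an outside IPv6 interface and no inside one gets no logged deny for incoming IPv6 SYNs at all, and the final default rule decides silently. Either gate on `-n "$oif6"` alone here, or add a comment explaining why the rule should exist only when the full inside/outside IPv6 configuration is present.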

jhb> I would actually not use separate v6 interfaces for the 'simple' firewall
jhb> but just have 'oif', 'onet', and 'onet_ipv6' variables.  Then you don't need
jhb> this diff at all as the existing rule will work fine.

Yup, it should make the rules simpler.  However, many sites still use
a tunnel for IPv6 connectivity.  I think separating 'oif' and 'oif6'
makes such sites happy.  So, this diff should make sense, IMHO.

jhb>         # For services permitted below.
jhb>         ${fwcmd} add pass tcp  from me to any established
jhb> +       if [ $ipv6_available -eq 0 ]; then
jhb> +               ${fwcmd} add pass ip6 from any to any proto tcp established
jhb> +       fi
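Review bot: `$ipv6_available` is unquoted in `[ $ipv6_available -eq 0 ]`; if the variable is ever unset or empty the test becomes `[ -eq 0 ]` and sh reports a syntax error, so quote it as `[ "$ipv6_available" -eq 0 ]`. Separately, the added rule is `from any to any ... established`, which is wider than the IPv4 `from me to any established` directly above it; `from me6 to any proto tcp established` would mirror the IPv4 rule and matches the `me6` already used in the later hunk.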

jhb> I think this extra rule here isn't needed at all as the first rule should
jhb> already match all of those packets.

The WORKSTATION type rules are fully dynamic.  However, I saw it doesn't
work for IPv6 as expected.  The SSH connection stalls after some period.
I suspect the keepalive timer doesn't work well for IPv6.
So, I changed to use the traditional setup/established rules for TCP/IPv6.
Further, 'me' doesn't match IPv6 addresses.

jhb>         # Allow any connection out, adding state for each.
jhb>         ${fwcmd} add pass tcp  from me to any setup keep-state
jhb>         ${fwcmd} add pass udp  from me to any       keep-state
jhb>         ${fwcmd} add pass icmp from me to any       keep-state
jhb> +       if [ $ipv6_available -eq 0 ]; then
jhb> +               ${fwcmd} add pass ip6 from me6 to any proto tcp setup
jhb> +               ${fwcmd} add pass ip6 from me6 to any proto udp keep-state
jhb> +               ${fwcmd} add pass ip6 from me6 to any proto ipv6-icmp \
jhb> +                   keep-state
jhb> +       fi
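Review bot: the IPv6 TCP line `add pass ip6 from me6 to any proto tcp setup` has no `keep-state`, while the IPv4 line above it is `setup keep-state`; from the discussion this is deliberate (it pairs with the separate `established` rule because the stateful rules stalled IPv6 sessions), but nothing in the script records that, and a later reader will take it for an omission and "fix" it. Add a one-line comment stating that IPv6 TCP intentionally uses setup/established rather than keep-state. The `[ $ipv6_available -eq 0 ]` test here should also quote the variable, as in the earlier hunk.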

jhb> I think it is more consistent to use 'pass tcp from me6 to any' similar to
jhb> the IPv4 rules here.  It is also shorter and easier to read that way IMO.

I thought a similar thing about 'all' vs 'ip4'.  Rather, I prefer to
change the IPv4 rules.  However, if 'all' is preferable, I'll change it.

Sincerely,

--
Hajimu UMEMOTO _at_ Internet Mutual Aid Society Yokohama, Japan
ume_at_mahoroba.org  ume_at_{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
Received on Mon Nov 23 2009 - 16:27:38 UTC