IP Filter Examples

  - Permissions
  - Interface
  - Netmasks and hosts
  - IP Protocols
  - IP Options
  - IP Fragments
  - TCP/UDP Ports
  - ICMP type/code
  - TCP Flags (established)
  - Responding to a BAD packet
  - IP Security Classes
  - Packet state filtering
  - Network Address Translation (NAT)
  - Transparent Proxy Support
  - Transparent routing
  - Logging packets to network devices
  - Rule groups
  - Authenticating packets
  - Pre-authenticating packets

------------------------------------------------------------------------

Permission Specifying.

To specify where to pass through or to block a packet, either block or pass
is used. In and out are used to describe the direction in which the packet
is travelling through a network interface. Eg:

# setup default to block all packets.
block in all
block out all
# pass packets from host firewall to any destination
pass in from firewall to any

------------------------------------------------------------------------

Select network Interfaces

To select which interface a packet is currently associated with, either its
destination as a result of route processing or where it has been received
from, the on keyword is used.
Whilst not compulsory, it is recommended that
each rule include it for clarity. Eg:

# drop all inbound packets from localhost coming from ethernet
block in on le0 from localhost to any

------------------------------------------------------------------------

Netmasks and hosts

As not all networks are formed with classical network boundaries, it is
necessary to provide a mechanism to support VLSM (Variable Length Subnet
Masks). This package provides several ways to do this. Eg:

#
block in on le0 from mynet/26 to any
#
block in on le0 from mynet/255.255.255.192 to any
#
block in on le0 from mynet mask 255.255.255.192 to any
#
block in on le0 from mynet mask 0xffffffc0 to any

These are all valid and legal syntax with this package. However, when
regenerating rules (ie using ipfstat), this package will prefer to use the
shortest valid notation (top down).

The default netmask, when none is given, is 255.255.255.255 or "/32".

To invert the match on a hostname or network, include an ! before the name
or number with no space between them.

------------------------------------------------------------------------

Protocol

To filter on an individual protocol, it is possible to specify the protocol
in a filter rule.
Eg:

# block all incoming ICMP packets
block in on le0 proto icmp all

The name of the protocol can be any valid name from /etc/protocols or a
number.

# allow all IP packets in which are protocol 4
pass in on le0 proto 4 all

There is one exception to this rule, being "tcp/udp". If given in a ruleset,
it will match either of the two protocols. This is useful when setting up
port restrictions. Eg:

# prevent any packets destined for NFS from coming in
block in on le0 proto tcp/udp from any to any port = 2049

------------------------------------------------------------------------

Filtering IP fragments

IP fragments are bad news, in general. Recent study has shown that IP
fragments can pose a large threat to IP packet filtering, IF there are rules
used which rely on data which may be distributed across fragments. To this
package, the threat is that the TCP flags field of the TCP packet may be in
the 2nd or 3rd fragment or possibly be believed to be in the first when
actually in the 2nd or 3rd.

To filter out these nasties, it is possible to select fragmented packets out
as follows:

#
# get rid of all IP fragments
#
block in all with frag

The problem arises that fragments can actually be non-malicious.
The
really malicious ones can be grouped under the term "short fragments" and
can be filtered out as follows:

#
# get rid of all short IP fragments (too small for valid comparison)
#
block in proto tcp all with short

------------------------------------------------------------------------

IP Options

IP options have a bad name for being a general security threat. They can be
of some use, however, to programs such as traceroute but many find this
usefulness not worth the risk.

Filtering on IP options can be achieved two ways. The first is by naming
them collectively and is done as follows:

#
# drop and log any IP packets with options set in them.
#
block in log all with ipopts
#

The second way is to actually list the names of the options you wish to
filter.

#
# drop any source routing options
#
block in quick all with opt lsrr
block in quick all with opt ssrr

NOTE that options are matched explicitly, so if I had lsrr,ssrr it
would only match packets with both options set.

It is also possible to select packets which DON'T have various options
present in the packet header. For example, to allow telnet connections
without any IP options present, the following would be done:

#
# Allow anyone to telnet in so long as they don't use IP options.
#
pass in proto tcp from any to any port = 23 with no ipopts
#
# Allow packets with strict source routing and no loose source routing
#
pass in from any to any with opt ssrr not opt lsrr

------------------------------------------------------------------------

Filtering by ports

Filtering by port number only works with the TCP and UDP IP protocols. When
specifying port numbers, either the number or the service name from
/etc/services may be used. If the proto field is used in a filter rule, it
will be used in conjunction with the port name in determining the port
number.

The possible operands available for use with port numbers are:

Operand  Alias  Parameters  Result
<        lt     port#       true if port is less than given value
>        gt     port#       true if port is greater than given value
=        eq     port#       true if port is equal to given value
!=       ne     port#       true if port is not equal to given value
<=       le     port#       true if port is less than or equal to given value
>=       ge     port#       true if port is greater than or equal to given value

Eg:

#
# allow any TCP packets from the same subnet as foo is on through to host
# 10.1.1.2 if they are destined for port 6667.
#
pass in proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are destined for
# localhost
#
pass in proto udp from fubar port != 53 to localhost

Two range comparisons are also possible:

Expression Syntax:
port1# <> port2#    true if port is less than port1 or greater than port2
port1# >< port2#    true if port is greater than port1 and less than port2

NOTE that in neither case, when the port number is equal to one of
those given, does it match. Eg:

#
# block anything trying to get to X terminal ports, X:0 to X:9
#
block in proto tcp from any to any port 5999 >< 6010
#
# allow any connections to be made, except to BSD print/r-services
# this will also protect syslog.
#
block in proto tcp/udp all
pass in proto tcp/udp from any to any port 512 <> 515

Note that the last one above could just as easily be done in the reverse
fashion: allowing everything through and blocking only a small range. Note
that the port numbers are different, however, due to the difference in the
way they are compared.

#
# allow any connections to be made, except to BSD print/r-services
# this will also protect syslog.
#
pass in proto tcp/udp all
block in proto tcp/udp from any to any port 511 >< 516

------------------------------------------------------------------------

TCP Flags (established)

Filtering on TCP flags is useful, but fraught with danger. I'd recommend
that before using TCP flags in your IP filtering, you become at least a
little bit acquainted with what the role of each of them is and when they're
used. This package will compare the flags present in each TCP packet, if
asked, and match if those present in the TCP packet are the same as in the
IP filter rule.

Some IP filtering/firewall packages allow you to filter out TCP packets
which belong to an "established" connection. This is, simply put, filtering
on packets which have the ACK bit set. The ACK bit is only set in packets
transmitted during the lifecycle of a TCP connection. It is necessary for
this flag to be present from either end for data to be transferred. If you
were using a rule which was worded something like:

allow proto tcp 10.1.0.0 255.255.0.0 port = 23 10.2.0.0 255.255.0.0 established

It could be rewritten as:

pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
pass out proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A

A more useful flag to filter on, for TCP connections, I find, is the SYN
flag. This is only set during the initial stages of connection negotiation,
and for the very first packet of a new TCP connection, it is the only flag
set.
At all other times, an ACK or maybe even an URG/PUSH flag may be set.
So, if I want to stop connections being made to my internal network
(10.1.0.0) from the outside network, I might do something like:

#
# block incoming connection requests to my internal network from the big bad
# internet.
#
block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA

If you wanted to block the replies to this (the SYN-ACK's), then you might
do:

block out on le0 proto tcp from 10.1.0.0/16 to any flags SA/SA

where SA represents the SYN-ACK flags both being set.

The flags after the / represent the TCP flag mask, indicating which bits of
the TCP flags you are interested in checking. When using the SYN bit in a
check, you SHOULD specify a mask to ensure that your filter CANNOT be
defeated by a packet with SYN and URG flags, for example, set (to Unix, this
is the same as a plain SYN).

------------------------------------------------------------------------

ICMP Type/Code

ICMP can be a source of a lot of trouble for Internet Connected networks.
Blocking out all ICMP packets can be useful, but it will disable some
otherwise useful programs, such as "ping". Filtering on ICMP type allows for
pings (for example) to work. Eg:

# block all ICMP packets.
#
block in proto icmp all
#
# allow in ICMP echos and echo-replies.
#
pass in on le1 proto icmp from any to any icmp-type echo
pass in on le1 proto icmp from any to any icmp-type echorep

To specify an ICMP code, the numeric value must be used. So, if we wanted to
block all port-unreachables, we would do:

#
# block all ICMP destination unreachable packets which are port-unreachables
#
block in on le1 proto icmp from any to any icmp-type unreach code 3

------------------------------------------------------------------------

Responding to a BAD packet

To provide feedback to people trying to send packets through your filter
which you wish to disallow, you can send back either an ICMP error
(Destination Unreachable) or, if they're sending a TCP packet, a TCP RST
(Reset).

What's the difference? TCP/IP stacks take longer to pass the ICMP errors
back, through to the application, as they can often be due to temporary
problems (network was unplugged for a second) and it is `incorrect' to shut
down a connection for this reason. Others go to the other extreme and will
shut down all connections between the two hosts for which the ICMP error is
received. The TCP RST, however, is for only *one* connection (cannot be used
for more than one) and will cause the connection to immediately shut down.
So, for example, if you're blocking port 113, and setup a rule to return a
TCP RST rather than nothing or an ICMP packet, you won't experience any
delay if the other end was attempting to make a connection to an identd
service.

Some examples are as follows:

#
# block all incoming TCP connections but send back a TCP-RST for ones to
# the ident port
#
block in proto tcp from any to any flags S/SA
block return-rst in quick proto tcp from any to any port = 113 flags S/SA
#
# block all inbound UDP packets and send back an ICMP error.
#
block return-icmp in proto udp from any to any

When returning ICMP packets, it is also possible to specify the type of ICMP
error return. This was requested so that traceroute traces could be forced
to end elegantly. To do this, the requested ICMP Unreachable code is placed
in brackets following the "return-icmp" directive:

#
# block all inbound UDP packets and send back an ICMP error.
#
block return-icmp (3) in proto udp from any to any port > 30000
block return-icmp (port-unr) in proto udp from any to any port > 30000

Those two examples are equivalent, and return an ICMP port unreachable error
packet in response to any UDP packet received destined for a port greater
than 30,000.

------------------------------------------------------------------------

Filtering IP Security Classes

For users who have packets which contain IP security bits, filtering on the
defined classes and authority levels is supported. Currently, filtering on
16-bit authority flags is not supported.

As with ipopts and other IP options, it is possible to say that the packet
only matches if a certain class isn't present.

Some examples of filtering on IP security options:

#
# drop all packets without IP security options
#
block in all with no opt sec
#
# only allow packets in and out on le1 which are top secret
#
block out on le1 all
pass out on le1 all with opt sec-class topsecret
block in on le1 all
pass in on le1 all with opt sec-class topsecret

------------------------------------------------------------------------

Packet state filtering

Packet state filtering can be used for any TCP flow to short-cut later
filtering. The "short-cuts" are kept in a table, with no alterations to the
packet filter list made. Subsequent packets, if a matching packet is found
in the table, are not passed through the list. For TCP flows, the filter
will follow the ack/sequence numbers of packets and only allow packets
through which fall inside the correct window.

#
# Keep state for all outgoing telnet connections
# and disallow all other TCP traffic.
#
pass out on le1 proto tcp from any to any port = telnet keep state
block out on le1 all

For UDP packets, packet exchanges are effectively stateless. However, if a
packet is first sent out from a given port, a reply is usually expected in
answer, in the `reverse' direction.
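To show what "keep state" does for the outgoing telnet rule above and for the UDP reply case just described, here is a small Python model of the state table. It is an added example, not code from the IP Filter package: the flow is recorded when a "keep state" pass rule matches, later packets of that flow in either direction bypass the rule list, UDP state and TCP state not started by a SYN time out, TCP state started by a SYN becomes long-lived (the 5 days this section mentions) once the handshake reply is seen, and a FIN or RST removes it. The 60-second short timeout, the catch-all block rules placed before the pass rules (the last matching rule wins in this model, as in ipf without "quick"), and the packet dictionaries are assumptions of the model; ack/sequence window tracking is left out.

```python
"""Toy model of IP Filter 'keep state' (added example, not IP Filter's own
code). Sequence/ack window checking is not modelled."""
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
SHORT_TIMEOUT = 60                  # assumed: UDP state and non-SYN TCP state
LONG_TIMEOUT = 5 * 24 * 3600        # "timeless": the 5-day default the page gives


@dataclass
class Entry:
    expires: float
    created_by_syn: bool


class StateTable:
    def __init__(self):
        self.entries = {}

    @staticmethod
    def _keys(pkt):
        fwd = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return fwd, rev

    def add(self, pkt, now):
        fwd, _ = self._keys(pkt)
        by_syn = pkt["proto"] == "tcp" and bool(pkt["flags"] & SYN)
        self.entries[fwd] = Entry(now + SHORT_TIMEOUT, by_syn)

    def lookup(self, pkt, now):
        """True if pkt belongs to a live flow (either direction), updating the
        entry's lifetime the way the page describes."""
        fwd, rev = self._keys(pkt)
        key = next((k for k in (fwd, rev) if k in self.entries), None)
        if key is None:
            return False
        entry = self.entries[key]
        if entry.expires <= now:                  # stale: forget it, use the rules
            del self.entries[key]
            return False
        if pkt["proto"] == "tcp" and pkt["flags"] & (FIN | RST):
            del self.entries[key]                 # connection ending: drop state
        elif entry.created_by_syn and pkt["flags"] & ACK:
            entry.expires = now + LONG_TIMEOUT    # handshake progressed: long-lived
        elif not entry.created_by_syn:
            entry.expires = now + SHORT_TIMEOUT   # assumed: traffic refreshes short state
        return True


# Constructed rules: (action, direction, interface, proto, dport, keep_state).
# Last match wins, so the catch-all blocks come first and the page's pass rules last.
RULES = [
    ("block", "out", "le1", None, None, False),
    ("block", "in", "le1", None, None, False),
    ("pass", "out", "le1", "tcp", 23, True),      # telnet, keep state
    ("pass", "out", "le1", "udp", 53, True),      # domain, keep state
]


def filter_packet(rules, state, pkt, now):
    """State table first; the rule list is consulted only on a miss."""
    if state.lookup(pkt, now):
        return "pass (state)"
    matched = None
    for rule in rules:
        action, direction, iface, proto, dport, keep = rule
        if (direction, iface) != (pkt["dir"], pkt["iface"]):
            continue
        if (proto and proto != pkt["proto"]) or (dport is not None and dport != pkt["dport"]):
            continue
        matched = rule
    if matched is None:
        return "pass"                             # ipf passes what no rule matches
    if matched[0] == "pass" and matched[5]:
        state.add(pkt, now)
    return matched[0]


def run_scenario():
    """Walk a telnet connection and a DNS lookup through the model (constructed)."""
    state, verdicts = StateTable(), []

    def p(direction, proto, src, sport, dst, dport, flags=0):
        return dict(dir=direction, iface="le1", proto=proto, src=src, sport=sport,
                    dst=dst, dport=dport, flags=flags)

    syn = p("out", "tcp", "10.1.0.5", 40000, "192.0.2.10", 23, SYN)
    synack = p("in", "tcp", "192.0.2.10", 23, "10.1.0.5", 40000, SYN | ACK)
    data = p("in", "tcp", "192.0.2.10", 23, "10.1.0.5", 40000, ACK)
    fin = p("in", "tcp", "192.0.2.10", 23, "10.1.0.5", 40000, FIN | ACK)
    query = p("out", "udp", "10.1.0.5", 5353, "192.0.2.53", 53)
    reply = p("in", "udp", "192.0.2.53", 53, "10.1.0.5", 5353)
    four_days = 4 * 24 * 3600
    verdicts.append(filter_packet(RULES, state, syn, 0))            # pass: rule, state added
    verdicts.append(filter_packet(RULES, state, synack, 1))         # pass (state): now long-lived
    verdicts.append(filter_packet(RULES, state, data, four_days))   # pass (state): still alive
    verdicts.append(filter_packet(RULES, state, fin, four_days + 1))  # pass (state): entry removed
    verdicts.append(filter_packet(RULES, state, data, four_days + 2))  # block: no state, block in all
    verdicts.append(filter_packet(RULES, state, query, 10))         # pass: rule, state added
    verdicts.append(filter_packet(RULES, state, reply, 20))         # pass (state): reverse direction
    verdicts.append(filter_packet(RULES, state, reply, 200))        # block: UDP state timed out
    return verdicts


if __name__ == "__main__":
    print(run_scenario())
```

The inbound SYN-ACK and the later data and FIN segments never touch the rule list, which is the short-cut the section describes; the inbound "block in on le1 all" only applies once the entry is gone.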

#
# allow UDP replies back from name servers
#
pass out on le1 proto udp from any to any port = domain keep state

Held UDP state is timed out, as is TCP state for entries added which do not
have the SYN flag set. If an entry is created with the SYN flag set, any
subsequent matching packet which doesn't have this flag set (ie a SYN-ACK)
will cause it to be "timeless" (actually, the timeout defaults to 5 days),
until either a FIN or RST is seen.

------------------------------------------------------------------------

Network Address Translation (NAT)

Network address translation is used to remap IP #'s from one address range
to another range of network addresses. For TCP and UDP, this also can
include the port numbers. The IP #'s/port #'s are changed when a packet is
going out through an interface and IP Filter matches it against a NAT rule.

Packets coming back in the same interface are remapped, as a matter of
course, to their original address information.

# map all tcp connections from 10.1.0.0/16 to 240.1.0.1, changing the source
# port number to something between 10,000 and 20,000 inclusive. For all other
# IP packets, allocate an IP # between 240.1.0.0 and 240.1.0.255, temporarily
# for each new user. In this example, ed1 is the external interface.
# Use ipnat, not ipf to load these rules.
#
map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
map ed1 10.1.0.0/16 -> 240.1.0.0/24

------------------------------------------------------------------------

Transparent Proxy Support

Transparent proxies are supported through redirection, which works in a
similar way to NAT, except that rules are triggered by input packets. To
effect redirection rules, ipnat must be used (same as for NAT) rather than
ipf.

# Redirection is triggered for input packets.
# For example, to redirect FTP connections through this box (in this case ed0
# is the interface on the "inside" where default routes point), to the local
# ftp port, forcing them to connect through a proxy, you would use:
#
rdr ed0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp

------------------------------------------------------------------------

Transparent routing

Transparent routing can be performed in two ways using IP Filter. The first
is to use the keyword "fastroute" in a rule, causing the normal route lookup
to occur; the second is to use a fixed route with "to". Both effect
transparent routing by not causing any decrement in the TTL to occur as the
packet passes through the kernel.

# Route all UDP packets through transparently.
#
pass in quick fastroute proto udp all
#
# Route all ICMP packets to network 10 (on le0) out through le1, to "router"
#
pass in quick on le0 to le1:router proto icmp all

------------------------------------------------------------------------

Logging packets to the network

Logging packets to the network devices is supported for both packets being
passed through the filter and those being blocked. For packets being passed
on, the "dup-to" keyword must be used, but for packets being blocked, either
"to" (more efficient) or "dup-to" can be used.

To log packets to the interface without requiring ARP to work, create a
static arp cache entry for a meaningless IP # (say 10.0.0.1) and log packets
to this IP #.

# Log all short TCP packets to qe3, with "packetlog" as the intended
# destination for the packet.
#
block in quick to qe3:packetlog proto tcp all with short
#
# Log all connection attempts for TCP
#
pass in quick on ppp0 dup-to le1:packetlog proto tcp all flags S/SA

------------------------------------------------------------------------

Rule groups

To aid in making rule processing more efficient, it is possible to setup
rule `groups'. By default, all rules are in group 0 and all other groups
have it as their ultimate parent.
To start a new group, a rule includes a
`head' statement, such as this:

# Process all incoming ppp packets on ppp0 with group 100, with the default for
# this interface to block all incoming.
#
block in quick on ppp0 all head 100

If we then wanted to allow people to connect to our WWW server, via ppp0, we
could then just add a rule about WWW. NOTE: only packets which match the
above rule are processed by any group 100 rules.

# Allow connections to the WWW server via ppp0.
#
pass in quick proto tcp from any to any port = WWW keep state group 100

------------------------------------------------------------------------
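The sections on netmasks, port comparisons, TCP flag masks and rule groups all describe how a rule is matched against a packet; the following Python model, an added example rather than code from the IP Filter package, puts those pieces together so the behaviour can be checked on constructed packets. Rules are plain dictionaries instead of ipf's text syntax. It models the four netmask notations (and that the shortest one is the canonical form), the six port operators plus the two ranges that exclude their endpoints, "tcp/udp" matching either protocol, flags compared under a mask (so a SYN+URG packet still matches "S/SA" but not a plain "S"), "quick", and head/group rules whose head action stands when nothing in the group matches. Two things are assumptions, as in ipf: the last matching rule wins unless it is "quick", and a packet no rule matches is passed, which is why the page starts with a "block in all" default. The ruleset and packets at the bottom are constructed from this page's examples.

```python
"""Toy model of IP Filter rule evaluation (added example, not IP Filter's own
code); rules are dicts, not ipf text syntax. Assumed, as in ipf: the last
matching rule wins unless 'quick', and an unmatched packet is passed."""
import ipaddress

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_net(spec):
    """'a/26', 'a/255.255.255.192', 'a mask 255.255.255.192' or
    'a mask 0xffffffc0'; no mask means /32; a leading '!' inverts the match.
    Returns (network, negated); str(network) is the shortest notation."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if " mask " in spec:
        addr, mask = spec.split(" mask ")
        if mask.lower().startswith("0x"):
            mask = str(ipaddress.IPv4Address(int(mask, 16)))
        spec = f"{addr}/{mask}"
    elif "/" not in spec:
        spec = f"{spec}/32"
    return ipaddress.ip_network(spec, strict=False), negated


def host_match(spec, ip):
    if spec == "any":
        return True
    net, negated = parse_net(spec)
    return (ipaddress.ip_address(ip) in net) != negated


def port_match(cond, port):
    """cond is None, (op, n), or ('<>' | '><', lo, hi)."""
    if cond is None:
        return True
    if port is None:                      # rule names a port, packet has none
        return False
    op, n = cond[0], cond[1]
    if op == "<>":                        # outside lo..hi, ends excluded
        return port < n or port > cond[2]
    if op == "><":                        # inside lo..hi, ends excluded
        return n < port < cond[2]
    return {"=": port == n, "!=": port != n, "<": port < n, ">": port > n,
            "<=": port <= n, ">=": port >= n}[op]


def flags_match(spec, pkt_flags):
    """'S/SA': keep only the mask bits of the packet, then compare. Without a
    mask every flag is compared, so SYN+URG does not match a plain 'S'."""
    want, _, mask = spec.partition("/")
    bits = lambda s: sum(FLAG_BITS[c] for c in s)
    mask_bits = bits(mask) if mask else sum(FLAG_BITS.values())
    return (pkt_flags & mask_bits) == bits(want)


def rule_matches(rule, pkt):
    if rule["dir"] != pkt["dir"] or rule.get("on", pkt["iface"]) != pkt["iface"]:
        return False
    if "proto" in rule and pkt["proto"] not in rule["proto"].split("/"):
        return False                      # 'tcp/udp' matches either one
    if "flags" in rule and not (pkt["proto"] == "tcp" and flags_match(rule["flags"], pkt["flags"])):
        return False
    return (host_match(rule.get("from", "any"), pkt["src"])
            and host_match(rule.get("to", "any"), pkt["dst"])
            and port_match(rule.get("sport"), pkt["sport"])
            and port_match(rule.get("dport"), pkt["dport"]))


def evaluate(rules, pkt, group=0):
    """Last match in the group wins unless it is quick. A matching head rule
    hands the packet to its group; the head's own action stands when nothing
    in that group matches."""
    result = None
    for rule in rules:
        if rule.get("group", 0) != group or not rule_matches(rule, pkt):
            continue
        result = rule["action"]
        if "head" in rule:
            result = evaluate(rules, pkt, rule["head"]) or result
        if rule.get("quick"):
            break
    return result


def filter_packet(rules, pkt):
    return evaluate(rules, pkt) or "pass"     # no rule matched: ipf passes


def packet(direction, iface, proto, src, dst, sport=None, dport=None, flags=0):
    return dict(dir=direction, iface=iface, proto=proto, src=src, dst=dst,
                sport=sport, dport=dport, flags=flags)


# Constructed ruleset assembled from the page's examples, catch-all block first.
RULES = [
    {"action": "block", "dir": "in"},
    {"action": "pass", "dir": "in", "proto": "tcp/udp", "dport": ("<>", 512, 515)},
    {"action": "block", "dir": "in", "on": "le0", "proto": "tcp/udp", "dport": ("=", 2049)},
    {"action": "block", "dir": "in", "on": "le0", "proto": "tcp", "to": "10.1.0.0/16", "flags": "S/SA"},
    {"action": "block", "dir": "in", "on": "ppp0", "quick": True, "head": 100},
    {"action": "pass", "dir": "in", "proto": "tcp", "dport": ("=", 80), "quick": True, "group": 100},
]
```

Feeding the model a SYN+URG segment for 10.1.4.4 on le0 yields "block", while an ACK-only segment to the same host passes, which is the masked-flags point of the TCP flags section; a SYN to port 80 on ppp0 passes via group 100, and a SYN to any other port on ppp0 falls back to the head rule's "block".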