Advanced ipfw configuring

��

�� "��" ��

ipfw 10 add divert 8778 ip from 3.3.3.0/24 to 6.6.6.0/24
ipfw 20 add divert 8668 ip from 3.3.3.0/24 to any
ipfw 30 add divert 8668 ip from 4.4.4.0/24 to 5.5.5.0/24
ipfw 40 add divert 8778 ip from 4.4.4.0/24 to any
ipfw 50 add fwd 1.1.1.254 ip from 1.1.1.1 to any
ipfw 60 add fwd 2.2.2.254 ip from 2.2.2.2 to any
ipfw 70 add divert 8668 ip from any to 1.1.1.1
ipfw 80 add divert 8778 ip from any to 2.2.2.2

�� : http://ipfw.ism.kiev.ua/pbr.html
�� . �� nat � �� . �� .
�� !

http://ipfw.ism.kiev.ua/nipfw.html

#!/bin/sh
ipfw='/sbin/ipfw -q'
ournet='192.168.0.1/24'
uprefix='192.168.0'
ifout='rl0'
ifuser='rl1'
${ipfw} flush
${ipfw} add 100 check-state
${ipfw} add 200 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
${ipfw} add 210 reject ip from ${ournet} to any in via ${ifout}
${ipfw} add 300 allow ip from any to any via lo
${ipfw} add 310 allow tcp from me to any keep-state via ${ifout}
${ipfw} add 320 allow icmp from any to any
${ipfw} add 330 allow udp from me to any domain keep-state
${ipfw} add 340 allow udp from any to me domain
${ipfw} add 350 allow ip from me to any
${ipfw} add 400 allow tcp from any to me http,https,ssh
${ipfw} add 410 allow tcp from not ${ournet} to me smtp
${ipfw} add 500 fwd 127.0.0.1,3128 tcp from ${ournet} to any http out via ${ifout}
${ipfw} add 510 divert natd ip from ${ournet} to any out via ${ifout}
${ipfw} add 511 divert natd ip from any to ${REAL_IP} in via ${ifout}
${ipfw} add 1002 allow ip from ${uprefix}.2 to any via ${ifuser}
${ipfw} add 1002 allow ip from any to ${uprefix}.2 via ${ifuser}
${ipfw} add 1003 allow ip from ${uprefix}.3 to any via ${ifuser}
${ipfw} add 1003 allow ip from any to ${uprefix}.3 via ${ifuser}
${ipfw} add 1004 allow ip from ${uprefix}.4 to any via ${ifuser}
${ipfw} add 1004 allow ip from any to ${uprefix}.4 via ${ifuser}
#${ipfw} add 65535 deny ip from any to any

��, �� ! �� , �� , �� . �� 1-� �� 4.4.4.5 -> I.N.E.T �� rl2 � �� 6 �� (75% �� ) �� 2 (25%). � �� I.N.E.T -> 2.2.2.2 (I.N.E.T -> 4.4.4.5 �� undiverta) �� (100%), �� (12%).

�� 2 �� . �� 192.168.0.4 -> I.N.E.T �� 13 �� (68%), �� 2 �� (10%). � �� I.N.E.T -> 192.168.0.4 19 �� (100%), �� 2 (10%)

�� , ��
${ipfw} add 511 divert natd ip from any to ${REAL_IP} in via ${ifout}
�� ${REAL_IP} �� ${ifout} �� (� �� rl0)
�� 65535-� ��

�� , �� , �� . � �� ... �� . �� . �� , �� in recv/out xmit/via ${iface} � �� /��/�� tcpdump'��, �� .

�� VS ��

�� firewall �� "�� ", �.�. �� . � �� IPFIREWALL_DEFAULT_TO_ACCEPT. �.�. � �� =) �, ��, � �� . �� ! �� , �� -�� :
ipfw add xxx deny all from 192.168.0.0/16 to any
ipfw add xxx deny all from 172.16.0.0/12 to any
... � ��

ipfw add 65535 allow all from any to any

�� . �� , �� -�� . �.�. �� �� ��, �� . �� , �� , �� . �� . �.�. ��
ipfw add 65535 deny all from any to any

��

�� "�� ". �� "��" �� .

ipfw add 09999 skipto 10000 all from any to any via em
ipfw add 09999 skipto 11000 all from any to any via rl0
ipfw add 09999 skipto 12000 all from any to any via rl1
ipfw add 09999 skipto 13000 all from any to any via rl2
ipfw add 09999 skipto 65000 ip from any to any
ipfw add 10999 skipto 65000 ip from any to any
ipfw add 11999 skipto 65000 ip from any to any
ipfw add 12999 skipto 65000 ip from any to any
ipfw add 13999 skipto 65000 ip from any to any

�� . �� 00001-99998 �� . �� 10.0.0.0/8 � �� . �� icmp �� , ��
ipfw add 9010 deny all from 10.0.0.0/8 to any
ipfw add 9010 deny icmp from any to any

�� .
��!!! �� , �� . �� .
ipfw add 910 deny tcp from any 135 to any in recv ng0
ipfw add 910 count tcp from any to any in recv ng0

� �� 135 �� , �� . � �� , �� .

�� 00001-09999

00001- 00089 ��. �� . �� -�� . �� : ipfw add 1 deny all from any 135 to any

00090 - 00099 �� (�� ) ��. ��: �� !

00100 - 00899 �� .

00900 - 00999 �� . ��: �� .

01000 - 09998 ��

09999 �� . �� ipfw add 09999 skipto 65000 ip from any to any

10000 - 10999 �� lo

11000 - 11999 �� 1

11000 - 11999 �� 2 ...

64000 - 64999 �� 2

65000 - 65534 �� /��

65535 ��
��:
�) 5 �� , �� 00001 0001 001 � 1 ��
�) �� 999 �� ipfw add ��999 skipto 65000 ip from any to any
�� , �� . ��! �� ��999 �� �� , �� -�� . �� , �� . (��. ��998 ��)

��

� �� xx000 - xx998
xx999 �� ipfw add ��999 skipto 65000 ip from any to any
�� y00: ��100, ��200, ..., ��900

��000 - ��099 ��. �� 00001- 00089 �� "��" ��

��101 - ��199 �� . �� 192.168.0.0/24, �� , �� :
ipfw add 11101 deny all from not 192.168.0.0/24 to any in recv rl0

��201 - ��299 �� (count) �� , ��. �� (�� src-ip)

xx301 - xx399 �� skipto xx500 ��, �� /�� . �� . (�� )

��401 - ��499 �� /�� . �� , ��. �� . � �� src-ip.

��501 - ��599 �� /�� .

��601 - ��699 �� (count) �� , ��. �� (�� dst-ip)

��701 - ��799 �� skipto ��900 ��, �� /�� . �� . (��. �� )

��801 - ��899 �� /�� . �� , ��. �� IP � �� . � �� dst-ip. (��. �� ALTQ)

��901 - ��997 �� . �.�. � �� , �� , �� . �� , �� IP I.N.E.T:

ipfw add 11903 allow all from I.N.E.T to any out xmit rl0
ipfw add 11903 allow all from any to I.N.E.T in recv rl0

�� 192.168.0.1/255.255.255.0 (�� ), �� :

ipfw add 11903 allow all from 192.168.0.0/24 to 192.168.0.1 in recv rl1
ipfw add 11903 allow all from 192.168.0.1 to 192.168.0.0/24 out xmit rl1

�� , �� . �� , �� , �� , ��, �� .
�� 5 �� 10. � �� . �� 6-8 �� , �� (��10) ��03, ��13, ��23 � ��. �� : ��01, ��02, ��03, �.�. �� /�� -�� 01 � ��02, �� 01 ��. �� , �� . �� /�� 5/10. �� .

��998 �� : deny log all from any to any via IFACE
�� . �� /var/log/security
Jun 21 15:58:02 kes kernel: ipfw: 10998 Deny ICMP:5.1 10.0.16.3 172.16.128.61 in via rl0
Jun 21 15:58:02 kes kernel: ipfw: 10998 Deny ICMP:5.1 10.0.16.3 172.16.128.61 in via rl0
� �� /etc/newsyslog.conf, �� :
/var/log/security 600 10 100 * JC
�� =)

��999 �� : skipto 65000 ip from any to any
�� 65000 - 65535 ��.
�� . �� , �� 998 �� .
�� =)

��!!!
�� .
�� .
��, �� !

�� :
65534 ipfw add deny log all from any to any

�� .

�� , �� : rl0, rl1, em0, ng*. �� ng* �� VPN ��. �� ng0, ng1 ... ngX � �� "ng*", �� "ng". �� =)

�� :
#mkdir /usr/local/etc/firewall
#cd /usr/local/etc/firewall
#touch firewall
#chmod 700 firewall

� �� :

#!/bin/sh
#������ �������� � ������� ��� start|stop|reload
#��������� ������ ���� � ipfw
if [ -n "${2}" ]; then
  fwcmd=${2}
else
  fwcmd="/sbin/ipfw" #���� ������ �� ������
fi
workDir="/usr/local/etc/firewall"
start () {
#This rule set are independed. So run it first.
#��������� ���� � ������� �������
 . $workDir/f-pipes.ipfw
#We wanna count something???
#���� � ������� ���������
 if [ -f $workDir/f-count.ipfw ]; then
  . $workDir/f-count.ipfw
 fi
#���� � ������� �� ���������
 if [ -f /$workDir/f-defaults.ipfw ]; then
     num=00
     . $workDir/f-defaults.ipfw
 fi
#��������� rl0 ����� ��������� �� 10000, ������� num = 10
 num=10
 . $workDir/f_rl0
#��������� tun0 ����� ��������� �� 11000, ������� num = 11
 num=11
 . $workDir/f_tun0
 num=13
 . $workDir/f_ng*
#�������� �������� ������� ����� � ������� � ��������  ". $workDir/f_tun0" �����������
#��� ��� �������� ������ �� �����
#this rule must be runned last to be the last record in 9999 rule
#�� ��������� ���� ������ ���� �� 65000 �������
 ${fwcmd} add 9999 skipto 65000 all from any to any
#�� ��������� ������� �� � ����� � ���
 ${fwcmd} add 65534 deny log all from any to any
}
#������� ��� �������, �����, �������
stop () {
 ${fwcmd} -f flush
 ${fwcmd} -f pipe flush
 ${fwcmd} -f queue flush
}
#��������� ������ �������� �����. ������� 99!
setup_loopback () {
############
# Only in rare cases you want to change these rules
#
${fwcmd} add 99 pass all from any to any via lo0
${fwcmd} add 99 deny all from any to 127.0.0.0/8
${fwcmd} add 99 deny ip from 127.0.0.0/8 to any
}
#���������� ����������� �������� =)
echo `date` >> /etc/reboot
case ${1} in
start)
    setup_loopback
    start
    ;;
stop)
    stop
    ;;
reload)
    stop
    setup_loopback
    start
    ;;
*)
    echo "Usage: `basename ${0}` { start | stop | reload& } "
    echo "WARNING!!! WARNING!!! WARNING!!! WARNING!!! WARNING!!!"
    echo "Don't foget to add '&' if you reload the firewall remoutly"
    ;;
esac

�� , �� �� & �� . �� .
�� :`-((

�� :
# touch f-count.ipfw
# touch f-pipes.ipfw
# touch "f_ng*"
# touch f_rl0
# touch f_tun0

�� :

#!/bin/sh
iface="���_����������"
#�������������� ������ � ������ ������ �� ������� ������� �������� �� ��������� ${iface}
 ${fwcmd} add 9999 skipto ${num}000 all from any to any via "${iface}"

�� , �� , �� , �� rl2 -> em0, � �� . �� ;-)

�� $fwcmd � $num �� firewall
�� ng*
f_ng*

#!/bin/sh
iface="���_����������"
#�������������� ������ � ������ ������ �� ������� ������� �������� �� ��������� ${iface}
 ${fwcmd} add 9999 skipto ${num}000 all from any to any via "${iface}"
#�� VPN ��� �������� ������ � ���� 192.168.0.0/16, ������� �� ��� �� ���� �������
#���������� ���� �� ����������� ������ ������� ��998 ��������, �� ����� ��� ����� �� ����������� � ������������������
 ${fwcmd} add ${num}101 deny all from not 192.168.0.0/16 to any in recv "${iface}"
#������
 ${fwcmd} add ${num}406 pipe 1 all from 192.168.7.0/24 to any in recv "${iface}"
 ${fwcmd} add ${num}406 pipe 2 all from any to 192.168.7.0/24 out xmit "${iface}"
 ${fwcmd} add ${num}406 pipe 3 all from 192.168.8.0/24 to any in recv "${iface}"
 ${fwcmd} add ${num}406 pipe 4 all from any to 192.168.8.0/24 out xmit "${iface}"
 ${fwcmd} add ${num}406 pipe 5 all from 192.168.5.0/24 to any in recv "${iface}"
 ${fwcmd} add ${num}406 pipe 6 all from any to 192.168.5.0/24 out xmit "${iface}"
#��������� ������
 ${fwcmd} add ${num}901 allow all from any to 192.168.0.0/16 out xmit "${iface}"
 ${fwcmd} add ${num}902 allow all from 192.168.0.0/16 to any in recv "${iface}"
#������� �� ��������
 ${fwcmd} add ${num}998 deny log all from any to any via "${iface}"
 ${fwcmd} add ${num}999 skipto 65000 all from any to any

f_rl0

#!/bin/sh
iface="rl0"
#Isolate traffic via "${iface}" for decrease number of passing via firewall rules
 ${fwcmd} add 9999 skipto ${num}000 all from any to any via "${iface}"
#DENY all unwanted traffic
 ${fwcmd} add ${num}101 deny all from 192.168.0.0/16to any in recv "${iface}"
 ${fwcmd} add ${num}101 deny all from 172.16.0.0/12 to any in recv "${iface}"
#��� ��������� ��� VPN ������� ��� ���������
 ${fwcmd} add ${num}401 queue 31 gre from 10.0.0.0/8 to 10.0.0.0/8 out xmit "${iface}"
 ${fwcmd} add ${num}401 queue 32 not gre from 10.0.0.0/8 to 10.0.0.0/8 out xmit "${iface}"
 ${fwcmd} add ${num}801 queue 33 gre from 10.0.0.0/8 to 10.0.0.0/8 in recv "${iface}"
 ${fwcmd} add ${num}801 queue 34 not gre from 10.0.0.0/8 to 10.0.0.0/8 in recv "${iface}"
#ALLOW rules
 ${fwcmd} add ${num}901 allow all from I.N.E.T to any out xmit "${iface}"
 ${fwcmd} add ${num}902 allow all from any to I.N.E.T in recv "${iface}"
#Allow LAN traffic
 ${fwcmd} add ${num}904 allow all from any to 10.11.0.0/16 via "${iface}"
 ${fwcmd} add ${num}904 allow all from any to 10.10.0.0/16 via "${iface}"
#��� ������ samba, ����� ����������
#����� ����������� ����� ���� �����, ������� � ������ via
 ${fwcmd} add ${num}906 allow all from any to 255.255.255.255 via "${iface}"
 ${fwcmd} add ${num}906 allow all from 255.255.255.255 to any via "${iface}"
#�� ��������
#Deny all other traffic
 ${fwcmd} add ${num}998 deny log all from any to any via "${iface}"
 ${fwcmd} add ${num}999 skipto 65000 all from any to any

f_tun0

#!/bin/sh
iface="tun0"
#Isolate traffic via "${iface}" for decrease number of passing via firewall rules
 ${fwcmd} add 9999 skipto ${num}000 all from any to any via "${iface}"
#DENY all unwanted traffic
 ${fwcmd} add ${num}103 deny all from 10.0.0.0/8 to any out xmit "${iface}"
 ${fwcmd} add ${num}103 deny all from 192.168.0.0/16 to any in recv "${iface}"
 ${fwcmd} add ${num}103 deny all from 10.0.0.0/8 to any in recv "${iface}"
 ${fwcmd} add ${num}103 deny all from 172.16.0.0/16 to any in recv "${iface}"
#Put out traffic into pipe
#�������� �������� �� ��� ����, ��� ����� ������ � ������� � �������� � ������� 
#�� ��������� �������, �� � ��������� �������!
#��� ����� ����� � ������� 22 ������ ����� � ������� ��803
 ${fwcmd} add ${num}403 queue 21 all from 192.168.1.0/24 to any out xmit "${iface}"
 ${fwcmd} add ${num}403 queue 27 all from any to 192.168.0.0/16 in recv "${iface}" 
 ${fwcmd} add ${num}803 queue 26 all from any to 192.168.1.0/24 in recv "${iface}" 
 ${fwcmd} add ${num}803 queue 27 all from any to 192.168.0.0/16 in recv "${iface}" 
#ALLOW rules
#� ������� � ��� ������� �� ��������� ����� tun0 ���������
#�� ����� ���� ����� � �-��� ����� ��������� rl0. ��� �� ��������� �� ���� ���������� (G.A.T.E) ������ ������� ������ � ��������� IP ���������� rl0 I.N.E.T
#�������� �������� ��� ����� ����� ����� �� ���� ���������� ����� rl0 � �� ����� ��������� ���� ��� ��� ���
 ${fwcmd} add ${num}901 fwd G.A.T.E all from I.N.E.T to any via "${iface}"
#������ ��������� ���� ������ ����� ���������, ��. �� tun0 IP ������������
#��� ������� - ���� � ��������!! �.�. ����� ����� ������� ���� ������ ������ � ���������� ������ � �-���
#������� �� �� �� ����� ������� � ������ ��100-��199
#������ �� 100% ���� ��������� ������, ��� ������� �� ��������. ��� ������� ������ ��������� �� ��������� �� �����!
 ${fwcmd} add ${num}902 allow all from any to any out xmit "${iface}" 
#Deny all other traffic
 ${fwcmd} add ${num}998 deny log all from any to any via "${iface}"
 ${fwcmd} add ${num}999 skipto 65000 all from any to any

��
f-pipes.ipfw

#!/bin/sh
 ${fwcmd} pipe 1 config bw 8Kbytes queue 15 mask src-ip 0xffffffff gred 0.002/10/30/0.1#in
 ${fwcmd} pipe 2 config bw 8Kbytes queue 15 mask dst-ip 0xffffffff gred 0.002/10/30/0.1#out
 ${fwcmd} pipe 3 config bw 16Kbytes queue 25 mask src-ip 0xffffffff gred 0.002/10/30/0.1#in
 ${fwcmd} pipe 4 config bw 16Kbytes queue 25 mask dst-ip 0xffffffff gred 0.002/10/30/0.1#out
 ${fwcmd} pipe 5 config bw 32Kbytes queue 50 mask src-ip 0xffffffff gred 0.002/10/30/0.1#in
 ${fwcmd} pipe 6 config bw 32Kbytes queue 50 mask dst-ip 0xffffffff gred 0.002/10/30/0.1#out
 ${fwcmd} pipe 7 config bw 4096Kbits #in
 ${fwcmd} pipe 8 config bw 1024Kbits #out
#��� ��� ��� ������� ����� ������ ���������, �� ������ � ������� 21 ������ �������������� ������ ����� ������� 22
#���� �� 22 ����� ��������� ����� �� 100%, �� ������ � ������� 21 ������� �� ������������
 ${fwcmd} queue 21 config pipe 8 weight   1 mask src-ip 0xffffffff gred 0.002/10/30/0.1
 ${fwcmd} queue 22 config pipe 8 weight  50 mask src-ip 0xffffffff gred 0.002/10/30/0.1
 ${fwcmd} queue 26 config pipe 7 weight   1 mask dst-ip 0xffffffff gred 0.002/10/30/0.1
 ${fwcmd} queue 27 config pipe 7 weight  50 mask dst-ip 0xffffffff gred 0.002/10/30/0.1
 ${fwcmd} pipe 9 config bw 2312Kbits #Out
 ${fwcmd} pipe 10 config bw 2312Kbits #In
 ${fwcmd} pipe 11 config bw 256Kbits #Out
 ${fwcmd} pipe 12 config bw 256Kbits #In
 ${fwcmd} queue 31 config pipe 9 mask dst-ip 0xffffffff gred 0.002/10/30/0.1
 ${fwcmd} queue 32 config pipe 11 mask dst-ip 0xffffffff gred 0.002/10/30/0.1
 ${fwcmd} queue 33 config pipe 10 mask src-ip 0xffffffff gred 0.002/10/30/0.1
 ${fwcmd} queue 34 config pipe 12 mask src-ip 0xffffffff gred 0.002/10/30/0.1

��

�� .
��, �� /�� . �� queue 50, �.�. 50 �� 1500 ��.
�� , ��
�� (roundrobin), �� (��?) � �� . ��
�� , �� .

ipfw pipe 1 config bw 512Kbits
ipfw add queue 1 config pipe 1 weight 10
ipfw add queue 2 config pipe 1 weight 10
ipfw add queue 3 config pipe 1 weight 10

� �� :

�� 1
�� 2
�� 3
�� 1
�� 2
�� 3
� ��.

�� , �� 512��.
�� , �� 256��.
�� 3 ��, �� 128��, � �� , �� (512-128)/2 = 192��

�� , �� . �� 0�00000000 � �� . �� mask src-ip 0xffffffff, �� (IP) �� . �� mask src-ip 0xffffff00 �� /24 �� . ��:

������ � ������� �������� 192.168.0.5, 192.168.0.17, 192.168.0.33 ������� � ���� ������� (����� ����� 192.168.0)
� ������ � ������� �������� 192.168.1.7, 192.168.1.15 ������� � ������ (������ ����� ����� 192.168.7, ������� ������ �������)
���� ��� ������� � ������� �������� 10.0.7.1, 10.0.7.3 ����� ������� � ���� ������� (����� ����� 10.0.7)

�� 0 �� , �� . �� =)

�� :

ipfw pipe 1 config bw 512Kbits mask src-ip 0xffffff00
ipfw add queue 1 config pipe 1 mask src-ip 0xffffffff
ipfw add 1 queue 1 all from any to any out xmit rl0 #�������� �� ������ � ����������

�� roundrobin � �� 255.255.255.0 �� 512��

f-count.ipfw

#!/bin/sh
#������� ��� ������ �/�� ����������
ipfw add 103 count all from any to any in recv rl0
ipfw add 104 count all from any to any out xmit rl0
#������ �� ���������� ����� ������� ������ ������ ���� router discovery, DHCP, ����������, ������� ����� �������� ������ ���� ������
ipfw add 105 count all from any to I.N.E.T in recv rl0 #�������� �� ��� IP
ipfw add 106 count all from I.N.E.T to any out xmit rl0 #��������� � ������ IP

�� num= "00" (�� 27 � firewall)
f-defaults.ipfw

#!/bin/sh
#��������� ������ � ��������� ���� � ��������
${fwcmd} add ${num}901 deny ip from 10.0.0.0/8 to any via tun0

ipfw vs pf

�� ALTQ

� �� ALTQ � �� : �� . �� , �� ! �� ALTQ. �� :
MB> �� =)
�� �� - ��  �� !!!
�� . �� -- �� -- �� -- ��
�� �� � �� �� , �� , �� �� � �� �� (roundrobin). �.�. �� ��  �� �� � ��
��?
�� �� �� (�� ) � �� ALTQ.
�� �� �� ��.
�� .
� �� ! �� TCP/IP.
�� ��  �� , �� . �� www �� , �� . �� , �� .
�� �� , �� , �� . �� �� �� K% ��. �� , �� ,
�� !

��

1. �� :

  ipfw add 1 divert natd all from any to any
  ipfw add 2 allow all from any to any

2.�� . �� : �� - �� 
� �� 115200bit � �� , �� Sirius. �� , �� :-D

3. �� , �� ��  �.�. �� (�� RED) �� (pipe) �� . �� 256�� 256�� . �� .
�� -�� , �� . �� , �� 128��, � �� , �� , �� 192��. � �� , �� 256�� ��  ��, � �� , �.�. �� 256��, � �� 128+192=320��!!!

Advanced ipfw configuring

������� ������������

�������� ������� VS �������� �������

�������� � ��������

������������� ��������� 00001-09999

��������� ������ ��� ����������

�������� �� �� ����.

������� ���� � ������� ��������� �������

ipfw vs pf

���������� ALTQ

��� �� ����� ������

��

�� VS ��

��

�� 00001-09999

��

�� .

��

�� ALTQ

��