Listing our rules
After we've entered our rules, we ask ipfwadm to list them for us using the command:
# ipfwadm -F -l
This command will list all of the configured forwarding rules. The output should look something like this:
# ipfwadm -F -l
IP firewall forward rules, default policy: accept
type prot source destination ports
deny tcp anywhere 172.16.10.0/24 www -> any
acc tcp 172.16.1.0/24 anywhere any -> www
The ipfwadm command will attempt to translate the port number into a service name using the /etc/services file, if an entry for that port exists there.
The default output is lacking in some important detail for us. In the default listing output, we can't see the effect of the -y argument. The ipfwadm command is able to produce a more detailed listing output if you specify the -e (extended output) argument too. We won't show the whole output here because it is too wide for the page, but it includes an opt (options) column that shows the -y option controlling SYN packets:
# ipfwadm -F -l -e
IP firewall forward rules, default policy: accept
pkts bytes type prot opt tosa tosx ifname ifaddress source ...
0 0 deny tcp --y- 0xFF 0x00 any any anywhere ...
0 0 acc tcp b--- 0xFF 0x00 any any 172.16.1.0/24 ...
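As an added illustration (not part of the original text or of ipfwadm itself), the following Python script parses the default ipfwadm -l listing shown above into structured rules and reports what a reviewer of that listing would want flagged, starting with the default policy of accept. The sample listing is constructed from the output above; the parser assumes the ports column is always written as source ports -> destination ports, as it is there.

```python
import re

# Constructed sample: the default "ipfwadm -F -l" output shown above,
# minus the shell prompt line.
SAMPLE_LISTING = """\
IP firewall forward rules, default policy: accept
type prot source destination ports
deny tcp anywhere 172.16.10.0/24 www -> any
acc tcp 172.16.1.0/24 anywhere any -> www
"""

HEADER_RE = re.compile(r"^IP firewall (\w+) rules, default policy: (\w+)$")
# Columns: type prot source destination sports -> dports
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)$")


def parse_listing(text):
    """Return (category, default_policy, rules) from a default -l listing."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not an ipfwadm listing header: %r" % lines[0])
    category, policy = m.groups()
    rules = []
    for line in lines[2:]:  # lines[1] is the column header
        r = RULE_RE.match(line)
        if not r:
            raise ValueError("unparsed rule line: %r" % line)
        rtype, proto, src, dst, sports, dports = r.groups()
        rules.append({"type": rtype, "prot": proto, "source": src,
                      "destination": dst, "sports": sports, "dports": dports})
    return category, policy, rules


def audit(text):
    """Flag the things a reviewer of this listing would want to know."""
    category, policy, rules = parse_listing(text)
    findings = []
    if policy == "accept":
        findings.append("default policy for %s rules is accept: any datagram "
                        "no deny rule matches is passed" % category)
    for n, r in enumerate(rules, 1):
        if r["type"] != "acc":
            continue
        if r["source"] == "anywhere" and r["destination"] == "anywhere":
            findings.append("rule %d accepts %s between any two hosts" % (n, r["prot"]))
        if r["sports"] == "any" and r["dports"] == "any":
            findings.append("rule %d accepts %s on every port" % (n, r["prot"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTING):
        print(finding)
```

Because the default listing hides the -y and -b flags, an audit built on it cannot tell a SYN-only deny from a deny of all segments; for that check, feed it the -e listing instead.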
A More Complex Example
The previous example was a simple one. Not all network services are as simple as the WWW service to configure; in practice, a typical firewall configuration would be much more complex. Let's look at another common example, this time FTP. We want our internal network users to be able to log into FTP servers on the Internet to read and write files. But we don't want people on the Internet to be able to log into our FTP servers.
We know that FTP uses two TCP ports: port 20 (ftp-data) and port 21 (ftp), so:
# ipfwadm -F -a deny -P tcp -S 0/0 20 -D 172.16.1.0/24 -y
# ipfwadm -F -a accept -P tcp -S 172.16.1.0/24 -D 0/0 20 -b
#
# ipfwadm -F -a deny -P tcp -S 0/0 21 -D 172.16.1.0/24 -y
# ipfwadm -F -a accept -P tcp -S 172.16.1.0/24 -D 0/0 21 -b
Right? Well, not necessarily. FTP servers can operate in two different modes: passive mode and active mode.[61] In passive mode, the FTP server listens for the data connection from the client. In active mode, the server itself opens the data connection to the client. Active mode is usually the default. The differences are illustrated in Figure 9.3.
Figure 9.3: FTP server modes
Many FTP servers make their data connection from port 20 when operating in active mode, which simplifies things for us a little, but unfortunately not all do.[62]
But how does this affect us? Take a look at our rule for port 20, the FTP-data port. The rule as we have it now assumes that the connection will be made by our client to the server. This will work if we use passive mode. But it is very difficult for us to configure a satisfactory rule to allow FTP active mode, because we may not know in advance what ports will be used. If we open up our firewall to allow incoming connections on any port, we are exposing our network to attack on all services that accept connections.
The dilemma is most safely resolved by insisting that our users operate in passive mode. Most FTP servers and many FTP clients will operate this way. The popular ncftp client also supports passive mode, but it may require a small configuration change to make it default to passive mode. Many World Wide Web browsers such as the Netscape browser also support passive mode FTP, so it shouldn't be too hard to find appropriate software to use. Alternatively, you can avoid the issue entirely by using an FTP proxy server that accepts a connection from the internal network and establishes connections to the outside network.
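The active/passive distinction is visible on the FTP control channel itself, where the PORT and PASV commands (footnote 61) carry the address and port for the data connection. The following Python script is an added example, not code from the original text: it decodes the h1,h2,h3,h4,p1,p2 field both commands use (port = p1*256 + p2, as defined in RFC 959), works out which side opens the data connection, and reports how a forwarding firewall in front of 172.16.1.0/24 would see that connection. Both exchanges, and the addresses in them, are constructed samples.

```python
import ipaddress
import re

# Our internal network, as used in the rules in the text.
INTERNAL_NET = ipaddress.ip_network("172.16.1.0/24")

# Constructed sample control-channel exchanges (C = client, S = server).
# Addresses and ports are made up for the example.
ACTIVE_EXCHANGE = [
    ("C", "PORT 172,16,1,10,4,1"),
    ("S", "200 PORT command successful."),
    ("C", "RETR report.txt"),
]
PASSIVE_EXCHANGE = [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,7,195,80)."),
    ("C", "RETR report.txt"),
]

HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 field into ("h1.h2.h3.h4", port)."""
    m = HOSTPORT_RE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_connection(exchange):
    """Work out from the control channel who opens the data connection, and to where."""
    for who, line in exchange:
        if who == "C" and line.upper().startswith("PORT "):
            # Active mode: the client names its own address:port and the server
            # connects to it (often, but not always, from port 20).
            ip, port = decode_hostport(line)
            return {"mode": "active", "initiator": "server", "target": (ip, port)}
        if who == "S" and line.startswith("227"):
            # Passive mode: the server names the address:port it is listening on
            # and the client connects to it.
            ip, port = decode_hostport(line)
            return {"mode": "passive", "initiator": "client", "target": (ip, port)}
    return None


def firewall_view(conn, internal_net=INTERNAL_NET):
    """Describe the data connection as the forwarding firewall would see it."""
    ip, port = conn["target"]
    if conn["initiator"] == "server" and ipaddress.ip_address(ip) in internal_net:
        return ("inbound SYN from the Internet to %s port %d: the port was chosen by "
                "the client at run time, so no fixed accept rule can allow it without "
                "opening every port" % (ip, port))
    return ("outbound connection from inside to %s port %d: the SYN leaves our "
            "network, so no inbound-SYN rule has to be opened" % (ip, port))


if __name__ == "__main__":
    for name, exchange in (("active", ACTIVE_EXCHANGE), ("passive", PASSIVE_EXCHANGE)):
        conn = data_connection(exchange)
        print(name, conn["target"], firewall_view(conn))
```

Run against the two samples, the active exchange resolves to an inbound SYN to 172.16.1.10 port 1025 and the passive one to an outbound connection to 192.0.2.7 port 50000, which is exactly the asymmetry the -y rules rely on.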
In building your firewall, you will probably find a number of these sorts of problems. You should always give careful thought to how a service actually operates to be sure you have put in place an appropriate ruleset for it. A real firewall configuration can be quite complex.
Summary of ipfwadm Arguments
The ipfwadm command has many different arguments that relate to IP firewall configuration. The general syntax is:
ipfwadm category command parameters [options]
Let's take a look at each of these.
Categories
One and only one of the following must be supplied. The category tells the firewall what sort of firewall rule you are configuring:
-I
Input rule
-O
Output rule
-F
Forwarding rule
Commands
At least one of the following must be supplied and applies only to those rules that relate to the supplied category. The command tells the firewall what action to take.
-a [policy]
Append a new rule
-i [policy]
Insert a new rule
-d [policy]
Delete an existing rule
-p policy
Set the default policy
-l
List all existing rules
-f
Flush all existing rules
The policies relevant to IP firewall and their meanings are:
accept
Allows matching datagrams to be received, forwarded, or transmitted
deny
Blocks matching datagrams from being received, forwarded, or transmitted
reject
Blocks matching datagrams from being received, forwarded, or transmitted, and sends the host that sent the datagram an ICMP error message
Parameters
At least one of the following must be supplied. Use the parameters to specify to which datagrams this rule applies:
-P protocol
Can be TCP, UDP, ICMP, or all. Example:
-P tcp
-S address[/mask] [port]
Source IP address that this rule will match. A netmask of "/32" will be assumed if you don't supply one. You may optionally specify which ports this rule will apply to. You must also specify the protocol using the -P argument described above for this to work. If you don't specify a port or port range, "all" ports will be assumed to match. Ports may be specified by name, using their /etc/services entry if you wish. In the case of the ICMP protocol, the port field is used to indicate the ICMP datagram types. Port ranges may be described; use the general syntax: lowport:highport. Here is an example:
-S 172.29.16.1/24 ftp:ftp-data
-D address[/mask] [port]
Specify the destination IP address that this rule will match. The destination address is coded with the same rules as the source address described previously. Here is an example:
[61] FTP active mode is somewhat nonintuitively enabled using the PORT command. FTP passive mode is enabled using the PASV command.
[62] The ProFTPd daemon is a good example of an FTP server that doesn't, at least in older versions.
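The argument rules stated in the Summary of ipfwadm Arguments section above (exactly one category, at least one command, a port on -S or -D only together with -P) can be checked mechanically before a rule script is loaded. The following Python lint is an added example, not part of the book or of ipfwadm: it checks each line of a constructed sample script against those rules, and the sample deliberately includes one line without a category and one that gives -D a port without -P, to show what the check catches.

```python
import shlex

CATEGORIES = {"-I", "-O", "-F"}
COMMANDS = {"-a", "-i", "-d", "-p", "-l", "-f"}
POLICIES = {"accept", "deny", "reject"}
PROTOCOLS = {"tcp", "udp", "icmp", "all"}

# Constructed sample script: the FTP rules from the text, with one line that
# omits the category and one that gives -D a port without -P.
SAMPLE_SCRIPT = """\
ipfwadm -F -a deny -P tcp -S 0/0 20 -D 172.16.1.0/24 -y
ipfwadm -F -a accept -P tcp -S 172.16.1.0/24 -D 0/0 20 -b
ipfwadm -a deny -P tcp -S 0/0 21 -D 172.16.1.0/24 -y
ipfwadm -F -a accept -S 172.16.1.0/24 -D 0/0 21 -b
"""


def lint_command(line):
    """Return the problems found in one ipfwadm command line (empty list = fine)."""
    argv = shlex.split(line)
    if not argv or argv[0] != "ipfwadm":
        return ["not an ipfwadm command: %r" % line]
    problems, categories, commands = [], [], []
    have_proto = ports_given = False
    i = 1
    while i < len(argv):
        opt = argv[i]
        # An option's operands run up to the next token that starts with "-".
        j = i + 1
        while j < len(argv) and not argv[j].startswith("-"):
            j += 1
        operands = argv[i + 1:j]
        if opt in CATEGORIES:
            categories.append(opt)
        elif opt in COMMANDS:
            commands.append(opt)
            if opt == "-p" and (len(operands) != 1 or operands[0] not in POLICIES):
                problems.append("-p needs exactly one policy: accept, deny or reject")
            elif opt in ("-a", "-i", "-d") and operands and operands[0] not in POLICIES:
                problems.append("%s: unknown policy %r" % (opt, operands[0]))
        elif opt == "-P":
            have_proto = True
            if len(operands) != 1 or operands[0].lower() not in PROTOCOLS:
                problems.append("-P needs one of tcp, udp, icmp or all")
        elif opt in ("-S", "-D"):
            if not operands:
                problems.append("%s needs an address[/mask]" % opt)
            elif len(operands) > 1:
                ports_given = True  # address followed by port(s) or a range
        elif not opt.startswith("-"):
            problems.append("unexpected operand %r" % opt)
        # Remaining options (-y, -b, -e, ...) take no operands we need to check.
        i = j
    if len(categories) != 1:
        problems.append("exactly one of -I, -O or -F is required (found %d)" % len(categories))
    if not commands:
        problems.append("at least one command (-a, -i, -d, -p, -l or -f) is required")
    if ports_given and not have_proto:
        problems.append("a port on -S or -D requires -P")
    return problems


def lint_script(text):
    """Map line number -> problems for every line of a rule script that has any."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        problems = lint_command(line)
        if problems:
            report[n] = problems
    return report


if __name__ == "__main__":
    for n, problems in sorted(lint_script(SAMPLE_SCRIPT).items()):
        for p in problems:
            print("line %d: %s" % (n, p))
```

The lint only knows the argument rules the summary states; it does not decide whether a rule is a good idea, which is the job of reading the listing afterwards.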