Solved IPFW for Unbound DNS resolver ipv4/v6

I have been trying to build a firewall for an Unbound DNS resolver for a month and have not been successful; I have solved almost all of the configs except the IPFW rules. I am using FreeBSD 12.1-RELEASE-p5.
Below is my rule list.
NOTE: a.a.a.a, b.b.b.b, c.c.c.c and d.d.d.d are my IPv4 public IP pools;
hhhh:hhhh::/32 is my IPv6 public IP pool.

Problems I have:
a) IPv6 hosts are unable to connect/establish to port 53 (no count in ipfw show)
b) ping6 doesn't work (there is a count in ipfw show but I can't ping facebook.com, yahoo.com and ipv6.google.com)
c) can't establish IPv6 connectivity over TLS at port 853 (there is a count in ipfw show but I can establish the connection once verified with netstat -b)

If I stop/disable IPFW everything works amazingly fine; kindly help me find where I went wrong in the rule set below.


A copy of my IPFW.rules is below:

Code:
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="vtnet0"     # interface name of NIC attached to Internet

#  Loopback 
$cmd 00009 allow ip6 from any to any via lo0
$cmd 00010 allow all from any to any via lo0
$cmd 00101 check-state

# Allow access to public DNS over TLS using Unbound
$cmd 00111 allow ip6 from me6 to any proto tcp dst-port 853 out via $pif setup keep-state
$cmd 00112 allow tcp from me to any 853 out via $pif setup keep-state

# Allow outbound Ping
$cmd 00249 allow ipv6-icmp from me6 to any out via $pif keep-state
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow outbound NTP
$cmd 00260 allow udp from any to any 123 out via $pif keep-state

# deny and log all other outbound connections
$cmd 00299 deny log all from any to any out via $pif

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif     #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif      #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif         #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif        #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif          #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif     #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif       #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif    #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif        #Class D & E multicast


# allow ping only ip pools
$cmd 00310 allow icmp from a.a.a.a/24 to any in via $pif
$cmd 00311 allow icmp from b.b.b.b/22 to me in via $pif
$cmd 00312 allow icmp from c.c.c.c/22 to me in via $pif
$cmd 00313 allow icmp from d.d.d.d/22 to me in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif


# Deny all Netbios services.
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny fragments
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow inbound SSH connections from Office pool
$cmd 00410 allow tcp from a.a.a.a/24 to me 22 in via $pif setup limit src-addr 2

#Allow Inbound DNS requests from Public IP Pools
$cmd 00440 allow ip6 from hhhh:hhhh::/32 to me6 53 proto udp in via $pif keep-state
$cmd 00441 allow ip6 from hhhh:hhhh::/32 to me6 53 proto tcp in via $pif setup keep-state
$cmd 00450 allow udp from b.b.b.b/22 to me 53 in via $pif keep-state
$cmd 00451 allow udp from c.c.c.c/22 to me 53 in via $pif keep-state
$cmd 00452 allow udp from d.d.d.d/22 to me 53 in via $pif keep-state
$cmd 00453 allow tcp from b.b.b.b/22 to me 53 in via $pif setup keep-state
$cmd 00454 allow tcp from c.c.c.c/22 to me 53 in via $pif setup keep-state
$cmd 00455 allow tcp from d.d.d.d/22 to me 53 in via $pif setup keep-state

# Allow SNMPD Server
$cmd 00475 allow udp from a.a.a.a/24 to me 161 in via $pif keep-state

# Reject and log all other incoming connections
$cmd 00499 deny log all from any to any in via $pif

# Everything else is denied and logged
$cmd 00999 deny log all from any to any
 
You need to allow outgoing traffic from your IP address. Open /etc/rc.firewall and read the file for good example.
 
Will this rule help for both IPv4 and IPv6?
Code:
$cmd 00005 allow all from any to any via $pif
 
Yes it will allow both IPv4 and IPv6 protocols but it's better to deny all traffic and allow only the traffic of interest.

Did you read the man page of ipfw(8)?
 
Thank you. I am able to establish DNS requests from the IPv6 pools and also ping all IPv6 hosts with the rules below, but I am not able to connect to the DNS servers over TLS on port 853, which is rule number 113 for IPv6. I am able to connect to the same IPv4 IPs via rule 112.
Code:
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="em0"     # interface name of NIC attached to Internet
# setup_loopback and setup_ipv6_mandatory are functions from /etc/rc.firewall;
# they are not defined in this script (calling them here is a sh syntax error),
# so their rules are written out explicitly below.

#loopback and icmp
$cmd 00011 allow all from any to any via lo0
$cmd 00012 allow ip6 from any to any via lo0
$cmd 00013 deny all from any to 127.0.0.0/8
$cmd 00014 deny ip from 127.0.0.0/8 to any
$cmd 00015 deny all from any to ::1
$cmd 00016 deny all from ::1 to any
$cmd 00017 allow ipv6-icmp from fe80::/10 to fe80::/10
$cmd 00018 allow ipv6-icmp from fe80::/10 to ff02::/16
$cmd 00019 allow ipv6-icmp from any to any icmp6types 1
$cmd 00020 pass ipv6-icmp from any to any icmp6types 2,135,136

$cmd 00050 allow tcp from any to any established via $pif
$cmd 00051 allow all from any to any frag via $pif
$cmd 00052 check-state

# Allow DNS replies to Office pool  and DNS requests over TLS
$cmd 00108 allow ip6 from me6 53 to any proto udp out via $pif keep-state
$cmd 00109 allow ip6 from me6 53 to any proto tcp out via $pif setup keep-state
$cmd 00110 allow udp from me 53 to any out via $pif keep-state
$cmd 00111 allow tcp from me 53 to any out via $pif setup keep-state
$cmd 00112 allow tcp from me to any 853 out via $pif setup keep-state
$cmd 00113 allow ip6 from me6 to any 853 proto tcp out via $pif setup keep-state
 
Code:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ip6 from any to any proto ipv6-icmp ip6 icmp6types 1
01000 allow ip6 from any to any proto ipv6-icmp ip6 icmp6types 2,135,136
01100 check-state :default
01200 allow tcp from me to any established
01250 allow tcp from me6 to any established
01300 allow tcp from me to any setup keep-state :default
01350 allow tcp from me6 to any setup keep-state :default
01400 allow udp from me to any keep-state :default
01450 allow udp from me6 to any keep-state :default
01500 allow icmp from me to any keep-state :default
01600 allow ipv6-icmp from me to any keep-state :default
01700 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
01800 allow udp from any 67 to me 68 in
01900 allow udp from any 67 to 255.255.255.255 68 in
02000 allow udp from fe80::/10 to me 546 in
02100 allow icmp from any to me icmptypes 8
02200 allow ip6 from any to me proto ipv6-icmp ip6 icmp6types 128,129
02300 allow icmp from any to me icmptypes 3,4,11
02400 allow ip6 from any to me proto ipv6-icmp ip6 icmp6types 3

Your rules go here, like "02500 allow tcp from any to me 22"

65535 deny ip from any to any # This is default rule not included in your conf.
 
Did you try to use /etc/rc.firewall and just feed it from your /etc/rc.conf? What's so special about your setup or needs? Did you RTFM firewall(7)? I guess you just need to set this in rc.conf:
Code:
firewall_simple_iif="em0"
firewall_simple_inet="a.a.a.a/24 b.b.b.b/22 c.c.c.c/22 d.d.d.d/22"
firewall_simple_oif="em1"
firewall_simple_onet="xxy..."
#  firewall_simple_iif_ipv6:    defaults to same as IPv4 iif
firewall_simple_inet_ipv6="hhhh:hhhh::/32"
#  firewall_simple_oif_ipv6:    defaults to same as IPv4 oif
#  firewall_simple_onet_ipv6:    Outside IPv6 network prefix.
Try that (back up rc.firewall to *.orig), and then insert rules for SSH (copy from the "workstation" section), SNMPD and TLS port 853. You will even quickly be able to add your own "my_services" like in the "workstation" section, and voilà, you have what you want.
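As an added example (not the poster's script and not FreeBSD's rc.firewall), here is a minimal stateful ruleset for a dual-stack Unbound resolver that combines the inbound pool restrictions from the first post with the mandatory ICMPv6 rules shown in the third reply. It keeps the thread's a.a.a.a/24, b.b.b.b/22 and hhhh:hhhh::/32 placeholders, assumes vtnet0 is the Internet-facing NIC, and by default only prints the rules so they can be reviewed on any machine.

```shell
#!/bin/sh
# Added example (not from the thread): minimal stateful IPFW ruleset for a
# dual-stack Unbound resolver, built so it can be previewed without ipfw.
# a.a.a.a/24, b.b.b.b/22 and hhhh:hhhh::/32 are the thread's pool placeholders;
# vtnet0 as the Internet-facing NIC is an assumption.
pif="${PIF:-vtnet0}"
v4pools="${V4POOLS:-a.a.a.a/24 b.b.b.b/22}"
v6pools="${V6POOLS:-hhhh:hhhh::/32}"

emit_rules() {
    # DRYRUN=1 (the default) prints the rules; DRYRUN=0 flushes and loads them.
    if [ "${DRYRUN:-1}" = "1" ]; then
        cmd="echo ipfw -q add"
    else
        ipfw -q -f flush
        cmd="ipfw -q add"
    fi
    $cmd 00010 allow ip from any to any via lo0
    $cmd 00011 deny ip from any to 127.0.0.0/8
    $cmd 00012 deny ip from 127.0.0.0/8 to any
    $cmd 00013 deny ip from any to ::1
    $cmd 00014 deny ip from ::1 to any
    # Mandatory ICMPv6 (what rc.firewall's setup_ipv6_mandatory provides):
    # without neighbor discovery (135/136) and router discovery (133/134)
    # no IPv6 flow can even start, whatever the port 53 / 853 rules say.
    $cmd 00020 allow ipv6-icmp from :: to ff02::/16
    $cmd 00021 allow ipv6-icmp from fe80::/10 to fe80::/10
    $cmd 00022 allow ipv6-icmp from fe80::/10 to ff02::/16
    $cmd 00023 allow ipv6-icmp from any to any icmp6types 1,2,3,4,133,134,135,136
    # check-state early so packets of existing flows are matched against the
    # dynamic table before any deny rule can drop them.
    $cmd 00100 check-state
    # Resolver's own outbound: upstream DNS (53) and DNS over TLS (853), both families.
    $cmd 00200 allow tcp from me to any 53,853 out via $pif setup keep-state
    $cmd 00201 allow tcp from me6 to any 53,853 out via $pif setup keep-state
    $cmd 00202 allow udp from me to any 53 out via $pif keep-state
    $cmd 00203 allow udp from me6 to any 53 out via $pif keep-state
    $cmd 00204 allow icmp from me to any out via $pif keep-state
    # Inbound queries only from the listed pools; keep-state covers the replies.
    for net in $v4pools; do
        $cmd 00300 allow udp from $net to me 53 in via $pif keep-state
        $cmd 00301 allow tcp from $net to me 53 in via $pif setup keep-state
    done
    for net in $v6pools; do
        $cmd 00310 allow udp from $net to me6 53 in via $pif keep-state
        $cmd 00311 allow tcp from $net to me6 53 in via $pif setup keep-state
    done
    $cmd 00999 deny log ip from any to any
}

emit_rules
```

Run it as-is to preview the generated rules; run with DRYRUN=0 on the FreeBSD host to flush and load them.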
 