LimeCrusher (Explorer). Joined: Nov 25, 2018. Messages: 87
I have been trying to set IPFW as a killswitch for a VPN as detailed in Transmission with OpenVPN + IPFW Killswitch (and as explained there) but it seems that IPFW fails to block traffic as intended.
I have created a test jail (testjail), copied the ipfw_rules example into a file, enabled the firewall, and defined firewall_type as the path to the ipfw_rules config file. No VPN is started at this point! My config file is:

Code:
# cat /path/to/ipfw_rules
# From https://www.ixsystems.com/community/resources/fn11-3-iocage-jails-plex-tautulli-sonarr-radarr-lidarr-jackett-transmission-organizr.58/
# Allow internal traffic, jail is using DHCP and my router has given it the 192.168.0.111 static IP in the 192.168.0.0/24 network
add 03000 allow IP from 192.168.0.111/32 to 192.168.0.0/24 keep-state
add 03000 allow IP from 192.168.0.0/24 to 192.168.0.111/32 keep-state
# Allow access to Entrance IP for VPN for later use
add 04000 allow IP from 192.168.0.111/32 to <My VPN IP>/32 keep-state
# Allow any traffic over the VPN interface
add 05000 allow IP from any to any via tun*
# Deny any other traffic
add 65534 deny IP from any to any

I started IPFW and checked the loaded rules:

Code:
root@freenas[/]# iocage exec testjail service ipfw start
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
03000 allow ip from 192.168.0.111 to 192.168.0.0/24 keep-state :default
03000 allow ip from 192.168.0.0/24 to 192.168.0.111 keep-state :default
04000 allow ip from 192.168.0.111 to <My VPN IP> keep-state :default
05000 allow ip from any to any via tun*
65534 deny ip from any to any
Firewall rules loaded.
root@freenas[/]# iocage exec testjail ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
03000 allow ip from 192.168.0.111 to 192.168.0.0/24 keep-state :default
03000 allow ip from 192.168.0.0/24 to 192.168.0.111 keep-state :default
04000 allow ip from 192.168.0.111 to <My VPN IP> keep-state :default
05000 allow ip from any to any via tun*
65534 deny ip from any to any
65535 allow ip from any to any

The output above seems to match my ipfw_rules config file, apart from the loopback rules, the local IPv6 stuff and the last line that allows everything. Now I would expect IPFW to block every connection attempt, as no VPN is started yet. But I can ping whatever I want, for instance:

Code:
root@freenas[/]# iocage exec testjail ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=64 time=0.455 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.505 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.474 ms
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.455/0.478/0.505/0.021 ms

What am I doing wrong here? I don't understand the IPv6 stuff. Is it messing with me?

EDIT: Solved it!!
According to the IPFW documentation, the rules mention the protocol as it appears in /etc/protocols, namely in lower case! In my ipfw_rules, I used "IP" instead of "ip" as the protocol, which was then never recognized by IPFW, even though "ipfw list" would show the rules in lower case.
Fun part: I did so because the original guide was doing so. After refreshing the page, the "IP" had been changed to "ip".
Also, people often circumvent this problem by using the keyword "all" to match all protocols.
Last edited:
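As an added example (not from the original post or the guide it cites), here is a small POSIX shell linter that catches the exact mistake found above before the ruleset is loaded: every "add" rule whose protocol token is not lowercase is reported, because ipfw only treats the lowercase tokens ip and all as "any protocol", while ipfw list still prints the loaded rule as ip and so hides the problem. The function name, the file name and the sample ruleset are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): lint an ipfw_rules file for the
# protocol-keyword mistake described above. ipfw accepts the lowercase tokens
# "ip" and "all" as "any protocol"; an uppercase "IP" is not recognized as that
# keyword, so the rule never matches even though "ipfw list" prints it as "ip".
# Usage: lint_ipfw_rules /path/to/ipfw_rules ; exit status 1 if a rule is flagged.

# Constructed sample ruleset that reproduces the dead "deny IP" rule from the post.
SAMPLE_RULES='# Allow internal traffic
add 03000 allow IP from 192.168.0.111/32 to 192.168.0.0/24 keep-state
add 05000 allow ip from any to any via tun*
add 06000 allow tcp from me to any 443 keep-state
add 65533 deny log all from any to any
add 65534 deny IP from any to any'

# lint_ipfw_rules FILE: print one line per "add" rule whose protocol token is not
# lowercase, and return 1 if any such rule exists (0 if the file is clean).
lint_ipfw_rules() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }          # skip comments and blank lines
        $1 == "add" {
            # Rule layout: add <num> <action> [log ...] <proto> from <src> to <dst> ...
            # so the protocol is the token immediately before "from".
            proto = ""
            for (i = 4; i <= NF; i++)
                if ($i == "from") { proto = $(i - 1); break }
            if (proto == "") next                # e.g. check-state rules have no "from"
            if (proto != tolower(proto)) {
                printf "rule %s: protocol \"%s\" is not lowercase; use \"%s\" or \"all\"\n", $2, proto, tolower(proto)
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Stand-alone run (sh lint.sh --demo): lint the constructed sample from a temp file.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE_RULES" > "$tmp"
    lint_ipfw_rules "$tmp"; rc=$?
    rm -f "$tmp"; exit "$rc"
fi
```

Run it against the real file before "service ipfw start"; a clean exit status means every rule uses a lowercase protocol keyword, which is the condition the post ended up needing.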