SOLVED IPFW failing to discard packets

LimeCrusher

I have been trying to set IPFW as a killswitch for a VPN as detailed in Transmission with OpenVPN + IPFW Killswitch (and as explained there) but it seems that IPFW fails to block traffic as intended.

I have created a test jail (testjail), copied the ipfw_rules example into a file, enabled the firewall, and set firewall_type to the path of the ipfw_rules config file. No VPN is started at this point! My config file is:
Code:
# cat /path/to/ipfw_rules
# From https://www.ixsystems.com/community/resources/fn11-3-iocage-jails-plex-tautulli-sonarr-radarr-lidarr-jackett-transmission-organizr.58/
# Allow internal traffic; the jail is using DHCP and my router has given it the 192.168.0.111 static IP in the 192.168.0.0/24 network
add 03000 allow IP from 192.168.0.111/32 to 192.168.0.0/24 keep-state
add 03000 allow IP from 192.168.0.0/24 to 192.168.0.111/32 keep-state
# Allow access to the entrance IP of the VPN for later use
add 04000 allow IP from 192.168.0.111/32 to <My VPN IP>/32 keep-state
# Allow any traffic over the VPN interface
add 05000 allow IP from any to any via tun*
# Deny any other traffic
add 65534 deny IP from any to any
I started IPFW and checked the loaded rules:
Code:
root@freenas[/]# iocage exec testjail service ipfw start
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
03000 allow ip from 192.168.0.111 to 192.168.0.0/24 keep-state :default
03000 allow ip from 192.168.0.0/24 to 192.168.0.111 keep-state :default
04000 allow ip from 192.168.0.111 to <My VPN IP> keep-state :default
05000 allow ip from any to any via tun*
65534 deny ip from any to any
Firewall rules loaded.
root@freenas[/]# iocage exec testjail ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
03000 allow ip from 192.168.0.111 to 192.168.0.0/24 keep-state :default
03000 allow ip from 192.168.0.0/24 to 192.168.0.111 keep-state :default
04000 allow ip from 192.168.0.111 to <My VPN IP> keep-state :default
05000 allow ip from any to any via tun*
65534 deny ip from any to any
65535 allow ip from any to any
The output above seems to match my ipfw_rules config file, apart from the loopback and local IPv6 stuff and the last line that allows everything.
Now I would expect IPFW to block every connection attempt, as no VPN is started yet. But I can ping whatever I want, for instance:
Code:
root@freenas[/]# iocage exec testjail ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=64 time=0.455 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.505 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.474 ms
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.455/0.478/0.505/0.021 ms

What am I doing wrong here? I don't understand the IPv6 stuff. Is it messing with me?


EDIT: Solved it!!
According to the IPFW documentation, the rules mention the protocol as it appears in /etc/protocols, namely in lower case! In my ipfw_rules I used IP instead of ip as the protocol, which was then never recognized by IPFW, even though ipfw list shows the rules in lower case.
Fun part: I did so because the original guide was doing so. After refreshing the page, the IP had been changed to ip :grin:
Also, people often circumvent this problem by using the keyword all to match all protocols.
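The lesson of this thread is that a rules file can load cleanly, list back in lower case, and still match nothing, so a visual check of `ipfw list` proves nothing. As an added example that is not part of LimeCrusher's post or the linked guide, the script below does two things: it lints a rules file for protocol tokens that are not in the exact lower-case form ipfw matches, flagging the upper-case `IP` from the post, and it provides the check that was missing, namely a ping that must fail plus a growing packet counter on the final deny rule. Assumptions (mine): the rules use the `add <num> <action> <proto> from ... to ...` form shown above; the keyword list is a hand-picked subset of what ipfw accepts; /etc/protocols is consulted case-sensitively when present; 203.0.113.10 stands in for the VPN entry address; the ping flags are FreeBSD's.

```shell
#!/bin/sh
# Added example, not code from the original post or guide: lint an ipfw rules
# file for protocol tokens ipfw will not match, and verify the killswitch.

# Protocol tokens ipfw understands directly (lower case only). ipfw matches the
# names as written in /etc/protocols and prints them back in lower case, so an
# upper-case token loads without error but never matches a packet.
# Assumption: this list is a hand-picked subset, not the full ipfw(8) grammar.
IPFW_PROTO_KEYWORDS="all ip ip4 ipv4 ip6 ipv6 tcp udp icmp ipv6-icmp"

# lint_ipfw_protocols FILE
#   Prints one line per "add" rule whose protocol token is neither a known
#   keyword, a protocol number, nor an exact (case-sensitive) name from
#   /etc/protocols. Returns 0 when nothing is flagged, 1 otherwise.
lint_ipfw_protocols() {
    awk -v keywords="$IPFW_PROTO_KEYWORDS" '
    BEGIN {
        n = split(keywords, kw, " ")
        for (i = 1; i <= n; i++) ok[kw[i]] = 1
        # Exact names from /etc/protocols; aliases such as "IP" are not added.
        while ((getline line < "/etc/protocols") > 0) {
            sub(/#.*/, "", line)
            if (split(line, f, /[ \t]+/) >= 1 && f[1] != "") ok[f[1]] = 1
        }
        bad = 0
    }
    /^[ \t]*#/ { next }                     # comment line
    NF == 0    { next }                     # blank line
    $1 == "add" {
        i = 2
        if ($i ~ /^[0-9]+$/) i++            # optional rule number
        proto = $(i + 1)                    # token after the action
        if (proto ~ /^[0-9]+$/ || (proto in ok)) next
        hint = (tolower(proto) in ok) ? " (use lower case: " tolower(proto) ")" : ""
        printf "%s:%d: protocol token %s not recognized%s\n", FILENAME, FNR, proto, hint
        bad = 1
    }
    END { exit bad }' "$1"
}

# Constructed copy of the rules from the post, upper-case IP included; the VPN
# entry address is a documentation placeholder.
write_broken_rules() {
    cat > "$1" <<'EOF'
add 03000 allow IP from 192.168.0.111/32 to 192.168.0.0/24 keep-state
add 03000 allow IP from 192.168.0.0/24 to 192.168.0.111/32 keep-state
add 04000 allow IP from 192.168.0.111/32 to 203.0.113.10/32 keep-state
add 05000 allow IP from any to any via tun*
add 65534 deny IP from any to any
EOF
}

# The same rules with lower-case tokens; "all" on the final deny is the form
# the post mentions people use to sidestep the problem.
write_fixed_rules() {
    cat > "$1" <<'EOF'
add 03000 allow ip from 192.168.0.111/32 to 192.168.0.0/24 keep-state
add 03000 allow ip from 192.168.0.0/24 to 192.168.0.111/32 keep-state
add 04000 allow ip from 192.168.0.111/32 to 203.0.113.10/32 keep-state
add 05000 allow ip from any to any via tun*
add 65534 deny all from any to any
EOF
}

# verify_killswitch HOST
#   The behavioural check: with the rules loaded and no VPN up, a ping must
#   fail and the packet counter on rule 65534 (ipfw -a list) must grow.
#   Needs ipfw and FreeBSD ping (-t is a timeout in seconds there), so this is
#   run by hand inside the jail, not by the self-test.
verify_killswitch() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not available here"; return 2; }
    before=$(ipfw -a list 65534 | awk '{print $2}')
    if ping -c 3 -t 5 "$1" >/dev/null 2>&1; then
        echo "FAIL: ping to $1 got through the firewall"; return 1
    fi
    after=$(ipfw -a list 65534 | awk '{print $2}')
    echo "deny rule 65534 packet counter: $before -> $after"
    [ "$after" -gt "$before" ]
}

# Stand-alone demo: lint both constructed files (needs no ipfw).
demo() {
    dir=$(mktemp -d) || return 1
    write_broken_rules "$dir/broken"; write_fixed_rules "$dir/fixed"
    lint_ipfw_protocols "$dir/broken"; echo "broken rules: lint exit $?"
    lint_ipfw_protocols "$dir/fixed";  echo "fixed rules:  lint exit $?"
    rm -rf "$dir"
}
demo
```

Run the lint against the real rules file before `service ipfw start`, then run `verify_killswitch 1.1.1.1` inside the jail with the VPN down; a killswitch that has not been shown to block anything is not a killswitch.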