[HOWTO] - NAS4Free IPFW RULES


Postby ldkraemer » 01 Jul 2012 03:16

[HOWTO] - NAS4Free IPFW RULES for SSH & SFTP to your NAS4Free Server


NAS4Free Current Version - Embedded


What is a Computer Network?

If you simply connect your four computers at home together via Ethernet, you have what is called a LAN (Local Area Network).
If everything is within walking distance, it's usually called a LAN, however many machines are connected to it, and whatever
you've built the network out of. If your LAN has a Wifi Router and you are using Laptops, Phones, or Desktops with Wifi
capability, then you also have WLAN (Wireless Local Area Network).

The other end of the spectrum is a WAN (Wide Area Network). If you have one computer in Lahore, Pakistan, one in Birmingham,
UK and one in Santiago, Chile, and you manage to connect them, it's a WAN (Wide Area Network).

If you would like to know more see this site for more details:
http://www.netfilter.org/documentation/HOWTO/networking-concepts-HOWTO.html


What is the `Internet'?

The Internet is a "WAN" which spans the entire globe: it is the largest computer network in existence. The phrase `internetworking'
refers to connecting separate networks to build a larger one, hence `The Internet' is the connection of a whole pile of subnetworks.

So, now we look at the above items and ask ourselves: What is the Internet's size, physical details, and protocols?

The size is already established: it's global.

The physical details are varied however: each little sub-network is connected differently, with a different layout and physical nature.
Attempts to map it in a useful way have generally met with abject failure.

The protocols spoken by each link are also often different: all of the "link-level protocols" are used, and many more.


How Does The Internet Work?

The question then arises: how come every node on the Internet can talk to the others, if they all use different link-level protocols to
talk to each other?

The answer is fairly simple: we need another protocol which controls how stuff flows through the network. The link-level protocol describes
how to get from one node to another if they're connected directly: the `network protocol' tells us how to get from one point in the network
to any other, going through other links if necessary.

For the Internet, the network protocol is the Internet Protocol (version 4), or `IP'. It's not the only protocol out there (Apple's AppleTalk,
Novell's IPX, Digital's DECNet and Microsoft's NetBEUI being others) but it's the most widely adopted. There's a newer version of IP called
IPv6, but it's still not common.

So, to send a message from one side of the globe to another, your computer writes a bit of Internet Protocol, sends it to your modem,
which uses some modem link-level protocol to send it to the modem it's dialed up to, which is probably plugged into a terminal server
(basically a big box of modems), which sends it to a node inside the ISP's network, which sends it out usually to a bigger node, which
sends it to the next node... and so on. A node which connects two or more networks is called a `router': it will have one "interface"
for each network.


Groups of IP Addresses: Network Masks

There is one last detail: there is a standard notation for groups of IP addresses, sometimes called a `network address'. Just like a phone
number can be broken up into an area prefix and the rest, we can divide an IP address into a network prefix and the rest.

It used to be that people would talk about `the 1.2.3 network', meaning all 256 addresses from 1.2.3.0 to 1.2.3.255. Or if that wasn't a
big enough network, they might talk about the `1.2 network' which meant all addresses from 1.2.0.0 to 1.2.255.255.

We usually don't write `1.2.0.0 - 1.2.255.255'. Instead, we shorten it to `1.2.0.0/16'. This weird `/16' notation (it's called a `netmask')
requires a little explanation.

Each number between the dots in an IP address is actually 8 binary digits (00000000 to 11111111): we write them in decimal form to make
it more readable for humans. The `/16' means that the first 16 binary digits are the network address; in other words, the `1.2.' part is
the network (remember: each number between the dots represents 8 binary digits). This means any IP address beginning with `1.2.' is part of the
network: `1.2.3.4' and `1.2.3.50' are, and `1.3.1.1' is not.

To make life easier, we usually use networks ending in `/8', `/16' and `/24'. For example, `10.0.0.0/8' is a big network containing any
address from 10.0.0.0 to 10.255.255.255 (over 16 million addresses!). 10.0.0.0/16 is smaller, containing only IP addresses from
10.0.0.0 to 10.0.255.255. 10.0.0.0/24 is smaller still, containing addresses 10.0.0.0 to 10.0.0.255.

To make things confusing, there is another way of writing netmasks. We can write them like IP addresses: 10.0.0.0/255.0.0.0

Finally, it's worth noting that the very highest IP address in any network is reserved as the `broadcast address', which can be used to send
a message to everyone on the network at once.

Here is a table of network masks:


       Short   Full                    Maximum        Comment
       Form    Form                   #Machines

       /8      /255.0.0.0             16,777,215      Used to be called an `A-class'
       /16     /255.255.0.0               65,535      Used to be called an `B-class'
       /17     /255.255.128.0             32,767
       /18     /255.255.192.0             16,383
       /19     /255.255.224.0              8,191
       /20     /255.255.240.0              4,095
       /21     /255.255.248.0              2,047
       /22     /255.255.252.0              1,023
       /23     /255.255.254.0                511
       /24     /255.255.255.0                255      Used to be called a `C-class'
       /25     /255.255.255.128              127
       /26     /255.255.255.192               63
       /27     /255.255.255.224               31
       /28     /255.255.255.240               15
       /29     /255.255.255.248                7
       /30     /255.255.255.252                3
       /31     /255.255.255.253                2
       /32     /255.255.255.254                1


As an example, an address specified as 1.2.3.4/24{128,35-55,89} or 1.2.3.0/24{128,35-55,89}
will match the following IP addresses: 1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89


ENABLE NAS4Free SERVICES:

To properly setup CIFS, FTP, SSH, and NFS refer to the Setup Guide, Sections 2 & 6 at:
http://wiki.nas4free.org/doku.php?id=documentation:setup_and_user_guide

I decided to setup my NAS4Free services in an orderly fashion, and I started with NFS. Once NFS was working I setup SSH, FTP, and CIFS/SMB.
I tested each as I enabled the service, and after I FORWARDED my Router Port 22, I kept an eye on the Diagnostics | Log files so I knew
what was happening with my server. I also scanned my Ports after turning on each service so I knew what Ports were OPEN on my NAS4Free Server.

NAS4Free_OpenPorts.gif


Now, realizing that your NAS4Free ports must have access to the Internet before anyone from the outside can access your NAS4Free Server, we can
DELAY Forwarding any Router Ports until the NAS4Free Setup and Configuration is complete. The NAS4Free Ports will be “OPEN” to any LOCAL
Computer that is connected to our Local Area Network (LAN), but not the WAN because your Router Port must be MANUALLY FORWARDED allowing
Server access via WAN.

There is one thing you need to understand about setting up your router. If your Client Software is accessing your neighbor's NAS4Free Server sitting
behind your neighbor's router on the WAN, ONLY your neighbor needs to FORWARD his router's Port 22 to his NAS4Free Server for you to be able to
access it via ssh. Your router doesn't need Port 22, or any others, FORWARDED. So, with your Router Ports CLOSED, you are now ready to set up
your NAS4Free Server from some computer connected to your Local Area Network.

For more detailed information on the Port Number Usage see: http://www.iana.org/assignments/port-numbers


MY TYPICAL LAN:

So, what does a typical LAN look like? The following photo shows what my present LAN contains. We should have covered in some detail
all the items in the photo except for the External IP Addresses. The External IP Address is the IP address returned by http://www.whatismyip.com
These IP Addresses will be used in your IPFW (IP FireWall Rules)

Notice that my Galaxy Tablet (192.168.1.206) can connect to my server on my LAN, and likewise it can connect to my neighbor's OPEN Linksys Router,
and access my NAS4Free Server. This makes it nice for testing my IPFW Rules. All of the network devices attached to my Router will be in the range
200 through 250 (192.168.1.200 – 192.168.1.250) within 192.168.1.0/24.

ipfw0a.gif



TESTING WITH NO PORTS FORWARDED:

At this point you are ready to use a Computer on your LAN to test your NFS Service. When that is working properly, you may want to start with
CIFS/SMB or SSH. CIFS/SMB was easily set up by using my Galaxy Tablet with Android FTP (AndFTP) and worked well on my LAN. You won't be
able to use CIFS/SMB from the WAN, as most ISPs have those Ports automatically Blocked to reduce SPAM and Security concerns.

So, you should now have tested, and setup your Services from your LAN and the last step is to FORWARD your Router External Port 22 to Internal
Port 22 to allow you access to your NAS4Free Server from the WAN. BE VERY CAREFUL, because as soon as you do this your system will be attacked,
and Port 22 will receive numerous attempts to gain entry. You should be using a DSA Key and not have Password Authentication ENABLED.



Here is a listing of the IP addresses that immediately started probing my system, trying to gain access.


As you can see they needed to be immediately blocked, and I initially started adding each IP address to the Network|Hosts Host access control list.


Unauthorized Login Attempts:

If your ssh Diagnostics|Log shows multiple login attempts by 49.212.28.207 & 116.125.127.119, you can “DENY” their access by adding their
IP addresses to /etc/hosts.allow (hosts.deny is deprecated). By adding these IP addresses in NAS4Free you will actually be inserting the specific
IP Address in /etc/hosts.allow as DENY.

Network | Hosts


#ftpd : xxx.xxx.xxx.xxx : deny
#sshd : .example.com : deny
#in.tftpd : xxx.xxx.xxx.xxx : deny
#bsnmpd : xxx.xxx.xxx.xxx : deny
sshd : 49.212.28.207 : deny
sshd : 116.125.127.119 : deny
sshd : 205.214.192.101 : deny
sshd : 222.240.224.43 : deny
ALL : ALL : allow


But, as you can also see, this listing grew day by day, and I soon figured out there had to be a better way to BLOCK all the unwanted IP Addresses,
while still allowing myself, and my specific IP Addresses NAS4Free access while BLOCKING all others.


IP FIREWALL:

If you have searched the old FreeNAS forum for an answer to your IPFW Rule Problems you have found the following typical answers:
1. You can use the firewall to limit access, see WebGUI|Network|Firewall|Rule|Add
2. See ipfw manual.
3. FreeBSD Handbook > Chapter 31 Firewalls > 31.6 IPFW

Now, while these typical answers didn't help me define my IPFW Rules, or help me with any of my problems, it did help me understand
that the IPFW Manual is written for the underlying system, and the Network | Firewall Rules is just a User GUI allowing easy setup of
the Rules, once you have an understanding of the system.

Once I had printed out that section of the manual, and read it over about 50 times, and tried to define some rules to test my system,
I did brute force my way through the process and got a functional system.

So, let's see what we can do to help you get through the painful process.


DEFINING IP FIREWALL RULES:

When you install NAS4Free, there are three Rules that are already defined, but not ENABLED. Let's have a look at these rules as shown below.

ipfw1.gif


I have ENABLED the SYSTEM FIREWALL, and also ENABLED the first RULE shown here as (100). Notice that Rules (200) & (300) have not been
ENABLED and they are grey, while the ENABLED Rule is WHITE. Now, the actual IPFW Rules that are stored for the NAS4Free System are located
at /etc/rc.firew~uxrules and these rules are explained in the IPFW Manual. WHEW! Now we are making progress, and we have a clue as to
where these rules are stored on our NAS4Free System, and the IPFW Manual explains the Rules.

The choices for Protocol are UDP, TCP, ICMP, and ALL. SSH typically uses TCP.
The Choices for Direction are IN, OUT, and ANY. SSH typically uses IN.
You can also “Log packets that are handled by this rule to syslog”.

So, we need to add a Rule to BLOCK all of the ssh access as shown below. Notice that this rule is ENABLED, and a duplicate of the rule (200)
which was one of our pre-defined rules. This is OK for the time being. This Rule allows us to BLOCK ALL SSH access to our NAS4Free Server.
But, this situation isn't exactly what we want to end up with because we don't have access to our own Server.

ipfw2.gif



UNWANTED IPFW RULE:

While defining your Rules, you never want to end up defining a rule as shown below because you will never have access to your NAS4Free SYSTEM.
If you make this mistake you can use the NAS4Free Console to restore the system to DEFAULT, then reload your saved Configuration.

ipfw2a.gif



IPFW RULE ORDERING:

The Ordering of your IPFW Rules is very important, as the rules are evaluated First to Last, and the First Matching rule applies.

Allow
Allow
..more rules
..
..
Deny
Deny
..more rules
..
..


IPFW RULE TO ALLOW US WAN ACCESS:

To allow us WAN access to our own NAS4Free Server we will add the Rule shown below. Remember that I am jumping in on my neighbor's Linksys
Router that has an External IP address of 96.46.242.46, and we will be accessing our NAS4Free Server via Port 22 with SSH. So, we just need
to make the appropriate entries in the ALLOW Rule.

At this point we can toggle rule (400) ON/OFF and try to access the NAS4Free Server via my Galaxy Android Tablet with AndFTP. DISABLING Rule (400)
BLOCKS access, and ENABLING Rule (400) ALLOWS me WAN Access. So, now we just need to add another ALLOW Rule for LAN Access.

ipfw3.gif



IPFW RULE TO ALLOW US LAN ACCESS:

To allow us LAN access to our own NAS4Free Server we will add the ALLOW Rule shown below. This Rule is a bit different and needs some explanation.
As you can see the rule uses the Network Addressing Scheme, and allows lots of flexibility in defining who on my LAN can have access.

The IP Address is specified as 192.168.1.0/24{200,203-206}, which will match the following IP addresses:
192.168.1.200, 192.168.1.203 to 192.168.1.206. I could just as easily have skipped around, selecting exactly the IPs I wanted,
such as 192.168.1.0/24{200,202-204,207}

At this point we can toggle rule (500) ON/OFF, and try to access the NAS4Free Server via my Galaxy Android Tablet with AndFTP.
DISABLING Rule (500) BLOCKS access, and ENABLING Rule (500) ALLOWS me LAN Access.

At this point we have ALLOW Rules for LAN, WLAN, and WAN. Rules (600) and (700) haven't been discussed, but are just other folks that I have given
access to my NAS4Free Server. You shouldn't have any trouble figuring out these rules.
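The address-set notation from the Network Masks section and the first-match ordering from IPFW RULE ORDERING, modelled in Python as an added example (this is not code from the post or from NAS4Free). The rule numbers 400 and 500, the WAN address 96.46.242.46 and the LAN set are the post's; the deny rule number 800, the NAS address 192.168.1.250 and the "last byte in the list" reading of `{list}` (taken from ipfw(8)) are assumptions.

```python
import ipaddress
import re

# ipfw address forms used on this page: a.b.c.d, a.b.c.d/len, a.b.c.d/len{list}
ADDR_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?(?:\{([\d,\-]+)\})?$")

def prefix_to_mask(masklen):
    """Short form '/16' -> full form '255.255.0.0' (the netmask table)."""
    bits = (0xFFFFFFFF << (32 - masklen)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(bits))

def parse_last_byte_set(text):
    """'128,35-55,89' -> {35..55, 89, 128}: the {list} between the braces."""
    out = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def addr_matches(spec, ip):
    """Does an ipfw source/destination spec match a single IPv4 address?"""
    if spec == "any":
        return True
    m = ADDR_RE.match(spec)
    if not m:
        raise ValueError("unsupported address spec: " + spec)
    base, masklen, lst = m.group(1), int(m.group(2) or 32), m.group(3)
    net = ipaddress.ip_network(f"{base}/{masklen}", strict=False)
    host = ipaddress.ip_address(ip)
    if host not in net:
        return False
    # {list} narrows the network to hosts whose last byte is in the set (assumed ipfw(8) semantics)
    return lst is None or (int(host) & 0xFF) in parse_last_byte_set(lst)

def first_match(rules, proto, src, dst, dport):
    """ipfw ordering: rules are tried first to last; the first match decides."""
    for num, action, rproto, rsrc, rdst, rport in rules:
        if (rproto in ("all", proto) and addr_matches(rsrc, src)
                and addr_matches(rdst, dst) and rport in ("*", dport)):
            return num, action
    return None, None  # the kernel's default rule is not modelled here

NAS_IP = "192.168.1.250"  # assumed address of the NAS4Free box on the LAN
# Constructed ruleset in the order the post ends up with: ALLOW rules before the DENY.
SAFE_ORDER = [
    (400, "allow", "tcp", "96.46.242.46", "any", 22),                 # WAN via the neighbour's router
    (500, "allow", "tcp", "192.168.1.0/24{200,203-206}", "any", 22),  # chosen LAN hosts
    (800, "deny", "tcp", "any", "any", 22),                           # everyone else (number assumed)
]
# The same three rules with the DENY first: the lock-out from UNWANTED IPFW RULE.
LOCKOUT_ORDER = [SAFE_ORDER[2], SAFE_ORDER[0], SAFE_ORDER[1]]

def ssh_decision(rules, src):
    """Action ipfw would take for an inbound SSH connection from src."""
    return first_match(rules, "tcp", src, NAS_IP, 22)[1]

if __name__ == "__main__":
    for src in ("96.46.242.46", "192.168.1.206", "49.212.28.207"):
        print(src, "safe:", ssh_decision(SAFE_ORDER, src), "lockout:", ssh_decision(LOCKOUT_ORDER, src))
```

Note that the arithmetic in prefix_to_mask gives 255.255.255.254 for /31 and 255.255.255.255 for /32.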

ipfw4.gif


My complete IPFW Rule listing is shown below.

ipfw6.gif


I've added one more DENY Rule showing one way to DENY Access to a Block of IP Addresses. You may not want to use it, or have another method
of doing the same sort of Group Blocking.

ipfw5a.gif


And with this information it pretty well wraps up what I know about the IPFW Rules. If you have suggestions and/or other ideas that need to be
incorporated please add that feedback and it will make the tutorial better.


WAN ACCESS OF WEBGUI:

There is one other small detail that you may need to help you access your NAS4Free Server from the WAN. Since you can't log into the WebGUI,
and change settings while you are on the road, you may find times when you really need to be able to modify your Rules, or access your Server.

If you are using SSH to connect to your NAS4Free Server you can access the WebGUI by doing SSH tunneling from your Linux Box:


    ssh -v -p 22 -L 8888:localhost:443 username@your.NAS4FreeorRouter.IP.address


Then open your Linux Box's web browser, and type this address:


    https://localhost:8888/


and you are at the WebGUI Login screen.

Unfortunately, I couldn't get this to work if I was forwarding an External Router Port of 51001 to Internal Router Port 22, without adding another
IPFW Rule. By adding my IP to the Firewall Rules I was able to access the system remotely.

ipfw8.gif


So, now I can access my NAS4Free Server by using the new External Port with:


ssh -v -p 51001 -L 8888:localhost:443 username@your.NAS4FreeorRouter.IP.address


Then open your Linux Box's web browser, and type this address:


https://localhost:8888/


and you are at the WebGUI Login screen.

Larry
06-30-2012
Last edited by ldkraemer on 06 Dec 2012 01:43, edited 4 times in total.


Re: [HOWTO] - NAS4Free IPFW RULES

Postby sleid » 01 Jul 2012 14:11

Hi,
For remote access from a dynamic address:

With a cron job like this "/etc/rc.d/ipfw restart" every hour, you can replace the fixed address in the rule by a dynamic one (myname.dyndns.org).
Only one dynamic address per rule.

cordially
9.3.0.2 - Nayla (revision 1213) x64-embedded on Intel(R) Core(TM) i3-3225 CPU @ 3.30GHz
ASUSTeK COMPUTER INC. P8H77-I 2 X 4GB DDR3
Pool of 2 vdev each = Raidz1 3 x WDC WD20EARS
Intel PRO/1000 PT Dualport 2x Gigabit-LAN PCIe x4


Re: [HOWTO] - NAS4Free IPFW RULES

Postby ldkraemer » 02 Jul 2012 11:28

sleid,
Thanks for the reply. I'm having a hard time understanding what restarting ipfw every hour and using a dynamic address would do for me.

Can you supply a typical Rule with more details?

Then I'll add it to my posting.

Thanks.

Larry


Re: [HOWTO] - NAS4Free IPFW RULES

Postby sleid » 02 Jul 2012 20:41

ldkraemer,
The cron job restarting ipfw is to resolve the IP when it changes. One hour gives a good chance of retaining access.

In this case the NAS address is 10.10.10.10.

For example, to allow an external SFTP user with a dynamic IP and a dyndns account:

Protocol  Source            Port  Destination  Port  <->  Description
TCP       xxxxx.dyndns.org  *     10.10.10.10  22    IN   François SFTP


If the router has a firewall do not forget to open port 22 to the address of the NAS.