# I have a server at Hetzner and the firewall is not working as it should.



## icinemagr (Dec 16, 2020)

Hi all.

At Hetzner they say I should allow the following rule in their firewall.


Name: TCP_Out
Source IP: 0.0.0.0/0
Destination IP: 0.0.0.0/0
Destination port: 32768-65535
Protocol: tcp
TCP flags: ack
Action: accept

But when I activated it, FreeBSD 12 has no internet access.
All other OSes like CentOS and Windows work OK; the problem is only with FreeBSD.

On my system I don't run ipfw and I don't understand why the problem exists.
If I deactivate the Hetzner firewall everything looks OK.
With the firewall enabled I can not even ping 8.8.8.8.

I understand it must be something with the kernel port range but I don't know where to configure it.
Also it is strange that even Midnight Commander doesn't start, like it is trying to get a webpage or communicate with a port outside.

Thank You.


----------



## wolffnx (Dec 16, 2020)

I'm not familiar with cloud hosting, but they give you one ethernet interface, right? I mean you have LAN and WAN?


----------



## SirDice (Dec 16, 2020)

icinemagr said:


> In hetzner they say I should allow the follow rule in their firewall.


That rule, on its own, doesn't make sense. I'm pretty sure you didn't understand what they told you. That rule would only allow ACK packets (those are responses to other packets). It doesn't allow SYN (the start of a TCP session) or UDP (DNS uses UDP and TCP). So it would never work correctly. Not on FreeBSD or any of the other OSes you use.


----------



## icinemagr (Dec 16, 2020)

Well, I also have 20 more servers at Hetzner with Windows 2003, Windows 2019 and CentOS, and all of them work fine.
Here is the link: https://docs.j7k6.org/hetzner-firewall-outgoing-tcp/
The rule is correct.

When I change from 32768-65535 to 10000-65535 it works, but it is very slow to SSH or do anything.



----------



## SirDice (Dec 16, 2020)

icinemagr said:


> here is the link https://docs.j7k6.org/hetzner-firewall-outgoing-tcp/


That's completely wrong. That rule allows _responses_ to _incoming_ connections. It does NOT allow outgoing connections. Network packets with the ACK bit set are always a _response_. The destination ports don't make sense either. How is this supposed to allow an _outgoing_ SYN packet going to port 80 for example?



icinemagr said:


> The rule is correct


It's not. The rule doesn't do what the explanation says it does. Either the explanation is wrong or the rule. Either way it's not correct.


----------



## icinemagr (Dec 16, 2020)

Well, here is the screenshot from "their" predefined firewall rules, and as I said it works on all other servers; only FreeBSD has the problem. I called them and they told me FreeBSD is not supported on Hetzner servers.

On the phone they told me that maybe I run a firewall inside the OS.
I disabled ipfw in rc.conf and rebooted.
No luck. I just ask here because maybe someone has a FreeBSD server at Hetzner and knows what the problem is.

Also here https://docs.hetzner.com/robot/dedicated-server/firewall/ it says it clearly:


> Out-going TCP connections
>
> A static firewall only _makes decisions_ about packets by inspecting individual packets. Therefore, the firewall doesn't "keep track of" whether or not an incoming packet belongs to an out-going connection from the server. For this reason, unless you enter an additional rule, all out-going connections from the server will not work. Server services (for example, enabling webservers for port 80) are not affected.
>
> You can use the following rule to generally allow all responses to TCP connections:
>
> Source IP: No entry
> Destination IP: No entry
> Source port: No entry
> Destination port: 32768-65535 (Ephemeral Port Range)
> Protocol: tcp
> TCP flags: ack
> Action: accept
>
> By entering IP addresses and TCP ports, you can, of course, make this rule more restrictive.


----------



## Kristof Provost (Dec 16, 2020)

SirDice said:


> It's not. The rule doesn't do what the explanation says it does. Either the explanation is wrong or the rule. Either way it's not correct.


I suspect the intent of that rule is to allow packets from the ephemeral port range. That may be a useful thing to do on a non-stateful firewall, as part of a larger ruleset (but honestly, non-stateful firewalls? In 2020?), but in isolation it makes no sense at all.

Hetzner machines work just fine with FreeBSD. They may not officially support it, but it does work. (And they have FreeBSD rescue images, so it's not totally unsupported either.) I have two machines of my own there.


----------



## SirDice (Dec 16, 2020)

icinemagr said:


> Well, here is the screenshot from "their" predefined firewall rules, and as I said it works on all other servers; only FreeBSD has the problem. I called them and they told me FreeBSD is not supported on Hetzner servers.


Has nothing to do with FreeBSD. It's wrong for any OS because it's the wrong thing to do for TCP/IP in general. The OS has nothing to do with it. 



icinemagr said:


> A static firewall only _makes decisions_ about packets by inspecting individual packets. Therefore, the firewall doesn't "keep track of" whether or not an incoming packet belongs to an out-going connection from the server. For this reason, unless you enter an additional rule, all out-going connections from the server will not work.


The wording is rather wonky here. It's not a _static_ firewall, it's called _stateless_. And they're mixing up _incoming_ and _outgoing_ in various places. I understand what they're trying to say but the explanation is pretty bad so I certainly understand the confusion on your side.



> Server services (for example, enabling webservers for port 80) are not affected.


This refers to _incoming_ connections to a webserver running on your Hetzner host. Apparently they have some implied rules already in place to allow this. However, this has nothing to do with _outgoing_ connections that are initiated on the Hetzner host.



> You can use the following rule to generally allow all responses to TCP connections:


That should have said: "You can use the following rule to generally allow all responses to _incoming_ TCP connections"

With firewalls (regardless if it's stateful or stateless) it's very important to understand the difference between _incoming_ and _outgoing_ connections. In other words, which side _initiates_ the connection. Generally speaking _incoming_ connections come from somewhere else (the internet for example) to your host, _outgoing_ connections are from the host to elsewhere (i.e. the internet or some other host on the network).


----------



## icinemagr (Dec 16, 2020)

I know that Hetzner servers work fine because I use FreeBSD as a production proxy server, but my problem is that I use the IPFW firewall.
It has to be something with net.inet.ip.portrange because as soon as I enable it I lose internet connectivity.

How can I force FreeBSD, for each request to the outside world, to use a local port in the range 32768-65535?????

I tried `sysctl net.inet.ip.portrange.first=32768` and I get the response
`net.inet.ip.portrange.first: 10000 -> 32768`

Should I restart? Is that setting permanent now?


*edit*

Problem fixed.

I added 4 rules in ipfw.rules:

```
# $cmd and $pif are the variables from the FreeBSD Handbook ipfw example
# ($cmd="ipfw -q add", $pif = the public interface). "setup" matches only
# TCP SYN packets, so the UDP rules rely on keep-state alone.
$cmd 00110 allow tcp from any to me 53 in via $pif setup keep-state
$cmd 00111 allow udp from any to me 53 in via $pif keep-state

$cmd 00112 allow tcp from me to any 53 out via $pif setup keep-state
$cmd 00113 allow udp from me to any 53 out via $pif keep-state
```
Then in the Hetzner firewall I did the following:


Allowed TCP  53 for Incoming to Me
Allowed UDP 53 for Incoming to Me

Allowed TCP  53 from me to out
Allowed UDP 53 from me to out

and after 2 YEARS with no SSH except from the LAN, the problem is fixed.

Thank YOU !!!!!!!
The problem was port 53, but it is strange that on other OSes it works without enabling this rule.
But I do not care about other OSes as I love FreeBSD )))))))))


Thank You all.


----------



## SirDice (Dec 16, 2020)

icinemagr said:


> I added 4 rules in ipfw.rules:
> 
> ```
> $cmd 00110 allow tcp from any to me 53 in via $pif setup keep-state
> ...


Are you hosting an authoritative DNS server? If not, then remove those. You don't want external connections to your DNS server, if you have a DNS server at all. I assume you don't have one. Then you certainly don't need to allow _incoming_ connections to port 53. 


```
# "setup" matches only TCP SYN packets, so the UDP rule relies on keep-state alone
$cmd 00112 allow tcp from me to any 53 out via $pif setup keep-state
$cmd 00113 allow udp from me to any 53 out via $pif keep-state
```
These rules look correct. They allow your host to do DNS queries; you usually want to allow those so it's able to resolve hostnames to IP addresses and vice versa.

IPFW is a _stateful_ firewall, as opposed to the _stateless_ firewall Hetzner has. This means the FreeBSD firewall does keep track of responses and will automatically allow them.


----------



## icinemagr (Dec 16, 2020)

SirDice said:


> Are you hosting an authoritative DNS server? If not, then remove those. You don't want external connections to your DNS server, if you have a DNS server at all. I assume you don't have one. Then you certainly don't need to allow _incoming_ connections to port 53.
> 
> 
> ```
> ...



I removed them, thank you!


----------



## PMc (Dec 16, 2020)

SirDice said:


> With firewalls (regardless if it's stateful or stateless) it's very important to understand the difference between _incoming_ and _outgoing_ connections. In other words, which side _initiates_ the connection.



Yes, the misunderstandings come from mixing two different things: "incoming connections" and "incoming packets". I usually advise using different wording here: we have incoming and outgoing packets, while we have originating and responding peers of a flow:

Where your machine acts as a client, you have outgoing-originate and incoming-response.
Where your machine acts as a server, you have incoming-originate and outgoing-response.

In firewalls the packet direction is usually coined as "in" and "out", while the originate/response decision is coded in things like "ACK", "setup/established", "keep-state" etc., and is somewhat dependent on the protocol used.
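As an added illustration (not code from anyone in this thread, nor from Hetzner), here is a small Python simulation of the two filter models discussed above: a stateless filter carrying only the "TCP_Out" rule quoted from the Hetzner docs, beside an ipfw-style keep-state filter, plus a helper that labels packets with PMc's direction/originate/response wording. It assumes, as the quoted docs describe, that the provider filter inspects inbound packets only; the published server ports, the packet sequences and the choice of local port 10000 (FreeBSD's default net.inet.ip.portrange.first, as the sysctl output earlier in the thread shows) are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample values: services this host publishes, and the destination
# port range from the quoted Hetzner "TCP_Out" rule.
SERVER_PORTS = frozenset({22, 80})
EPHEMERAL_RULE_RANGE = range(32768, 65536)


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" = towards the host, "out" = from the host
    proto: str                      # "tcp" or "udp"
    src_port: int
    dst_port: int
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"syn"} or {"syn", "ack"}


def tcp_out_rule(pkt):
    """The quoted rule: protocol tcp, dst port 32768-65535, TCP flag ack -> accept."""
    return pkt.proto == "tcp" and pkt.dst_port in EPHEMERAL_RULE_RANGE and "ack" in pkt.flags


def stateless_verdict(pkt):
    """Stateless filter as the quoted docs describe it: each packet is judged alone,
    with no memory of earlier packets (assumption: only inbound packets are filtered)."""
    if pkt.direction == "out":
        return "accept"
    if pkt.proto == "tcp" and pkt.dst_port in SERVER_PORTS:
        return "accept"             # implied rule: published services stay reachable
    return "accept" if tcp_out_rule(pkt) else "drop"


class StatefulFilter:
    """ipfw-style keep-state: a packet the host originates creates a state entry,
    after which packets of that flow in either direction match the state."""

    def __init__(self):
        self.states = set()

    @staticmethod
    def flow_key(pkt):
        # Both directions of one flow map to the same (proto, local port, remote port).
        if pkt.direction == "out":
            return (pkt.proto, pkt.src_port, pkt.dst_port)
        return (pkt.proto, pkt.dst_port, pkt.src_port)

    def verdict(self, pkt):
        key = self.flow_key(pkt)
        if key in self.states:
            return "accept"         # check-state hit: response to something we started
        if pkt.direction == "out":  # like "allow ip from me to any out keep-state"
            self.states.add(key)
            return "accept"
        return "drop"               # nothing we originated, no rule for it


def flow_role(pkt, originated_locally):
    """PMc's wording: packet direction (in/out) plus originate/response of the flow."""
    if pkt.direction == "out":
        return "outgoing-originate" if originated_locally else "outgoing-response"
    return "incoming-response" if originated_locally else "incoming-originate"


def outgoing_tcp_exchange(local_port, remote_port):
    """Constructed three-way handshake of a connection this host originates."""
    return [
        Packet("out", "tcp", local_port, remote_port, frozenset({"syn"})),
        Packet("in", "tcp", remote_port, local_port, frozenset({"syn", "ack"})),
        Packet("out", "tcp", local_port, remote_port, frozenset({"ack"})),
    ]


def dns_udp_exchange(local_port):
    """Constructed UDP DNS query from this host and the resolver's reply."""
    return [Packet("out", "udp", local_port, 53), Packet("in", "udp", 53, local_port)]


def run_stateless(packets):
    return [stateless_verdict(p) for p in packets]


def run_stateful(packets):
    f = StatefulFilter()
    return [f.verdict(p) for p in packets]


if __name__ == "__main__":
    # With local port 10000 the SYN/ACK comes back outside 32768-65535 and is dropped;
    # with 40000 it passes. UDP DNS replies have no stateless rule at all.
    print("stateless, local port 10000:", run_stateless(outgoing_tcp_exchange(10000, 80)))
    print("stateless, local port 40000:", run_stateless(outgoing_tcp_exchange(40000, 80)))
    print("stateless, UDP DNS:", run_stateless(dns_udp_exchange(40000)))
    print("stateful,  UDP DNS:", run_stateful(dns_udp_exchange(40000)))
```

Running it shows the two observations the thread circles around: the stateless rule only lets a reply through when the host's ephemeral port happens to fall inside 32768-65535, and it never covers UDP replies, whereas the keep-state filter accepts the reply because it remembers the packet the host sent first.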


----------



## SirDice (Dec 16, 2020)

I probably could have used better wording myself, but I tried to keep it fairly simple and understandable. I certainly hope it was better than the explanation Hetzner gave, because theirs made my brain hurt.


----------



## Jose (Dec 16, 2020)

PMc said:


> Where your machine acts as a client, you have outgoing-originate and incoming-response.
> Where your machine acts as a server, you have incoming-originate and outgoing-response.


This is an accurate, simple, and succinct explanation. I'm going to use it from now on.


----------



## Geezer (Dec 17, 2020)

You don't have to use their firewall. I have got a server with Hetzner and I have ipfw running on it. You can install it with their KVM in case you make any mistakes in ipfw.


----------

