subject:"Firewalls in FreeBSD\?"

Re: Firewalls in FreeBSD?

2008-10-31 Thread Jeremy Chadwick

On Fri, Oct 31, 2008 at 01:27:40PM -0400, Lowell Gilbert wrote:
> Jeremy Chadwick <[EMAIL PROTECTED]> writes:
> 
> > On Fri, Oct 31, 2008 at 12:35:30PM -0400, Lowell Gilbert wrote:
> 
> >> Okay, I guess I'm a little confused by the line about "ONLY allow data
> >> back on these ports IF the windows box has established the connection
> >> out first then deny everything else."  I read that as saying that the
> >> Windows box had sent a packet on the same connection (4-tuple, at
> >> least) that should be later accepted heading *to* the Windows box.
> >> That's just a stateful rule, and it seems to be at odds with what you
> >> wrote in your first message in the thread.  The apparent disagreement
> >> was why I said anything in the first place; it sounds like there's
> >> more than one model of how the game works.
> >
> > I understand the confusion.  Here's the actual protocol that the game
> > appears to be using (since the OP has stated forwarding a port range to
> > his LAN PC solves the problem -- meaning, his original description of
> > how the game protocol worked is accurate):
> 
> I see.  If that is the case, then the word "connection" in the line I
> quoted from Jack Barnett does *not* mean a TCP session, but something
> a little more nebulous.  "Game session" might cover it.  
> 
> [I *was* aware of that possible confusion, which was why I specified
> an address/port tuple as the definition of "connection."]
> 
> Sorry for the distraction; I see that (short of a deep-inspection
> snooping of the protocol), what has already been done is as good as
> you can get.

Nah, it's cool -- the misunderstanding is... understandable.  :-)

I've never seen a game behave this way (specifically, the gameserver
initiating a *brand new connection* rather than utilising an existing
one, or having the client initiate a connection to the server -- in
which case, a stateful firewall will work perfectly and no firewall
rules are needed).

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Firewalls in FreeBSD?

2008-10-31 Thread Lowell Gilbert

Jeremy Chadwick <[EMAIL PROTECTED]> writes:

> On Fri, Oct 31, 2008 at 12:35:30PM -0400, Lowell Gilbert wrote:

>> Okay, I guess I'm a little confused by the line about "ONLY allow data
>> back on these ports IF the windows box has established the connection
>> out first then deny everything else."  I read that as saying that the
>> Windows box had sent a packet on the same connection (4-tuple, at
>> least) that should be later accepted heading *to* the Windows box.
>> That's just a stateful rule, and it seems to be at odds with what you
>> wrote in your first message in the thread.  The apparent disagreement
>> was why I said anything in the first place; it sounds like there's
>> more than one model of how the game works.
>
> I understand the confusion.  Here's the actual protocol that the game
> appears to be using (since the OP has stated forwarding a port range to
> his LAN PC solves the problem -- meaning, his original description of
> how the game protocol worked is accurate):

I see.  If that is the case, then the word "connection" in the line I
quoted from Jack Barnett does *not* mean a TCP session, but something
a little more nebulous.  "Game session" might cover it.  

[I *was* aware of that possible confusion, which was why I specified
an address/port tuple as the definition of "connection."]

Sorry for the distraction; I see that (short of a deep-inspection
snooping of the protocol), what has already been done is as good as
you can get.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Firewalls in FreeBSD?

2008-10-31 Thread Jeremy Chadwick

On Fri, Oct 31, 2008 at 12:35:30PM -0400, Lowell Gilbert wrote:
> Jeremy Chadwick <[EMAIL PROTECTED]> writes:
> 
> > On Fri, Oct 31, 2008 at 12:05:28PM -0400, Lowell Gilbert wrote:
> >> Jeremy Chadwick <[EMAIL PROTECTED]> writes:
> >> 
> >> > On Thu, Oct 30, 2008 at 06:34:31PM -0500, Jack Barnett wrote:
> >> >>
> >> >> Ok, I had some progress with this last night. Basically what I do is:
> >> >>
> >> >> in natd - redirect_port 1000 to 1 to the internal windows box.
> >> >> set ipfw to "open" file wall.
> >> >>
> >> >> Obviously this isn't prefect - but gives some idea of what's going on.
> >> >>
> >> >> What I'd like to do, is a) keep the nat redirects since that works  
> >> >> pretty well.
> >> >> b) in ipfw, ONLY allow data back on these ports IF the windows box has  
> >> >> established the connection out first then deny everything else.
> >> >
> >> > This is called "port triggering" in the residential router world.  I
> >> > don't know how to do this on FreeBSD.
> >> 
> >> Stateful rules are the only way to do it.
> >> In fact, this is the main purpose of stateful rules.
> >
> > Read this part of the thread, where I outline protocol flow (based on
> > what the OP has stated about the protocol, which so far appears to be
> > accurate):
> >
> > http://lists.freebsd.org/pipermail/freebsd-questions/2008-October/thread.html
> >
> > Stateful rules will not solve this problem.
> >
> > The OP wants a feature that tells ipfw or pf "after the TCP handshake
> > has completed, dynamically add a port forward for port X on interface Y
> > to machine A on port Z; when the TCP session is FIN'd cleanly, or
> > extinguishes, dynamically remove that port forward".
> 
> Okay, I guess I'm a little confused by the line about "ONLY allow data
> back on these ports IF the windows box has established the connection
> out first then deny everything else."  I read that as saying that the
> Windows box had sent a packet on the same connection (4-tuple, at
> least) that should be later accepted heading *to* the Windows box.
> That's just a stateful rule, and it seems to be at odds with what you
> wrote in your first message in the thread.  The apparent disagreement
> was why I said anything in the first place; it sounds like there's
> more than one model of how the game works.

I understand the confusion.  Here's the actual protocol that the game
appears to be using (since the OP has stated forwarding a port range to
his LAN PC solves the problem -- meaning, his original description of
how the game protocol worked is accurate):

windows= 192.168.x.x machine on the LAN
natgwlan   = private LAN-facing IP of FreeBSD box (e.g. gateway IP)
natgwwan   = public Internet-facing IP of FreeBSD box
gameserver = game server (public Internet IP)

* = randomly-allocated port number
gameport  = some static port # for the game (OP hasn't disclosed this)
range = some specific range of port numbers (OP says 1000-1)

This is what would happen if the windows machine was on the Internet
directly (no NAT, no firewall):

Step 1)  windows:* -->  gameserver:gameport
Step 2)  gameserver:*  -->  windows:range

Note that the randomly-allocated port number is *not* identical
between all of the above steps; literally each is a new port and
unrelated to the previous -- hence why state tracking won't work.

Now with NAT in the way, this is what happens for Step 1:

windows:*  <-->  natgwlan
 natgwwan:*  <--> gameserver:gameport

Once the TCP handshake is completed for Step 1, the following happens
as a result of Step 2 -- again, note this is a *brand new connection*
being initiated from the gameserver:

gameserver:*  <-->  natgwwan:range

The problem is that these are all brand new connections being initiated,
and there's no way to cross-reference them, which is why state tracking
won't work to solve the OPs problem.

The "port triggering" method I described above, commonly available
on residential routers, is configured so that once the TCP handshake
is completed in Step 1, the router/natgw *immediately* adds a port
forward and firewall allow/pass rule (you have to configure it to
say what port range to forward, and what LAN IP to forward the packets
to).

Thus, the following would happen immediately after the TCP handshake was
completed in Step 1:

- natgw adds a firewall pass rule for natgwwan:range
- natgw adds a forwarding rule for natgwwan:1000 --> windows, where
  the port number matches (e.g. natgwwan:1000 --> windows:1000)

This pass/allow rule and the forward remains intact until the "port
triggered" connection is severed (FIN or expired).  It does not
expire/close based upon the connection made in Step 1.

This would allow Step to work, and would look like this with NAT
in the way:

gameserver:*  <-->  natgwwan:range
natgwlan   --> windows:range

This is as verbose as I can get, and based upon the forwarding and the
firewall rules the OP added, this does appear to be the protocol the

Re: Firewalls in FreeBSD?

2008-10-31 Thread Lowell Gilbert

Jeremy Chadwick <[EMAIL PROTECTED]> writes:

> On Fri, Oct 31, 2008 at 12:05:28PM -0400, Lowell Gilbert wrote:
>> Jeremy Chadwick <[EMAIL PROTECTED]> writes:
>> 
>> > On Thu, Oct 30, 2008 at 06:34:31PM -0500, Jack Barnett wrote:
>> >>
>> >> Ok, I had some progress with this last night. Basically what I do is:
>> >>
>> >> in natd - redirect_port 1000 to 1 to the internal windows box.
>> >> set ipfw to "open" file wall.
>> >>
>> >> Obviously this isn't prefect - but gives some idea of what's going on.
>> >>
>> >> What I'd like to do, is a) keep the nat redirects since that works  
>> >> pretty well.
>> >> b) in ipfw, ONLY allow data back on these ports IF the windows box has  
>> >> established the connection out first then deny everything else.
>> >
>> > This is called "port triggering" in the residential router world.  I
>> > don't know how to do this on FreeBSD.
>> 
>> Stateful rules are the only way to do it.
>> In fact, this is the main purpose of stateful rules.
>
> Read this part of the thread, where I outline protocol flow (based on
> what the OP has stated about the protocol, which so far appears to be
> accurate):
>
> http://lists.freebsd.org/pipermail/freebsd-questions/2008-October/thread.html
>
> Stateful rules will not solve this problem.
>
> The OP wants a feature that tells ipfw or pf "after the TCP handshake
> has completed, dynamically add a port forward for port X on interface Y
> to machine A on port Z; when the TCP session is FIN'd cleanly, or
> extinguishes, dynamically remove that port forward".

Okay, I guess I'm a little confused by the line about "ONLY allow data
back on these ports IF the windows box has established the connection
out first then deny everything else."  I read that as saying that the
Windows box had sent a packet on the same connection (4-tuple, at
least) that should be later accepted heading *to* the Windows box.
That's just a stateful rule, and it seems to be at odds with what you
wrote in your first message in the thread.  The apparent disagreement
was why I said anything in the first place; it sounds like there's
more than one model of how the game works.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Firewalls in FreeBSD?

2008-10-31 Thread Jeremy Chadwick

On Fri, Oct 31, 2008 at 12:05:28PM -0400, Lowell Gilbert wrote:
> Jeremy Chadwick <[EMAIL PROTECTED]> writes:
> 
> > On Thu, Oct 30, 2008 at 06:34:31PM -0500, Jack Barnett wrote:
> >>
> >> Ok, I had some progress with this last night. Basically what I do is:
> >>
> >> in natd - redirect_port 1000 to 1 to the internal windows box.
> >> set ipfw to "open" file wall.
> >>
> >> Obviously this isn't prefect - but gives some idea of what's going on.
> >>
> >> What I'd like to do, is a) keep the nat redirects since that works  
> >> pretty well.
> >> b) in ipfw, ONLY allow data back on these ports IF the windows box has  
> >> established the connection out first then deny everything else.
> >
> > This is called "port triggering" in the residential router world.  I
> > don't know how to do this on FreeBSD.
> 
> Stateful rules are the only way to do it.
> In fact, this is the main purpose of stateful rules.

Read this part of the thread, where I outline protocol flow (based on
what the OP has stated about the protocol, which so far appears to be
accurate):

http://lists.freebsd.org/pipermail/freebsd-questions/2008-October/thread.html

Stateful rules will not solve this problem.

The OP wants a feature that tells ipfw or pf "after the TCP handshake
has completed, dynamically add a port forward for port X on interface Y
to machine A on port Z; when the TCP session is FIN'd cleanly, or
extinguishes, dynamically remove that port forward".

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Firewalls in FreeBSD?

2008-10-31 Thread Lowell Gilbert

Jeremy Chadwick <[EMAIL PROTECTED]> writes:

> On Thu, Oct 30, 2008 at 06:34:31PM -0500, Jack Barnett wrote:
>>
>> Ok, I had some progress with this last night. Basically what I do is:
>>
>> in natd - redirect_port 1000 to 1 to the internal windows box.
>> set ipfw to "open" file wall.
>>
>> Obviously this isn't prefect - but gives some idea of what's going on.
>>
>> What I'd like to do, is a) keep the nat redirects since that works  
>> pretty well.
>> b) in ipfw, ONLY allow data back on these ports IF the windows box has  
>> established the connection out first then deny everything else.
>
> This is called "port triggering" in the residential router world.  I
> don't know how to do this on FreeBSD.

Stateful rules are the only way to do it.
In fact, this is the main purpose of stateful rules.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Firewalls in FreeBSD?

2008-10-30 Thread Jeremy Chadwick

On Thu, Oct 30, 2008 at 06:34:31PM -0500, Jack Barnett wrote:
>
> Ok, I had some progress with this last night. Basically what I do is:
>
> in natd - redirect_port 1000 to 1 to the internal windows box.
> set ipfw to "open" file wall.
>
> Obviously this isn't prefect - but gives some idea of what's going on.
>
> What I'd like to do, is a) keep the nat redirects since that works  
> pretty well.
> b) in ipfw, ONLY allow data back on these ports IF the windows box has  
> established the connection out first then deny everything else.

This is called "port triggering" in the residential router world.  I
don't know how to do this on FreeBSD.

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Firewalls in FreeBSD?

2008-10-30 Thread Jack Barnett



Ok, I had some progress with this last night. Basically what I do is:

in natd - redirect_port 1000 to 1 to the internal windows box.
set ipfw to "open" file wall.

Obviously this isn't prefect - but gives some idea of what's going on.

What I'd like to do, is a) keep the nat redirects since that works 
pretty well.
b) in ipfw, ONLY allow data back on these ports IF the windows box has 
established the connection out first then deny everything else.


I tried this, but it didn't work for anything (tried 5-6 differant games):

   ${fwcmd} add allow tcp from any to any out via x10 setup keep-state
   ${fwcmd} add allow udp from any to any out via xl0 keep-state
   ${fwcmd} add allow icmp from any to any out via xl0 keep-state
   ${fwcmd} add 100 check-state




mdh wrote:

--- On Wed, 10/29/08, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
  

From: Jeremy Chadwick <[EMAIL PROTECTED]>
Subject: Re: Firewalls in FreeBSD?
To: "Terry Sposato" <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], "Polytropon" <[EMAIL PROTECTED]>, "Freebsd questions" 

Date: Wednesday, October 29, 2008, 11:25 PM
On Thu, Oct 30, 2008 at 01:36:58PM +1100, Terry Sposato
wrote:



It is most likely caused by your ruleset not being
  
stateful. If packets 


are going out certain sessions and your firewall
  
isn't then allowing back 


in you would see the issue you are seeing. I am not
  
sure how this is 


accomplished via ipfw as I use pf but there would be a
  
tonne of 


documentation out there on how to make your rules
  

stateful.

Are you sure about that?  Read his statement once more:



   For example, I load up a client (game) and it


connects out on XYZ


   port.  The server will send data back on ABC.


I assume based on this, the following is happening:

- 192.168.x.x:a sends packet to gameserver:xyz

- NAT gateway translates packet (where "natgw" is
a public WAN IP)

  192.168.x.x:a <--> natgw:b <-->
gameserver:xyz

- gameserver sees packet to port xyz, and initiates new
connection
  to natgw:abc
  
- NAT gateway drops packet destined to WAN IP port abc,

because the
  gameserver:abc connection is *new*, and does not relate
to the
  previous NAT'd gameserver:xyz connection.

If this is **truly** how the protocol works (the OP will
need to be
absolutely 100% positive of that fact; I recommend he
reconfirm how it
works), then the only solution is to set up a port forward
on the NAT
gateway for port abc to point to 192.168.x.x.

This also means that only one computer on the LAN will be
capable of
playing this game.  Not much one can do about that, other
than write
the authors of the game and explain that their protocol is
absolutely
disgusting.



Does the game support IPv6?  This may be a work-around for you, since you can get a relatively large chunk of IPs for free via any one of a number of tunnel brokers.  If possible, ask your IP provider if they provide native IPv6 transport first.  A few do, in North America and Europe, and a surprising lot do in Asia, especially Japan and South Korea.  If you're on a North American consumer ISP, chances are a tunnel broker is your only option for v6 connectivity, however.  

If the game doesn't support IPv6, however, then you are likely stuck with playing with port forwarding from the public routable address, however.  It stinks, so feel free to lobby your ISP, the game's designers, and any other involved parties, about supporting IPv6 connectivity.  

In essence, a problem like the one Mr. Chadwick is eluding to is one of the primary motivating forces behind the adoption of IPv6 to begin with.  


- mdh



  
___

freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
  

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Firewalls in FreeBSD?

2008-10-30 Thread mdh

--- On Wed, 10/29/08, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> From: Jeremy Chadwick <[EMAIL PROTECTED]>
> Subject: Re: Firewalls in FreeBSD?
> To: "Terry Sposato" <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED], "Polytropon" <[EMAIL PROTECTED]>, "Freebsd questions" 
> 
> Date: Wednesday, October 29, 2008, 11:25 PM
> On Thu, Oct 30, 2008 at 01:36:58PM +1100, Terry Sposato
> wrote:
>
> > It is most likely caused by your ruleset not being
> stateful. If packets 
> > are going out certain sessions and your firewall
> isn't then allowing back 
> > in you would see the issue you are seeing. I am not
> sure how this is 
> > accomplished via ipfw as I use pf but there would be a
> tonne of 
> > documentation out there on how to make your rules
> stateful.
> 
> Are you sure about that?  Read his statement once more:
> 
> >>For example, I load up a client (game) and it
> connects out on XYZ
> >>port.  The server will send data back on ABC.
> 
> I assume based on this, the following is happening:
> 
> - 192.168.x.x:a sends packet to gameserver:xyz
> 
> - NAT gateway translates packet (where "natgw" is
> a public WAN IP)
> 
>   192.168.x.x:a <--> natgw:b <-->
> gameserver:xyz
> 
> - gameserver sees packet to port xyz, and initiates new
> connection
>   to natgw:abc
>   
> - NAT gateway drops packet destined to WAN IP port abc,
> because the
>   gameserver:abc connection is *new*, and does not relate
> to the
>   previous NAT'd gameserver:xyz connection.
> 
> If this is **truly** how the protocol works (the OP will
> need to be
> absolutely 100% positive of that fact; I recommend he
> reconfirm how it
> works), then the only solution is to set up a port forward
> on the NAT
> gateway for port abc to point to 192.168.x.x.
> 
> This also means that only one computer on the LAN will be
> capable of
> playing this game.  Not much one can do about that, other
> than write
> the authors of the game and explain that their protocol is
> absolutely
> disgusting.

Does the game support IPv6?  This may be a work-around for you, since you can 
get a relatively large chunk of IPs for free via any one of a number of tunnel 
brokers.  If possible, ask your IP provider if they provide native IPv6 
transport first.  A few do, in North America and Europe, and a surprising lot 
do in Asia, especially Japan and South Korea.  If you're on a North American 
consumer ISP, chances are a tunnel broker is your only option for v6 
connectivity, however.  

If the game doesn't support IPv6, however, then you are likely stuck with 
playing with port forwarding from the public routable address, however.  It 
stinks, so feel free to lobby your ISP, the game's designers, and any other 
involved parties, about supporting IPv6 connectivity.  

In essence, a problem like the one Mr. Chadwick is eluding to is one of the 
primary motivating forces behind the adoption of IPv6 to begin with.  

- mdh



  
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Firewalls in FreeBSD?

2008-10-30 Thread Reko Turja


Hi Jack!


  Right now I have a Windows machine a FreeBSD natd/firewall then a
  cable modem.
  This is working for web surfing.  But I've been playing a lot of 
games
  lately and it doesn't work at all (for multiplayer/internet 
games).


As a fellow gamer, I've found that PF with stateful filtering has been 
a good firewall for my needs. Usually with stateful ruleset the games 
work out of the box, just when outgoing traffic is allowed and state 
is kept. There are some special situations where PF shines though, 
Asherons Call (or any other game using bidirectional UDP traffic) can 
be made to work with following configuration:


This to nat section:
binat on $ext_if from  to or IP> -> $ext_if


Which should do the trick with some of the silly games out there using 
standard defined, but really rare kind of traffic.


-Reko 


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Firewalls in FreeBSD?

2008-10-29 Thread Terry Sposato


Quoting Jeremy Chadwick <[EMAIL PROTECTED]>:


On Thu, Oct 30, 2008 at 01:36:58PM +1100, Terry Sposato wrote:

Quoting Jack Barnett <[EMAIL PROTECTED]>:



   yes, that is my setup.
   hrm... well, I disabled the firewall completely, restarted, but still
   doesn't work.
   I have gateway and natd both enabled.  x10 is the "external" interface
   (the one that is dhcp and connects to the cable modem).
   I don't want to redirect anything to my windows box.  I just want
   anything that connects out from my windows box to be able to connect
   or send data back in.
   For example, I load up a client (game) and it connects out on XYZ
   port.  The server will send data back on ABC.
   The problem, from what I can tell; is that I can get a connection out
   - but when the server tries to send data back on ABC it is discarded.
   Polytropon wrote:

If I understood you correctly, your setting is:

(Modem/Router)---DHCP---(FreeBSD)---("Windows")

I may respond directly on your configuration settings:

On Wed, 29 Oct 2008 20:19:31 -0500, Jack Barnett
[1]<[EMAIL PROTECTED]> wro
te:


 gateway_enable="YES"
 #firewall_enable="YES"
 #firewall_type="open"
 firewall_type="simple"
 #firewall_type="open"
 firewall_logging="YES"


Use instead:

gateway_enable="YES"
natd_enable="YES"
natd_interface="xl0"

You may add special redirect directives to NATD's settings, such
as
natd_flags="-redirect_port tcp 192.168.1.2:5900 5900"
natd_flags="-redirect_port tcp 192.168.1.5:23 "

or
natd_flags="-redirect_address 192.168.1.2 141.44.165.58 \
-redirect_address 192.168.1.5 141.44.165.58"

Examples taken from a very old configuration. :-)

Then,

firewall_enable="YES"
firewall_type="/etc/ipfw.conf"

Then, be sure to have nice firewall settings, you can use things
similar to this, enabling just the services you really need and want,
it's easy to write your own one or to rewrite this:

-f flush
add divert natd ip  from any to any via xl0
add allow   tcp from any to any ftp in recv xl0
add allow   tcp from any to any ssh in recv xl0
add allow   tcp from any to any authin recv xl0
add allow   udp from any to any ntp in recv xl0
add allow   udp from any to any ntalk   in recv xl0
add denyudp from any to any x11 in recv xl0
add reset   tcp from any to any x11 in recv xl0
add allow   ipencap from any to any
add allow   ip  from any to any

This should work fine. NB to use the correct interface names.

References

   1. mailto:[EMAIL PROTECTED]
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to  
"[EMAIL PROTECTED]"




Jack,

It is most likely caused by your ruleset not being stateful. If packets
are going out certain sessions and your firewall isn't then allowing back
in you would see the issue you are seeing. I am not sure how this is
accomplished via ipfw as I use pf but there would be a tonne of
documentation out there on how to make your rules stateful.


Are you sure about that?  Read his statement once more:


   For example, I load up a client (game) and it connects out on XYZ
   port.  The server will send data back on ABC.


Ahh yes correct, I was going on the assumption that the traffic is  
trying to return using the same session details. This is usually how  
it is with gaming traffic and the non stateful ruleset is usually the  
cause of why this sort of traffic get's blocked. Would like to see if  
the OP has actually sniffed the traffic and can say without a shadow  
of a doubt that different ports are being used ingoing & outgoing.




I assume based on this, the following is happening:

- 192.168.x.x:a sends packet to gameserver:xyz

- NAT gateway translates packet (where "natgw" is a public WAN IP)

  192.168.x.x:a <--> natgw:b <--> gameserver:xyz

- gameserver sees packet to port xyz, and initiates new connection
  to natgw:abc

- NAT gateway drops packet destined to WAN IP port abc, because the
  gameserver:abc connection is *new*, and does not relate to the
  previous NAT'd gameserver:xyz connection.

If this is **truly** how the protocol works (the OP will need to be
absolutely 100% positive of that fact; I recommend he reconfirm how it
works), then the only solution is to set up a port forward on the NAT
gateway for port abc to point to 192.168.x.x.

This also means that only one computer on the LAN will be capable of
playing this game.  Not much one can do about that, other than write
the authors of the game and explain that their protocol is absolutely
disgusting.

--
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking

Re: Firewalls in FreeBSD?

2008-10-29 Thread Jeremy Chadwick

On Thu, Oct 30, 2008 at 01:36:58PM +1100, Terry Sposato wrote:
> Quoting Jack Barnett <[EMAIL PROTECTED]>:
>
>>
>>yes, that is my setup.
>>hrm... well, I disabled the firewall completely, restarted, but still
>>doesn't work.
>>I have gateway and natd both enabled.  x10 is the "external" interface
>>(the one that is dhcp and connects to the cable modem).
>>I don't want to redirect anything to my windows box.  I just want
>>anything that connects out from my windows box to be able to connect
>>or send data back in.
>>For example, I load up a client (game) and it connects out on XYZ
>>port.  The server will send data back on ABC.
>>The problem, from what I can tell; is that I can get a connection out
>>- but when the server tries to send data back on ABC it is discarded.
>>Polytropon wrote:
>>
>> If I understood you correctly, your setting is:
>>
>> (Modem/Router)---DHCP---(FreeBSD)---("Windows")
>>
>> I may respond directly on your configuration settings:
>>
>> On Wed, 29 Oct 2008 20:19:31 -0500, Jack Barnett  
>> [1]<[EMAIL PROTECTED]> wro
>> te:
>>
>>
>>  gateway_enable="YES"
>>  #firewall_enable="YES"
>>  #firewall_type="open"
>>  firewall_type="simple"
>>  #firewall_type="open"
>>  firewall_logging="YES"
>>
>>
>> Use instead:
>>
>> gateway_enable="YES"
>> natd_enable="YES"
>> natd_interface="xl0"
>>
>> You may add special redirect directives to NATD's settings, such
>> as
>> natd_flags="-redirect_port tcp 192.168.1.2:5900 5900"
>> natd_flags="-redirect_port tcp 192.168.1.5:23 "
>>
>> or
>> natd_flags="-redirect_address 192.168.1.2 141.44.165.58 \
>> -redirect_address 192.168.1.5 141.44.165.58"
>>
>> Examples taken from a very old configuration. :-)
>>
>> Then,
>>
>> firewall_enable="YES"
>> firewall_type="/etc/ipfw.conf"
>>
>> Then, be sure to have nice firewall settings, you can use things
>> similar to this, enabling just the services you really need and want,
>> it's easy to write your own one or to rewrite this:
>>
>> -f flush
>> add divert natd ip  from any to any via xl0
>> add allow   tcp from any to any ftp in recv xl0
>> add allow   tcp from any to any ssh in recv xl0
>> add allow   tcp from any to any authin recv xl0
>> add allow   udp from any to any ntp in recv xl0
>> add allow   udp from any to any ntalk   in recv xl0
>> add denyudp from any to any x11 in recv xl0
>> add reset   tcp from any to any x11 in recv xl0
>> add allow   ipencap from any to any
>> add allow   ip  from any to any
>>
>> This should work fine. NB to use the correct interface names.
>>
>> References
>>
>>1. mailto:[EMAIL PROTECTED]
>> ___
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
>>
>
> Jack,
>
> It is most likely caused by your ruleset not being stateful. If packets 
> are going out certain sessions and your firewall isn't then allowing back 
> in you would see the issue you are seeing. I am not sure how this is 
> accomplished via ipfw as I use pf but there would be a tonne of 
> documentation out there on how to make your rules stateful.

Are you sure about that?  Read his statement once more:

>>For example, I load up a client (game) and it connects out on XYZ
>>port.  The server will send data back on ABC.

I assume based on this, the following is happening:

- 192.168.x.x:a sends packet to gameserver:xyz

- NAT gateway translates packet (where "natgw" is a public WAN IP)

  192.168.x.x:a <--> natgw:b <--> gameserver:xyz

- gameserver sees packet to port xyz, and initiates new connection
  to natgw:abc
  
- NAT gateway drops packet destined to WAN IP port abc, because the
  gameserver:abc connection is *new*, and does not relate to the
  previous NAT'd gameserver:xyz connection.

If this is **truly** how the protocol works (the OP will need to be
absolutely 100% positive of that fact; I recommend he reconfirm how it
works), then the only solution is to set up a port forward on the NAT
gateway for port abc to point to 192.168.x.x.

This also means that only one computer on the LAN will be capable of
playing this game.  Not much one can do about that, other than write
the authors of the game and explain that their protocol is absolutely
disgusting.

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |

_

Re: Firewalls in FreeBSD?

2008-10-29 Thread Terry Sposato


Quoting Jack Barnett <[EMAIL PROTECTED]>:



   yes, that is my setup.
   hrm... well, I disabled the firewall completely, restarted, but still
   doesn't work.
   I have gateway and natd both enabled.  x10 is the "external" interface
   (the one that is dhcp and connects to the cable modem).
   I don't want to redirect anything to my windows box.  I just want
   anything that connects out from my windows box to be able to connect
   or send data back in.
   For example, I load up a client (game) and it connects out on XYZ
   port.  The server will send data back on ABC.
   The problem, from what I can tell; is that I can get a connection out
   - but when the server tries to send data back on ABC it is discarded.
   Polytropon wrote:

If I understood you correctly, your setting is:

(Modem/Router)---DHCP---(FreeBSD)---("Windows")

I may respond directly on your configuration settings:

On Wed, 29 Oct 2008 20:19:31 -0500, Jack Barnett  
[1]<[EMAIL PROTECTED]> wro

te:


 gateway_enable="YES"
 #firewall_enable="YES"
 #firewall_type="open"
 firewall_type="simple"
 #firewall_type="open"
 firewall_logging="YES"


Use instead:

gateway_enable="YES"
natd_enable="YES"
natd_interface="xl0"

You may add special redirect directives to NATD's settings, such
as
natd_flags="-redirect_port tcp 192.168.1.2:5900 5900"
natd_flags="-redirect_port tcp 192.168.1.5:23 "

or
natd_flags="-redirect_address 192.168.1.2 141.44.165.58 \
-redirect_address 192.168.1.5 141.44.165.58"

Examples taken from a very old configuration. :-)

Then,

firewall_enable="YES"
firewall_type="/etc/ipfw.conf"

Then, be sure to have nice firewall settings, you can use things
similar to this, enabling just the services you really need and want,
it's easy to write your own one or to rewrite this:

-f flush
add divert natd ip  from any to any via xl0
add allow   tcp from any to any ftp in recv xl0
add allow   tcp from any to any ssh in recv xl0
add allow   tcp from any to any authin recv xl0
add allow   udp from any to any ntp in recv xl0
add allow   udp from any to any ntalk   in recv xl0
add denyudp from any to any x11 in recv xl0
add reset   tcp from any to any x11 in recv xl0
add allow   ipencap from any to any
add allow   ip  from any to any

This should work fine. NB to use the correct interface names.

References

   1. mailto:[EMAIL PROTECTED]
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"



Jack,

It is most likely caused by your ruleset not being stateful. If  
packets are going out certain sessions and your firewall isn't then  
allowing back in you would see the issue you are seeing. I am not sure  
how this is accomplished via ipfw as I use pf but there would be a  
tonne of documentation out there on how to make your rules stateful.



Regards,

Terry Sposato
[EMAIL PROTECTED]
Have you been sucked in?
http://www.sucked-in.com

-
This message was sent from the Sucked In Webmail Interface -  
http://www.sucked-in.com


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Firewalls in FreeBSD?

2008-10-29 Thread Jack Barnett


   yes, that is my setup.
   hrm... well, I disabled the firewall completely, restarted, but still
   doesn't work.
   I have gateway and natd both enabled.  x10 is the "external" interface
   (the one that is dhcp and connects to the cable modem).
   I don't want to redirect anything to my windows box.  I just want
   anything that connects out from my windows box to be able to connect
   or send data back in.
   For example, I load up a client (game) and it connects out on XYZ
   port.  The server will send data back on ABC.
   The problem, from what I can tell; is that I can get a connection out
   - but when the server tries to send data back on ABC it is discarded.
   Polytropon wrote:

If I understood you correctly, your setting is:

(Modem/Router)---DHCP---(FreeBSD)---("Windows")

I may respond directly on your configuration settings:

On Wed, 29 Oct 2008 20:19:31 -0500, Jack Barnett [1]<[EMAIL PROTECTED]> wro
te:


 gateway_enable="YES"
 #firewall_enable="YES"
 #firewall_type="open"
 firewall_type="simple"
 #firewall_type="open"
 firewall_logging="YES"


Use instead:

gateway_enable="YES"
natd_enable="YES"
natd_interface="xl0"

You may add special redirect directives to NATD's settings, such
as
natd_flags="-redirect_port tcp 192.168.1.2:5900 5900"
natd_flags="-redirect_port tcp 192.168.1.5:23 "

or
natd_flags="-redirect_address 192.168.1.2 141.44.165.58 \
-redirect_address 192.168.1.5 141.44.165.58"

Examples taken from a very old configuration. :-)

Then,

firewall_enable="YES"
firewall_type="/etc/ipfw.conf"

Then, be sure to have nice firewall settings, you can use things
similar to this, enabling just the services you really need and want,
it's easy to write your own one or to rewrite this:

-f flush
add divert natd ip  from any to any via xl0
add allow   tcp from any to any ftp in recv xl0
add allow   tcp from any to any ssh in recv xl0
add allow   tcp from any to any authin recv xl0
add allow   udp from any to any ntp in recv xl0
add allow   udp from any to any ntalk   in recv xl0
add denyudp from any to any x11 in recv xl0
add reset   tcp from any to any x11 in recv xl0
add allow   ipencap from any to any
add allow   ip  from any to any

This should work fine. NB to use the correct interface names.

References

   1. mailto:[EMAIL PROTECTED]
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Firewalls in FreeBSD?

2008-10-29 Thread Polytropon

If I understood you correctly, your setting is:

(Modem/Router)---DHCP---(FreeBSD)---("Windows")

I may respond directly on your configuration settings:

On Wed, 29 Oct 2008 20:19:31 -0500, Jack Barnett <[EMAIL PROTECTED]> wrote:
>  gateway_enable="YES"
>  #firewall_enable="YES"
>  #firewall_type="open"
>  firewall_type="simple"
>  #firewall_type="open"
>  firewall_logging="YES"

Use instead:

gateway_enable="YES"
natd_enable="YES"
natd_interface="xl0"

You may add special redirect directives to NATD's settings, such
as
natd_flags="-redirect_port tcp 192.168.1.2:5900 5900"
natd_flags="-redirect_port tcp 192.168.1.5:23 "

or
natd_flags="-redirect_address 192.168.1.2 141.44.165.58 \
-redirect_address 192.168.1.5 141.44.165.58"

Examples taken from a very old configuration. :-)

Then,

firewall_enable="YES"
firewall_type="/etc/ipfw.conf"

Then, be sure to have nice firewall settings, you can use things
similar to this, enabling just the services you really need and want,
it's easy to write your own one or to rewrite this:

-f flush
add divert natd ip  from any to any via xl0
add allow   tcp from any to any ftp in recv xl0
add allow   tcp from any to any ssh in recv xl0
add allow   tcp from any to any authin recv xl0
add allow   udp from any to any ntp in recv xl0
add allow   udp from any to any ntalk   in recv xl0
add denyudp from any to any x11 in recv xl0
add reset   tcp from any to any x11 in recv xl0
add allow   ipencap from any to any
add allow   ip  from any to any

This should work fine. NB to use the correct interface names.



-- 
Polytropon
>From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Firewalls in FreeBSD?

2008-10-29 Thread Jack Barnett


   Right now I have a Windows machine a FreeBSD natd/firewall then a
   cable modem.
   This is working for web surfing.  But I've been playing a lot of games
   lately and it doesn't work at all (for multiplayer/internet games).
   Basically the games send/receive data on random ports, and I think
   it's going out fine - but doesn't come back in.
   Is this a problem with nat or because I have a stateless firewall?
   I've played around with this on and off for the last while and haven't
   gotten any where with it.
   Do you think this would work better or at least be easier to
   configure/debug if I moved to pf instead?
   Do I need to run natd if I run pf?
   FreeBSD fire2 6.3-STABLE FreeBSD 6.3-STABLE #32: Tue Jan 22 22:21:30
   CST 2008

 gateway_enable="YES"
 #firewall_enable="YES"
 #firewall_type="open"
 firewall_type="simple"
 #firewall_type="open"
 firewall_logging="YES"
 ## PF
 #pf_enable="NO" # Enable PF (load module if
 required)
 #pf_rules="/etc/pf.conf" # rules definition file for pf
 #pf_flags="" # additional flags for pfctl
 startup
 #pflog_enable="YES"  # start pflogd(8)
 #pflog_logfile="/var/log/pflog"  # where pflogd should store the
 logfile
 #pflog_flags=""  # additional flags for pflogd
 startup
 ## NATD
 natd_enable="YES"
 natd_interface="xl0"
 natd_flags=" -f /etc/natd.conf"
 ifconfig_xl0="DHCP"
 ifconfig_dc0="inet 192.168.17.1 netmask 255.255.255.0"
 ifconfig_dc1="inet 192.168.18.1 netmask 255.255.255.0"
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Firewalls in FreeBSD?

Re: Firewalls in FreeBSD?

Re: Firewalls in FreeBSD?

Re: Firewalls in FreeBSD?

Re: Firewalls in FreeBSD?

Re: Firewalls in FreeBSD?

Re: Firewalls in FreeBSD?

Re: Firewalls in FreeBSD?

Re: Firewalls in FreeBSD?

Re: Firewalls in FreeBSD?

Re: Firewalls in FreeBSD?

Re: Firewalls in FreeBSD?

Re: Firewalls in FreeBSD?

Re: Firewalls in FreeBSD?

Re: Firewalls in FreeBSD?

Firewalls in FreeBSD?

16 matches

Site Navigation

Mail list logo

Footer information