Angelin Lalev wrote:
Two days ago I've switched the firewall on my FreeBSD 5.3 RELEASE
router from ipfw to ipfilter. The firewalls are not my speciality
and ipfilter looked simplier way to do NAT with firewall, because
it separates NAT rules from filtering rules.
The router has two interfaces rl0 (192.168.0.254/24) and rl1
(82.137.64.106/29, 192.168.5.1/24, 10.1.6.2/24).
The ipfilter is compiled in kernel:
==
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
/etc/ipnat.conf
map rl1 192.168.0.1/27 - 82.137.64.106/32
/etc/ipf.rules
pass in quick on lo0
pass out quick on lo0
pass out quick on rl0 all
pass in quick on rl0 all
pass in quick on rl1 proto tcp from 192.168.5.1/24 to 192.168.5.1 port =
80 flags S keep state
pass in quick on rl1 proto tcp from 192.168.5.1/24 to 192.168.5.1 port =
3128 flags S keep state
# local counter-strike server. No NAT.
pass in quick on rl1 from 192.168.5.1/24 to 192.168.0.50 keep state
block in quick on rl1 from 192.168.5.1/24 to any
pass out quick on rl1 all keep state
The problem
On 192.168.0.0/24 network I have 6 machines. The router itself is an old
166 MHz Pentium box, but load averages are not bigger than 10%. When one
of the machins makes dns lookup (the dns server is on outside -
62.73.78.2) it fails with timeout in about 9 of 10 times.
ipfstat -t shows that a rule is created - something like this:
Source IP Dest IPST PR
pkts.bytes 192.168.0.4,1029 62.73.78.2,53 0/0 udp
165 9992
Any help will be appreciated.
Well, the short answer is: there is no keep state in the line
pass in quick on rl0 all
the dns reply you get back times out because your default rule is block
and there is nowhere in the in rules for rl1 that allows the reply back.
Some recomendations:
1) I have a bit of dificulty understanding your network setup - why do
you have two private networks on your external interface? May scetch in
a diagram.
2) Having default block can be done by adding the rules
block in all
block out all
in the op of the ruleset rather than compile in the kernel. It makes
it explicit. It also means that you can connect if no rules are
pressent - this is usefull for installing while the machine is behind
a gateway.
Anyway, with your pass in all rules, you have almost effectively
disabled the default block anyway.
2) For your security, in all pass rules, state from and to even if
it is any it makes it more explicit. Split on protocols for
security and control.
3) At least when setting up your firewall, use log in all block rules
and enable ipmon, then you can see where your packets are blocked.
4) Use groups to structure your rules, and group them accordingly
visually. It makes them easier to manage and for large rulesets
optimises the firewall.
5) Always keep state! Doing so, all out rules only apply to the
gateway itself, it makes the ruleset shorter and firewall faster.
6) You probably want to enable the ftp-proxy in your nat-rule and define
which port-ranges are used for nat'ed connections.
and a lot more you'll learn along the way :-)
Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
