RE: IPFW/NATD Transparent Proxy
> Your ipfw rules are invalid.

They seem to work perfectly. My only gripe is that static rule #15100 is required to succeed with redirect_port from 1.2.3.4:80 to 192.168.2.250:80 when 192.168.1.247 requests a web page using the domain name for 1.2.3.4. I'm looking for a solution that doesn't require rule #15100.

> This causes the dynamic internal state table to cross match packets in error because it does not keep track of which interface the packet is from. This has been a long time bug in stateful rules for NATed interfaces. Technically your whole stateful environment is being forced to look like it's working when in fact it's almost useless.

How can that be? If I'm on 192.168.2.100, I can make a request to www.cnn.com and it works fine. Yet I have no rule that allows any packets to be accepted IN via my outside nic (de0), and no rule that allows any port 80 OUT to my private lan on de2. That sounds to me like the dynamic rules are working. How else are the packets getting into de0 and out to de2?

> That is why the stateful + nated rule example from the new firewall rewrite uses skipto rules to work around this problem.

I'm using skiptos as well, just not using the keep-state parameter on the skipto rule. I don't believe the transparent proxy problem I'm having is a result of skipto. It's a chicken/egg issue when using stateful rules because either NATD or the original nic "remembers" that the packet changed when it got redirected.

If I allow the stateful rule first, it gets created as 192.168.1.247 <-> 1.2.3.4 and immediately starts communicating with the outside interface due to the dynamic rule bypassing the rest of the firewall. So the packets never get to go through the divert rule to be redirected to 192.168.2.250.

If I go through divert first (as in my firewall example), the packet matches rule 100, the destination gets changed to 192.168.2.250, and the packet continues down through the firewall. Great! Next, it matches on 300 and gets passed to 15000 where the dynamic rule 192.168.1.247 <-> 192.168.2.250 gets created. More greatness! When 192.168.2.250 replies to 192.168.1.247, that packet also matches rule 100, gets diverted and NATD rewrites the source to the original IP address so the packet is now configured as 1.2.3.4 -> 192.168.1.247. Continued greatness! But now, the packet gets denied at 15200 (remember 15100 does not exist in this example) because there's no rule to allow 1.2.3.4 to communicate with 192.168.1.247. Hence, I have to add in #15100 to explicitly allow 1.2.3.4 to communicate with 192.168.1.247. In my example ruleset I simply allowed anything to go out via de1.

> Basically the unpublished rule of thumb is ipfw keep-state rules can not be used on the internal interface and external interface in same rule set. Keep-state rules can only be used on the external interface. There are no error messages to enforce this.

Actually, the only problem I've run into is the combination of external/internal with NATD doing a redirect_port or redirect_address. I've not run into any problems with external/internal and normal NATD address translations.

J

IPFW RULES
==
00100 divert 9000 log ip from any to any
00200 allow log ip from any to any out via de0 keep-state
00300 skipto 15000 log ip from any to any via de1
00400 skipto 20000 log ip from any to any via de2
00500 deny log ip from any to any
15000 allow log ip from any to any in via de1 keep-state
15100 allow log ip from any to any out via de1
15200 deny log ip from any to any
20000 allow log ip from any to any in via de2 keep-state
20100 allow log ip from any to any dst-port 80 out via de2 keep-state
20200 deny log ip from any to any
20300 deny log ip from any to any

NATD Config File (/etc/natd.conf)
redirect_port tcp 192.168.2.250:80 1.2.3.4:80

NATD Command
/sbin/natd -dynamic -n de0 -p 9000 -f /etc/natd.conf

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
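To make the packet walk in the message above concrete, here is a small Python model of the posted ruleset and natd's redirect_port, written for this page; it is not code from the thread and not ipfw or natd itself. It assumes the simplified behaviour stated in its docstring (dynamic table keyed on addresses and ports only, natd rewriting the redirected request and its reply as the post describes, two ipfw passes per forwarded packet) and a made-up client port 4321; `hairpin()` and `without()` are names introduced here. Running it with and without rule 15100 reproduces the post's trace: the only dynamic entry is 192.168.1.247 <-> 192.168.2.250, the reply leaves de1 as 1.2.3.4:80 -> 192.168.1.247 after natd has rewritten it, and that packet is accepted by 15100 or, when 15100 is missing, denied by 15200.

```python
"""Trace the posted ruleset with and without rule 15100 for the hairpin case
192.168.1.247 -> 1.2.3.4:80.  Added example, not code from the thread.  Model
assumptions: ipfw consults its dynamic table at the first keep-state rule a
packet reaches and keys entries on addresses/ports only (no interface); natd
redirects 1.2.3.4:80 -> 192.168.2.250:80 on incoming packets and rewrites the
matching reply's source back to 1.2.3.4:80 on the way out, as the post says;
each forwarded packet passes ipfw 'in' on the arrival NIC and 'out' on the
exit NIC.  Client port 4321 is made up."""
from dataclasses import dataclass, replace

RULESET = """\
00100 divert 9000 log ip from any to any
00200 allow log ip from any to any out via de0 keep-state
00300 skipto 15000 log ip from any to any via de1
00400 skipto 20000 log ip from any to any via de2
00500 deny log ip from any to any
15000 allow log ip from any to any in via de1 keep-state
15100 allow log ip from any to any out via de1
15200 deny log ip from any to any
20000 allow log ip from any to any in via de2 keep-state
20100 allow log ip from any to any dst-port 80 out via de2 keep-state
20200 deny log ip from any to any
"""

@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str
    dir: str  # 'in' or 'out'

def parse_rule(line):
    """Pick the fields this model needs out of an 'ipfw list' style line."""
    tok = line.split()
    r = {"num": int(tok[0]), "action": tok[1], "target": None, "iface": None,
         "dir": None, "dport": None, "keep": "keep-state" in tok}
    if r["action"] in ("divert", "skipto"):
        r["target"] = int(tok[2])
    for i, t in enumerate(tok):
        if t == "via": r["iface"] = tok[i + 1]
        elif t in ("in", "out"): r["dir"] = t
        elif t == "dst-port": r["dport"] = int(tok[i + 1])
    return r

def static_match(r, p):
    return (r["iface"] in (None, p.iface) and r["dir"] in (None, p.dir)
            and r["dport"] in (None, p.dport))

class Natd:
    """natd -n de0 with 'redirect_port tcp 192.168.2.250:80 1.2.3.4:80'."""
    def __init__(self, alias, target):
        self.alias, self.target, self.links = alias, target, set()

    def translate(self, p):
        if p.dir == "in" and (p.dst, p.dport) == self.alias:
            self.links.add((p.src, p.sport))  # remember who got redirected
            p.dst, p.dport = self.target      # 1.2.3.4:80 -> 192.168.2.250:80
        elif (p.dir == "out" and (p.src, p.sport) == self.target
              and (p.dst, p.dport) in self.links):
            p.src, p.sport = self.alias       # reply now appears to come from 1.2.3.4:80

class Ipfw:
    def __init__(self, ruleset, natd):
        self.rules = sorted(map(parse_rule, ruleset.splitlines()), key=lambda r: r["num"])
        self.natd, self.dyn, self.trace = natd, {}, []

    @staticmethod
    def key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def walk(self, p):
        """One pass through the rules; returns 'allow' or 'deny'. natd rewrites p in place."""
        i = 0
        while i < len(self.rules):
            r = self.rules[i]
            if r["keep"] and self.key(p) in self.dyn:  # implicit check-state
                parent, action = self.dyn[self.key(p)]
                self.trace.append(f"{r['num']} dynamic match (parent {parent}): {action}")
                return action
            if not static_match(r, p):
                i += 1
                continue
            self.trace.append(f"{r['num']} {r['action']}: {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.dir} via {p.iface}")
            if r["action"] == "divert":
                self.natd.translate(p)
                i += 1
            elif r["action"] == "skipto":
                i = next(j for j, x in enumerate(self.rules) if x["num"] >= r["target"])
            else:
                if r["keep"]:
                    self.dyn[self.key(p)] = (r["num"], r["action"])
                return r["action"]
        return "deny"  # ipfw's implicit default

def hairpin(ruleset):
    """Request 192.168.1.247:4321 -> 1.2.3.4:80 plus the reply, each seen on input
    and on output.  Returns the four verdicts, the rule trace and the dynamic entries."""
    fw = Ipfw(ruleset, Natd(("1.2.3.4", 80), ("192.168.2.250", 80)))
    req = Pkt("192.168.1.247", 4321, "1.2.3.4", 80, "de1", "in")
    verdicts = [fw.walk(req)]                  # in on de1: natd rewrites the destination
    req = replace(req, iface="de2", dir="out")
    verdicts.append(fw.walk(req))              # out on de2
    rep = Pkt(req.dst, req.dport, req.src, req.sport, "de2", "in")
    verdicts.append(fw.walk(rep))              # reply in on de2
    rep = replace(rep, iface="de1", dir="out")
    verdicts.append(fw.walk(rep))              # reply out on de1: natd restores 1.2.3.4:80
    return verdicts, fw.trace, sorted(sorted(k) for k in fw.dyn)

def without(ruleset, num):
    """Drop one rule, to reproduce 'remember 15100 does not exist in this example'."""
    return "\n".join(l for l in ruleset.splitlines() if not l.startswith(f"{num:05d}"))
```

Print `hairpin(RULESET)` and `hairpin(without(RULESET, 15100))` to see both traces side by side; the model deliberately omits natd's handling of the outgoing request on de2 and of non-redirected traffic, because the post does not describe them and they do not change which rule decides the reply.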
Re: IPFW/NATD Transparent Proxy
de0 = 1.2.3.4 (make up any valid public ip) (mydomain.com)
de1 = 192.168.1.1
de2 = 192.168.2.1

When 192.168.1.247 requests a web page from MYDOMAIN.COM the request needs to be forwarded to 192.168.2.250:80.

In the ruleset below, 15100 is required for this to work. If I pull out 15100 I get no response from the web page because there is no rule to allow 1.2.3.4 back out to 192.168.1.247. I can't find a solution that does not require an explicit rule to allow 1.2.3.4 back out to 192.168.1.247. In other words, I can't find a set of rules that allows dynamic setup of

192.168.1.247: <-> 1.2.3.4:80
192.168.1.247: <-> 192.168.2.250:80

I hope this information helps. Thanks in advance for pointing me in the right direction.

IPFW RULES
==
00100 divert 9000 log ip from any to any
00200 allow log ip from any to any out via de0 keep-state
00300 skipto 15000 log ip from any to any via de1
00400 skipto 20000 log ip from any to any via de2
00500 deny log ip from any to any
15000 allow log ip from any to any in via de1 keep-state
15100 allow log ip from any to any out via de1
15200 deny log ip from any to any
20000 allow log ip from any to any in via de2 keep-state
20100 allow log ip from any to any dst-port 80 out via de2 keep-state
20200 deny log ip from any to any
20300 deny log ip from any to any

NATD Config File (/etc/natd.conf)
redirect_port tcp 192.168.2.250:80 1.2.3.4:80

NATD Command
/sbin/natd -dynamic -n de0 -p 9000 -f /etc/natd.conf

On Sunday 08 August 2004 06:30 pm, Eric Crist wrote:
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: Sunday, August 08, 2004 5:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: IPFW/NATD Transparent Proxy
> >
> > On Sunday 08 August 2004 04:38 pm, JJB wrote:
> > > A new rewrite of the FreeBSD handbook firewall section is currently being made ready for update to the handbook. You can get an in-process copy from www.a1poweruser.com/FBSD_firewall/
> >
> > The firewall rewrite only deals with a single public nic and a single internal nic and does not have the information I require.
> >
> > > From what you posted looks like you want public internet users to access web server on one of your LAN machines. Both ipfw and ipfilter do this normally with port redirect.
> >
> > No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD internet gateway. Again, the configuration is
> > de0 = PUBLIC IP = 1.2.3.4
> > de1 = 192.168.1.1
> > de2 = 192.168.2.1
> >
> > I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet being redirected to 192.168.2.250. That works fine. But I want someone on 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the public address 1.2.3.4:80.
>
> Could you send us (or me, personally) your firewall script, and the address you want to use?
>
> Thanks.
>
> Eric F Crist
Re: IPFW/NATD Transparent Proxy
--On Sunday, August 08, 2004 18:43:21 -0400 [EMAIL PROTECTED] wrote:

> No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD internet gateway. Again, the configuration is
> de0 = PUBLIC IP = 1.2.3.4
> de1 = 192.168.1.1
> de2 = 192.168.2.1
>
> I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet being redirected to 192.168.2.250. That works fine. But I want someone on 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the public address 1.2.3.4:80.
>
> Put another way, I have a FreeBSD server acting as a Router/Firewall. It has a public interface with an IP number of 1.2.3.4 and is assigned the DNS name www.ishouldhaveusedipfilter.com. It also has a second NIC that supports a private address space of 192.168.1.0/255.255.255.0 and a third NIC that supports a private address space of 192.168.2.0/255.255.255.0.
>
> When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com they get redirected to 192.168.2.250 because I've included a redirect_port rule for NATD. This works fine. But, users on all private networks (I have two, but there could be 20) also need to be redirected to 192.168.2.250 when they try to go to www.ishouldhaveusedipfilter.com.
>
> So the user sitting at 192.168.1.247 shouldn't have to worry about putting in the IP number of the company web server, they should just be able to put in the company domain name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250 just like anyone coming from the outside.

It seems to me that the best way to handle this is through DNS. Hosts within your LAN should resolve www.ishouldhaveusedipfilter.com to 192.168.2.250 instead of 1.2.3.4.

Typically, you would have an externally visible DNS server which is authoritative for your domain and which lists only the publicly visible machines and IP addresses. (It should -NOT- handle referrals at all.) Somewhere within your LAN you would have another DNS server that is authoritative for your internal domain and IP range. It may handle referrals; but it is safer to have a completely separate DNS server which just handles referrals (and possibly caches results) - it should be explicitly told to use your LAN's authoritative server for your domain and IP range.

With this setup, outside machines see the public address, which is redirected via your firewall/NAT rules; but internal machines see the internal address and access it directly.

-Pat
RE: IPFW/NATD Transparent Proxy
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Sunday, August 08, 2004 5:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: IPFW/NATD Transparent Proxy
>
> On Sunday 08 August 2004 04:38 pm, JJB wrote:
> > A new rewrite of the FreeBSD handbook firewall section is currently being made ready for update to the handbook. You can get an in-process copy from www.a1poweruser.com/FBSD_firewall/
>
> The firewall rewrite only deals with a single public nic and a single internal nic and does not have the information I require.
>
> > From what you posted looks like you want public internet users to access web server on one of your LAN machines. Both ipfw and ipfilter do this normally with port redirect.
>
> No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD internet gateway. Again, the configuration is
> de0 = PUBLIC IP = 1.2.3.4
> de1 = 192.168.1.1
> de2 = 192.168.2.1
>
> I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet being redirected to 192.168.2.250. That works fine. But I want someone on 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the public address 1.2.3.4:80.

Could you send us (or me, personally) your firewall script, and the address you want to use?

Thanks.

Eric F Crist
Re: IPFW/NATD Transparent Proxy
On Sunday 08 August 2004 04:38 pm, JJB wrote:
> A new rewrite of the FreeBSD handbook firewall section is currently being made ready for update to the handbook. You can get an in-process copy from www.a1poweruser.com/FBSD_firewall/

The firewall rewrite only deals with a single public nic and a single internal nic and does not have the information I require.

> From what you posted looks like you want public internet users to access web server on one of your LAN machines. Both ipfw and ipfilter do this normally with port redirect.

No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD internet gateway. Again, the configuration is
de0 = PUBLIC IP = 1.2.3.4
de1 = 192.168.1.1
de2 = 192.168.2.1

I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet being redirected to 192.168.2.250. That works fine. But I want someone on 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the public address 1.2.3.4:80.

Put another way, I have a FreeBSD server acting as a Router/Firewall. It has a public interface with an IP number of 1.2.3.4 and is assigned the DNS name www.ishouldhaveusedipfilter.com. It also has a second NIC that supports a private address space of 192.168.1.0/255.255.255.0 and a third NIC that supports a private address space of 192.168.2.0/255.255.255.0.

When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com they get redirected to 192.168.2.250 because I've included a redirect_port rule for NATD. This works fine. But, users on all private networks (I have two, but there could be 20) also need to be redirected to 192.168.2.250 when they try to go to www.ishouldhaveusedipfilter.com.

So the user sitting at 192.168.1.247 shouldn't have to worry about putting in the IP number of the company web server, they should just be able to put in the company domain name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250 just like anyone coming from the outside.

> You need to post more info about your system config. Post the full contents of your rc.conf and firewall rules files.

My rc.conf file is properly configured and has no bearing on my question. My gateway works fine from public to private IP space and private to public IP space. I've tried so many combinations of rules and NATD options that I wouldn't know what to post. What I need is someone who has completed a similar configuration to send me their configuration (change the IP numbers if you like). From what I can see, I don't believe this is possible with stateful rules. Let me add that I've been successful with stateless rules, but I'd like to use 100% stateful if possible.

> The limit you write about ipfilter is not true.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
> Sent: Sunday, August 08, 2004 2:11 PM
> To: [EMAIL PROTECTED]
> Subject: IPFW/NATD Transparent Proxy
>
> Anyone up for a challenge?
>
> I've come to the conclusion that IPFW/NATD cannot support transparent proxying with ONLY stateful rules. I'd like to hear from anyone who has been successful doing so in case I'm missing something.
>
> Configuration is:
> FreeBSD 5.2.1
> 3 - NICS (de0, de1, de2)
> de1 = Public IP = 1.2.3.4
> de2 = LAN1 = 192.168.1.0
> de3 = LAN2 = 192.168.2.0
>
> The challenge:
> 1) TCP request from 192.168.1.247 to 1.2.3.4:80
> 2) Redirect 1.2.3.4:80 to 192.168.2.250:80
> 3) Use stateful rules
>
> On another note, I read somewhere on the Internet that IPFILTER has a limitation in that it cannot redirect a public destination to a private destination if the source machine is on the same subnet as the redirected destination. In other words, the following supposedly will not work:
> 1) A tcp request from 192.168.1.247 to 1.2.3.4:80
> 2) Redirect 1.2.3.4:80 to 192.168.1.100:80
>
> Is this an accurate limitation of IPFILTER?
>
> J
RE: IPFW/NATD Transparent Proxy
A new rewrite of the FreeBSD handbook firewall section is currently being made ready for update to the handbook. You can get an in-process copy from www.a1poweruser.com/FBSD_firewall/

From what you posted looks like you want public internet users to access web server on one of your LAN machines. Both ipfw and ipfilter do this normally with port redirect.

You need to post more info about your system config. Post the full contents of your rc.conf and firewall rules files.

The limit you write about ipfilter is not true.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Sunday, August 08, 2004 2:11 PM
To: [EMAIL PROTECTED]
Subject: IPFW/NATD Transparent Proxy

Anyone up for a challenge?

I've come to the conclusion that IPFW/NATD cannot support transparent proxying with ONLY stateful rules. I'd like to hear from anyone who has been successful doing so in case I'm missing something.

Configuration is:
FreeBSD 5.2.1
3 - NICS (de0, de1, de2)
de1 = Public IP = 1.2.3.4
de2 = LAN1 = 192.168.1.0
de3 = LAN2 = 192.168.2.0

The challenge:
1) TCP request from 192.168.1.247 to 1.2.3.4:80
2) Redirect 1.2.3.4:80 to 192.168.2.250:80
3) Use stateful rules

On another note, I read somewhere on the Internet that IPFILTER has a limitation in that it cannot redirect a public destination to a private destination if the source machine is on the same subnet as the redirected destination. In other words, the following supposedly will not work:
1) A tcp request from 192.168.1.247 to 1.2.3.4:80
2) Redirect 1.2.3.4:80 to 192.168.1.100:80

Is this an accurate limitation of IPFILTER?

J
IPFW/NATD Transparent Proxy
Anyone up for a challenge?

I've come to the conclusion that IPFW/NATD cannot support transparent proxying with ONLY stateful rules. I'd like to hear from anyone who has been successful doing so in case I'm missing something.

Configuration is:
FreeBSD 5.2.1
3 - NICS (de0, de1, de2)
de1 = Public IP = 1.2.3.4
de2 = LAN1 = 192.168.1.0
de3 = LAN2 = 192.168.2.0

The challenge:
1) TCP request from 192.168.1.247 to 1.2.3.4:80
2) Redirect 1.2.3.4:80 to 192.168.2.250:80
3) Use stateful rules

On another note, I read somewhere on the Internet that IPFILTER has a limitation in that it cannot redirect a public destination to a private destination if the source machine is on the same subnet as the redirected destination. In other words, the following supposedly will not work:
1) A tcp request from 192.168.1.247 to 1.2.3.4:80
2) Redirect 1.2.3.4:80 to 192.168.1.100:80

Is this an accurate limitation of IPFILTER?

J