subject:"IPFW\/NATD Transparent Proxy"

RE: IPFW/NATD Transparent Proxy

2004-08-09 Thread Incoming Mail List


>Your ipfw rules are invalid.

They seem to work perfectly.  My only gripe is that static rule
#15100 is required to succeed with redirect_port from 1.2.3.4:80 to 
192.168.2.250:80 when 192.168.1.247 requests a web page using the domain
name for 1.2.3.4.  I'm looking for a solution that doesn't require rule
#15100.

>This causes the dynamic
>internal state table to cross match packets in error because it does
>not keep track of which interface the packet is from. This has been
>a long time bug in stateful rules for NATed interfaces. Technically
>your whole stateful environment is being forced to look like its
>working when in fact its all most useless.

How can that be?  If I'm on 192.168.2.100, I can make a request to
www.cnn.com and it works fine.  Yet I have no rule that allows any
packets to be accepted IN via my outside nic (de0), and no rule that
allows any port 80 OUT to my private lan on de2.  That sounds to me
like the dynamic rules are working.  How else are the packets getting
into de0 and out to de2?

>That is why the stateful + nated rule example from the new firewall
>rewrite uses skipto rules to work around this problem.

I'm using skipto's as well, just not using the keep-state parameter
on the skipto rule.  I don't believe the transparent proxy problem
I'm having is a result of skipto.  It's a chicken/egg issue when 
using stateful rules because either NATD or the original nic "remembers"
that the packet changed when it got redirected.

If I allow the stateful rule first, it gets created as
192.168.1.247 <-> 1.2.3.4
and immediately starts communicating with the outside interface due
to the dynamic rule bypassing the rest of the firewall.  So the
packets never get to go through the divert rule to be redirected
to 192.168.2.250.

If I go through divert first (as in my firewall example), the packet
matches rule 100, the destination gets changed to 192.168.2.250, and
the packet continues down through the firewall.  Great!  Next, it
matches on 300 and gets passed to 15000 where a the dynamic rule
192.168.1.247 <-> 192.168.2.250 gets created.  More greatness!  When
192.168.2.250 replies to 192.168.1.247, that packet also matches rule
100, gets diverted and NATD rewrites the source to the original IP
address so the packet is now configured as 1.2.3.4 -> 192.168.1.247.
Continued greatness!  But now, the packet gets denied at 15200 (remember
15100 does not exist in this example) because there's no rule to allow
1.2.3.4 to communicate with 192.168.1.247.  Hence, I have to add in
#15100 to explicitly allow 1.2.3.4 to communicate with 192.168.1.247.
In my example ruleset I simply allowed anything to go out via de1.


>Basically the unpublished rule of thumb
>is ipfw keep-state rules can not be used on the internal interface
>and external interface in same rule set. Keep-state rules can only
>be used on the external interface. There are no error messages to
>enforce this.

Actually, the only problem I've run into is the combination of
external/internal with NATD doing a redirect_port or redirect_address.
I've not run into any problems with external/internal and normal NATD
address translations.


J



IPFW RULES
==
00100 divert 9000 log ip from any to any
00200 allow log ip from any to any out via de0 keep-state
00300 skipto 15000 log ip from any to any via de1
00400 skipto 2 log ip from any to any via de2
00500 deny log ip from any to any
15000 allow log ip from any to any in via de1 keep-state
15100 allow log ip from any to any out via de1
15200 deny log ip from any to any
2 allow log ip from any to any in via de2 keep-state
20100 allow log ip from any to any dst-port 80 out via de2
keep-state
20200 deny log ip from any to any
20300 deny log ip from any to any


NATD Config File (/etc/natd.conf)
redirect_port tcp 192.168.2.250:80 1.2.3.4:80

NATD Command
/sbin/natd -dynamic -n de0 -p 9000 -f /etc/natd.conf

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: IPFW/NATD Transparent Proxy

2004-08-08 Thread mailist


de0 = 1.2.3.4 (make up any valid public ip) (mydomain.com)
de1 = 192.168.1.1
de2 = 192.168.2.1

When 192.168.1.247 requests a web page from MYDOMAIN.COM
the request needs to be forwarded to 192.168.2.250:80

In the ruleset below, 15100 is required for this to work.  If I pull out
15100 I get no response from the web page because there is no rule to allow 
1.2.3.4 back out to 192.168.1.247.  I can't find a solution that does not 
require an explicit rule to allow 1.2.3.4 back out to 192.168.1.247.  In 
other words, I can't find a set of rules that allows dynamic setup of
192.168.1.247: <-> 1.2.3.4:80
192.168.1.247: <-> 192.168.2.250:80

I hope this information helps.  Thanks in advance for pointing me in the right 
direction.

IPFW RULES
==
00100 divert 9000 log ip from any to any
00200 allow log ip from any to any out via de0 keep-state
00300 skipto 15000 log ip from any to any via de1
00400 skipto 2 log ip from any to any via de2
00500 deny log ip from any to any
15000 allow log ip from any to any in via de1 keep-state
15100 allow log ip from any to any out via de1
15200 deny log ip from any to any
2 allow log ip from any to any in via de2 keep-state
20100 allow log ip from any to any dst-port 80 out via de2 keep-state
20200 deny log ip from any to any
20300 deny log ip from any to any


NATD Config File (/etc/natd.conf)
redirect_port tcp 192.168.2.250:80 1.2.3.4:80

NATD Command
/sbin/natd -dynamic -n de0 -p 9000 -f /etc/natd.conf



On Sunday 08 August 2004 06:30 pm, Eric Crist wrote:
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Sunday, August 08, 2004 5:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: IPFW/NATD Transparent Proxy
> >
> > On Sunday 08 August 2004 04:38 pm, JJB wrote:
> > > A new rewrite of the FreeBSD handbook firewall section is currently
> > > being made ready for update to the handbook. You can get an
> >
> > in-process
> >
> > > copy from  www.a1poweruser.com/FBSD_firewall/
> >
> > The firewall rewrite only deals with a single public nic and
> > a single internal nic and does not have the information I require.
> >
> > > From what you posted looks like you want public internet users to
> > > access web server on one of your LAN machines. Both ipfw
> >
> > and ipfilter
> >
> > > does this normally with port redirect.
> >
> > No, I want a user on 192.168.1.247 to be redirected to
> > 192.168.2.250:80 when
> > they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number
> > on the FreeBSD
> > internet gateway.  Again, the configuration is
> > de0 = PUBLIC IP = 1.2.3.4
> > de1 = 192.168.1.1
> > de2 = 192.168.2.1
> >
> > I don't have a problem with incoming requests for 1.2.3.4:80
> > from the Internet
> > being redirected to 192.168.2.250.  That works fine.  But I
> > want someone on
> > 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when
> > they request the
> > public address 1.2.3.4:80.
>
> Could you send us (or me, peronally) your firewall script, and the
> address you want to use?
>
> Thanks.
>
> Eric F Crist

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: IPFW/NATD Transparent Proxy

2004-08-08 Thread Pat Lashley

--On Sunday, August 08, 2004 18:43:21 -0400 [EMAIL PROTECTED] wrote:
No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when
they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD
internet gateway.  Again, the configuration is
de0 = PUBLIC IP = 1.2.3.4
de1 = 192.168.1.1
de2 = 192.168.2.1
I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet
being redirected to 192.168.2.250.  That works fine.  But I want someone on
192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the
public address 1.2.3.4:80.
Put another way, I have a FreeBSD server acting as a Router/Firewall.  It has
a public interface with an IP number of 1.2.3.4 and is assigned the DNS name
www.ishouldhaveusedipfilter.com.  It also has a second NIC that supports a
private address space of 192.168.1.0/255.255.255.0 and a third NIC that
supports a private address space of 192.168.2.0/255.255.255.0
When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com
they get redirected to 192.168.2.250 because I've included a redirect_port
rule for NATD.  This works fine.  But, users on all private networks (I have
two, but there could be 20) also need to be redirected to 192.168.2.250 when
they try to go to www.ishouldhaveusedipfilter.com   So the user sitting at
192.168.1.247 shouldn't have to worry about putting in the IP number of the
company web server, they should just be able to put in the company domain
name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250
just like anyone coming from the outside.
It seems to me that the best way to handle this is through DNS.  Hosts
within your LAN should find www.ishouldhaveusedipfilter.com to 192.168.2.250
instead of 1.2.3.4.
Typically, you would have an externally visible DNS server which is authorititave
for your domain; and which lists only the publicly visible machines and IP addresses.
(It should -NOT- handle referrals at all.)  Somewhere within your LAN you would have
another DNS server that is authoritative for your internal domain and IP range.  It
may handle referrals; but it is safer to have a completely separate DNS server which
just handles referrals (and possibly caches results) - it should be explicitly told
to use your LAN's authoritative server for your domain and IP range.
With this setup, outside machines see the public address, which is redirected
via your firewall/NAT rules; but internal machines see the internal address and
access it directly.
-Pat
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

RE: IPFW/NATD Transparent Proxy

2004-08-08 Thread Eric Crist

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Sunday, August 08, 2004 5:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: IPFW/NATD Transparent Proxy
>
>
>
> On Sunday 08 August 2004 04:38 pm, JJB wrote:
> > A new rewrite of the FreeBSD handbook firewall section is currently
> > being made ready for update to the handbook. You can get an
> in-process
> > copy from  www.a1poweruser.com/FBSD_firewall/
>
> The firewall rewrite only deals with a single public nic and
> a single internal nic and does not have the information I require.
>
> > From what you posted looks like you want public internet users to
> > access web server on one of your LAN machines. Both ipfw
> and ipfilter
> > does this normally with port redirect.
>
> No, I want a user on 192.168.1.247 to be redirected to
> 192.168.2.250:80 when
> they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number
> on the FreeBSD
> internet gateway.  Again, the configuration is
>   de0 = PUBLIC IP = 1.2.3.4
>   de1 = 192.168.1.1
>   de2 = 192.168.2.1
>
> I don't have a problem with incoming requests for 1.2.3.4:80
> from the Internet
> being redirected to 192.168.2.250.  That works fine.  But I
> want someone on
> 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when
> they request the
> public address 1.2.3.4:80.
>

Could you send us (or me, peronally) your firewall script, and the
address you want to use?

Thanks.

Eric F Crist


___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: IPFW/NATD Transparent Proxy

2004-08-08 Thread mailist

On Sunday 08 August 2004 04:38 pm, JJB wrote:
> A new rewrite of the FreeBSD handbook firewall section is currently
> being made ready for update to the handbook. You can get an
> in-process copy from  www.a1poweruser.com/FBSD_firewall/

The firewall rewrite only deals with a single public nic and a single
internal nic and does not have the information I require.  

> From what you posted looks like you want public internet users to
> access web server on one of your LAN machines. Both ipfw and
> ipfilter does this normally with port redirect.

No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when 
they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD 
internet gateway.  Again, the configuration is
de0 = PUBLIC IP = 1.2.3.4
de1 = 192.168.1.1
de2 = 192.168.2.1

I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet 
being redirected to 192.168.2.250.  That works fine.  But I want someone on 
192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the 
public address 1.2.3.4:80.

Put another way, I have a FreeBSD server acting as a Router/Firewall.  It has 
a public interface with an IP number of 1.2.3.4 and is assigned the DNS name 
www.ishouldhaveusedipfilter.com.  It also has a second NIC that supports a 
private address space of 192.168.1.0/255.255.255.0 and a third NIC that 
supports a private address space of 192.168.2.0/255.255.255.0

When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com 
they get redirected to 192.168.2.250 because I've included a redirect_port 
rule for NATD.  This works fine.  But, users on all private networks (I have 
two, but there could be 20) also need to be redirected to 192.168.2.250 when 
they try to go to www.ishouldhaveusedipfilter.com   So the user sitting at 
192.168.1.247 shouldn't have to worry about putting in the IP number of the 
company web server, they should just be able to put in the company domain 
name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250 
just like anyone coming from the outside.

> You need to post
> more info about your system config.
> Post the full contents of your rc.conf and  firewall rules files.

My rc.conf file is properly configured and has no bearing on my question.  My 
gateway works fine from public to private IP space and private to public IP 
space.  I've tried so many combination of rules and NATD options that I 
wouldn't know what to post.  What I need is someone who has completed a 
similar configuration to send me their configuration (change the IP numbers
if you like).  From what I can see, I don't believe this is possible with 
stateful rules.  Let me add that I've been successful with stateless rules, 
but I'd like to use 100% stateful if possible.

>
> The limit you write about ipfilter is not true.

>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: Sunday, August 08, 2004 2:11 PM
> To: [EMAIL PROTECTED]
> Subject: IPFW/NATD Transparent Proxy
>
>
> Anyone up for a challenge?
>
> I've come to the conclusion that IPFW/NATD cannot support
> transparent
> proxying with ONLY stateful rules.  I'd like to hear from anyone who
> has
> been successful doing so in case I'm missing something.
>
> Configuration is:
> FreeBSD 5.2.1
> 3 - NICS (de0, de1, de2)
> de1 = Public IP = 1.2.3.4
> de2 = LAN1 = 192.168.1.0
> de3 = LAN2 = 192.168.2.0
>
> The challenge:
> 1) TCP request from 192.168.1.247 to 1.2.3.4:80
> 2) Redirect 1.2.3.4:80 to 192.168.2.250:80
> 3) Use stateful rules
>
> On another note, I read somewhere on the Internet that IPFILTER has
> a
> limitation in that it cannot redirect a public destination to a
> private
> destination if the source machine is on the same subnet as the
> redirected
> destination.  In other words, the following supposedly will not
> work:
> 1) A tcp request from 192.168.1.247 to 1.2.3.4:80
> 2) Redirect 1.2.3.4:80 to 192.168.1.100:80
>
> Is this an accurate limitation of IPFILTER?
>
>
>
> J
>
> ___
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "[EMAIL PROTECTED]"

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

RE: IPFW/NATD Transparent Proxy

2004-08-08 Thread JJB

A new rewrite of the FreeBSD handbook firewall section is currently
being made ready for update to the handbook. You can get an
in-process copy from  www.a1poweruser.com/FBSD_firewall/




>From what you posted looks like you want public internet users to
access web server on one of your LAN machines. Both ipfw and
ipfilter does this normally with port redirect. You need to post
more info about your system config.
Post the full contents of your rc.conf and  firewall rules files.

The limit you write about ipfilter is not true.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Sunday, August 08, 2004 2:11 PM
To: [EMAIL PROTECTED]
Subject: IPFW/NATD Transparent Proxy


Anyone up for a challenge?

I've come to the conclusion that IPFW/NATD cannot support
transparent
proxying with ONLY stateful rules.  I'd like to hear from anyone who
has
been successful doing so in case I'm missing something.

Configuration is:
FreeBSD 5.2.1
3 - NICS (de0, de1, de2)
de1 = Public IP = 1.2.3.4
de2 = LAN1 = 192.168.1.0
de3 = LAN2 = 192.168.2.0

The challenge:
1) TCP request from 192.168.1.247 to 1.2.3.4:80
2) Redirect 1.2.3.4:80 to 192.168.2.250:80
3) Use stateful rules

On another note, I read somewhere on the Internet that IPFILTER has
a
limitation in that it cannot redirect a public destination to a
private
destination if the source machine is on the same subnet as the
redirected
destination.  In other words, the following supposedly will not
work:
1) A tcp request from 192.168.1.247 to 1.2.3.4:80
2) Redirect 1.2.3.4:80 to 192.168.1.100:80

Is this an accurate limitation of IPFILTER?



J

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"[EMAIL PROTECTED]"

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

IPFW/NATD Transparent Proxy

2004-08-08 Thread mailist


Anyone up for a challenge?

I've come to the conclusion that IPFW/NATD cannot support transparent
proxying with ONLY stateful rules.  I'd like to hear from anyone who has
been successful doing so in case I'm missing something.

Configuration is:
FreeBSD 5.2.1
3 - NICS (de0, de1, de2)
de1 = Public IP = 1.2.3.4
de2 = LAN1 = 192.168.1.0
de3 = LAN2 = 192.168.2.0

The challenge:
1) TCP request from 192.168.1.247 to 1.2.3.4:80
2) Redirect 1.2.3.4:80 to 192.168.2.250:80
3) Use stateful rules

On another note, I read somewhere on the Internet that IPFILTER has a 
limitation in that it cannot redirect a public destination to a private 
destination if the source machine is on the same subnet as the redirected 
destination.  In other words, the following supposedly will not work:
1) A tcp request from 192.168.1.247 to 1.2.3.4:80
2) Redirect 1.2.3.4:80 to 192.168.1.100:80

Is this an accurate limitation of IPFILTER?



J

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

RE: IPFW/NATD Transparent Proxy

Re: IPFW/NATD Transparent Proxy

Re: IPFW/NATD Transparent Proxy

RE: IPFW/NATD Transparent Proxy

Re: IPFW/NATD Transparent Proxy

RE: IPFW/NATD Transparent Proxy

IPFW/NATD Transparent Proxy

7 matches

Site Navigation

Mail list logo

Footer information