RE: IPFW/NATD Transparent Proxy

2004-08-09 Thread Incoming Mail List

> Your ipfw rules are invalid.

They seem to work perfectly.  My only gripe is that static rule
#15100 is required to succeed with redirect_port from 1.2.3.4:80 to 
192.168.2.250:80 when 192.168.1.247 requests a web page using the domain
name for 1.2.3.4.  I'm looking for a solution that doesn't require rule
#15100.

> This causes the dynamic
> internal state table to cross match packets in error because it does
> not keep track of which interface the packet is from. This has been
> a long-time bug in stateful rules for NATed interfaces. Technically
> your whole stateful environment is being forced to look like it's
> working when in fact it's almost useless.

How can that be?  If I'm on 192.168.2.100, I can make a request to
www.cnn.com and it works fine.  Yet I have no rule that allows any
packets to be accepted IN via my outside nic (de0), and no rule that
allows any port 80 OUT to my private lan on de2.  That sounds to me
like the dynamic rules are working.  How else are the packets getting
into de0 and out to de2?

> That is why the stateful + nated rule example from the new firewall
> rewrite uses skipto rules to work around this problem.

I'm using skipto's as well, just not using the keep-state parameter
on the skipto rule.  I don't believe the transparent proxy problem
I'm having is a result of skipto.  It's a chicken/egg issue when 
using stateful rules because either NATD or the original nic remembers
that the packet changed when it got redirected.

If I allow the stateful rule first, it gets created as
192.168.1.247 - 1.2.3.4
and immediately starts communicating with the outside interface due
to the dynamic rule bypassing the rest of the firewall.  So the
packets never get to go through the divert rule to be redirected
to 192.168.2.250.

If I go through divert first (as in my firewall example), the packet
matches rule 100, the destination gets changed to 192.168.2.250, and
the packet continues down through the firewall.  Great!  Next, it
matches on 300 and gets passed to 15000 where the dynamic rule
192.168.1.247 - 192.168.2.250 gets created.  More greatness!  When
192.168.2.250 replies to 192.168.1.247, that packet also matches rule
100, gets diverted and NATD rewrites the source to the original IP
address so the packet is now configured as 1.2.3.4 - 192.168.1.247.
Continued greatness!  But now, the packet gets denied at 15200 (remember
15100 does not exist in this example) because there's no rule to allow
1.2.3.4 to communicate with 192.168.1.247.  Hence, I have to add in
#15100 to explicitly allow 1.2.3.4 to communicate with 192.168.1.247.
In my example ruleset I simply allowed anything to go out via de1.


> Basically the unpublished rule of thumb
> is ipfw keep-state rules cannot be used on the internal interface
> and external interface in the same rule set. Keep-state rules can only
> be used on the external interface. There are no error messages to
> enforce this.

Actually, the only problem I've run into is the combination of
external/internal with NATD doing a redirect_port or redirect_address.
I've not run into any problems with external/internal and normal NATD
address translations.


J



IPFW RULES
==
00100 divert 9000 log ip from any to any
00200 allow log ip from any to any out via de0 keep-state
00300 skipto 15000 log ip from any to any via de1
00400 skipto 20000 log ip from any to any via de2
00500 deny log ip from any to any
15000 allow log ip from any to any in via de1 keep-state
15100 allow log ip from any to any out via de1
15200 deny log ip from any to any
20000 allow log ip from any to any in via de2 keep-state
20100 allow log ip from any to any dst-port 80 out via de2 keep-state
20200 deny log ip from any to any
20300 deny log ip from any to any


NATD Config File (/etc/natd.conf)
redirect_port tcp 192.168.2.250:80 1.2.3.4:80

NATD Command
/sbin/natd -dynamic -n de0 -p 9000 -f /etc/natd.conf

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


RE: IPFW/NATD Transparent Proxy

2004-08-08 Thread JJB
A new rewrite of the FreeBSD handbook firewall section is currently
being made ready for update to the handbook. You can get an
in-process copy from  www.a1poweruser.com/FBSD_firewall/




From what you posted it looks like you want public internet users to
access a web server on one of your LAN machines. Both ipfw and
ipfilter do this normally with port redirect. You need to post
more info about your system config.
Post the full contents of your rc.conf and  firewall rules files.

The limit you write about ipfilter is not true.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Sunday, August 08, 2004 2:11 PM
To: [EMAIL PROTECTED]
Subject: IPFW/NATD Transparent Proxy


Anyone up for a challenge?

I've come to the conclusion that IPFW/NATD cannot support transparent
proxying with ONLY stateful rules.  I'd like to hear from anyone who has
been successful doing so in case I'm missing something.

Configuration is:
FreeBSD 5.2.1
3 - NICS (de0, de1, de2)
de1 = Public IP = 1.2.3.4
de2 = LAN1 = 192.168.1.0
de3 = LAN2 = 192.168.2.0

The challenge:
1) TCP request from 192.168.1.247 to 1.2.3.4:80
2) Redirect 1.2.3.4:80 to 192.168.2.250:80
3) Use stateful rules

On another note, I read somewhere on the Internet that IPFILTER has a
limitation in that it cannot redirect a public destination to a private
destination if the source machine is on the same subnet as the redirected
destination.  In other words, the following supposedly will not work:
1) A tcp request from 192.168.1.247 to 1.2.3.4:80
2) Redirect 1.2.3.4:80 to 192.168.1.100:80

Is this an accurate limitation of IPFILTER?



J



Re: IPFW/NATD Transparent Proxy

2004-08-08 Thread mailist

On Sunday 08 August 2004 04:38 pm, JJB wrote:
> A new rewrite of the FreeBSD handbook firewall section is currently
> being made ready for update to the handbook. You can get an
> in-process copy from  www.a1poweruser.com/FBSD_firewall/

The firewall rewrite only deals with a single public nic and a single
internal nic and does not have the information I require.  

> From what you posted looks like you want public internet users to
> access web server on one of your LAN machines. Both ipfw and
> ipfilter does this normally with port redirect.

No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when 
they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD 
internet gateway.  Again, the configuration is
de0 = PUBLIC IP = 1.2.3.4
de1 = 192.168.1.1
de2 = 192.168.2.1

I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet 
being redirected to 192.168.2.250.  That works fine.  But I want someone on 
192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the 
public address 1.2.3.4:80.

Put another way, I have a FreeBSD server acting as a Router/Firewall.  It has 
a public interface with an IP number of 1.2.3.4 and is assigned the DNS name 
www.ishouldhaveusedipfilter.com.  It also has a second NIC that supports a 
private address space of 192.168.1.0/255.255.255.0 and a third NIC that 
supports a private address space of 192.168.2.0/255.255.255.0

When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com 
they get redirected to 192.168.2.250 because I've included a redirect_port 
rule for NATD.  This works fine.  But, users on all private networks (I have 
two, but there could be 20) also need to be redirected to 192.168.2.250 when 
they try to go to www.ishouldhaveusedipfilter.com.  So the user sitting at 
192.168.1.247 shouldn't have to worry about putting in the IP number of the 
company web server, they should just be able to put in the company domain 
name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250 
just like anyone coming from the outside.

> You need to post
> more info about your system config.
> Post the full contents of your rc.conf and  firewall rules files.

My rc.conf file is properly configured and has no bearing on my question.  My 
gateway works fine from public to private IP space and private to public IP 
space.  I've tried so many combinations of rules and NATD options that I 
wouldn't know what to post.  What I need is someone who has completed a 
similar configuration to send me their configuration (change the IP numbers
if you like).  From what I can see, I don't believe this is possible with 
stateful rules.  Let me add that I've been successful with stateless rules, 
but I'd like to use 100% stateful if possible.


> The limit you write about ipfilter is not true.




RE: IPFW/NATD Transparent Proxy

2004-08-08 Thread Eric Crist
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Sunday, August 08, 2004 5:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: IPFW/NATD Transparent Proxy
>
> On Sunday 08 August 2004 04:38 pm, JJB wrote:
>> A new rewrite of the FreeBSD handbook firewall section is currently
>> being made ready for update to the handbook. You can get an
>> in-process copy from  www.a1poweruser.com/FBSD_firewall/
>
> The firewall rewrite only deals with a single public nic and
> a single internal nic and does not have the information I require.
>
>> From what you posted looks like you want public internet users to
>> access web server on one of your LAN machines. Both ipfw
>> and ipfilter does this normally with port redirect.
>
> No, I want a user on 192.168.1.247 to be redirected to
> 192.168.2.250:80 when they request 1.2.3.4:80, where 1.2.3.4 is a
> PUBLIC ip number on the FreeBSD internet gateway.  Again, the
> configuration is
>   de0 = PUBLIC IP = 1.2.3.4
>   de1 = 192.168.1.1
>   de2 = 192.168.2.1
>
> I don't have a problem with incoming requests for 1.2.3.4:80
> from the Internet being redirected to 192.168.2.250.  That works
> fine.  But I want someone on 192.168.1.247 to ALSO be redirected to
> 192.168.2.250:80 when they request the public address 1.2.3.4:80.


Could you send us (or me, personally) your firewall script, and the
address you want to use?

Thanks.

Eric F Crist




Re: IPFW/NATD Transparent Proxy

2004-08-08 Thread Pat Lashley
--On Sunday, August 08, 2004 18:43:21 -0400 [EMAIL PROTECTED] wrote:
> No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when
> they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD
> internet gateway.  Again, the configuration is
> de0 = PUBLIC IP = 1.2.3.4
> de1 = 192.168.1.1
> de2 = 192.168.2.1
>
> I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet
> being redirected to 192.168.2.250.  That works fine.  But I want someone on
> 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the
> public address 1.2.3.4:80.
>
> Put another way, I have a FreeBSD server acting as a Router/Firewall.  It has
> a public interface with an IP number of 1.2.3.4 and is assigned the DNS name
> www.ishouldhaveusedipfilter.com.  It also has a second NIC that supports a
> private address space of 192.168.1.0/255.255.255.0 and a third NIC that
> supports a private address space of 192.168.2.0/255.255.255.0
>
> When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com
> they get redirected to 192.168.2.250 because I've included a redirect_port
> rule for NATD.  This works fine.  But, users on all private networks (I have
> two, but there could be 20) also need to be redirected to 192.168.2.250 when
> they try to go to www.ishouldhaveusedipfilter.com   So the user sitting at
> 192.168.1.247 shouldn't have to worry about putting in the IP number of the
> company web server, they should just be able to put in the company domain
> name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250
> just like anyone coming from the outside.

It seems to me that the best way to handle this is through DNS.  Hosts
within your LAN should find www.ishouldhaveusedipfilter.com to 192.168.2.250
instead of 1.2.3.4.
Typically, you would have an externally visible DNS server which is authoritative
for your domain; and which lists only the publicly visible machines and IP addresses.
(It should -NOT- handle referrals at all.)  Somewhere within your LAN you would have
another DNS server that is authoritative for your internal domain and IP range.  It
may handle referrals; but it is safer to have a completely separate DNS server which
just handles referrals (and possibly caches results) - it should be explicitly told
to use your LAN's authoritative server for your domain and IP range.
With this setup, outside machines see the public address, which is redirected
via your firewall/NAT rules; but internal machines see the internal address and
access it directly.
-Pat


Re: IPFW/NATD Transparent Proxy

2004-08-08 Thread mailist

de0 = 1.2.3.4 (make up any valid public ip) (mydomain.com)
de1 = 192.168.1.1
de2 = 192.168.2.1

When 192.168.1.247 requests a web page from MYDOMAIN.COM
the request needs to be forwarded to 192.168.2.250:80

In the ruleset below, 15100 is required for this to work.  If I pull out
15100 I get no response from the web page because there is no rule to allow 
1.2.3.4 back out to 192.168.1.247.  I can't find a solution that does not 
require an explicit rule to allow 1.2.3.4 back out to 192.168.1.247.  In 
other words, I can't find a set of rules that allows dynamic setup of
192.168.1.247: - 1.2.3.4:80
192.168.1.247: - 192.168.2.250:80

I hope this information helps.  Thanks in advance for pointing me in the right 
direction.

IPFW RULES
==
00100 divert 9000 log ip from any to any
00200 allow log ip from any to any out via de0 keep-state
00300 skipto 15000 log ip from any to any via de1
00400 skipto 20000 log ip from any to any via de2
00500 deny log ip from any to any
15000 allow log ip from any to any in via de1 keep-state
15100 allow log ip from any to any out via de1
15200 deny log ip from any to any
20000 allow log ip from any to any in via de2 keep-state
20100 allow log ip from any to any dst-port 80 out via de2 keep-state
20200 deny log ip from any to any
20300 deny log ip from any to any


NATD Config File (/etc/natd.conf)
redirect_port tcp 192.168.2.250:80 1.2.3.4:80

NATD Command
/sbin/natd -dynamic -n de0 -p 9000 -f /etc/natd.conf
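
The packet walk narrated in the top message of this thread (the reply from 192.168.2.250 being turned back at 15200 unless 15100 lets 1.2.3.4 out via de1) and the ruleset above, replayed as an added Python model. This is constructed for illustration; it is not the poster's code and not FreeBSD's. Its assumptions: the skipto from rule 400 lands on rule 20000, the first rule of the de2 block; natd is reduced to the redirect_port rewrite and its reverse, with the reverse applied when the reply is diverted on its way out (libalias translates the source of outgoing packets); ipfw consults its dynamic table at the first keep-state rule reached, before that rule's own body is tested; the client port 40000 is made up. The point it makes visible is that the only dynamic entry ever created is 192.168.1.247:40000 <-> 192.168.2.250:80, so once natd has put 1.2.3.4:80 back as the reply's source, nothing in the state table matches and the static 15100 is the only rule left that can pass it.

```python
from collections import namedtuple

PUBLIC_IP = "1.2.3.4"         # de0 address in the thread
WEB_SERVER = "192.168.2.250"  # redirect_port target in /etc/natd.conf

# iface is de0/de1/de2, direction is "in" or "out" (the ipfw "via" sense)
Packet = namedtuple("Packet", "src sport dst dport iface direction")
# iface/direction/dport None = any; target is the skipto destination
Rule = namedtuple("Rule", "num action iface direction dport keep_state target",
                  defaults=(None, None, None, False, None))

def flow(p):
    """Direction-independent key, like an ipfw dynamic (keep-state) entry."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def matches(r, p):
    return ((r.iface is None or p.iface == r.iface)
            and (r.direction is None or p.direction == r.direction)
            and (r.dport is None or p.dport == r.dport))

class Natd:
    """Stand-in for natd (assumption): only the redirect_port rewrite and its
    reverse are modelled.  The reverse happens when the reply is diverted on
    its way out, which is how libalias handles outgoing packets."""
    def __init__(self):
        self.links = set()  # (client, client port) pairs that were redirected

    def translate(self, p):
        if p.direction == "in" and (p.dst, p.dport) == (PUBLIC_IP, 80):
            self.links.add((p.src, p.sport))
            return p._replace(dst=WEB_SERVER)
        if (p.direction == "out" and (p.src, p.sport) == (WEB_SERVER, 80)
                and (p.dst, p.dport) in self.links):
            return p._replace(src=PUBLIC_IP)
        return p

class Firewall:
    def __init__(self, rules, natd):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.natd = natd
        self.dynamic = {}  # flow key -> number of the rule that created it

    def walk(self, p):
        """Return (verdict, deciding rule number, packet after translation)."""
        i, probed = 0, False
        while i < len(self.rules):
            r = self.rules[i]
            # ipfw consults the dynamic table at the first keep-state rule it
            # reaches, before that rule's own body is tested (O_PROBE_STATE).
            if r.keep_state and not probed:
                probed = True
                if flow(p) in self.dynamic:
                    return "allow", self.dynamic[flow(p)], p
            if not matches(r, p):
                i += 1
            elif r.action == "divert":
                p, i = self.natd.translate(p), i + 1  # natd hands it back
            elif r.action == "skipto":
                i = next(k for k, x in enumerate(self.rules) if x.num >= r.target)
            else:
                if r.keep_state:
                    self.dynamic[flow(p)] = r.num
                return r.action, r.num, p
        return "deny", 65535, p  # ipfw default rule

def ruleset(with_15100):
    """The posted ruleset; the skipto from 400 is assumed to land on 20000."""
    rules = [Rule(100, "divert"),
             Rule(200, "allow", "de0", "out", keep_state=True),
             Rule(300, "skipto", "de1", target=15000),
             Rule(400, "skipto", "de2", target=20000),
             Rule(500, "deny"),
             Rule(15000, "allow", "de1", "in", keep_state=True),
             Rule(15200, "deny"),
             Rule(20000, "allow", "de2", "in", keep_state=True),
             Rule(20100, "allow", "de2", "out", 80, keep_state=True),
             Rule(20200, "deny")]
    if with_15100:
        rules.append(Rule(15100, "allow", "de1", "out"))
    return rules

def trace_request(with_15100):
    """Replay one request from the LAN1 client (constructed port 40000) and
    its reply through all four passes of the firewall."""
    fw = Firewall(ruleset(with_15100), Natd())
    client, cport = "192.168.1.247", 40000
    legs = [("request in via de1", Packet(client, cport, PUBLIC_IP, 80, "de1", "in")),
            ("request out via de2", None),   # same packet leaving on de2
            ("reply in via de2", Packet(WEB_SERVER, 80, client, cport, "de2", "in")),
            ("reply out via de1", None)]     # same reply leaving on de1
    passes, p = [], None
    for name, fresh in legs:
        _, direction, _, iface = name.split()
        p = fresh or p._replace(iface=iface, direction=direction)
        verdict, rule, p = fw.walk(p)
        passes.append((name, verdict, rule))
    return passes, [tuple(sorted(f)) for f in fw.dynamic]

if __name__ == "__main__":
    for present in (False, True):
        passes, flows = trace_request(present)
        print(f"15100 {'present' if present else 'absent'}: {passes}\n  state: {flows}")
```

Run it directly and the last leg reports `deny` by 15200 without 15100 and `allow` by 15100 with it, while the state table holds only the post-redirect flow in both runs.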

