Re: ipfw/natd in 8.1
Hello, Casey.

CS> 00300 0 0 deny ip from 192.168.0.0/16 to any in via fxp0
CS> 00301 0 0 deny ip from 172.16.0.0/12 to any in via fxp0
CS> 00302 0 0 deny ip from 10.0.0.0/8 to any in via fxp0
CS> 00303 0 0 deny ip from 127.0.0.0/8 to any in via fxp0
CS> 00304 0 0 deny ip from 0.0.0.0/8 to any in via fxp0
CS> 00305 0 0 deny ip from 169.254.0.0/16 to any in via fxp0
CS> 00306 0 0 deny ip from 192.0.2.0/24 to any in via fxp0
CS> 00307 0 0 deny ip from 204.152.64.0/23 to any in via fxp0
CS> 00308 0 0 deny ip from 224.0.0.0/3 to any in via fxp0

You can replace all of that with:

deny all from any to not me in recv fxp0

"in recv" and "in via" are very different things!

CS> 00100 965322 divert 8668 log ip from any to any in via fxp0
CS> 00500 293 56642 divert 8668 log ip from any to any

What are you trying to do with these rules??? What you do is wrong; they do different work in conjunction with keep-state and the other rules in your firewall. Divide the logic in your firewall!

What is the one_pass option in your kernel?

kes# sysctl -a | grep one_pass

Maybe you have 1, but it must be 0.

CS> 00420 91112 allow log tcp from any to me dst-port 20,21,53,76,80,123,443 in via fxp0 setup limit src-addr 20

This rule will not pass packets to undivert, I think, or will have some effect on the divert rule.

CS> 00510 78 21591 allow log ip from any to any

This rule is useless!!!

CS> Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
CS> [TCP] 74.94.69.225:61447 - 65.61.153.152:80
CS> In {default}[TCP] [TCP] 65.61.153.152:80 - 74.94.69.225:61447 aliased to
CS> [TCP] 65.61.153.152:80 - 192.168.1.6:61447

Before setup all works fine; after setup, your firewall fails. Established connections do not work:

CS> In {default}[TCP] [TCP] 65.61.153.152:80 - 192.168.1.6:61447 aliased to
CS> [TCP] 65.61.153.152:80 - 192.168.1.6:61447
CS> Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
CS> [TCP] 192.168.1.6:61447 - 65.61.153.152:80
CS> Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
CS> [TCP] 192.168.1.6:61447 - 65.61.153.152:80
CS> Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
CS> [TCP] 192.168.1.6:61447 - 65.61.153.152:80

Try to understand divert, then try keep-state, setup, etc.

Good luck.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
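The two natd -v excerpts in the message above show what to look for: in a working translation the public address (74.94.69.225) appears after "aliased to", while in the failing case the tuple after "aliased to" is identical to the one before it, so the packet went through the divert socket untranslated. As an added example that is not part of this thread, the following POSIX shell script scans natd verbose output for exactly that failure mode. The log lines it carries are constructed from the ones quoted above (natd prints each record either on one line or split after "aliased to"; both forms are handled), and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the thread): flag natd -v records whose
# "aliased to" tuple is unchanged, i.e. packets that passed through the
# divert socket without being translated.  Sample log constructed from
# the records quoted in the thread; both one-line and split records appear.
SAMPLE_LOG='Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
 [TCP] 74.94.69.225:61447 - 65.61.153.152:80
In {default}[TCP] [TCP] 65.61.153.152:80 - 74.94.69.225:61447 aliased to
 [TCP] 65.61.153.152:80 - 192.168.1.6:61447
In {default}[TCP] [TCP] 65.61.153.152:80 - 192.168.1.6:61447 aliased to [TCP] 65.61.153.152:80 - 192.168.1.6:61447
Out {default}[TCP] [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
 [TCP] 192.168.1.6:61447 - 65.61.153.152:80'

# Reads natd -v output on stdin.  Prints every record (joined onto one
# line) whose pre- and post-NAT "src - dst" pair is identical.
# Exit status is 1 when at least one such record was seen, else 0.
natd_untranslated() {
    awk '
        # first half of a split record: remember it and wait for the rest
        /aliased to[ \t]*$/ { pending = $0; next }
        pending != ""       { $0 = pending " " $0; pending = "" }
        /aliased to/ {
            split($0, half, "aliased to")
            before = half[1]; after = half[2]
            # keep only the "src:port - dst:port" text after the last "] "
            sub(/^.*\] /, "", before); sub(/^.*\] /, "", after)
            sub(/[ \t]+$/, "", before); sub(/^[ \t]+/, "", after)
            if (before == after) { print $0; bad++ }
        }
        END { if (bad > 0) exit 1 }
    '
}

# Same scan, but only report how many untranslated records were found.
natd_untranslated_count() {
    natd_untranslated | awk 'END { print NR }'
}

# Demo: run the scan over the constructed log above.
if printf '%s\n' "$SAMPLE_LOG" | natd_untranslated; then
    echo "all natd records were translated"
else
    echo "WARNING: natd passed packets without translating them (listed above)"
fi
```

On a live box the same scan can be fed from the natd log (for example `natd -v` output captured to a file, or a `tail -f` pipe) so that a ruleset change which stops translation, as in the thread, is noticed as soon as the first untranslated record appears rather than when users report that established connections hang.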
Re: ipfw natd rules not loading on startup
Just a sidenote:

On Sat, 15 May 2010 02:33:10 +0200, umage theultram...@gmail.com wrote:
> However, if I run the script manually, or call it from the end of /etc/rc, it will add these rules as well. Currently I am using a workaround.

It's not a good idea to modify /etc/rc. In your case, using the mechanisms of /etc/rc(.shutdown).local is a good way to call scripts that do not fit the rc.d concept. See man rc.local for details.

So I would suggest something for /etc/rc.local like this:

#!/bin/sh
# pull in rc.conf settings unless rc has already done so for us
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	elif [ -r /etc/rc.conf.local ]; then
		. /etc/rc.conf.local
	fi
fi
echo -n " custom-firewall"
/your/firewall/script.sh	# <-- here

The final dot + newline in the messages will be added by rc, if I remember correctly.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: ipfw natd rules not loading on startup
On Sat, May 15, 2010 at 02:33:10AM +0200, umage wrote:
> I performed a kernel+world update of my freebsd router, RELENG_8 branch, apparently from the version 6 months ago to current. I use ipfw and a shell script that gets loaded at startup. I noticed after rebooting that ipfw did not load two rules, both of type divert natd. However, if I run the script manually, or call it from the end of /etc/rc, it will add these rules as well. Currently I am using a workaround.

Best to ask -STABLE. There's been some breakage of ipfw since the end of April. I'm unsure as to whether they've all been resolved yet.

Cheers.
-- 
Jonathan Chen       | To do is to be -- Nietzsche
j...@chen.org.nz    | To be is to do -- Sartre
                    | Scooby do be do -- Scooby
Re: IPFW + NATD FORWARDING
mr. phreak [EMAIL PROTECTED] writes:
> Hi, I am having trouble with my IPFW+NATD forwarding. I know a lot of people have and I've googled my ass off. Still I can't get it right. I'm trying to forward port 1213 in/out for dc++ usage. This is my setup:
>
>       __ WAN router (192.168.1.1)
>      |
>      |
>   (FreeBSD gateway/fw  NIC1: ath0 (public)  NIC2: rl0 (LAN))
>      |
>      |__ LAN (10.10.10.0/24)
>
> I use stateful rules and I'd like to forward port 1213 both ways using natd. I know NATD should take care of this as long as I allow port 1213 in/out from the firewall. I've tried this at almost every position in the ipfw.rules and now I ask where I should put it?? i.e. it's not there right now. I've tried:
>
> $cmd [num] allow all from any to any 1213
>
> (at various positions in ipfw.rules) still doesn't work.
>
> $cmd [num] divert natd all from any to any 1213
>
> Can someone help me?

Your firewall configuration is rather unconventional, but the basic idea makes sense. What isn't clear is how you want to use this dc++ program within your infrastructure. Because you are using dynamic rules, I assume that you want the connections to always originate inside your network. If that is the case, you shouldn't need any special configuration to natd (because every connection will be learned from the initial packet). If that's not the case, you will need to pick one internal machine to receive the connections coming in from outside.
Re: IPFW + NATD rules
On Sun, Aug 27, 2006 at 01:04:54PM +0500, ?? ?? wrote:
> I'm a junior in FreeBSD, and I faced with problem.

You should know that others have mailers that are thread enabled. This means that when you compose a new mail but use the reply shortcut, others may not read this, because it ends up in the list. I redirected the mail to questions@ because this is not related to the stable development branch.

> I've a FreeBSD 6.1-stable box as a gate+firewall, and I want to divert incoming requests to my web-server, placed in DeMilitarized Zone (DMZ). To do this I wrote down settings in /etc/rc.conf as shown above:
>
> natd_flags=-redirect_port tcp 80 192.168.1.234 80
> natd_flags=-redirect_poort tcp 443 192.168.1.234 443

You probably can not have two lines.

> I think, that all packets incoming from Internet will be diverted from the External interface via DMZ interface to my Web-server. Is it right? If not, why not, and what is the way to make it work?

Yes, but you made some mistakes:

1. You have two lines, where only one is allowed.
2. The file format is wrong: should be tcp forward_ip:port port
3. You made a typo
4. Did you setup ipfw?

I've done this with a separate config file.

firewall_enable=YES
firewall_type=/etc/firewall.conf
natd_enable=YES
natd_flags=-f /etc/natd.conf
natd_interface=fxp0

/etc/firewall.conf contains:

add divert 8668 ip from any to any
(note: src_ip and dst_ip changes here, so keep this in mind if you add rules)
add allow ip from any to any

/etc/natd.conf contains:

redirect_port tcp ip_to_goto:port local_port

Did you setup ipfw and direct packets to natd? You also need to setup i

-- 
Alex

Please copy the original recipients, otherwise I may not read your reply.
Howtos based on my personal use, including information about setting up a firewall and creating traffic graphs with MRTG
http://alex.kruijff.org/FreeBSD/
Re: IPFW+natd Cisco VPN tunnelling....
Chuck Swiger wrote:
> Is there any way to convince natd to re-read the natd.conf file short of killing and restarting the daemon entirely? The manpage didn't say so, and kill -HUP terminates the process.

If there was, I would expect /etc/rc.d/natd to support a reload option, but I don't see one. You could try it, but if not then I suggest

sh /etc/rc.d/natd restart

Can't help on VPN, I'm afraid.

--Alex
Re: ipfw + natd = some sites won't work :-S
On Tuesday, 10 May 2005 00:42, Frank de Bot wrote:
> Hi, I got my FreeBSD set up to do nat, but it doesn't work 100%. Sites like Google for instance do work, but many others don't. All other protocols

I guess you're using an A-DSL line with PPPoE, right? If so, see tcp-mss fix. PPPoE consumes 8 bytes of your MTU, so the maximum segment size of TCP sessions is also reduced by 8 bytes, which the machine behind the NAT box doesn't know about. Your NAT box has to alter the mss field in the TCP header because many sites have wrongly configured firewalls which simply block all ICMP traffic, so the "must fragment" error from your router never reaches the originating host. So the sent packet is too big to go over your line and the Must Fragment bit is ignored... you'll never receive what you've requested.

I'm not familiar with IPFW, perhaps NATD can take care of MSS, PF does with max-mss.

-Harry

> seems to be working properly. But why are sites failing to do anything? I got natd running with the verbose option and a successful request of google is identical to a random other site :S The firewall I use is rather big. The most important piece is:
>
> 01200 723652298 divert 8668 ip from any to 82.94.238.70 via fxp0
> 01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any
> 01200 0 0 allow ip from any to 10.0.5.0/24
> 01201 524 85399 allow ip from 82.94.238.70 to any
> 01201 3 144 allow ip from any to 82.94.238.70
> 01500 871494 216106437 allow tcp from any to any established
>
> /etc/natd.conf is:
>
> alias_address %external_ip%
> verbose
>
> It just puzzles me why only some http requests would fail and everything else works fine! Anyone got any idea?
>
> Thanks in advance,
>
> Frank de Bot
RE: ipfw + natd = some sites won't work :-S
Seeing a snippet of your firewall rules is not giving us enough info to work on. You have to post the complete rule set because of the way rules are processed. Also an explanation of your private network layout and how you connect to the internet is needed. List sites you can not access.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank de Bot
Sent: Monday, May 09, 2005 6:42 PM
To: freebsd-questions@freebsd.org
Subject: ipfw + natd = some sites won't work :-S
Re: ipfw + natd = some sites won't work :-S
Emanuel Strobl wrote:
> On Tuesday, 10 May 2005 00:42, Frank de Bot wrote:
>> Hi, I got my FreeBSD set up to do nat, but it doesn't work 100%. Sites like Google for instance do work, but many others don't. All other protocols
>
> I guess you're using an A-DSL line with PPPoE, right? If so, see tcp-mss fix. PPPoE consumes 8 bytes of your MTU, so the maximum segment size of TCP sessions is also reduced by 8 bytes, which the machine behind the NAT box doesn't know about. Your NAT box has to alter the mss field in the TCP header because many sites have wrongly configured firewalls which simply block all ICMP traffic, so the "must fragment" error from your router never reaches the originating host. So the sent packet is too big to go over your line and the Must Fragment bit is ignored... you'll never receive what you've requested.
>
> I'm not familiar with IPFW, perhaps NATD can take care of MSS, PF does with max-mss.

I'm not using an ADSL with PPPoE. But the configuration used is kinda non-standard. I'll try to explain with a little drawing:

  = Laptop =
  IP: 10.0.5.21 (/24)
        |
        |
  = Server 1 =
  IP: 10.0.5.2 | IP: 10.0.3.1
                     |
                     | (ipip tunnel)
                     |
  = Server 2 =
  IP: 10.0.3.2 | IP: %external_ip%
                     |
                % internet %

Server 1 is a Linux box. Server 2 is the FreeBSD performing the NAT. Tracerouting occurs without any problem. From the laptop to the internet: 10.0.5.2 - 10.0.3.2 - %internet%

During testing I've also dumped the whole firewall except the points written in the starting post. The behaviour stays exactly the same.

> -Harry
Re: ipfw + natd = some sites won't work :-S
The ipfw rules standing without any other rules and '65535 allow ip from any to any' as last rule give the same behaviour. So it's not a firewall case. The network layout is posted in my reaction to Emanuel.

Sites I can't access are:

www.tweakers.net
www.fok.nl
www.yahoo.com
www.userfriendly.org
www.thinkgeek.com

Sites I CAN access:

www.google.com
www.gmail.com
www.fastclick.net

fbsd_user wrote:
> Seeing a snippet of your firewall rules is not giving us enough info to work on. You have to post the complete rule set because of the way rules are processed. Also an explanation of your private network layout and how you connect to the internet is needed. List sites you can not access.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank de Bot
> Sent: Monday, May 09, 2005 6:42 PM
> To: freebsd-questions@freebsd.org
> Subject: ipfw + natd = some sites won't work :-S
Re: ipfw + natd = some sites won't work :-S
On Tuesday, 10 May 2005 01:04, Frank de Bot wrote:
> I'm not using an ADSL with PPPoE. But the configuration used is kinda non-standard. I'll try to explain with a little drawing:
>
>   = Laptop =
>   IP: 10.0.5.21 (/24)
>         |
>   = Server 1 =
>   IP: 10.0.5.2 | IP: 10.0.3.1
>                      |
>                      | (ipip tunnel)
>   = Server 2 =
>   IP: 10.0.3.2 | IP: %external_ip%
>                 % internet %
>
> Server 1 is a Linux box. Server 2 is the FreeBSD performing the NAT. Tracerouting occurs without any problem. From the laptop to the internet: 10.0.5.2 - 10.0.3.2 - %internet%

The problem is the same: IP-IP tunneling reduces TCP's MSS, which the Linux box doesn't fix. ICMP will work of course, TCP with full payload won't. I don't know how/why you tunnel IP into IP on that Linux box, but that's the point where you have to dig.

Good luck,

-Harry

> During testing I've also dumped the whole firewall except the points written in the starting post. The behaviour stays exactly the same.
Re: ipfw + natd = some sites won't work :-S
Emanuel Strobl wrote:
> The problem is the same: IP-IP tunneling reduces TCP's MSS, which the Linux box doesn't fix. ICMP will work of course, TCP with full payload won't. I don't know how/why you tunnel IP into IP on that Linux box, but that's the point where you have to dig.
>
> Good luck,
>
> -Harry

Which tunnel forms don't experience the reducing of MSS? I've chosen an ipip tunnel because it was the tunnel solution which seemed to be the most simple. Once I got that working I was planning to change it to a VPN or IPSec tunnel. I have my reason for having that tunnel between the boxes (Server 2 is a server far apart from Server 1).

Frank
Re: ipfw + natd = some sites won't work :-S
On Tuesday, 10 May 2005 01:19, Frank de Bot wrote:
> Emanuel Strobl wrote:
>> The problem is the same: IP-IP tunneling reduces TCP's MSS, which the Linux box doesn't fix. ICMP will work of course, TCP with full payload won't. I don't know how/why you tunnel IP into IP on that Linux box, but that's the point where you have to dig.
>>
>> Good luck,
>>
>> -Harry
>
> Which tunnel forms don't experience the reducing of MSS? I've chosen

Hm, I don't have that handy in my mind right now. I'd have to look for some RFCs, but it's quite late here in Germany; if I knew it by rote I'd tell you. I have similar configurations with IPSec without that problem (IPSec (ESP) is another protocol parallel to IP, not an IP in IP tunnel).

-Harry

> an ipip tunnel because it was the tunnel solution which seemed to be the most simple. Once I got that working I was planning to change it to a VPN or IPSec tunnel. I have my reason for having that tunnel between the boxes (Server 2 is a server far apart from Server 1).
>
> Frank
RE: IPFW NATD
<snip>
> Hi
>
> I'm trying to setup natd to port forward to a http, ftp and vnc server behind the natd box. But I only want a customer from their static ip address to be able to login and block everything else. Is this possible in a natd environment? Any examples?
>
> Port forwarding works ok, I just can't figure out the rules to stop everyone and allow this one client.
>
> Cheers
>
> Brian

> Brian,
>
> If you've got the port forwarding working, then a few IPFW rules will add the security you're looking for. If your divert rule is number 100, then add a few rules above it, like this:
>
> ipfw add 50 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] 80
> ipfw add 51 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] 21
> ipfw add 52 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] [VNC port]
> ipfw add 53 deny tcp from any to [public.ip.of.nat.box] 80
> ipfw add 54 deny tcp from any to [public.ip.of.nat.box] 21
> ipfw add 55 deny tcp from any to [public.ip.of.nat.box] [VNC port]
>
> The first three rules pass the traffic from the specified IP to the divert rule, to natd, and get port forwarded. Any other traffic on those ports gets blocked, and doesn't get diverted.
<snip>

This worked a treat, thanks very much.

Brian
RE: IPFW NATD
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian
Sent: Thursday, October 14, 2004 11:01 AM
To: 'FreeBSD Questions'
Subject: IPFW NATD

> Hi
>
> I'm trying to setup natd to port forward to a http, ftp and vnc server behind the natd box. But I only want a customer from their static ip address to be able to login and block everything else. Is this possible in a natd environment? Any examples?
>
> Port forwarding works ok, I just can't figure out the rules to stop everyone and allow this one client.
>
> Cheers
>
> Brian

Brian,

If you've got the port forwarding working, then a few IPFW rules will add the security you're looking for. If your divert rule is number 100, then add a few rules above it, like this:

ipfw add 50 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] 80
ipfw add 51 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] 21
ipfw add 52 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] [VNC port]
ipfw add 53 deny tcp from any to [public.ip.of.nat.box] 80
ipfw add 54 deny tcp from any to [public.ip.of.nat.box] 21
ipfw add 55 deny tcp from any to [public.ip.of.nat.box] [VNC port]

The first three rules pass the traffic from the specified IP to the divert rule, to natd, and get port forwarded. Any other traffic on those ports gets blocked, and doesn't get diverted.

Kevin Glick
ITS Manager
Sterling Business Forms
[EMAIL PROTECTED]
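Kevin's six rules (quoted in both of the two messages above) follow a fixed pattern: one skipto-to-divert rule per allowed port for the customer's address, then one deny per port for everyone else, all numbered below the divert rule so that skipto jumps forward. That pattern is easy to get wrong by hand when ports are added later. The following POSIX shell script, added here and not part of the thread or of FreeBSD, generates the pattern for any list of ports and refuses to emit rules that would not fit below the divert rule. The addresses 203.0.113.10 and 198.51.100.1 are documentation placeholders standing in for Kevin's [static.ip.of.customer] and [public.ip.of.nat.box], and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the thread): build the customer-only
# port-forward rules in the shape Kevin Glick describes.
#   usage: gen_restricted_forward_rules START DIVERT CUSTOMER_IP NAT_IP PORT...
# Emits one "add ..." argument list per line: first a skipto-to-divert
# rule per port for CUSTOMER_IP, then a deny per port for everyone else.
gen_restricted_forward_rules() {
    start=$1; divert=$2; customer=$3; nat_ip=$4
    shift 4
    nports=$#
    # Two rules per port; the last number must stay below the divert rule,
    # otherwise skipto would have to jump backwards, which ipfw does not do.
    last=$((start + 2 * nports - 1))
    if [ "$last" -ge "$divert" ]; then
        echo "error: rules $start-$last do not fit below divert rule $divert" >&2
        return 1
    fi
    n=$start
    for port in "$@"; do
        echo "add $n skipto $divert tcp from $customer to $nat_ip $port"
        n=$((n + 1))
    done
    for port in "$@"; do
        echo "add $n deny tcp from any to $nat_ip $port"
        n=$((n + 1))
    done
}

# Hand the generated rules to $IPFW one by one.  Defaults to "echo" so the
# script is a dry run; set IPFW=/sbin/ipfw to load into the live ruleset.
: "${IPFW:=echo}"
load_restricted_forward_rules() {
    rules=$(gen_restricted_forward_rules "$@") || return 1
    # iterate over lines without a subshell, so a failing load aborts here
    old_ifs=$IFS
    IFS='
'
    for rule in $rules; do
        IFS=$old_ifs
        # word splitting of $rule is intended: each word is an ipfw argument
        $IPFW -q $rule || return 1
    done
    IFS=$old_ifs
}

# Demo: dry run with the placeholder addresses, divert rule 100,
# HTTP, FTP control and VNC (5900) as the forwarded ports.
load_restricted_forward_rules 50 100 203.0.113.10 198.51.100.1 80 21 5900
```

Run as-is the script only prints the `ipfw -q add ...` lines, which is the form you want to review (and diff against `ipfw list`) before loading. The fit check matters because ipfw's skipto target must be a higher rule number than the rule itself; if the block of generated rules grows past the divert rule the script fails loudly instead of silently producing a ruleset that ipfw rejects halfway through.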
RE: IPFW/NATD Transparent Proxy
> Your ipfw rules are invalid.

They seem to work perfectly. My only gripe is that static rule #15100 is required to succeed with redirect_port from 1.2.3.4:80 to 192.168.2.250:80 when 192.168.1.247 requests a web page using the domain name for 1.2.3.4. I'm looking for a solution that doesn't require rule #15100.

> This causes the dynamic internal state table to cross match packets in error because it does not keep track of which interface the packet is from. This has been a long time bug in stateful rules for NATed interfaces. Technically your whole stateful environment is being forced to look like it's working when in fact it's almost useless.

How can that be? If I'm on 192.168.2.100, I can make a request to www.cnn.com and it works fine. Yet I have no rule that allows any packets to be accepted IN via my outside nic (de0), and no rule that allows any port 80 OUT to my private lan on de2. That sounds to me like the dynamic rules are working. How else are the packets getting into de0 and out to de2?

> That is why the stateful + nated rule example from the new firewall rewrite uses skipto rules to work around this problem.

I'm using skipto's as well, just not using the keep-state parameter on the skipto rule. I don't believe the transparent proxy problem I'm having is a result of skipto.

It's a chicken/egg issue when using stateful rules because either NATD or the original nic remembers that the packet changed when it got redirected. If I allow the stateful rule first, it gets created as 192.168.1.247 - 1.2.3.4 and immediately starts communicating with the outside interface due to the dynamic rule bypassing the rest of the firewall. So the packets never get to go through the divert rule to be redirected to 192.168.2.250.

If I go through divert first (as in my firewall example), the packet matches rule 100, the destination gets changed to 192.168.2.250, and the packet continues down through the firewall. Great! Next, it matches on 300 and gets passed to 15000 where the dynamic rule 192.168.1.247 - 192.168.2.250 gets created. More greatness! When 192.168.2.250 replies to 192.168.1.247, that packet also matches rule 100, gets diverted and NATD rewrites the source to the original IP address so the packet is now configured as 1.2.3.4 - 192.168.1.247. Continued greatness! But now, the packet gets denied at 15200 (remember 15100 does not exist in this example) because there's no rule to allow 1.2.3.4 to communicate with 192.168.1.247. Hence, I have to add in #15100 to explicitly allow 1.2.3.4 to communicate with 192.168.1.247. In my example ruleset I simply allowed anything to go out via de1.

> Basically the unpublished rule of thumb is ipfw keep-state rules can not be used on the internal interface and external interface in the same rule set. Keep-state rules can only be used on the external interface. There are no error messages to enforce this.

Actually, the only problem I've run into is the combination of external/internal with NATD doing a redirect_port or redirect_address. I've not run into any problems with external/internal and normal NATD address translations.

J

IPFW RULES
==========

00100 divert 9000 log ip from any to any
00200 allow log ip from any to any out via de0 keep-state
00300 skipto 15000 log ip from any to any via de1
00400 skipto 2 log ip from any to any via de2
00500 deny log ip from any to any
15000 allow log ip from any to any in via de1 keep-state
15100 allow log ip from any to any out via de1
15200 deny log ip from any to any
2 allow log ip from any to any in via de2 keep-state
20100 allow log ip from any to any dst-port 80 out via de2 keep-state
20200 deny log ip from any to any
20300 deny log ip from any to any

NATD Config File (/etc/natd.conf)

redirect_port tcp 192.168.2.250:80 1.2.3.4:80

NATD Command

/sbin/natd -dynamic -n de0 -p 9000 -f /etc/natd.conf
RE: IPFW/NATD Transparent Proxy
A new rewrite of the FreeBSD handbook firewall section is currently being made ready for update to the handbook. You can get an in-process copy from www.a1poweruser.com/FBSD_firewall/

From what you posted it looks like you want public internet users to access a web server on one of your LAN machines. Both ipfw and ipfilter do this normally with port redirect.

You need to post more info about your system config. Post the full contents of your rc.conf and firewall rules files.

The limit you write about ipfilter is not true.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, August 08, 2004 2:11 PM
To: [EMAIL PROTECTED]
Subject: IPFW/NATD Transparent Proxy

> Anyone up for a challenge? I've come to the conclusion that IPFW/NATD cannot support transparent proxying with ONLY stateful rules. I'd like to hear from anyone who has been successful doing so in case I'm missing something.
>
> Configuration is:
>
> FreeBSD 5.2.1
> 3 - NICS (de0, de1, de2)
> de1 = Public IP = 1.2.3.4
> de2 = LAN1 = 192.168.1.0
> de3 = LAN2 = 192.168.2.0
>
> The challenge:
>
> 1) TCP request from 192.168.1.247 to 1.2.3.4:80
> 2) Redirect 1.2.3.4:80 to 192.168.2.250:80
> 3) Use stateful rules
>
> On another note, I read somewhere on the Internet that IPFILTER has a limitation in that it cannot redirect a public destination to a private destination if the source machine is on the same subnet as the redirected destination. In other words, the following supposedly will not work:
>
> 1) A tcp request from 192.168.1.247 to 1.2.3.4:80
> 2) Redirect 1.2.3.4:80 to 192.168.1.100:80
>
> Is this an accurate limitation of IPFILTER?
>
> J
Re: IPFW/NATD Transparent Proxy
On Sunday 08 August 2004 04:38 pm, JJB wrote:

> A new rewrite of the FreeBSD handbook firewall section is currently being made ready for update to the handbook. You can get an in-process copy from www.a1poweruser.com/FBSD_firewall/

The firewall rewrite only deals with a single public NIC and a single internal NIC and does not have the information I require.

> From what you posted it looks like you want public internet users to access a web server on one of your LAN machines. Both ipfw and ipfilter do this normally with port redirect.

No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC IP number on the FreeBSD internet gateway. Again, the configuration is

    de0 = PUBLIC IP = 1.2.3.4
    de1 = 192.168.1.1
    de2 = 192.168.2.1

I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet being redirected to 192.168.2.250. That works fine. But I want someone on 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the public address 1.2.3.4:80.

Put another way, I have a FreeBSD server acting as a router/firewall. It has a public interface with an IP number of 1.2.3.4 and is assigned the DNS name www.ishouldhaveusedipfilter.com. It also has a second NIC that supports a private address space of 192.168.1.0/255.255.255.0 and a third NIC that supports a private address space of 192.168.2.0/255.255.255.0.

When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com they get redirected to 192.168.2.250 because I've included a redirect_port rule for NATD. This works fine.

But users on all private networks (I have two, but there could be 20) also need to be redirected to 192.168.2.250 when they try to go to www.ishouldhaveusedipfilter.com. So the user sitting at 192.168.1.247 shouldn't have to worry about putting in the IP number of the company web server; they should just be able to put in the company domain name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250 just like anyone coming from the outside.

> You need to post more info about your system config. Post the full contents of your rc.conf and firewall rules files.

My rc.conf file is properly configured and has no bearing on my question. My gateway works fine from public to private IP space and private to public IP space. I've tried so many combinations of rules and NATD options that I wouldn't know what to post. What I need is someone who has completed a similar configuration to send me their configuration (change the IP numbers if you like). From what I can see, I don't believe this is possible with stateful rules.

Let me add that I've been successful with stateless rules, but I'd like to use 100% stateful if possible.

> The limit you write about ipfilter is not true.
>
> [...]
RE: IPFW/NATD Transparent Proxy
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> Sent: Sunday, August 08, 2004 5:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: IPFW/NATD Transparent Proxy
>
> [...]
>
> No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC IP number on the FreeBSD internet gateway. Again, the configuration is
>
>     de0 = PUBLIC IP = 1.2.3.4
>     de1 = 192.168.1.1
>     de2 = 192.168.2.1
>
> I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet being redirected to 192.168.2.250. That works fine. But I want someone on 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the public address 1.2.3.4:80.

Could you send us (or me, personally) your firewall script, and the address you want to use?

Thanks.

Eric F Crist
Re: IPFW/NATD Transparent Proxy
--On Sunday, August 08, 2004 18:43:21 -0400 [EMAIL PROTECTED] wrote:

> [...]
>
> When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com they get redirected to 192.168.2.250 because I've included a redirect_port rule for NATD. This works fine.
>
> But users on all private networks (I have two, but there could be 20) also need to be redirected to 192.168.2.250 when they try to go to www.ishouldhaveusedipfilter.com. So the user sitting at 192.168.1.247 shouldn't have to worry about putting in the IP number of the company web server; they should just be able to put in the company domain name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250 just like anyone coming from the outside.

It seems to me that the best way to handle this is through DNS. Hosts within your LAN should resolve www.ishouldhaveusedipfilter.com to 192.168.2.250 instead of 1.2.3.4.

Typically, you would have an externally visible DNS server which is authoritative for your domain and which lists only the publicly visible machines and IP addresses. (It should NOT handle referrals at all.)

Somewhere within your LAN you would have another DNS server that is authoritative for your internal domain and IP range. It may handle referrals, but it is safer to have a completely separate DNS server which just handles referrals (and possibly caches results); it should be explicitly told to use your LAN's authoritative server for your domain and IP range.

With this setup, outside machines see the public address, which is redirected via your firewall/NAT rules, but internal machines see the internal address and access it directly.

-Pat
Re: IPFW/NATD Transparent Proxy
    de0 = 1.2.3.4 (make up any valid public ip) (mydomain.com)
    de1 = 192.168.1.1
    de2 = 192.168.2.1

When 192.168.1.247 requests a web page from MYDOMAIN.COM the request needs to be forwarded to 192.168.2.250:80.

In the ruleset below, 15100 is required for this to work. If I pull out 15100 I get no response from the web page because there is no rule to allow 1.2.3.4 back out to 192.168.1.247. I can't find a solution that does not require an explicit rule to allow 1.2.3.4 back out to 192.168.1.247. In other words, I can't find a set of rules that allows dynamic setup of

    192.168.1.247: -> 1.2.3.4:80
    192.168.1.247: -> 192.168.2.250:80

I hope this information helps. Thanks in advance for pointing me in the right direction.

IPFW RULES
==========

    00100 divert 9000 log ip from any to any
    00200 allow log ip from any to any out via de0 keep-state
    00300 skipto 15000 log ip from any to any via de1
    00400 skipto 2 log ip from any to any via de2
    00500 deny log ip from any to any
    15000 allow log ip from any to any in via de1 keep-state
    15100 allow log ip from any to any out via de1
    15200 deny log ip from any to any
    2 allow log ip from any to any in via de2 keep-state
    20100 allow log ip from any to any dst-port 80 out via de2 keep-state
    20200 deny log ip from any to any
    20300 deny log ip from any to any

NATD Config File (/etc/natd.conf)

    redirect_port tcp 192.168.2.250:80 1.2.3.4:80

NATD Command

    /sbin/natd -dynamic -n de0 -p 9000 -f /etc/natd.conf

On Sunday 08 August 2004 06:30 pm, Eric Crist wrote:

> [...]
>
> Could you send us (or me, personally) your firewall script, and the address you want to use?
>
> Thanks.
>
> Eric F Crist
Re: ipfw + natd - not sharing internet for LAN users
----- Original Message -----
From: Prodigy [EMAIL PROTECTED]
To: freebsd-questions [EMAIL PROTECTED]
Sent: Tuesday, March 09, 2004 10:53 AM
Subject: ipfw + natd - not sharing internet for LAN users

> snip
>
> # ipfw show
> 65535 1546 115746 allow ip from any to any

This is your problem. Even though you're running NATD, you need to divert all traffic to NATD in the firewall. Try adding a divert entry to your firewall like this:

    ipfw add 100 divert natd all from any to any via ed1

Then check /etc/services and make sure that there's an entry for natd:

    natd    8668/divert    # Network Address Translation

--
Micheal Patterson
TSG Network Administration
405-917-0600
Re: ipfw / natd does not allow lan traffic to reach externalnumbers
Hello,

On Sun, 2003-08-10 at 22:38, Johannes Angeldorff wrote:

> Hi,
>
> I have a problem with our firewall/NAT, on a FreeBSD 4.7 box... Here is a list with some details:
>
> *) The FreeBSD box uses natd and ipfw, and has two external IPs, let's say aaa.bbb.ccc.20 and ddd.eee.fff.21.
>
> *) natd is used to redirect access to external IP addresses and ports to internal LAN IPs, for example 192.168.0.20 and 192.168.0.21, where for example webservers are located.
>
> *) natd rules:
>
>     natd_flags="-redirect_address 192.168.0.20 aaa.bbb.ccc.20
>         -redirect_port tcp 192.168.0.21:25-52 25-52
>         -redirect_port udp 192.168.0.21:25-52 25-52
>         -redirect_port tcp 192.168.0.30:80 80
>         -redirect_port udp 192.168.0.30:80 80
>         -redirect_port tcp 192.168.0.21:54-79 54-79
>         -redirect_port udp 192.168.0.21:54-79 54-79
>         -redirect_port tcp 192.168.0.21:81-722 81-722
>         -redirect_port udp 192.168.0.21:81-722 81-722
>         -redirect_port tcp 192.168.0.21:3306-4559 3306-4559
>         -redirect_port udp 192.168.0.21:3306-4559 3306-4559"
>
> *) ipfw lets things through:
>
>     00050 divert 8668 ip from any to any via fxp0
>     00100 allow ip from any to any via lo0
>     00200 deny ip from any to 127.0.0.0/8
>     00300 deny ip from 127.0.0.0/8 to any
>     65000 allow ip from any to any
>     65535 allow ip from any to any
>
> Problem:
>
> Most things work just fine, external access is redirected to the correct ports, and the webservers work just fine. BUT the problem comes when a box on the LAN tries to reach a site residing on 192.168.0.20 using the _external_ IP aaa.bbb.ccc.20. Then I get the error: Unable to connect to remote host.
>
> Connecting from a LAN machine to the same site using the _internal_ IP works fine. Connecting to other external IPs also works fine.
>
> I want to be able to connect from LAN boxes to the external IPs, for example aaa.bbb.ccc.20.
>
> Can anyone lead me on the way...? Very thankful for all comments on this matter.

This is not possible.

You have to use another host external to your local network in order to access / view services via their respective public IPs, or continue to access them via their defined RFC1918 addresses.

On another note, if access via public IP isn't a strict requirement, there is the views functionality in Bind9 that (once set up properly) would allow you to access, say, hosted websites via their WWW addresses from internal hosts...

Regards,

Stacey

> Regards,
> Smartnet Sverige AB
> Johannes Angeldorff

--
Stacey Roberts B.Sc (HONS) Computer Science
Web: www.vickiandstacey.com
Re: ipfw natd forward port 80
Hi,

I have a similar problem. I'm using IPF IPNAT to redirect outbound connections to the internal IP addr. It's been 4 months and I can't solve it :(

The result so far:

    The connection was refused (Netscape)
    Alert! Unable to connect (Lynx)

TIA

Here are the details:

IPF.CONF

    block in log all
    pass out all
    pass in on xl1 all
    pass in on lo all
    block in log quick on xl0 from 0.0.0.0/32 to any
    block in log quick on xl0 from 255.255.255.255/32 to any
    block in log quick on xl0 from 127.0.0.0/8 to any
    block in log quick on xl0 from any to 0.0.0.0/32
    block in log quick on xl0 from any to 255.255.255.255/32
    block in log quick on xl0 from any to 127.0.0.0/8
    block in log quick on xl0 from 192.168.0.0/16 to any
    block in log quick on xl0 from 172.16.0.0/12 to any
    block in log quick on xl0 from 10.0.0.0/8 to any
    pass in quick on xl0 proto icmp all icmp-type 0
    pass in quick on xl0 proto icmp all icmp-type 3
    pass in quick on xl0 proto icmp all icmp-type 11
    # connections to machines
    block in log on xl0 proto tcp all flags S/SA
    block in log on xl0 proto tcp all flags SA/SA
    pass in quick on xl0 proto tcp from any to any port = 5557 flags S/SA keep state
    pass in quick on xl0 proto tcp from any to any port = 25 flags S/SA keep state
    pass in quick on lo0 proto tcp from any to any port = 25 flags S/SA keep state
    pass in quick on xl0 proto tcp from any to any port = 110 flags S/SA keep state
    pass in quick on lo0 proto tcp from any to any port = 110 flags S/SA keep state
    pass in quick on xl0 proto tcp from any to any port = flags S/SA keep state
    pass in quick on lo0 proto tcp from any to any port = flags S/SA keep state
    pass in quick on xl0 proto tcp from any to any port = 80 flags S/SA keep state
    pass in quick on lo0 proto tcp from any to any port = 80 flags S/SA keep state
    pass out on xl0 proto tcp all keep state
    # note 5
    block return-rst in on xl0 proto tcp from any to any port = 113
    block in log quick on xl1 proto tcp from any to any port = 135
    block in log quick on xl1 proto udp from any to any port = 135
    block in log quick on xl1 proto udp from any to any port = 137
    pass in log quick on xl1 proto udp from 192.168.0.1 to any port = 137
    block in log quick on xl1 proto tcp from any to any port = 139
    block in log quick on xl1 proto tcp from any to any port = 445
    block in log quick on xl1 proto udp from any to any port = 138
    pass in on xl0 proto udp from 202.xxx.xxx.xxx port = 53 to any
    pass in on xl0 proto udp from 202.xxx.xxx.xxx port = 53 to any

IPNAT

    map xl0 192.168.0.0/24 -> 202.xxx.xxx.xxx/32 portmap tcp/udp 1025:2
    map xl0 192.168.0.0/24 -> 202.xxx.xxx.xxx/32
    rdr xl0 202.xxx.xxx.xxx/32 port -> 192.168.0.89 port 80 tcp

RC.CONF

    ifconfig_xl1="inet 192.168.0.27 netmask 255.255.255.0"
    ifconfig_xl0="inet 202.xxx.xxx.xxx netmask 255.255.255.240"
    gateway_enable="YES"
    defaultrouter="202.xxx.xxx.xxx"
    ntpdate_flags="ntp.cyber-fleet.net"
    ntpdate_enable="YES"
    sshd_enable="YES"
    inetd_enable="YES"
    hostname="AROMA.ialf.edu"
    sendmail_enable="YES"
    sendmail_flags="-bd"
    sendmail_outbound_enable="NO"
    sendmail_submit_enable="NO"
    sendmail_msp_queue_enable="NO"
    inetd_flags="-Ww"
    ipfilter_enable="YES"
    ipfilter_rules="/etc/ipf.conf"
    ipnat_rules="/etc/ipnat.conf"
    ipnat_flags="-CF"
    ipmon_enable="YES"

--- Clement Laforet [EMAIL PROTECTED] wrote:

> On Thu, 7 Aug 2003 04:33:43 +0200
> Clement Laforet [EMAIL PROTECTED] wrote:
>
> > oups : use this
> > natd_flags="-dynamic -redirect_port 192.168.1.150:80 80"
>
> natd_flags="-dynamic -redirect_port tcp 192.168.1.150:80 80"
>
> that's better ;)
Re: ipfw natd forward port 80
On Wed, 06 Aug 2003 21:28:19 -0700
[EMAIL PROTECTED] wrote:

> I want to forward port 80 from an outside ip to an internal ip of 192.168.1.150
>
> dc1 is tun0 pppoe / dc0 is lan
>
> I have read what seems like 5 diff ways to do this but the only result has been to lock myself out of the computer. What have I missed?
>
> rc.conf settings
>
>     firewall_enable="YES"
>     firewall_script="/etc/firewall/fwrules"
>     firewall_quiet="YES"
>     firewall_logging_enable="YES"
>     #log_in_vain="YES"
>     tcp_drop_synfin="NO"
>     tcp_restrict_rst="NO"
>     icmp_drop_redirect="YES"
>     natd_enable="YES"
>     natd_interface="tun0"
>     natd_flags="-dynamic"
>     gateway_enable="YES"
>     ppp_enable="YES"
>     ppp_mode="ddial"
>     ppp_profile="default"

seems to be good.

> ipfw show
>
>     00050 fwd 192.168.1.150,80 tcp from any to 192.168.1.150 in via tun0

^^ = BAD

use this

    natd_flags="-dynamic -redirect_port 192.168.1.150:80 80"
Re: ipfw natd forward port 80
On Wed, 6 Aug 2003 20:55:47 -0500 (CDT)
Mark [EMAIL PROTECTED] wrote:

> I am still unable to connect from the outside, from the kernel config
>
>     # ipfw options
>     options IPFIREWALL
>     options IPFIREWALL_VERBOSE
>     options IPFIREWALL_VERBOSE_LIMIT=10
>     options IPFIREWALL_DEFAULT_TO_ACCEPT
>     options IPDIVERT
>     #To hide firewall from traceroute
>     options IPSTEALTH
>     #To hide from nmap, remove if create web server
>     #options TCP_DROP_SYNFIN

ok here's my set up (I use pound for web traffic now but it used to work for years)

kernel conf:

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=10
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPDIVERT

natd.conf:

    [EMAIL PROTECTED]|(553)| teapop-devel]# ssh charon.cultdeadsheep.org cat /etc/natd.conf
    log no
    deny_incoming no
    port 8668
    # use_sockets yes
    #
    # Avoid port changes if possible. Makes rlogin work
    # in most cases.
    #
    same_ports yes
    # verbose no
    interface tun0
    unregistered_only yes
    redirect_port tcp 192.168.0.1:80 80

Now the debugging :)

when you try a telnet <your external IP> 80 you have:

    1. Connection refused: natd isn't running
    2. ping timeout:
       - your firewall is faulty or
       - your server is down or
       - your server doesn't have the right gateway
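A small Python version of that triage, added here as an illustration rather than taken from the post: probe() classifies the outcome of a TCP connect to the gateway's public address on port 80, and DIAGNOSIS maps each outcome onto the cases listed above (plus a "no route" case the post does not mention). The loopback helpers at the bottom exist only so the classifier can be exercised without a real gateway; the mapping of "refused" to "redirect not applied" follows the post's own reading.

```python
import errno
import socket
from typing import Tuple


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """TCP connect to host:port and classify the outcome as one of
    'open', 'refused', 'timeout', 'unreachable' or 'error'.
    Nothing is sent to the service; only the handshake result matters."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"                # a RST came back
    except socket.timeout:
        return "timeout"                # SYN or SYN+ACK silently dropped
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"        # routing failed before any packet left
        return "error"
    finally:
        s.close()


# What each outcome usually means for a natd redirect_port setup, following
# the two cases in the post above and adding the routing-failure case.
DIAGNOSIS = {
    "open":        "something accepted the connection; if it is not the internal "
                   "web server, check the redirect_port target address and port",
    "refused":     "a TCP stack answered for itself with nothing listening, i.e. the "
                   "redirect was not applied (natd not running, or no divert rule)",
    "timeout":     "the SYN or the SYN+ACK was dropped: firewall rule, server down, "
                   "or the internal server's default gateway is not the firewall",
    "unreachable": "no route from the probing host; fix routing before blaming "
                   "the firewall",
    "error":       "unexpected socket error; inspect the exception",
}


def diagnose(host: str, port: int = 80, timeout: float = 3.0) -> Tuple[str, str]:
    """Probe and return (outcome, human-readable next step)."""
    result = probe(host, port, timeout)
    return result, DIAGNOSIS[result]


# Helpers so the classifier can be tried offline on the loopback interface.
def local_listener() -> Tuple[socket.socket, int]:
    """A listening socket on an ephemeral loopback port (caller closes it)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_loopback_port() -> int:
    """An ephemeral loopback port that was just released, so a connect gets a RST."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    outcome, advice = diagnose(host, port)
    print("%s:%d -> %s: %s" % (host, port, outcome, advice))
```

Run it from a host outside the gateway (`python3 probe.py 1.2.3.4 80`); run from the LAN it only tells you about the hairpin path, which is the separate problem discussed elsewhere in this thread.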
Re: ipfw / natd does not allow lan traffic to reach external num
Hi!

> I have a problem with our firewall/NAT, on a FreeBSD 4.7 box... Here is a list with some details:
>
> *) The FreeBSD box uses natd and ipfw, and has two external IPs, let's say aaa.bbb.ccc.20 and ddd.eee.fff.21.
>
> *) natd is used to redirect access to external IP addresses and ports to internal LAN IPs, for example 192.168.0.20 and 192.168.0.21, where for example webservers are located.
>
> *) natd rules:
> snipped
>
> *) ipfw lets things through:
> snipped
>
> Most things work just fine, external access is redirected to the correct ports, and the webservers work just fine. BUT the problem comes when a box on the LAN tries to reach a site residing on 192.168.0.20 using the _external_ IP aaa.bbb.ccc.20.

I don't use ipfw but I encountered the same problem when I first attempted to do a similar setup using ipfilter/ipnat.

The problem (at least with ipfilter/ipnat) is that nat does not change the *source* address of packets to that of the machine doing the NAT. So, if you are at machine 192.168.1.10, the internal IP of the NAT box is 192.168.1.1 and you are trying to access a service running on 192.168.1.2 via the external interface of the NAT box, this is what happens:

* Your PC sends the initial SYN with source=192.168.1.10, target=natbox_external_ip. This packet goes to the natbox, as that is your default gateway.

* NAT on the natbox translates the target address to 192.168.1.2 and sends the packet there. The source address remains unchanged (192.168.1.10).

* 192.168.1.2 sees the packet coming from 192.168.1.10, and - this is where it goes wrong - sends the response (SYN+ACK) directly to 192.168.1.10.

* Since 192.168.1.10 did not initiate a session with 192.168.1.2 but with the natbox, it doesn't want anything to do with this strange SYN+ACK packet and just drops it.

There are several possible solutions recommended for ipfilter, but the one that I myself ended up using was to set up netcat on the natbox.

Basically (using inetd) you set up netcat to listen on an arbitrary port X and pipe all traffic to the machine:port on your internal net where the actual service is running (such as 192.168.1.2:80). Then you forward all traffic with src=your_internal_net and dst=natbox_external_ip:80 to 127.0.0.1:X. That way the internal server sees packets coming from the natbox, sends its responses there, and the natbox in turn sends responses back to the original client. Everybody's happy.

As I said I don't use ipfw myself so I can't give you any specific ipfw commands, but I'm sure it all can be done. If only my explanation wasn't too confusing :-)

--
Toomas Aas | [EMAIL PROTECTED] | http://www.raad.tartu.ee/~toomas/
* (A)bort, (R)etry, (I)nfluence with large hammer?
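To make that packet walk concrete, and to put Pat's split-DNS answer from earlier in the thread next to it, here is a small Python simulation. It is an added illustration, not code from the list thread or from natd/ipnat: the LAN addresses are the ones in the explanation above, 203.0.113.4 is a made-up documentation-range address standing in for natbox_external_ip, and the 'dnat_snat' mode generalises the netcat trick to any gateway that rewrites the source address as well as the destination (the server then answers the gateway, which un-NATs the reply), which is what a hairpin-NAT rule does at the packet level.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Addresses from the walk-through above; the public address is a placeholder
# from the RFC 5737 documentation range, standing in for natbox_external_ip.
CLIENT = "192.168.1.10"
NATBOX_INT = "192.168.1.1"
NATBOX_EXT = "203.0.113.4"
SERVER = "192.168.1.2"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN" or "SYN+ACK"


class Client:
    """Remembers which address it sent the SYN to. A SYN+ACK from any other
    address belongs to no connection it knows about, so it is dropped."""

    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.peer: Optional[str] = None
        self.log: List[str] = []

    def connect(self, dst: str) -> Packet:
        self.peer = dst
        self.log.append(f"client: SYN {self.ip} -> {dst}:80")
        return Packet(self.ip, 40000, dst, 80, "SYN")

    def receive(self, pkt: Packet) -> bool:
        if pkt.flags == "SYN+ACK" and pkt.src == self.peer:
            self.log.append(f"client: SYN+ACK from {pkt.src}, handshake completes")
            return True
        self.log.append(f"client: SYN+ACK from {pkt.src} but I spoke to {self.peer}, dropped")
        return False


class Server:
    """Answers to whatever source address the SYN carried."""

    def __init__(self, ip: str) -> None:
        self.ip = ip

    def receive(self, pkt: Packet) -> Packet:
        return Packet(self.ip, 80, pkt.src, pkt.sport, "SYN+ACK")


class NatBox:
    """redirect_port-style DNAT of <public>:80 to the server. With snat=True it
    also rewrites the source to its own inside address, which is the effect
    the netcat proxy in the post has: the server then answers the natbox."""

    def __init__(self, ext: str, inside: str, target: str, snat: bool) -> None:
        self.ext, self.inside, self.target, self.snat = ext, inside, target, snat
        self.table: Dict[Tuple[str, int], str] = {}   # translated (src, sport) -> original src

    def forward(self, pkt: Packet) -> Packet:
        if pkt.dst != self.ext or pkt.dport != 80:
            return pkt                                  # not a redirected flow
        new_src = self.inside if self.snat else pkt.src
        self.table[(new_src, pkt.sport)] = pkt.src
        return Packet(new_src, pkt.sport, self.target, 80, pkt.flags)

    def reply(self, pkt: Packet) -> Optional[Packet]:
        orig = self.table.get((pkt.dst, pkt.dport))
        if orig is None:
            return None                                 # not ours; nothing to un-NAT
        return Packet(self.ext, pkt.sport, orig, pkt.dport, pkt.flags)


def run(mode: str) -> Tuple[bool, List[str]]:
    """mode: 'dnat_only' (the failing case from the post), 'dnat_snat'
    (proxy/hairpin fix) or 'split_dns' (Pat's fix: the LAN resolves the name
    to 192.168.1.2 and never touches the gateway). Returns (handshake_ok, log)."""
    client, server = Client(CLIENT), Server(SERVER)
    if mode == "split_dns":
        synack = server.receive(client.connect(SERVER))
        return client.receive(synack), client.log

    nat = NatBox(NATBOX_EXT, NATBOX_INT, SERVER, snat=(mode == "dnat_snat"))
    synack = server.receive(nat.forward(client.connect(NATBOX_EXT)))
    if synack.dst == NATBOX_INT:
        # the server answered the natbox, which un-NATs and relays to the client
        synack = nat.reply(synack)
    # otherwise the server answered the client directly across the LAN
    return client.receive(synack), client.log


if __name__ == "__main__":
    for mode in ("dnat_only", "dnat_snat", "split_dns"):
        ok, log = run(mode)
        print(f"{mode}: {'OK' if ok else 'FAIL'}")
        for line in log:
            print("   ", line)
```

The 'dnat_only' run fails for exactly the reason the post gives (SYN+ACK arrives from 192.168.1.2 while the client is waiting on 203.0.113.4); the other two succeed. Note that with the SNAT/proxy approach the web server's logs show every LAN client as the natbox, which is why split DNS is usually the preferred fix when the name is all the users need.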
Re: ipfw natd forward port 80
I am still unable to connect from the outside, from the kernel config

    # ipfw options
    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=10
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPDIVERT
    #To hide firewall from traceroute
    options IPSTEALTH
    #To hide from nmap, remove if create web server
    #options TCP_DROP_SYNFIN
Re: ipfw natd forward port 80
On Thu, 7 Aug 2003 04:33:43 +0200
Clement Laforet [EMAIL PROTECTED] wrote:

> oups : use this
> natd_flags="-dynamic -redirect_port 192.168.1.150:80 80"

    natd_flags="-dynamic -redirect_port tcp 192.168.1.150:80 80"

that's better ;)
Re: ipfw - natd - squid - 3 Nic's - 1 FBSD 5.1 server and routingquestion
On Mon, Aug 04, 2003 at 06:24:42AM -0700, [EMAIL PROTECTED] wrote:

> I could sure use an idea for solving the following. We have a perfectly functional but saturated ds0 with our telco that is very expensive. We have squid running with transparent proxy for our LAN that consists of about 10-15 users.
>
>     [ fwd 127.0.0.1,3128 tcp from 192.168.5.0/24 to any 80 ]
>
> It works fine but still not enough bandwidth, so we contracted a connection with a cable company that we plan to use for all outgoing requests for port 80 from squid. The problem is that I can't get the outgoing requests from squid to use the nic that is connected to the cable company. Squid is set up to use the cable company's IP
>
>     tcp_outgoing_address 10.24.194.163
>
> but since the default gateway is to the telco interface, the request is sent to the telco. I'm not sure how to make this work. Our three nics are set up as follows (the box in the middle runs natd, ipfw and squid):
>
>     rl1  192.168.5.0/24     Internal Network
>     rl0  200.79.x.0/28      [TelCo] --- INTERNET   (routing: default 200.79.x.1)
>     rl2  10.24.194.163/20   Cable Network
>
> Our firewall configuration has been reduced to the following until we can get this to work.
>
>     00100 allow ip from any to any via lo0
>     00200 deny ip from any to 127.0.0.0/8
>     00300 deny ip from 127.0.0.0/8 to any
>     00400 fwd 127.0.0.1,3128 tcp from 192.168.5.0/24 to any 80
>     65100 divert 8668 ip from any to any via rl0
>     65500 allow ip from any to any
>     65535 allow ip from any to any
>
> Everything works great with rl1 -> rl0 but rl2 is basically useless. I have tried many different approaches and none have worked. I'm probably complicating it too much. Any help or suggestions will be appreciated.

This sounds to me like a policy based routing problem -- googling for "policy based routing FreeBSD" in Google Groups should prove informative.

However, the mechanism is basically the same as you've used to implement your transparent proxy. All you need to do is insert another rule to trap the port 80 traffic coming out of Squid and send the packets to the next-hop gateway on your rl2 interface. That presumably has its default route set via the cable network. Something like:

    00500 fwd 10.24.207.254 tcp from me to any 80

(assuming that 10.24.207.254 is the router address in the cable company's network.)

Since your Squid is already using a Cable Co. address as the source address on any outgoing packets this should cause all in- and out-going HTTP traffic to pass via the Cable Co. network.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                     26 The Paddocks
                                                    Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey       Marlow
Tel: +44 1628 476614                                Bucks., SL7 1TH UK
Re: IPFW + NATD
----- Original Message -----
From: Vitor de Matos Carvalho [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, July 13, 2003 7:18 AM
Subject: IPFW + NATD

> Hi,
>
> I have two networks: 10.1.0.0/16 and 10.2.0.0/16
>
> Only that I need to do the NAT for only one network, 10.2.0.0/16. Network 10.1.0.0/16 does not have external access.
>
> How do I configure ipfw + natd so that this is possible?
>
> My exit interface is xl0, the interface of network 10.1.0.0/16 is xl1, and the interface of network 10.2.0.0/16 is xl2.
>
> How do I configure ipfw using natd to do NAT only for net 10.2.0.0/16?
>
> Regards,
>
> ---
> Vitor de Matos Carvalho - #5602098
> Softinfo Network Administrator
> +55 (71)9971-5011 / +55 (71)9986-9317
> Salvador - Bahia - Brazil
> FreeBSD: The silent Workhorse

I would think it would be something like this:

    # Divert all outbound traffic through nat
    #
    ipfw add 1 divert natd all from any to any via xl0
    #
    ### Allow traffic from/to internal networks
    #
    ipfw add 2 allow ip from 10.1.0.0/16 to 10.2.0.0/16
    ipfw add 2 allow ip from 10.2.0.0/16 to 10.1.0.0/16
    #
    ### Deny 10.1.0.0/16 traffic to anyone else
    #
    ipfw add 4 deny ip from 10.1.0.0/16 to any
    #
    ### Rest of firewall rules
    #

--
Micheal Patterson
Network Administration
Cancer Care Network
405-733-2230
Re: IPFW + NATD
Thanks for the help.

My net 10.1.0.0/16 cannot see net 10.2.0.0/16. And in my firewall the last rule of my kernel is:

    deny ip from any to any

Regards,

---
Vitor de Matos Carvalho - #5602098
Softinfo Network Administrator
+55 (71)9971-5011 / +55 (71)9986-9317
Salvador - Bahia - Brazil
FreeBSD: The silent Workhorse

----- Original Message -----
From: Micheal Patterson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, July 13, 2003 1:53 PM
Subject: Re: IPFW + NATD

> [...]
Re: IPFW NATD access www server by name from the LAN side ?
> FreeBSD 4.7 firewall with 3 nics. Public, DMZ, and LAN. DNS/Bind is not running here.
>
> The www public address is redirected to its DMZ address. The www server in the DMZ can be accessed by name from the Internet but only by its private DMZ IP address from the LAN side. An attempt to access it by name from the LAN results in a 'page not found'.
>
> When attempting to access the www by name from the LAN side, tcpdump shows traffic getting to the firewall but not redirected out the DMZ nic. So it's the firewall answering with the 'page not found'.

Well, actually your web browser is saying that... because it can't find the page.

> How can I redirect traffic to the WWW server from the LAN side?
>
> Thanks,
> Jay.

This is in the howto I followed (but I don't remember how)... there are about 5 good ones that can be found via google. Basically, you need to add a rdr rule to natd, if I remember correctly.
Re: IPFW NATD access www server by name from the LAN side ?
On Sat, 29 Mar 2003 14:50:22 -0800 (PST), Charlie Schluting wrote:

> [...]
>
> This is in the howto I followed (but I don't remember how)... there are about 5 good ones that can be found via google. Basically, you need to add a rdr rule to natd, if I remember correctly.

Thanks, I've spent some time googling but haven't hit anything; if anyone has some links it would be most appreciated.
Re: IPFW NATD access www server by name from the LAN side ?
On Sat, Mar 29, 2003 at 03:11:09PM -0800, [EMAIL PROTECTED] wrote:
[...]
> > > How can I redirect traffic to the WWW server from the LAN side ? Thanks, Jay.
> >
> > This is in the howto I followed (but I don't remember how)... there's about 5 good ones that can be found via google. Basically, you need to add a rdr rule to natd, if I remember correctly.
>
> Thanks, I've spent some time google(ing) but haven't hit anything, if anyone has some links it would be most appreciated.

The most common solution is to run an internal DNS (which everyone on the inside uses) which maps the name to the internal address. If you run an authoritative DNS for your domain, the DNS which serves outside queries needs to be separate from the one that handles internal queries. Alternatively, you can use BIND9's views feature to do the same thing as these 2 DNS servers.

Cheers.
-- 
Jonathan Chen [EMAIL PROTECTED]
-- 
With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea. It is hard to be sure where they are going to land, and it could be dangerous sitting under them as they fly overhead. -- RFC 1925
Re: ipfw/natd questions
On Wed, 15 Jan 2003 19:08:08 -0600 Redmond Militante [EMAIL PROTECTED] wrote:
[...]
> at the moment, it's not working. on machine 2, i can't ping www.freebsd.org - i get 'hostname lookup failure'. i can't ping xl0 - external nic on machine 1 - ping 129.x.x.35 gives me a 'host is down' message. machine 2 can ping its own static ip successfully - ping 129.x.x.20 works. machine 2 can ping its own hostname successfully - ping machine2.hostname.com works. sorry if this is long, i've been messing with this all day and i think i'm doing it right. can you guys tell if i'm missing something obvious?

What about your /etc/resolv.conf? On both machines? Did you insert the nameserver of your ISP?

To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: ipfw/natd questions
> - i've run an ethernet cable from xl1 - integrated intel 1000 pro nic on machine 1 - to machine 2's nic. i've edited machine 2's /etc/rc.conf so that it points to the internal nic - xl1 on machine 1 - as its default gateway:

Ethernet cable? Or crossover cable? If it's a straight cable, you need another hub and cable.. or a crossover cable instead.

> snip
> defaultrouter="10.20.155.1"
> hostname="machine2.hostname.com"
> ifconfig_xl0="inet 129.x.x.20 netmask 255.255.255.0"
> snip

On another note, if I read that correctly.. you connected a nic that is configured with an IP of 129.x.x.x to a nic with an IP of 10.x.x.x. You would more than likely want the nic on machine2 to be on the 10.x.x.x subnet for this configuration. Afterwards, you should at least be able to ping your internal interface on machine1 from machine2 (It looks like you're allowing it in your IPFW rules...). Once you can ping.. (or begin to see traffic on the internal interface in the logs for IPFW), you can start troubleshooting the IPFW rules, if necessary.

HTH,
John
Re: IPFW + NATD with redirect_port
> I want to redirect incoming ssh packets to another box internally. I have got the following as my /etc/natd.conf:
>
> dynamic yes
> log_denied yes
> use_sockets yes
> same_ports yes
> unregistered_only
> redirect_port tcp 192.168.0.200:22 4455
>
> When I try to ssh to port 4455 I get nothing - I have ipfw running - do I need any specific rules to get this working? I have tried
>
> ${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup
>
> but it doesn't seem to work.

Gordon,

Your natd setup looks OK to me. I'm wondering whether your ipfw isn't blocking connection attempts. Do you have a rule that allows tcp connections to port 4455? And another to allow connections from the NAT box to the ssh box on port 22? And when you try to connect to port 4455 on your NAT box, you do it from the exterior, right?

Hope this helps,
Jonathan
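As an added example (not Gordon's or Jonathan's configuration), this is the natd.conf from the thread together with a minimal ipfw rule set that answers Jonathan's two questions: the allow rules sit after the divert rule, so they see the packet after natd has rewritten port 4455 to 192.168.0.200:22, and a second rule lets that same connection leave towards the ssh box on the inside interface. Interface names (oif=fxp0 outside, iif=xl0 inside) are assumed, and fwcmd defaults to a dry run that only prints the ipfw commands.

```shell
#!/bin/sh
# Added example: natd redirect_port for ssh plus the ipfw rules around the
# divert. oif/iif are assumed interface names; set fwcmd=/sbin/ipfw to
# apply the rules instead of printing them.
oif="${oif:-fxp0}"
iif="${iif:-xl0}"
sshbox="${sshbox:-192.168.0.200}"
pubport="${pubport:-4455}"
fwcmd="${fwcmd:-echo ipfw}"

# /etc/natd.conf: connections to port 4455 on the outside address are
# rewritten to sshbox:22 before ipfw evaluates the rules after the divert.
natd_conf() {
    cat <<EOF
dynamic yes
log_denied yes
use_sockets yes
same_ports yes
unregistered_only
redirect_port tcp ${sshbox}:22 ${pubport}
EOF
}

ssh_redirect_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 allow ip from any to any via lo0
    # natd gets every packet on the outside interface first; after it
    # reinjects the packet, ipfw continues with the next rule
    ${fwcmd} add 200 divert 8668 ip from any to any via "${oif}"
    # the inbound SYN, already translated to sshbox:22 by natd
    ${fwcmd} add 300 allow log tcp from any to "${sshbox}" 22 in via "${oif}" setup
    # the same SYN leaving towards the ssh box on the inside interface
    ${fwcmd} add 310 allow tcp from any to "${sshbox}" 22 out via "${iif}"
    # replies from the ssh box and the rest of every established session
    ${fwcmd} add 400 allow tcp from any to any established
    # any other attempt to open a connection from outside is logged and dropped
    ${fwcmd} add 65000 deny log tcp from any to any in via "${oif}" setup
}

# Dry run: show the generated natd.conf and the ipfw commands.
natd_conf
ssh_redirect_rules
```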
Re: IPFW, natd, redirect_address help needed
Do you have gateway_enable="YES" in your firewall? Can you get packets through both directions just fine with the firewall set to OPEN?

David

Terrac Skiens wrote:

> Hi there, I have been trying to set up an embedded system from soekris, running a small version of freebsd on its internal compact flash hard disk. The machine is built, I have remote access to it and I intend to use it as a firewall + nat appliance, directing traffic from machines internally to external IP addresses. I have gotten everything running, however my test for the machines behind the new firewall keeps failing. I can ping the firewall itself, but not anything past it. The pings just disappear. From the firewall I can ping anything by either hostname or IP. What I have not figured out is why my machines behind the firewall cannot ping out past the firewall, or get any other traffic out either.
>
> my ipfw list is:
> ---
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 deny ip from any to 172.16.0.0/12 via sis0
> 00500 deny ip from any to 192.168.0.0/16 via sis0
> 00600 deny ip from any to 0.0.0.0/8 via sis0
> 00700 deny ip from any to 169.254.0.0/16 via sis0
> 00800 deny ip from any to 192.0.2.0/24 via sis0
> 00900 deny ip from any to 224.0.0.0/4 via sis0
> 01000 deny ip from any to 240.0.0.0/4 via sis0
> 01100 divert 8668 ip from any to any via sis0
> 01200 deny ip from 172.16.0.0/12 to any via sis0
> 01300 deny ip from 192.168.0.0/16 to any via sis0
> 01400 deny ip from 0.0.0.0/8 to any via sis0
> 01500 deny ip from 169.254.0.0/16 to any via sis0
> 01600 deny ip from 192.0.2.0/24 to any via sis0
> 01700 deny ip from 224.0.0.0/4 to any via sis0
> 01800 deny ip from 240.0.0.0/4 to any via sis0
> 01900 allow tcp from any to any established
> 02000 allow ip from any to any frag
> 1 deny log logamount 100 tcp from any to any in recv sis0 setup
> 10100 allow tcp from any to any setup
> 10200 allow udp from any to any 53 keep-state out xmit sis0
> 10300 allow udp from any to any 53 keep-state in recv sis0
> 10400 allow udp from any to any 123 keep-state out xmit sis0
> 10500 allow udp from any to any 123 keep-state in recv sis1
> 10600 allow tcp from any to any 53 keep-state out xmit sis0
> 10700 allow tcp from any to any 53 keep-state in recv sis1
> 10800 allow tcp from any to any 25 keep-state out xmit sis0
> 10900 allow tcp from any to any 25 keep-state in recv sis1
> 11000 allow tcp from any to any 22 keep-state out xmit sis0
> 11100 allow tcp from any to any 22 keep-state in recv sis1
> 11200 allow udp from me to any 67 keep-state out xmit sis0
> 11300 allow icmp from any to any
> 65535 deny ip from any to any
>
> and my netstat -rn is:
> ---
> Routing table:
> Destination        Gateway           Flags   Netif  Use
> default            66.180.229.177    UGSc    sis0     2
> 10.1.1.0/24        link#2            UC      sis1     0
> xxx.xxx.xxx.xxx    link#1            UC      sis0     0   - network
> xxx.xxx.xxx.xxx    link#1            UHLW    sis0     0   - gateway
> 127.0.0.1          127.0.0.1         UH      lo0      0

-- 
David Cramblett
Network and Information Services
Multnomah Education Service District
phn: 503-257-1535 fax: 503-257-1538
Re: IPFW, natd, redirect_address help needed
since this is a super small distribution I do not have the default open, closed, and client firewall configs. The set I am using is based on the client one though, however I adjusted it to allow traffic from the inside to the outside on specific ports and hopefully keep-state to let the returning packets back in. That's right isn't it?

-terrac

On Tue, 5 Nov 2002, David Cramblett wrote:

> Do you have gateway_enable="YES" in your firewall? Can you get packets through both directions just fine with the firewall set to OPEN?
>
> David
>
> Terrac Skiens wrote:
> > Hi there, I have been trying to set up an embedded system from soekris, running a small version of freebsd on its internal compact flash hard disk. [...] What I have not figured out is why my machines behind the firewall cannot ping out past the firewall, or get any other traffic out either.
> >
> > my ipfw list is: [...]
> >
> > and my netstat -rn is: [...]
Re: IPFW, natd, redirect_address help needed
well you could simply do an ipfw flush and then use the ipfw command line to add back the rule for the loopback device and the natd divert line (looks like you're using natd?), then do a:

ipfw add pass all from any to any

and make sure that you can send and receive traffic in both directions without any deny firewall rules in place. If you want to test with the current rules in place, you may want to add a line to log all connections, if you have the disk space for it, and then tail -f your security log and see what packets are getting denied/accepted and why.

David

Terrac Skiens wrote:

> since this is a super small distribution I do not have the default open, closed, and client firewall configs. The set I am using is based on the client one though, however I adjusted it to allow traffic from the inside to the outside on specific ports and hopefully keep-state to let the returning packets back in. That's right isn't it?
>
> -terrac
>
> On Tue, 5 Nov 2002, David Cramblett wrote:
>
> > Do you have gateway_enable="YES" in your firewall? Can you get packets through both directions just fine with the firewall set to OPEN?
> >
> > David
> >
> > Terrac Skiens wrote:
> > > Hi there, I have been trying to set up an embedded system from soekris, running a small version of freebsd on its internal compact flash hard disk. [...] What I have not figured out is why my machines behind the firewall cannot ping out past the firewall, or get any other traffic out either.
> > >
> > > my ipfw list is: [...]
> > >
> > > and my netstat -rn is: [...]
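The "log everything and watch the security log" step David describes is quicker when the log lines are broken down by rule. This added example (not from the thread) does that for ipfw log lines of the form "ipfw: RULE ACTION PROTO SRC DST in|out via IFACE"; the sample lines are constructed to match the thread's layout (sis0 outside, sis1 inside, 10.1.1.0/24 behind the firewall) and the addresses are made up.

```shell
#!/bin/sh
# Added example: summarise ipfw log lines so that the rule dropping a
# host's traffic, and the interface it is dropped on, can be read off
# directly. The log lines below are constructed, not from a real box.

sample_log() {
    cat <<'EOF'
Nov  5 14:02:11 fw /kernel: ipfw: 65535 Deny ICMP:8.0 10.1.1.5 66.180.229.1 in via sis1
Nov  5 14:02:12 fw /kernel: ipfw: 65535 Deny ICMP:8.0 10.1.1.5 66.180.229.1 in via sis1
Nov  5 14:02:15 fw /kernel: ipfw: 1 Deny TCP 203.0.113.7:3344 66.180.229.178:22 in via sis0
Nov  5 14:02:20 fw /kernel: ipfw: 300 Accept TCP 10.1.1.5:1025 66.180.229.1:80 out via sis0
EOF
}

# Count log lines per action, rule number, protocol, direction and interface.
# After "ipfw: " the fields are RULE ACTION PROTO SRC DST DIR "via" IFACE;
# for ICMP the protocol field carries type and code ("ICMP:8.0").
ipfw_log_summary() {
    awk '
    /ipfw: / {
        n = index($0, "ipfw: ")
        split(substr($0, n + 6), f, " ")
        proto = f[3]
        sub(/:.*/, "", proto)
        key = f[2] " rule=" f[1] " " proto " " f[6] " via " f[8]
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# Only the Deny lines that involve HOST (as source or destination), with the
# rule number that fired, so "why can this box not ping out" is answered by
# the log rather than by guessing at the rule set.
ipfw_denies_for_host() {
    awk -v h="$1" '
    /ipfw: / && / Deny / {
        n = index($0, "ipfw: ")
        split(substr($0, n + 6), f, " ")
        src = f[4]; dst = f[5]
        sub(/:[0-9]+$/, "", src)
        sub(/:[0-9]+$/, "", dst)
        if (src == h || dst == h)
            print "rule " f[1] " " f[3] " " src " -> " dst " " f[6] " via " f[8]
    }'
}

# Dry run on the constructed lines; on a live box feed
# "tail -f /var/log/security" into the same functions.
sample_log | ipfw_log_summary
sample_log | ipfw_denies_for_host 10.1.1.5
```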
Re: IPFW/NATD
On Tue, Oct 22, 2002 at 10:55:26AM -0500, Scott Pilz typed:

> The answer to this is more than likely 'no'. But I'll try anyways.
>
> Setup: NATD/IPFW
>
> Say you have an IPFW rule to allow 10.0.0.2 through NATD - thus into the internet - and everything else to be blocked. Your machine (10.0.0.2) that is being firewalled by NATD/IPFW works fine. Then someone else sets their machine up to 10.0.0.2, and now they can also get out into the network (there will of course be an ip conflict).

You can use arp(8) to make a permanent entry in the arp table on your NAT/Firewall box to prevent anyone else from using this IP address:

arp -S 10.0.0.2 Your_machines_MAC

> My question is, for security, is there any way to use this type of block based on MAC ID. Almost to bond the MAC ID to the IP Address so the only computer that can use the IP address 10.0.0.2 is with MAC ID whatever?
>
> Thanks, Scott
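As an added example (not from the thread), the following pins the IP-to-MAC mapping on the NAT/firewall box with arp -S as the reply suggests, and then checks a live "arp -an" listing against the pinned list so that a second machine answering for 10.0.0.2, or a pinned MAC reappearing under another address, is reported rather than silently passed. The MAC addresses and the sample arp output are constructed. A permanent entry only fixes where the NAT box sends frames for that IP; it is not a strong authentication of the host behind it.

```shell
#!/bin/sh
# Added example: pin IP->MAC entries and audit the ARP table against them.
# The pinned list and the sample "arp -an" output are constructed; arpcmd
# defaults to a dry run that only prints the arp commands (set
# arpcmd=/usr/sbin/arp to apply them).

# Pinned entries, one "ip mac" pair per line (constructed).
pinned_hosts() {
    cat <<'EOF'
10.0.0.2 00:11:22:33:44:55
10.0.0.3 00:11:22:33:44:66
EOF
}

# Install a permanent ARP entry for every pinned host (arp -S replaces
# whatever entry the kernel currently holds for that address).
pin_arp_entries() {
    arpcmd="${arpcmd:-echo arp}"
    pinned_hosts | while read -r ip mac; do
        ${arpcmd} -S "$ip" "$mac"
    done
}

# Constructed "arp -an" output in FreeBSD's format: 10.0.0.2 is fine,
# 10.0.0.3 answers from an unexpected card, and 10.0.0.9 shows up with
# the MAC that is pinned to 10.0.0.2.
sample_arp_table() {
    cat <<'EOF'
? (10.0.0.2) at 00:11:22:33:44:55 on xl1 permanent [ethernet]
? (10.0.0.3) at 00:aa:bb:cc:dd:ee on xl1 [ethernet]
? (10.0.0.9) at 00:11:22:33:44:55 on xl1 [ethernet]
EOF
}

# Read an "arp -an" listing on stdin and report every pinned IP seen with a
# different MAC, and every pinned MAC seen under a different IP.
# Exit status 1 when anything was reported, 0 when the table is clean.
check_arp_table() {
    awk -v pinned="$(pinned_hosts)" '
    BEGIN {
        n = split(pinned, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], p, " ")
            mac_of[p[1]] = p[2]
            ip_of[p[2]] = p[1]
        }
    }
    /\) at / {
        ip = $2; gsub(/[()]/, "", ip)
        mac = $4
        if (ip in mac_of && mac_of[ip] != mac) {
            print "MISMATCH " ip " is at " mac ", pinned to " mac_of[ip]; bad = 1
        } else if (mac in ip_of && ip_of[mac] != ip) {
            print "REUSED-MAC " mac " pinned to " ip_of[mac] " seen as " ip; bad = 1
        }
    }
    END { exit bad ? 1 : 0 }'
}

pin_arp_entries
sample_arp_table | check_arp_table || echo "arp table needs attention"
```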
RE: ipfw, natd tun0
Is PPP trying to do NAT as well as natd? I use natd with tun0 all the time and it works OK..

-D

:-----Original Message-----
:From: Allan McDonald [mailto:[EMAIL PROTECTED]]
:Sent: Tuesday, July 16, 2002 8:45 AM
:To: [EMAIL PROTECTED]
:Subject: ipfw, natd tun0
:
:Hi,
:I'm trying to use natd with port redirection and it's not working..
:
:I have a working model, a box with 2 network cards in it, in which natd port redirection is working just fine.. and I have another which I am trying to do the same thing, however this poor box has to connect to the internet via ppp. Now the internet connection is working fine.
:
:My query is.. should natd support port redirection over the tun0 interface?
:
:I do have options IPDIVERT compiled.. same format config files (natd.conf, /etc/rc.conf) on both boxes.
:Both boxes running FreeBSD 4.5
:
:Anyone had this problem before??
:
:Regards,
:
:Allan McDonald
:IT Manager
:Ozdaq Securities Pty Ltd