Re: ipfw/natd in 8.1

2010-05-28 Thread Коньков Евгений
Hello, Casey.

00300 0   0 deny ip from 192.168.0.0/16 to any in via fxp0
00301 0   0 deny ip from 172.16.0.0/12 to any in via fxp0
00302 0   0 deny ip from 10.0.0.0/8 to any in via fxp0
00303 0   0 deny ip from 127.0.0.0/8 to any in via fxp0
00304 0   0 deny ip from 0.0.0.0/8 to any in via fxp0
00305 0   0 deny ip from 169.254.0.0/16 to any in via fxp0
00306 0   0 deny ip from 192.0.2.0/24 to any in via fxp0
00307 0   0 deny ip from 204.152.64.0/23 to any in via fxp0
00308 0   0 deny ip from 224.0.0.0/3 to any in via fxp0
You can replace all of that by:
deny all from any to not me in recv fxp0

in recv/in via are very different things!



CS> 00100965322 divert 8668 log ip from any to any in via fxp0
CS> 00500   293   56642 divert 8668 log ip from any to any
What are you trying to do with these rules??? What you do is wrong.

They do different work in conjunction with keep-state and other
rules in your firewall. Divide the logic in your firewall!

What is the one_pass option in your kernel?
kes# sysctl -a | grep one_pass
Maybe you have 1, but it must be 0.

CS> 00420 91112 allow log tcp from any to me dst-port 20,21,53,76,80,123,443 in via fxp0 setup limit src-addr 20
This rule will not pass packets to undivert, I think, or it will have some
effect on the divert rule.

CS> 0051078   21591 allow log ip from any to any
This rule is useless!!!

CS> Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS> [TCP] 74.94.69.225:61447 -> 65.61.153.152:80
CS> In  {default}[TCP]  [TCP] 65.61.153.152:80 -> 74.94.69.225:61447 aliased to
CS> [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
Before setup, all works fine.

After setup, your firewall fails. Established connections do not work:
CS> In  {default}[TCP]  [TCP] 65.61.153.152:80 -> 192.168.1.6:61447 aliased to
CS> [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
CS> Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS> [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
CS> Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS> [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
CS> Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS> [TCP] 192.168.1.6:61447 -> 65.61.153.152:80

Try to understand divert, then try keep-state, setup, etc.

good luck

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: ipfw natd rules not loading on startup

2010-05-15 Thread Polytropon
Just a sidenote:

On Sat, 15 May 2010 02:33:10 +0200, umage theultram...@gmail.com wrote:
 However, if I
 run the script manually, or call it from the end of /etc/rc, it will add
 these rules as well. Currently I am using a workaround.

It's not a good idea to modify /etc/rc. In your case, using the
mechanisms of /etc/rc(.shutdown).local is a good way to call
scripts that do not fit the rc.d concept. See man rc.local
for details.

So I would suggest something for /etc/rc.local like this:



#!/bin/sh

# Pull in the rc.conf variables if rc has not already sourced them
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	elif [ -r /etc/rc.conf.local ]; then
		. /etc/rc.conf.local
	fi
fi

# Announce ourselves on the rc "Starting ..." line, then run the firewall script
echo -n " custom-firewall"
/your/firewall/script.sh --here



The final dot + newline in the messages will be added by rc,
if I remember correctly.



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: ipfw natd rules not loading on startup

2010-05-14 Thread Jonathan Chen
On Sat, May 15, 2010 at 02:33:10AM +0200, umage wrote:
 I performed a kernel+world update of my freebsd router, RELENG_8 branch,
 apparently from the version 6 months ago to current. I use ipfw and a
 shell script that gets loaded at startup. I noticed after rebooting that
 ipfw did not load two rules, both of type divert natd. However, if I
 run the script manually, or call it from the end of /etc/rc, it will add
 these rules as well. Currently I am using a workaround.

Best to ask -STABLE. There's been some breakage of ipfw since the end of
April. I'm unsure as to whether they've all been resolved yet.

Cheers.
-- 
Jonathan Chen  |  To do is to be  -- Nietzsche
j...@chen.org.nz |  To be is to do  -- Sartre 
   |  Scooby do be do -- Scooby


Re: IPFW + NATD FORWARDING

2007-09-26 Thread Lowell Gilbert
mr. phreak [EMAIL PROTECTED] writes:

 Hi, I am having trouble with my IPFW+NATD forwarding. I know a lot of
 people have
 and I've googled my ass off. Still I can't get it right. I'm trying to
 forward port 1213 in/out for dc++ usage.

 this is my setup:

  __WAN router (192.168.1.1)
  |
  |
 (FreeBSD gateway/fw NIC1:ath0 (public) NIC2:rl0 (LAN) )
  |
  |__
   LAN (10.10.10.0/24)

 I use stateful rules and I'd like to forward port 1213 both ways using
 natd. I know NATD should take care of this as long as I allow port
 1213 in/out from the firewall. I've tried this at almost every
 position in the ipfw.rules and now I ask where I should put it?? I.e.
 it's not there right now.

 I've tried:

 $cmd [num] allow all from any to any 1213 (at various positions in
 ipfw.rules) still doesn't work.

 $cmd [num] divert natd all from any to any 1213.

 Can someone help me?

Your firewall configuration is rather unconventional, but the basic
idea makes sense.  What isn't clear is how you want to use this dc++
program within your infrastructure.  Because you are using dynamic
rules, I assume that you want the connections to always originate
inside your network.  If that is the case, you shouldn't need any
special configuration to natd (because every connection will be
learned from the initial packet).  If that's not the case, you will
need to pick one internal machine to receive the connections coming in
from outside.


Re: IPFW + NATD rules

2006-10-03 Thread Alex de Kruijff
On Sun, Aug 27, 2006 at 01:04:54PM +0500, ?? ?? wrote:
 I'm a junior in FreeBSD, and I faced with problem.

You should know that others have mailers that are thread enabled. This
means that when you compose a new mail by using the reply shortcut,
others may not read it, because it ends up in the list.

I redirected the mail to questions@ because this is not related to the
stable development branch.

 I've a FreeBSD 6.1-stable box as a gate+firewall, and I want to divert
 incoming requests to my web-server, placed in DeMilitarized Zone
 (DMZ). To do this I wrote down settings in /etc/rc.conf as shown
 above:
 
   natd_flags=-redirect_port tcp 80 192.168.1.234 80
   natd_flags=-redirect_poort tcp 443 192.168.1.234 443

You probably can not have two lines.

 I think, that all packets incoming from Internet will be diverted from
 the External interface via DMZ interface to my We-server. Is it right?
 If not, why not, and what the way to make it working?

Yes, but you made some mistakes:
1. You have two lines, where only one is allowed.
2. The file format is wrong: should be tcp forward_ip:port port
3. You made a typo
4. Did you setup ipfw?

I've done this with a separate config file.

firewall_enable=YES
firewall_type=/etc/firewall.conf
natd_enable=YES
natd_flags=-f /etc/natd.conf
natd_interface=fxp0

/etc/firewall.conf contains:
add divert 8668 ip from any to any
    (note: src_ip and dst_ip change here, so keep this in mind if you add rules)
add allow ip from any to any

/etc/natd.conf contains:
redirect_port tcp ip_to_goto:port local_port

Did you set up ipfw and direct packets to natd?

You also need to setup i
-- 
Alex

Please copy the original recipients, otherwise I may not read your reply.

Howtos based on my personal use, including information about 
setting up a firewall and creating traffic graphs with MRTG
http://alex.kruijff.org/FreeBSD/



Re: IPFW+natd Cisco VPN tunnelling....

2005-07-15 Thread Alex Zbyslaw

Chuck Swiger wrote:

Is there any way to convince natd to re-read the natd.conf file short 
of killing and restarting the daemon entirely?  The manpage didn't say 
so, and kill -HUP terminates the process.


If there was, I would expect /etc/rc.d/natd to support a reload option, 
but I don't see one.  You could try it, but if not then I suggest


sh /etc/rc.d/natd restart

Can't help on VPN, I'm afraid.

--Alex




Re: ipfw + natd = some sites won't work :-S

2005-05-09 Thread Emanuel Strobl
Am Dienstag, 10. Mai 2005 00:42 schrieb Frank de Bot:
 Hi,

 I got my FreeBSD set up to do nat, but it doesn't work 100%. Sites like
 Google for instance does work, but many other don't. All other protocols

I guess you're using an A-DSL line with PPPoE, right?
If so, see tcp-mss fix. PPPoE consumes 8 bytes of your MTU, so also the
maximum segment size of TCP sessions is reduced by 8 bytes, which the
machine behind the NAT box doesn't know. Your NAT box has to alter the mss
field in the TCP header because many sites have wrongly configured firewalls
which simply block all ICMP traffic, so the error from your router "must
fragment" never reaches the originating host. So the sent packet is too
big to go over your line and the Must Fragment bit is ignored... you'll
never receive what you've requested.

I'm not familiar with IPFW, perhaps NATD can take care of MSS, PF does with
max-mss.

-Harry

 seems to be working properly. But why are sites failing to do anything?
 I got natd running with the verbose option and a successful request to
 google is identical to a random other site :S
 The firewall I use is rather big. The most important piece is:

 01200 723652298 divert 8668 ip from any to 82.94.238.70 via fxp0
 01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any
 01200   0 0 allow ip from any to 10.0.5.0/24
 01201 524 85399 allow ip from 82.94.238.70 to any
 01201   3   144 allow ip from any to 82.94.238.70
 01500  871494 216106437 allow tcp from any to any established


 /etc/natd.conf is:

 alias_address %external_ip%
 verbose


 It just puzzles me why only some http request would fail and everything
 works fine!
 Anyone got any idea?


 Thanks in advance,

 Frank de Bot




RE: ipfw + natd = some sites won't work :-S

2005-05-09 Thread fbsd_user


Seeing snippet of your firewall rules is not giving us enough info
to work on.  
You have to post complete rule set because of the way rules are
processed. 

Also an explanation of your private network layout and how you
connect to the internet is needed.

List sites you can not access.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Frank de
Bot
Sent: Monday, May 09, 2005 6:42 PM
To: freebsd-questions@freebsd.org
Subject: ipfw + natd = some sites won't work :-S


Hi,

I got my FreeBSD set up to do nat, but it doesn't work 100%. Sites
like Google for instance do work, but many others don't. All other
protocols seem to be working properly. But why are sites failing to do
anything? I got natd running with the verbose option and a successful
request to google is identical to a random other site :S
The firewall I use is rather big. The most important piece is:

01200 723652298 divert 8668 ip from any to 82.94.238.70 via fxp0
01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any
01200   0 0 allow ip from any to 10.0.5.0/24
01201 524 85399 allow ip from 82.94.238.70 to any
01201   3   144 allow ip from any to 82.94.238.70
01500  871494 216106437 allow tcp from any to any established


/etc/natd.conf is:

alias_address %external_ip%
verbose


It just puzzles me why only some http requests would fail and
everything else works fine!
Anyone got any idea?


Thanks in advance,

Frank de Bot


Re: ipfw + natd = some sites won't work :-S

2005-05-09 Thread Frank de Bot
Emanuel Strobl wrote:
Am Dienstag, 10. Mai 2005 00:42 schrieb Frank de Bot:
Hi,
I got my FreeBSD set up to do nat, but it doesn't work 100%. Sites like
Google for instance does work, but many other don't. All other protocols

I guess you're using an A-DSL line with PPPoE, right?
If so, see tcp-mss fix. PPPoE consumes 8 bytes of your MTU, so also the
maximum segment size of TCP sessions is reduced by 8 bytes, which the
machine behind the NAT box doesn't know. Your NAT box has to alter the mss
field in the TCP header because many sites have wrongly configured firewalls
which simply block all ICMP traffic, so the error from your router "must
fragment" never reaches the originating host. So the sent packet is too
big to go over your line and the Must Fragment bit is ignored... you'll
never receive what you've requested.

I'm not familiar with IPFW, perhaps NATD can take care of MSS, PF does with
max-mss.


I'm not using an ADSL with PPPoE. But the configuration used is kinda 
non-standard. I'll try to explain with a little drawing:

= Laptop = IP: 10.0.5.21   (/24)
|
|
= Server 1 = IP: 10.0.5.2
|IP: 10.0.3.1
|
|  (ipip tunnel)
|
= Server 2 = IP: 10.0.3.2
|IP %external_ip%
|
% internet %
Server 1 is a Linux box
Server 2 is the FreeBSD performing the NAT
Tracerouting occurs without any problem. From the laptop to the internet:
10.0.5.2 - 10.0.3.2 - %internet%
During testing I've also dumped the whole firewall except the points
written in the starting post. The behaviour stays exactly the same.


-Harry

seems to be working properly. But why are sites failing to do anything?
I got natd running with the verbose option and a successful request to
google is identical to a random other site :S
The firewall I use is rather big. The most important piece is:
01200 723652298 divert 8668 ip from any to 82.94.238.70 via fxp0
01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any
01200   0 0 allow ip from any to 10.0.5.0/24
01201 524 85399 allow ip from 82.94.238.70 to any
01201   3   144 allow ip from any to 82.94.238.70
01500  871494 216106437 allow tcp from any to any established
/etc/natd.conf is:
alias_address %external_ip%
verbose
It just puzzles me why only some http request would fail and everything
works fine!
Anyone got any idea?
Thanks in advance,
Frank de Bot


Re: ipfw + natd = some sites won't work :-S

2005-05-09 Thread Frank de Bot
The ipfw rules standing without any other rules and '65535 allow ip from 
any to any' as  last rule give the same behaviour. So it's not a 
firewall case.

The network layout is posted in my reaction to Emanuel.
Sites I can't access are:
www.tweakers.net
www.fok.nl
www.yahoo.com
www.userfriendly.org
www.thinkgeek.com
Sites I CAN access:
www.google.com
www.gmail.com
www.fastclick.net

fbsd_user wrote:
Seeing snippet of your firewall rules is not giving us enough info
to work on.  
You have to post complete rule set because of the way rules are
processed. 

Also an explanation of your private network layout and how you
connect to the internet is needed.
List sites you can not access.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Frank de
Bot
Sent: Monday, May 09, 2005 6:42 PM
To: freebsd-questions@freebsd.org
Subject: ipfw + natd = some sites won't work :-S
Hi,
I got my FreeBSD set up to do nat, but it doesn't work 100%. Sites
like Google for instance do work, but many others don't. All other
protocols seem to be working properly. But why are sites failing to do
anything? I got natd running with the verbose option and a successful
request to google is identical to a random other site :S
The firewall I use is rather big. The most important piece is:

01200 723652298 divert 8668 ip from any to 82.94.238.70 via fxp0
01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any
01200   0 0 allow ip from any to 10.0.5.0/24
01201 524 85399 allow ip from 82.94.238.70 to any
01201   3   144 allow ip from any to 82.94.238.70
01500  871494 216106437 allow tcp from any to any established
/etc/natd.conf is:
alias_address %external_ip%
verbose
It just puzzles me why only some http requests would fail and
everything else works fine!
Anyone got any idea?

Thanks in advance,
Frank de Bot


Re: ipfw + natd = some sites won't work :-S

2005-05-09 Thread Emanuel Strobl
Am Dienstag, 10. Mai 2005 01:04 schrieb Frank de Bot:
 Emanuel Strobl wrote:
  Am Dienstag, 10. Mai 2005 00:42 schrieb Frank de Bot:
 Hi,
 
 I got my FreeBSD set up to do nat, but it doesn't work 100%. Sites
  like Google for instance do work, but many others don't. All other
  protocols
 
  I guess you're using an A-DSL line with PPPoE, right?
  If so, see tcp-mss fix. PPPoE consumes 8 bytes of your MTU, so also the
  maximum segment size of TCP sessions is reduced by 8 bytes, which
  the machine behind the NAT box doesn't know. Your NAT box has to alter
  the mss field in the TCP header because many sites have wrongly
  configured firewalls which simply block all ICMP traffic, so the error
  from your router "must fragment" never reaches the originating host. So
  the sent packet is too big to go over your line and the Must
  Fragment bit is ignored... you'll never receive what you've
  requested.
 
  I'm not familiar with IPFW, perhaps NATD can take care of MSS, PF does
  with max-mss.

 I'm not using an ADSL with PPPoE. But the configuration used is kinda
 non-standard. I'll try to explain with a little drawing:


 = Laptop = IP: 10.0.5.21   (/24)


 = Server 1 = IP: 10.0.5.2

  |IP: 10.0.3.1
  |
  |  (ipip tunnel)

 = Server 2 = IP: 10.0.3.2

  |IP %external_ip%

 % internet %

 Server 1 is a Linux box
 Server 2 is the FreeBSD performing the NAT

 Tracerouting occurs without any problem. From the laptop to the internet:
 10.0.5.2 - 10.0.3.2 - %internet%

The problem is the same: IP-IP tunneling reduces TCP's MSS, which the linux
box doesn't fix. ICMP will work of course, TCP with full payload won't.
I don't know how/why you tunnel IP into IP on that linux box, but that's
the point where you have to dig.

Good luck,

-Harry


 During testing I've also dumped the whole firewall except the points
 written in the starting post. The behaviour stays exactly the same.

  -Harry
 
 seems to be working properly. But why are sites failing to do
  anything? I got natd running with the verbose option and a successful
  request to google is identical to a random other site :S
 The firewall I use is rather big. the most important piece is:
 
 01200 723652298 divert 8668 ip from any to 82.94.238.70 via fxp0
  01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any
  01200   0 0 allow ip from any to 10.0.5.0/24
 01201 524 85399 allow ip from 82.94.238.70 to any
 01201   3   144 allow ip from any to 82.94.238.70
 01500  871494 216106437 allow tcp from any to any established
 
 
 /etc/natd.conf is:
 
 alias_address %external_ip%
 verbose
 
 
 It just puzzles me why only some http request would fail and
  everything works fine!
 Anyone got any idea?
 
 
 Thanks in advance,
 
 Frank de Bot


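The diagnosis above (an IP-in-IP hop shaving 20 bytes off the path MTU, and a remote firewall eating the ICMP "fragmentation needed" that would tell the sender) can be checked with a small model. The Python below is an added illustration, not code from this thread: header sizes are protocol constants, while the transfer sizes and the `icmp_reaches_sender` flag are constructed inputs, and `clamp_on_nat_box` stands for the MSS fix the thread points at (PF's max-mss, or the equivalent on the NAT box).

```python
"""Model of the path-MTU black hole diagnosed in this thread.

Constructed example: a client on an Ethernet LAN (MTU 1500) reaches the
Internet through a NAT box whose uplink adds encapsulation (PPPoE or an
IP-in-IP tunnel). Header sizes are protocol constants; the transfer sizes
and the icmp_reaches_sender flag are made-up inputs.
"""
from dataclasses import dataclass

IPV4_HDR = 20          # minimal IPv4 header
TCP_HDR = 20           # TCP header without options
ETH_MTU = 1500

# Bytes each encapsulation adds to every packet on the tunnelled hop.
OVERHEAD = {
    "ethernet": 0,
    "pppoe": 8,        # 6 bytes PPPoE + 2 bytes PPP
    "ipip": 20,        # outer IPv4 header
    "gre": 24,         # outer IPv4 header + 4-byte GRE header
}


def tunnel_mtu(link_mtu, encap):
    """Largest inner packet that still fits on the link once encapsulated."""
    return link_mtu - OVERHEAD[encap]


def max_mss(path_mtu):
    """Largest TCP payload that travels the path without fragmentation."""
    return path_mtu - IPV4_HDR - TCP_HDR


def clamp_mss(advertised_mss, path_mtu):
    """What an MSS-clamping NAT box writes into the SYN it forwards."""
    return min(advertised_mss, max_mss(path_mtu))


@dataclass
class Segment:
    payload: int
    dont_fragment: bool = True   # PMTUD-capable senders set DF


def deliver(segment, path_mtu, icmp_reaches_sender):
    """Fate of one segment: 'delivered', 'icmp-retry' or 'blackhole'."""
    packet_len = segment.payload + IPV4_HDR + TCP_HDR
    if packet_len <= path_mtu:
        return "delivered"
    if not segment.dont_fragment:
        return "delivered"       # a router fragments it; slow, but it arrives
    # Too big with DF set: the router drops it and sends ICMP type 3 code 4.
    # If a firewall between router and sender eats that ICMP, PMTUD fails.
    return "icmp-retry" if icmp_reaches_sender else "blackhole"


def transfer(total_bytes, mss, path_mtu, icmp_reaches_sender):
    """Push total_bytes from a remote server to the client in MSS-sized
    segments. Returns (status, bytes_delivered, mss_in_use)."""
    delivered = 0
    while delivered < total_bytes:
        seg = Segment(min(mss, total_bytes - delivered))
        outcome = deliver(seg, path_mtu, icmp_reaches_sender)
        if outcome == "blackhole":
            return ("stalled", delivered, mss)
        if outcome == "icmp-retry":
            mss = max_mss(path_mtu)  # sender honours "fragmentation needed"
            continue
        delivered += seg.payload
    return ("ok", delivered, mss)


def scenario(encap, page_bytes, icmp_reaches_sender, clamp_on_nat_box):
    """The client advertises an MSS for its own 1500-byte MTU while the
    tunnel hop is narrower; optionally the NAT box clamps the MSS in the SYN."""
    client_mss = max_mss(ETH_MTU)                 # 1460
    path_mtu = tunnel_mtu(ETH_MTU, encap)         # 1480 for ipip
    mss = clamp_mss(client_mss, path_mtu) if clamp_on_nat_box else client_mss
    return transfer(page_bytes, mss, path_mtu, icmp_reaches_sender)


if __name__ == "__main__":
    # A response that fits the tunnel at the client's MSS gets through.
    print("small page, no clamp, ICMP blocked:", scenario("ipip", 900, False, False))
    # A full-sized response from a site whose firewall drops ICMP stalls at 0.
    print("big page,   no clamp, ICMP blocked:", scenario("ipip", 5000, False, False))
    # Same transfer when the ICMP gets through: sender backs off to 1440 and finishes.
    print("big page,   no clamp, ICMP passes :", scenario("ipip", 5000, True, False))
    # MSS clamped by the NAT box: no oversized packet is ever sent.
    print("big page,   clamped,  ICMP blocked:", scenario("ipip", 5000, False, True))
```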


Re: ipfw + natd = some sites won't work :-S

2005-05-09 Thread Frank de Bot
Emanuel Strobl wrote:

The problem is the same: IP-IP tunneling reduces TCP's MSS, which the linux
box doesn't fix. ICMP will work of course, TCP with full payload won't.
I don't know how/why you tunnel IP into IP on that linux box, but that's
the point where you have to dig.

Good luck,
-Harry

Which tunnel forms don't experience the reduction of mss? I've chosen
an ipip tunnel because it was the tunnel solution which seemed to be the
most simple. Once I got that working I was planning to change it to a VPN
or IPSec tunnel.
I've got my reason for having that tunnel between the boxes (Server 2 is a
server far apart from Server 1).

Frank


Re: ipfw + natd = some sites won't work :-S

2005-05-09 Thread Emanuel Strobl
Am Dienstag, 10. Mai 2005 01:19 schrieb Frank de Bot:
 Emanuel Strobl wrote:
  The problem is the same: IP-IP tunneling reduces TCP's MSS, which the
  linux box doesn't fix. ICMP will work of course, TCP with full payload
  won't. I don't know how/why you tunnel IP into IP on that linux box,
  but that's the point where you have to dig.
 
  Good luck,
 
  -Harry

 Which tunnel forms don't experience the reduction of mss? I've chosen

Hm, I don't have that handy in my mind right now. I'd have to look for some
RFCs but it's quite late here in Germany; if I knew it by rote I'd tell
you. I have similar configurations with IPSec without that problem (IPSec
(ESP) is another protocol parallel to IP, not an IP in IP tunnel).

-Harry

 an ipip tunnel because it was the tunnel solution which seemed to be the
 most simple. Once I got that working I was planning to change it to a VPN
 or IPSec tunnel.
 I've got my reason for having that tunnel between the boxes (Server 2 is a
 server far apart from Server 1).


 Frank






RE: IPFW NATD

2004-10-15 Thread Brian
 

snip
Hi

I'm trying to setup natd to port forward to a http,ftp and vnc server behind
the natd box

But I only want a customer from their static ip address to be able to login
and block everything else

Is this possible in a natd environment?

Any examples?

Port forwarding works ok, I just can't figure out the rules to stop everyone
and allow this one client

Cheers

Brian



Brian,
If you've got the portforwarding working, then a few IPFW rules will add the
security you're looking for.  If your divert rule is number 100, then add a
few rules above it, like this:

ipfw add 50 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] 80
ipfw add 51 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] 21
ipfw add 52 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] [VNC port]
ipfw add 53 deny tcp from any to [public.ip.of.nat.box] 80
ipfw add 54 deny tcp from any to [public.ip.of.nat.box] 21
ipfw add 55 deny tcp from any to [public.ip.of.nat.box] [VNC port]


The first three rules pass the traffic from the specified IP to the divert
rule, to natd, and it gets port forwarded.  Any other traffic on those ports gets
blocked, and doesn't get diverted.

snip

This worked a treat, thanks very much.

Brian

 



RE: IPFW NATD

2004-10-14 Thread Kevin Glick
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian 
Sent: Thursday, October 14, 2004 11:01 AM
To: 'FreeBSD Questions'
Subject: IPFW NATD

Hi

I'm trying to setup natd to port forward to a http,ftp and vnc server behind
the natd box

But I only want a customer from their static ip address to be able to login
and block everything else

Is this possible in a natd environment?

Any examples?

Port forwarding works ok, I just can't figure out the rules to stop everyone
and allow this one client

Cheers

Brian




Brian,
If you've got the portforwarding working, then a few IPFW rules will add the
security you're looking for.  If your divert rule is number 100, then add a
few rules above it, like this:

ipfw add 50 skipto 100 tcp from [static.ip.of.customer] to
[public.ip.of.nat.box] 80
ipfw add 51 skipto 100 tcp from [static.ip.of.customer] to
[public.ip.of.nat.box] 21
ipfw add 52 skipto 100 tcp from [static.ip.of.customer] to
[public.ip.of.nat.box] [VNC port]
ipfw add 53 deny tcp from any to [public.ip.of.nat.box] 80
ipfw add 54 deny tcp from any to [public.ip.of.nat.box] 21
ipfw add 55 deny tcp from any to [public.ip.of.nat.box] [VNC port]


The first three rules pass the traffic from the specified IP to the divert
rule, to natd, and it gets port forwarded.  Any other traffic on those ports gets
blocked, and doesn't get diverted.

Kevin Glick
ITS Manager
Sterling Business Forms
[EMAIL PROTECTED]




RE: IPFW/NATD Transparent Proxy

2004-08-09 Thread Incoming Mail List

Your ipfw rules are invalid.

They seem to work perfectly.  My only gripe is that static rule
#15100 is required to succeed with redirect_port from 1.2.3.4:80 to 
192.168.2.250:80 when 192.168.1.247 requests a web page using the domain
name for 1.2.3.4.  I'm looking for a solution that doesn't require rule
#15100.

This causes the dynamic
internal state table to cross match packets in error because it does
not keep track of which interface the packet is from. This has been
a long time bug in stateful rules for NATed interfaces. Technically
your whole stateful environment is being forced to look like its
working when in fact its all most useless.

How can that be?  If I'm on 192.168.2.100, I can make a request to
www.cnn.com and it works fine.  Yet I have no rule that allows any
packets to be accepted IN via my outside nic (de0), and no rule that
allows any port 80 OUT to my private lan on de2.  That sounds to me
like the dynamic rules are working.  How else are the packets getting
into de0 and out to de2?

That is why the stateful + nated rule example from the new firewall
rewrite uses skipto rules to work around this problem.

I'm using skipto's as well, just not using the keep-state parameter
on the skipto rule.  I don't believe the transparent proxy problem
I'm having is a result of skipto.  It's a chicken/egg issue when 
using stateful rules because either NATD or the original nic remembers
that the packet changed when it got redirected.

If I allow the stateful rule first, it gets created as
192.168.1.247 -> 1.2.3.4
and immediately starts communicating with the outside interface due
to the dynamic rule bypassing the rest of the firewall.  So the
packets never get to go through the divert rule to be redirected
to 192.168.2.250.

If I go through divert first (as in my firewall example), the packet
matches rule 100, the destination gets changed to 192.168.2.250, and
the packet continues down through the firewall.  Great!  Next, it
matches on 300 and gets passed to 15000 where the dynamic rule
192.168.1.247 -> 192.168.2.250 gets created.  More greatness!  When
192.168.2.250 replies to 192.168.1.247, that packet also matches rule
100, gets diverted and NATD rewrites the source to the original IP
address so the packet is now configured as 1.2.3.4 -> 192.168.1.247.
Continued greatness!  But now, the packet gets denied at 15200 (remember
15100 does not exist in this example) because there's no rule to allow
1.2.3.4 to communicate with 192.168.1.247.  Hence, I have to add in
#15100 to explicitly allow 1.2.3.4 to communicate with 192.168.1.247.
In my example ruleset I simply allowed anything to go out via de1.


Basically the unpublished rule of thumb
is ipfw keep-state rules can not be used on the internal interface
and external interface in same rule set. Keep-state rules can only
be used on the external interface. There are no error messages to
enforce this.

Actually, the only problem I've run into is the combination of
external/internal with NATD doing a redirect_port or redirect_address.
I've not run into any problems with external/internal and normal NATD
address translations.


J



IPFW RULES
==
00100 divert 9000 log ip from any to any
00200 allow log ip from any to any out via de0 keep-state
00300 skipto 15000 log ip from any to any via de1
00400 skipto 2 log ip from any to any via de2
00500 deny log ip from any to any
15000 allow log ip from any to any in via de1 keep-state
15100 allow log ip from any to any out via de1
15200 deny log ip from any to any
2 allow log ip from any to any in via de2 keep-state
20100 allow log ip from any to any dst-port 80 out via de2
keep-state
20200 deny log ip from any to any
20300 deny log ip from any to any


NATD Config File (/etc/natd.conf)
redirect_port tcp 192.168.2.250:80 1.2.3.4:80

NATD Command
/sbin/natd -dynamic -n de0 -p 9000 -f /etc/natd.conf



RE: IPFW/NATD Transparent Proxy

2004-08-08 Thread JJB
A new rewrite of the FreeBSD handbook firewall section is currently
being made ready for update to the handbook. You can get an
in-process copy from  www.a1poweruser.com/FBSD_firewall/




From what you posted it looks like you want public internet users to
access a web server on one of your LAN machines. Both ipfw and
ipfilter do this normally with port redirect. You need to post
more info about your system config.
Post the full contents of your rc.conf and  firewall rules files.

The limit you write about ipfilter is not true.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Sunday, August 08, 2004 2:11 PM
To: [EMAIL PROTECTED]
Subject: IPFW/NATD Transparent Proxy


Anyone up for a challenge?

I've come to the conclusion that IPFW/NATD cannot support transparent
proxying with ONLY stateful rules.  I'd like to hear from anyone who has
been successful doing so in case I'm missing something.

Configuration is:
FreeBSD 5.2.1
3 - NICS (de0, de1, de2)
de1 = Public IP = 1.2.3.4
de2 = LAN1 = 192.168.1.0
de3 = LAN2 = 192.168.2.0

The challenge:
1) TCP request from 192.168.1.247 to 1.2.3.4:80
2) Redirect 1.2.3.4:80 to 192.168.2.250:80
3) Use stateful rules

On another note, I read somewhere on the Internet that IPFILTER has
a
limitation in that it cannot redirect a public destination to a
private
destination if the source machine is on the same subnet as the
redirected
destination.  In other words, the following supposedly will not
work:
1) A tcp request from 192.168.1.247 to 1.2.3.4:80
2) Redirect 1.2.3.4:80 to 192.168.1.100:80

Is this an accurate limitation of IPFILTER?



J



Re: IPFW/NATD Transparent Proxy

2004-08-08 Thread mailist

On Sunday 08 August 2004 04:38 pm, JJB wrote:
 A new rewrite of the FreeBSD handbook firewall section is currently
 being made ready for update to the handbook. You can get an
 in-process copy from  www.a1poweruser.com/FBSD_firewall/

The firewall rewrite only deals with a single public nic and a single
internal nic and does not have the information I require.  

 From what you posted looks like you want public internet users to
 access web server on one of your LAN machines. Both ipfw and
 ipfilter does this normally with port redirect.

No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when 
they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD 
internet gateway.  Again, the configuration is
de0 = PUBLIC IP = 1.2.3.4
de1 = 192.168.1.1
de2 = 192.168.2.1

I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet 
being redirected to 192.168.2.250.  That works fine.  But I want someone on 
192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the 
public address 1.2.3.4:80.

Put another way, I have a FreeBSD server acting as a Router/Firewall.  It has 
a public interface with an IP number of 1.2.3.4 and is assigned the DNS name 
www.ishouldhaveusedipfilter.com.  It also has a second NIC that supports a 
private address space of 192.168.1.0/255.255.255.0 and a third NIC that 
supports a private address space of 192.168.2.0/255.255.255.0

When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com 
they get redirected to 192.168.2.250 because I've included a redirect_port 
rule for NATD.  This works fine.  But, users on all private networks (I have 
two, but there could be 20) also need to be redirected to 192.168.2.250 when 
they try to go to www.ishouldhaveusedipfilter.com   So the user sitting at 
192.168.1.247 shouldn't have to worry about putting in the IP number of the 
company web server, they should just be able to put in the company domain 
name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250 
just like anyone coming from the outside.

 You need to post
 more info about your system config.
 Post the full contents of your rc.conf and  firewall rules files.

My rc.conf file is properly configured and has no bearing on my question.  My 
gateway works fine from public to private IP space and private to public IP 
space.  I've tried so many combination of rules and NATD options that I 
wouldn't know what to post.  What I need is someone who has completed a 
similar configuration to send me their configuration (change the IP numbers
if you like).  From what I can see, I don't believe this is possible with 
stateful rules.  Let me add that I've been successful with stateless rules, 
but I'd like to use 100% stateful if possible.


 The limit you write about ipfilter is not true.






RE: IPFW/NATD Transparent Proxy

2004-08-08 Thread Eric Crist
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Sunday, August 08, 2004 5:43 PM
 To: [EMAIL PROTECTED]
 Subject: Re: IPFW/NATD Transparent Proxy



 On Sunday 08 August 2004 04:38 pm, JJB wrote:
  A new rewrite of the FreeBSD handbook firewall section is currently
  being made ready for update to the handbook. You can get an
 in-process
  copy from  www.a1poweruser.com/FBSD_firewall/

 The firewall rewrite only deals with a single public nic and
 a single internal nic and does not have the information I require.

  From what you posted looks like you want public internet users to
  access web server on one of your LAN machines. Both ipfw
 and ipfilter
  does this normally with port redirect.

 No, I want a user on 192.168.1.247 to be redirected to
 192.168.2.250:80 when
 they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number
 on the FreeBSD
 internet gateway.  Again, the configuration is
   de0 = PUBLIC IP = 1.2.3.4
   de1 = 192.168.1.1
   de2 = 192.168.2.1

 I don't have a problem with incoming requests for 1.2.3.4:80
 from the Internet
 being redirected to 192.168.2.250.  That works fine.  But I
 want someone on
 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when
 they request the
 public address 1.2.3.4:80.


Could you send us (or me, personally) your firewall script, and the
address you want to use?

Thanks.

Eric F Crist




Re: IPFW/NATD Transparent Proxy

2004-08-08 Thread Pat Lashley
--On Sunday, August 08, 2004 18:43:21 -0400 [EMAIL PROTECTED] wrote:
 No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when
 they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD
 internet gateway.  Again, the configuration is
 de0 = PUBLIC IP = 1.2.3.4
 de1 = 192.168.1.1
 de2 = 192.168.2.1
 I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet
 being redirected to 192.168.2.250.  That works fine.  But I want someone on
 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the
 public address 1.2.3.4:80.
 Put another way, I have a FreeBSD server acting as a Router/Firewall.  It has
 a public interface with an IP number of 1.2.3.4 and is assigned the DNS name
 www.ishouldhaveusedipfilter.com.  It also has a second NIC that supports a
 private address space of 192.168.1.0/255.255.255.0 and a third NIC that
 supports a private address space of 192.168.2.0/255.255.255.0
 When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com
 they get redirected to 192.168.2.250 because I've included a redirect_port
 rule for NATD.  This works fine.  But, users on all private networks (I have
 two, but there could be 20) also need to be redirected to 192.168.2.250 when
 they try to go to www.ishouldhaveusedipfilter.com   So the user sitting at
 192.168.1.247 shouldn't have to worry about putting in the IP number of the
 company web server, they should just be able to put in the company domain
 name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250
 just like anyone coming from the outside.

It seems to me that the best way to handle this is through DNS.  Hosts
within your LAN should resolve www.ishouldhaveusedipfilter.com to 192.168.2.250
instead of 1.2.3.4.

Typically, you would have an externally visible DNS server which is authoritative
for your domain; and which lists only the publicly visible machines and IP addresses.
(It should -NOT- handle referrals at all.)  Somewhere within your LAN you would have
another DNS server that is authoritative for your internal domain and IP range.  It
may handle referrals; but it is safer to have a completely separate DNS server which
just handles referrals (and possibly caches results) - it should be explicitly told
to use your LAN's authoritative server for your domain and IP range.

With this setup, outside machines see the public address, which is redirected
via your firewall/NAT rules; but internal machines see the internal address and
access it directly.
-Pat


Re: IPFW/NATD Transparent Proxy

2004-08-08 Thread mailist

de0 = 1.2.3.4 (make up any valid public ip) (mydomain.com)
de1 = 192.168.1.1
de2 = 192.168.2.1

When 192.168.1.247 requests a web page from MYDOMAIN.COM
the request needs to be forwarded to 192.168.2.250:80

In the ruleset below, 15100 is required for this to work.  If I pull out
15100 I get no response from the web page because there is no rule to allow 
1.2.3.4 back out to 192.168.1.247.  I can't find a solution that does not 
require an explicit rule to allow 1.2.3.4 back out to 192.168.1.247.  In 
other words, I can't find a set of rules that allows dynamic setup of
192.168.1.247: -> 1.2.3.4:80
192.168.1.247: -> 192.168.2.250:80

I hope this information helps.  Thanks in advance for pointing me in the right 
direction.

IPFW RULES
==========
00100 divert 9000 log ip from any to any
00200 allow log ip from any to any out via de0 keep-state
00300 skipto 15000 log ip from any to any via de1
00400 skipto 20000 log ip from any to any via de2
00500 deny log ip from any to any
15000 allow log ip from any to any in via de1 keep-state
15100 allow log ip from any to any out via de1
15200 deny log ip from any to any
20000 allow log ip from any to any in via de2 keep-state
20100 allow log ip from any to any dst-port 80 out via de2 keep-state
20200 deny log ip from any to any
20300 deny log ip from any to any


NATD Config File (/etc/natd.conf)
redirect_port tcp 192.168.2.250:80 1.2.3.4:80

NATD Command
/sbin/natd -dynamic -n de0 -p 9000 -f /etc/natd.conf



On Sunday 08 August 2004 06:30 pm, Eric Crist wrote:
 Could you send us (or me, personally) your firewall script, and the
 address you want to use?

 Thanks.

 Eric F Crist



Re: ipfw + natd - not sharing internet for LAN users

2004-03-09 Thread Micheal Patterson




- Original Message - 
From: Prodigy [EMAIL PROTECTED]
To: freebsd-questions [EMAIL PROTECTED]
Sent: Tuesday, March 09, 2004 10:53 AM
Subject: ipfw + natd - not sharing internet for LAN users


snip

 # ipfw show
 65535 1546 115746 allow ip from any to any


This is your problem. Even though you're running NATD, you need to divert
all traffic to NATD in the firewall.

Try adding a divert entry to your firewall like this:

ipfw add 100 divert natd all from any to any via ed1

Then check /etc/services and make sure that there's an entry for natd:

natd            8668/divert     # Network Address Translation


--

Micheal Patterson
TSG Network Administration
405-917-0600



Re: ipfw / natd does not allow lan traffic to reach external numbers

2003-08-14 Thread Stacey Roberts
Hello,

On Sun, 2003-08-10 at 22:38, Johannes Angeldorff wrote:
 Hi,
 
 I have a problem with our firewall/NAT, on a FreeBSD 4.7 box... Here 
 a list with some details:
 
 *) The FreeBSD box uses natd and ipfw, and have two external IP:s, 
 lets say aaa.bbb.ccc.20 and ddd.eee.fff.21.
 
 *) natd is used to redirect access to external IP addresses and ports 
 to internal LAN IP:s, for example 192.168.0.20 and 192.168.0.21, 
 where for example webservers are located.
 
 *) natd rules:
 
 natd_flags="-redirect_address 192.168.0.20 aaa.bbb.ccc.20 \
   -redirect_port tcp 192.168.0.21:25-52 25-52 \
   -redirect_port udp 192.168.0.21:25-52 25-52 \
   -redirect_port tcp 192.168.0.30:80 80 \
   -redirect_port udp 192.168.0.30:80 80 \
   -redirect_port tcp 192.168.0.21:54-79 54-79 \
   -redirect_port udp 192.168.0.21:54-79 54-79 \
   -redirect_port tcp 192.168.0.21:81-722 81-722 \
   -redirect_port udp 192.168.0.21:81-722 81-722 \
   -redirect_port tcp 192.168.0.21:3306-4559 3306-4559 \
   -redirect_port udp 192.168.0.21:3306-4559 3306-4559"
 
 *) ipfw lets things through:
 
 00050 divert 8668 ip from any to any via fxp0
 00100 allow ip from any to any via lo0
 00200 deny ip from any to 127.0.0.0/8
 00300 deny ip from 127.0.0.0/8 to any
 65000 allow ip from any to any
 65535 allow ip from any to any
 
 Problem:
 Most things works just fine, external access are redirected to 
 correct ports, and the webservers work just fine. BUT the problem 
 comes when a box on the LAN tries to reach a site residing on 
 192.168.0.20 using the _external_ IP aaa.bbb.ccc.20. Then I get 
 error: Unable to connect to remote host. Connecting from a LAN 
 machine to the same site using the _internal_ IP works fine. 
 Connecting to other external IPs also works fine.
 
 I want to be able to connect from LAN boxes to the external IP:s, for 
 example aaa.bbb.ccc.20. Can anyone lead me on the way...? Very 
 thankful for all comments on this matter.
 

This is not possible. You have to use another host external to your
local network in order to access / view services via their respective
public IP's, or continue to  access them via their defined RFC1918
addresses.

On another note, if access via public IP isn't a strict requirement,
there is the views functionality in Bind9 that (once set up properly)
would allow you to access, say, hosted websites via their WWW addresses
from internal hosts.

Regards,

Stacey

 Regards,
 Smartnet Sverige AB
 
 Johannes Angeldorff
 
 
 
-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com




Re: ipfw natd forward port 80

2003-08-14 Thread Totok
Hi,

I have similar problem.
I'm using IPF & IPNAT to redirect outbound connection
to the internal IP addr. It's been 4 months I can't
solve it :(

The result so far:
The connection was refused (Netscape)
Alert! Unable to connect (Lynx)

TIA

Here is the details

IPF.CONF
block in log all
pass out all
pass in on xl1 all
pass in on lo all
block in log quick on xl0 from 0.0.0.0/32 to any
block in log quick on xl0 from 255.255.255.255/32 to any
block in log quick on xl0 from 127.0.0.0/8 to any
block in log quick on xl0 from any to 0.0.0.0/32
block in log quick on xl0 from any to 255.255.255.255/32
block in log quick on xl0 from any to 127.0.0.0/8
block in log quick on xl0 from 192.168.0.0/16 to any
block in log quick on xl0 from 172.16.0.0/12 to any
block in log quick on xl0 from 10.0.0.0/8 to any
pass in quick on xl0 proto icmp all icmp-type 0
pass in quick on xl0 proto icmp all icmp-type 3
pass in quick on xl0 proto icmp all icmp-type 11
# connections to machines
block in log on xl0 proto tcp all flags S/SA
block in log on xl0 proto tcp all flags SA/SA
pass in quick on xl0 proto tcp from any to any port = 5557 flags S/SA keep state
pass in quick on xl0 proto tcp from any to any port = 25 flags S/SA keep state
pass in quick on lo0 proto tcp from any to any port = 25 flags S/SA keep state
pass in quick on xl0 proto tcp from any to any port = 110 flags S/SA keep state
pass in quick on lo0 proto tcp from any to any port = 110 flags S/SA keep state
pass in quick on xl0 proto tcp from any to any port =  flags S/SA keep state
pass in quick on lo0 proto tcp from any to any port =  flags S/SA keep state
pass in quick on xl0 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on lo0 proto tcp from any to any port = 80 flags S/SA keep state
pass out on xl0 proto tcp all keep state
# note 5
block return-rst in on xl0 proto tcp from any to any port = 113
block in log quick on xl1 proto tcp from any to any port = 135
block in log quick on xl1 proto udp from any to any port = 135
block in log quick on xl1 proto udp from any to any port = 137
pass in log quick on xl1 proto udp from 192.168.0.1 to any port = 137
block in log quick on xl1 proto tcp from any to any port = 139
block in log quick on xl1 proto tcp from any to any port = 445
block in log quick on xl1 proto udp from any to any port = 138
pass in on xl0 proto udp from 202.xxx.xxx.xxx port = 53 to any
pass in on xl0 proto udp from 202.xxx.xxx.xxx port = 53 to any

IPNAT
map xl0 192.168.0.0/24 -> 202.xxx.xxx.xxx/32 portmap tcp/udp 1025:2
map xl0 192.168.0.0/24 -> 202.xxx.xxx.xxx/32
rdr xl0 202.xxx.xxx.xxx/32 port  -> 192.168.0.89 port 80 tcp

RC.CONF
ifconfig_xl1="inet 192.168.0.27 netmask 255.255.255.0"
ifconfig_xl0="inet 202.xxx.xxx.xxx netmask 255.255.255.240"
gateway_enable="YES"
defaultrouter="202.xxx.xxx.xxx"
ntpdate_flags="ntp.cyber-fleet.net"
ntpdate_enable="YES"
sshd_enable="YES"
inetd_enable="YES"
hostname="AROMA.ialf.edu"
sendmail_enable="YES"
sendmail_flags="-bd"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
sendmail_msp_queue_enable="NO"
inetd_flags="-Ww"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.conf"
ipnat_rules="/etc/ipnat.conf"
ipnat_flags="-CF"
ipmon_enable="YES"




--- Clement Laforet [EMAIL PROTECTED] wrote:
 On Thu, 7 Aug 2003 04:33:43 +0200
 Clement Laforet [EMAIL PROTECTED] wrote:

 oups :
  use this
  natd_flags="-dynamic -redirect_port 192.168.1.150:80 80"

 natd_flags="-dynamic -redirect_port tcp 192.168.1.150:80 80"
 that's better ;)




Re: ipfw natd forward port 80

2003-08-14 Thread Clement Laforet
On Wed, 06 Aug 2003 21:28:19 -0700
[EMAIL PROTECTED] wrote:

 
 I want to forward port 80 from an outside ip to an internal ip of
 192.168.1.150 dc1 is tun0  pppoe / dc0 is lan 
 I have read what seems like 5 diff ways to do this but the only 
 result has been to lock myself out of the computer.
 What have I missed.
 rc.conf settings
 firewall_enable="YES"
 firewall_script="/etc/firewall/fwrules"
 firewall_quiet="YES"
 firewall_logging_enable="YES"
 #log_in_vain="YES"
 tcp_drop_synfin="NO"
 tcp_restrict_rst="NO"
 icmp_drop_redirect="YES"
 natd_enable="YES"
 natd_interface="tun0"
 natd_flags="-dynamic"
 gateway_enable="YES"
 ppp_enable="YES"
 ppp_mode="ddial"
 ppp_profile="default"

seems to be good.


  ipfw show
 00050 fwd 192.168.1.150,80 tcp from any to 192.168.1.150 in via tun0
^^ = BAD
use this
natd_flags="-dynamic -redirect_port 192.168.1.150:80 80"




Re: ipfw natd forward port 80

2003-08-14 Thread Clement Laforet
On Wed, 6 Aug 2003 20:55:47 -0500 (CDT)
Mark [EMAIL PROTECTED] wrote:

 I am still unable to connect from the outside, 
 from the kernel config
 # ipfw options
 options IPFIREWALL
 options IPFIREWALL_VERBOSE
 options IPFIREWALL_VERBOSE_LIMIT=10
 options IPFIREWALL_DEFAULT_TO_ACCEPT
 options IPDIVERT
 
 #To hide firewall from traceroute
 options   IPSTEALTH
 
 #To hide from nmap, remove if create web server
 #options  TCP_DROP_SYNFIN


ok here my set up
(I use pound for web traffic now but it used to work for year)
kernel conf :
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT

natd.conf :
[EMAIL PROTECTED]|(553)| teapop-devel]# ssh charon.cultdeadsheep.org cat /etc/natd.conf
log no
deny_incoming   no
port            8668
#
use_sockets yes
#
# Avoid port changes if possible. Makes rlogin work
# in most cases.
#
same_ports  yes
#
verbose no
interface tun0
unregistered_only yes
redirect_port tcp 192.168.0.1:80 80

Now the debugging :)
When you telnet to your external IP on port 80 you get:
1. Connection refused: natd isn't running
2. ping timeout:
   - your firewall is faulty
   - or your server is down
   - or your server doesn't have the right gateway



Re: ipfw / natd does not allow lan traffic to reach external num

2003-08-14 Thread Toomas Aas
Hi!

 I have a problem with our firewall/NAT, on a FreeBSD 4.7 box... Here 
 a list with some details:
 
 *) The FreeBSD box uses natd and ipfw, and have two external IP:s, 
 lets say aaa.bbb.ccc.20 and ddd.eee.fff.21.
 
 *) natd is used to redirect access to external IP addresses and ports 
 to internal LAN IP:s, for example 192.168.0.20 and 192.168.0.21, 
 where for example webservers are located.
 
 *) natd rules:

snipped

 
 *) ipfw lets things through:

snipped

 Most things works just fine, external access are redirected to 
 correct ports, and the webservers work just fine. BUT the problem 
 comes when a box on the LAN tries to reach a site residing on 
 192.168.0.20 using the _external_ IP aaa.bbb.ccc.20. 

I don't use ipfw but I encountered the same problem when I first
attempted a similar setup using ipfilter/ipnat.

The problem (at least with ipfilter/ipnat) is that nat does not change the
*source* address of packets to that of the machine doing the NAT.

So, if you are at machine 192.168.1.10, the internal IP of the NAT
box is 192.168.1.1 and you are trying to access a service running
on 192.168.1.2 via the external interface of the NAT box, this is
what happens:

* Your PC sends initial SYN with source=192.168.1.10, target=natbox_external_ip.
  This packet goes to the natbox, as that is your default gateway.

* NAT on natbox translates the target address to 192.168.1.2 and sends the packet 
  there. The source address remains unchanged (192.168.1.10).

* 192.168.1.2 sees the packet coming from 192.168.1.10, and - this is where
  it goes wrong - sends response (SYN+ACK) directly to 192.168.1.10.

* since 192.168.1.10 did not initiate session with 192.168.1.2 but with
  natbox, it doesn't want anything to do with this strange SYN+ACK packet 
  and just drops it.

There are several possible solutions recommended for ipfilter, but the one
that I myself ended up using was to set up netcat on the natbox.

Basically (using inetd) you set up netcat to listen on an arbitrary port X and 
pipe all traffic to the machine:port on your internal net where the actual
service is running (such as 192.168.1.2:80). Then you forward all traffic with 
src=your_internal_net and dst=natbox_external_ip:80 to 127.0.0.1:X. That way 
the internal server sees packets coming from natbox, sends its responses there, 
and the natbox in turn sends responses back to the original client. Everybody's 
happy.

As I said I don't use ipfw myself so I can't give you any specific ipfw
commands, but I'm sure it all can be done. If only my explanation wasn't too
confusing :-)
--
Toomas Aas | [EMAIL PROTECTED] | http://www.raad.tartu.ee/~toomas/
* (A)bort, (R)etry, (I)nfluence with large hammer?
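The packet walk Toomas gives above (and the failure Johannes and the IPFW/NATD Transparent Proxy thread ran into), as an added model that is not part of any post: a LAN client, a NAT box and an internal server on one 192.168.1.0/24 segment, followed through the SYN and SYN+ACK of a hairpin request. All addresses are made up (203.0.113.4 stands for the NAT box's public address), and the box's "rewrite source" mode stands in for what the netcat relay achieves, namely that the server sees the NAT box as the source and replies through it.

```python
"""Why a destination-only NAT hairpin fails, and why relaying fixes it.

Constructed model (added example, not from the thread).  We follow the
client's SYN and the server's SYN+ACK and check whether the client will
accept the reply.  Addresses are made up.
"""
from dataclasses import dataclass, replace

CLIENT, CLIENT_PORT = "192.168.1.10", 40000
NATBOX_LAN = "192.168.1.1"
NATBOX_EXT = "203.0.113.4"   # stand-in for natbox_external_ip
SERVER = "192.168.1.2"


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN" or "SYN+ACK"


class NatBox:
    """redirect_port-style destination NAT for NATBOX_EXT:80 -> SERVER:80.

    With rewrite_source=True the box also replaces the client's source
    address with its own LAN address (the effect of the netcat relay or
    of an explicit source rewrite), so the server's replies come back
    through the box instead of going straight to the client.
    """

    def __init__(self, rewrite_source: bool):
        self.rewrite_source = rewrite_source
        self.sessions = {}  # natbox-side source port -> (client, client port)

    def translate(self, seg: Segment) -> Segment:
        # Request for the public address: rewrite the destination only.
        if seg.dst == NATBOX_EXT and seg.dport == 80:
            out = replace(seg, dst=SERVER)
            if self.rewrite_source:
                out = replace(out, src=NATBOX_LAN)
                self.sessions[out.sport] = (seg.src, seg.sport)
            return out
        # Reply from the server addressed to the box: undo both rewrites.
        if seg.src == SERVER and seg.dst == NATBOX_LAN and seg.dport in self.sessions:
            client, cport = self.sessions[seg.dport]
            return replace(seg, src=NATBOX_EXT, dst=client, dport=cport)
        return seg


def server_reply(seg: Segment) -> Segment:
    """The web server answers whatever address the SYN claims to come from."""
    return Segment(src=seg.dst, sport=seg.dport, dst=seg.src, dport=seg.sport, flags="SYN+ACK")


def client_accepts(reply: Segment) -> bool:
    """The client opened a socket to NATBOX_EXT:80; a SYN+ACK from any other
    peer matches no connection it knows about and is dropped."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (NATBOX_EXT, 80, CLIENT, CLIENT_PORT)


def handshake(rewrite_source: bool):
    """Run SYN / SYN+ACK through the model; return (accepted, trace)."""
    natbox = NatBox(rewrite_source)
    trace = []
    syn = Segment(CLIENT, CLIENT_PORT, NATBOX_EXT, 80, "SYN")
    trace.append(f"client -> natbox : {syn}")
    to_server = natbox.translate(syn)
    trace.append(f"natbox -> server : {to_server}")
    reply = server_reply(to_server)
    # Same-subnet routing: the server delivers straight to the destination
    # address.  Only a reply addressed to the box's own LAN address passes
    # through the NAT box again.
    if reply.dst == NATBOX_LAN:
        trace.append(f"server -> natbox : {reply}")
        reply = natbox.translate(reply)
        trace.append(f"natbox -> client : {reply}")
    else:
        trace.append(f"server -> client (direct, bypassing natbox): {reply}")
    accepted = client_accepts(reply)
    trace.append("client accepts SYN+ACK" if accepted
                 else "client drops SYN+ACK: unexpected peer")
    return accepted, trace


if __name__ == "__main__":
    for mode in (False, True):
        ok, steps = handshake(rewrite_source=mode)
        print(f"\nrewrite_source={mode} -> {'works' if ok else 'fails'}")
        print("\n".join("  " + s for s in steps))
```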



Re: ipfw natd forward port 80

2003-08-14 Thread Mark
I am still unable to connect from the outside, 
from the kernel config
# ipfw options
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT

#To hide firewall from traceroute
options   IPSTEALTH

#To hide from nmap, remove if create web server
#options  TCP_DROP_SYNFIN


Re: ipfw natd forward port 80

2003-08-06 Thread Clement Laforet
On Thu, 7 Aug 2003 04:33:43 +0200
Clement Laforet [EMAIL PROTECTED] wrote:

oups :
 use this
 natd_flags="-dynamic -redirect_port 192.168.1.150:80 80"

natd_flags="-dynamic -redirect_port tcp 192.168.1.150:80 80"
that's better ;)


Re: ipfw - natd - squid - 3 Nic's - 1 FBSD 5.1 server and routing question

2003-08-04 Thread Matthew Seaman
On Mon, Aug 04, 2003 at 06:24:42AM -0700, [EMAIL PROTECTED] wrote:
 I could sure use an idea for solving the following.  We have a perfectly
 functional but saturated ds0 with our telco that is very expensive.  We
 have squid running with transparent proxy for our LAN that consists of
 about 10-15 users.  [ fwd 127.0.0.1,3128 tcp from 192.168.5.0/24 to any 80 ]
 It works fine but still not enough bandwidth so we contracted a connection
 with a cable company that we plan to use for all outgoing requests for
 port 80 from squid.  The problem is that I can't get the outgoing requests
 from squid to use the nic that is connected to the cable company.
 
 Squid is setup to use the Cable companies IP
   tcp_outgoing_address  10.24.194.163
 but since the default gateway is to the telco interface, the request is sent
 to the telco.
 
 I'm not sure how to make this work.  Our three nic's are set up as follows
 
 rl1
 192.168.5.0/24   ---
 Internal Network \
   \rl0 [TelCo]
--  200.79.x.0/28--- INTERNET
   /natd-ipfw-squid
 rl2  / routing: default 200.79.x.1
 10.24.194.163/20 ---
 Cable Network
 
 Our firewall configuration has been reduced to the following until we can
 get this to work.
 
 00100 allow ip from any to any via lo0
 00200 deny ip from any to 127.0.0.0/8
 00300 deny ip from 127.0.0.0/8 to any
 00400 fwd 127.0.0.1,3128 tcp from 192.168.5.0/24 to any 80
 65100 divert 8668 ip from any to any via rl0
 65500 allow ip from any to any
 65535 allow ip from any to any
 
 Everything works great with rl1 - rl0 but rl2 is basically useless.
 I have tried many different approaches and none have worked.  I'm probably
 complicating it too much.
 
 Any help or suggestions will be appreciated.

This sounds to me like a policy based routing problem -- googling for
"policy based routing FreeBSD" in Google Groups should prove
informative.

However, the mechanism is basically the same as you've used to
implement your transparent proxy.  All you need to do is insert
another rule to trap the port 80 traffic coming out of Squid and send
the packets to the next-hop gateway on your rl2 interface.  That
presumably has its default route set via the cable network.

Something like:

00500 fwd 10.24.207.254 tcp from me to any 80

(assuming that 10.24.207.254 is the router address in the cable
company's network.)  Since your Squid is already using a Cable
Co. address as the source address on any outgoing packets this should
cause all in- and out-going HTTP traffic to pass via the Cable
Co. network.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




Re: IPFW + NATD

2003-07-13 Thread Micheal Patterson


- Original Message - 
From: Vitor de Matos Carvalho [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, July 13, 2003 7:18 AM
Subject: IPFW + NATD


 Hi,

 I have two networks: 10.1.0.0/16 and 10.2.0.0/16

 I need to do NAT for only one network, 10.2.0.0/16.
 Network 10.1.0.0/16 does not have external access.
 How do I configure ipfw + natd so that this is possible?
 My exit interface is xl0; the interface of network 10.1.0.0/16 is xl1, and
 the interface of network 10.2.0.0/16 is xl2.
 How do I configure ipfw using natd to do NAT only for net 10.2.0.0/16?



  Regards,

 ---
 Vitor de Matos Carvalho - #5602098
 Softinfo Network Administrator
 +55 (71)9971-5011 / +55 (71)9986-9317
 Salvador - Bahia - Brazil
 FreeBSD: The silent Workhorse


I would think it would be something like this:

# Divert all outbound traffic through nat
#
ipfw add 1 divert natd all from any to any via xl0
#
### Allow traffic from  to internal networks
#
ipfw add 2 allow ip from 10.1.0.0/16 to 10.2.0.0/16
ipfw add 2 allow ip from 10.2.0.0/16 to 10.1.0.0/16
#
### Deny 10.1.0.0/16 traffic to anyone else
#
ipfw add 4 deny ip from 10.1.0.0/16 to any
#
### Rest of firewall rules
#

--

Micheal Patterson
Network Administration
Cancer Care Network
405-733-2230



Re: IPFW + NATD

2003-07-13 Thread Vitor de Matos Carvalho
Thanks for help.

My net 10.1.0.0/16 cannot see net 10.2.0.0/16.
And in my firewall the last rule of my kernel is: deny ip from any to any


 Regards,

---
Vitor de Matos Carvalho - #5602098
Softinfo Network Administrator
+55 (71)9971-5011 / +55 (71)9986-9317
Salvador - Bahia - Brazil
FreeBSD: The silent Workhorse


Re: IPFW NATD access www server by name from the LAN side ?

2003-03-29 Thread Charlie Schluting

 FreeBSD 4.7 firewall with 3 nics. Public, DMZ, and LAN.
 DNS (BIND) is not running here.
 www Public address is redirected to its DMZ address.
 The www server in the DMZ can be accessed by name from the Internet but
 only by its private DMZ IP address from the LAN side. Attempt to access
 it by name from the LAN results in a 'page not found'.

 When attempting to access the www by name from the LAN side tcpdump
 shows traffic getting to the firewall but not redirected out DMZ nic. So
 it's the firewall answering with the 'page not found'.

Well, actually your web browser is saying that... because it can't find
the page.

 How can I redirect traffic to the WWW server from the LAN side ?
 Thanks, Jay.

This is in the howto I followed (but I don't remember how)... there's
about 5 good ones that can be found via google.
Basically, you need to add a rdr rule to natd, if I remember correctly.


Re: IPFW NATD access www server by name from the LAN side ?

2003-03-29 Thread jdroflet
Thanks, I've spent some time googling but haven't hit anything; if
anyone has some links it would be most appreciated.



Re: IPFW NATD access www server by name from the LAN side ?

2003-03-29 Thread Jonathan Chen
On Sat, Mar 29, 2003 at 03:11:09PM -0800, [EMAIL PROTECTED] wrote:

[...]
   How can I redirect traffic to the WWW server from the LAN side ?
   Thanks, Jay.
  
  This is in the howto I followed (but I don't remember how)... there's
  about 5 good ones that can be found via google.
  Basically, you need to add a rdr rule to natd, if I remember correctly.
 Thanks, I've spent some time googling but haven't hit anything; if
 anyone has some links it would be most appreciated.

The most common solution is to run an internal DNS (which everyone on
the inside uses) which maps the name to the internal address. If you run
an authoritative DNS for your domain, the DNS which serves outside queries
needs to be separate from the one that handles internal queries.
Alternatively, you can use BIND9's views feature to do the same thing
as these 2 DNS servers.

Cheers.
-- 
Jonathan Chen [EMAIL PROTECTED]
--
With sufficient thrust, pigs fly just fine. However, this is not necessarily
a good idea. It is hard to be sure where they are going to land, and it
could be dangerous sitting under them as they fly overhead. -- RFC 1925


Re: ipfw/natd questions

2003-01-16 Thread Axel Gruner
On Wed, 15 Jan 2003 19:08:08 -0600
Redmond Militante [EMAIL PROTECTED] wrote:
[...]
 at the moment, it's not working.
 on machine 2, i can't ping www.freebsd.org - i get 'hostname lookup
 failure', i can't ping xl0 - external nic on machine 1 - ping
 129.x.x.35 gives me a 'host is down' message; machine 2 can ping its
 own static ip successfully - ping 129.x.x.20 works machine 2 can ping
 its own hostname successfully - ping machine2.hostname.com works
 sorry if this is long, i've been messing with this all day and i think
 i'm doing it right. can you guys tell if i'm missing something
 obvious?

What about your /etc/resolv.conf? On both machines?
Did you insert the nameserver of your ISP?


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



Re: ipfw/natd questions

2003-01-16 Thread John

 - i've run an ethernet cable from xl1 - integrated intel 1000 pro nic on
machine 1 - to machine 2's nic.
 i've edited machine 2's /etc/rc.conf so that it points to the internal
nic - xl1 on machine 1 as its default gateway:

Ethernet cable?  Or crossover cable?
If it's straight cable, you need another hub and cable.. or a crossover
cable instead.

 snip
 defaultrouter=10.20.155.1
 hostname=machine2.hostname.com
 ifconfig_xl0=inet 129.x.x.20 netmask 255.255.255.0
 snip

On another note, if I read that correctly.. you connected a nic that is
configured with IP of 129.x.x.x to a nic with an IP of 10.x.x.x.
You would more than likely want the nic on machine2 to be on the 10.x.x.x
subnet for this configuration.

Afterwards, you should at least be able to ping your internal interface on
machine1 from machine2 (It looks like you're allowing it in your IPFW
rules...).

Once you can ping.. (or begin to see traffic on the internal interface in
the logs for IPFW), you can start troubleshooting the IPFW rules, if
necessary.

HTH,
John







Re: IPFW + NATD with redirect_port

2002-11-30 Thread Jonathan Clarke
 I want to redirect incoming ssh packet to another box internally.  I have
 got the following as my /etc/natd.conf

 dynamic yes
 log_denied yes
 use_sockets yes
 same_ports yes
 unregistered_only
 redirect_port tcp 192.168.0.200:22 4455

 When I try to ssh to port 4455 I get nothing - I have ipfw running - do I
 need any specific rules to get this working.  I have tried ${fwcmd} add
 pass log tcp from any to any 22 in via ${oif} setup but it doesn't seem
to
 work.

Gordon,

Your natd setup looks OK to me. I'm wondering whether your ipfw isn't
blocking connection attempts. Do you have a rule that allows tcp connections
to port 4455? And another to allow connections from NAT box to ssh box on
port 22?

And when you try to connect to port 4455 on your NAT box, you do it from the
exterior, right?

Hope this helps,
Jonathan





Re: IPFW, natd, redirect_address help needed

2002-11-05 Thread David Cramblett
Do you have gateway_enable=YES in your firewall?

Can you get packets through both directions just fine with the firewall 
set to OPEN?

David


Terrac Skiens wrote:

Hi there,

I have been trying to set up an embedded system from soekris, running a
small version of freebsd on its internal compact flash hard disk.

The machine is built, I have remote access to it and I intend to use it
as a firewall + nat appliance. Directing traffic from machines internally
to external IP addresses.

I have gotten everything running, however my test for the machines
behind the new firewall keeps failing. I can ping the firewall itself, but
not anything past it. The pings just disappear. From the firewall I can
ping anything by either hostname or IP.

What I have not figured out is why my machines behind the firewall cannot
ping out past the firewall, or get any other traffic out either.

my ipfw list is:
---
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to 172.16.0.0/12 via sis0
00500 deny ip from any to 192.168.0.0/16 via sis0
00600 deny ip from any to 0.0.0.0/8 via sis0
00700 deny ip from any to 169.254.0.0/16 via sis0
00800 deny ip from any to 192.0.2.0/24 via sis0
00900 deny ip from any to 224.0.0.0/4 via sis0
01000 deny ip from any to 240.0.0.0/4 via sis0
01100 divert 8668 ip from any to any via sis0
01200 deny ip from 172.16.0.0/12 to any via sis0
01300 deny ip from 192.168.0.0/16 to any via sis0
01400 deny ip from 0.0.0.0/8 to any via sis0
01500 deny ip from 169.254.0.0/16 to any via sis0
01600 deny ip from 192.0.2.0/24 to any via sis0
01700 deny ip from 224.0.0.0/4 to any via sis0
01800 deny ip from 240.0.0.0/4 to any via sis0
01900 allow tcp from any to any established
02000 allow ip from any to any frag
1 deny log logamount 100 tcp from any to any in recv sis0 setup
10100 allow tcp from any to any setup
10200 allow udp from any to any 53 keep-state out xmit sis0
10300 allow udp from any to any 53 keep-state in recv sis0
10400 allow udp from any to any 123 keep-state out xmit sis0
10500 allow udp from any to any 123 keep-state in recv sis1
10600 allow tcp from any to any 53 keep-state out xmit sis0
10700 allow tcp from any to any 53 keep-state in recv sis1
10800 allow tcp from any to any 25 keep-state out xmit sis0
10900 allow tcp from any to any 25 keep-state in recv sis1
11000 allow tcp from any to any 22 keep-state out xmit sis0
11100 allow tcp from any to any 22 keep-state in recv sis1
11200 allow udp from me to any 67 keep-state out xmit sis0
11300 allow icmp from any to any
65535 deny ip from any to any

and my netstat -rn is:
---
Routing table:
--
Destination        Gateway            Flags   Netif  Use
default            66.180.229.177     UGSc    sis0     2
10.1.1.0/24        link#2             UC      sis1     0
xxx.xxx.xxx.xxx    link#1             UC      sis0     0   - network
xxx.xxx.xxx.xxx    link#1             UHLW    sis0     0   - gateway
127.0.0.1          127.0.0.1          UH      lo0      0





 


--
David Cramblett
Network and Information Services
Multnomah Education Service District
phn: 503-257-1535
fax: 503-257-1538






Re: IPFW, natd, redirect_address help needed

2002-11-05 Thread Terrac Skiens
 since this is a super small distribution I do not have the default open,
closed, and client firewall configs. The set I am using is based on the
client one though, however I adjusted it to allow traffic from the inside
to the outside on specific ports and hopefully keep-state to let the
returning packets back in. That's right, isn't it?

 -terrac

On Tue, 5 Nov 2002, David Cramblett wrote:

 Do you have gateway_enable=YES in your firewall?

 Can you get packets through both directions just fine with the firewall
 set to OPEN?

 David





Re: IPFW, natd, redirect_address help needed

2002-11-05 Thread David Cramblett
well you could simply do an ipfw flush and then use ipfw command line to 
add back the rule for the loopback device and the natd divert line 
(looks like you're using natd?), then do a:

ipfw add pass all from any to any

and make sure that you can send and receive traffic in both directions 
without any deny firewall rules in place.

If you want to test with the current rules in place, you may want to add 
a line to log all connections, if you have the disk space for it and 
then tail -f your security log and see what packets are getting 
denied/accepted and why.

David



Terrac Skiens wrote:

since this is a super small distribution I do not have the default open,
closed, and client firewall configs. The set I am using is based on the
client one though, however I adjusted it to allow traffic from the inside
to the outside on specific ports and hopefully keep-state to let the
returning packets back in. That's right, isn't it?

-terrac




Re: IPFW/NATD

2002-10-22 Thread Ruben de Groot
On Tue, Oct 22, 2002 at 10:55:26AM -0500, Scott Pilz typed:
 
   The answer to this is more than likely 'no'.
 
   But I'll try anyways.
 
 Setup: NATD/IPFW
 
 Say you have an IPFW rule to allow 10.0.0.2 through NATD - thus into the
 internet - and everything else to be blocked.
 
 Your machine (10.0.0.2) that is being firewalled by NATD/IPFW works fine.
 Then someone else sets their machine up to 10.0.0.2, and now they can also
 get out into the network (there will of course be an ip conflict).

You can use arp(8) to make a permanent entry in the arp table on your 
NAT/Firewall box to prevent anyone else from using this IP address:

arp -S 10.0.0.2 Your_machines_MAC

 
 My question is, for security, is there any way to use this type of block
 based on MAC ID. Almost to bond the MAC ID to the IP Address so the only
 computer that can use the IP address 10.0.0.2 is with MAC ID whatever?
 
 
 Thanks,
 
 Scott
 
 

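A check, added here and not from the thread, that the bindings pinned with arp -S are actually in place on the NAT box: it parses arp -an output in the FreeBSD line shape (the sample lines and the pinned table below are constructed) and reports pinned addresses that are missing, bound to a different MAC, or only present as dynamic entries.

```python
"""Audit that IP-to-MAC bindings pinned on a NAT box with `arp -S` are
present as permanent ARP entries.  Constructed example, not from the thread."""
import re
from typing import Dict, List

# Constructed sample of FreeBSD `arp -an` output (not a real capture).
SAMPLE_ARP_AN = """\
? (10.0.0.1) at 00:50:04:aa:bb:01 on xl1 permanent [ethernet]
? (10.0.0.2) at 00:50:04:aa:bb:02 on xl1 expires in 1180 seconds [ethernet]
? (10.0.0.3) at 00:50:04:aa:bb:99 on xl1 permanent [ethernet]
? (10.0.0.4) at (incomplete) on xl1 expired [ethernet]
"""

# What the administrator intended to pin with `arp -S <ip> <mac>` (constructed).
PINNED: Dict[str, str] = {
    "10.0.0.1": "00:50:04:aa:bb:01",
    "10.0.0.2": "00:50:04:aa:bb:02",
    "10.0.0.3": "00:50:04:aa:bb:03",
    "10.0.0.5": "00:50:04:aa:bb:05",
}

_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}|\(incomplete\)) "
    r"on (?P<ifn>\S+) (?P<state>.*?) \[", re.I)

def parse_arp(text: str) -> Dict[str, dict]:
    """Map IP -> {mac, ifn, permanent} from arp -an output; unparseable lines are skipped."""
    table: Dict[str, dict] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        table[m["ip"]] = {
            "mac": m["mac"].lower(),
            "ifn": m["ifn"],
            "permanent": m["state"].strip() == "permanent",
        }
    return table

def audit(pinned: Dict[str, str], table: Dict[str, dict]) -> List[str]:
    """One finding per pinned address that is not bound the way arp -S left it."""
    findings = []
    for ip, want in sorted(pinned.items()):
        got = table.get(ip)
        if got is None:
            findings.append(f"{ip}: no ARP entry at all")
        elif got["mac"] != want.lower():
            findings.append(f"{ip}: bound to {got['mac']}, expected {want.lower()}")
        elif not got["permanent"]:
            findings.append(f"{ip}: entry is dynamic, not permanent (arp -S not applied?)")
    return findings

if __name__ == "__main__":
    for finding in audit(PINNED, parse_arp(SAMPLE_ARP_AN)):
        print(finding)
```

A permanent entry only fixes the firewall's own view of the address; as Scott notes, a second host using 10.0.0.2 still causes an IP conflict on that LAN, so a dynamic or mismatched entry here is worth alerting on.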


RE: ipfw, natd tun0

2002-07-16 Thread Carroll, D. (Danny)

Is PPP trying to do NAT as well as Natd?  I use Natd with tun0 all the
time and it works OK..
-D

:-Original Message-
:From: Allan McDonald [mailto:[EMAIL PROTECTED]]
:Sent: Tuesday, July 16, 2002 8:45 AM
:To: [EMAIL PROTECTED]
:Subject: ipfw, natd  tun0
:
:
:Hi,
:I'm trying to use natd with port redirection and it's not working..
:
:I have a working model, a box with 2 network cards in it, in 
:which natd port
:redirection is working just fine..
:and I have another which I am trying to do the same thing, 
:however this poor
:box has to connect to the internet via ppp.  Now the internet 
:connection is
:working fine.
:
:My query is.. should natd support port redirection over the 
:tun0 interface?
:
:I do have options IPDIVERT compiled.. same format config files 
:(natd.conf
:/etc/rc.conf) on both boxes.
:Both boxes running FreeBSD 4.5
:
:Anyone had this problem before??
:
:
:Regards,
:
:Allan McDonald
:IT Manager
:Ozdaq Securities Pty Ltd
:
:
:
: