Date: Thu, 29 Jun 2000 13:40:21 -0400 (EDT)
From: Michael Lucas <mwlucas@blackhelicopters.org>
To: freebsd-security@freebsd.org
Subject: ipfilter & pptp & freebsd
Message-ID: <200006291740.NAA16472@blackhelicopters.org>
Well, I got a FreeBSD firewall at work, after explaining how the commercial ones weren't any better and cost far more for not much gain. And it makes the enterprise-critical application fail. Sometimes life is just not fair.

Anyway, I have a FreeBSD 4-stable machine as our gateway box. I'm using ipfilter for NAT and connection control. Inside the network, I have a Windows machine, running FrontPage, that needs to publish data to the outside world via pptp tunnels. This machine pumps hundreds of meg a day.

If we take this system and put it outside the firewall, it shoves data quickly. Inside the firewall, it runs painfully slowly. In the last 50 minutes, it's sent 1,181,971 bytes.

Below, I replace the class C with a.b.c to protect the guilty. 192.168.1.105 is my pptp host.

I'd appreciate any help anyone has to offer, or any tips on what to check.

Thanks,
Michael

My ipnat.conf looks like:

#then the general NAT for the office
#first, pptp
rdr fxp1 a.b.c.2/32 port 0 -> 192.168.1.105 port 0 gre
rdr fxp1 a.b.c.2/32 port 1723 -> 192.168.1.105 port 1723 tcpudp
#then regular networking
map fxp1 192.168.1.1/24 -> a.b.c.2/32 proxy port ftp ftp/tcp
map fxp1 192.168.1.1/24 -> a.b.c.2/32 portmap tcp/udp 10000:40000
#finally, allow any any outgoing protocol
map fxp1 192.168.1.0/24 -> a.b.c.2/32
rdr fxp1 a.b.c.2/32 port 21 -> 192.168.1.254 port 21
... plus a bunch more "redirect this for incoming services"...
My ipf.conf looks like:

#universal rules
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short

#the outside interface
#outgoing on outside
pass out on fxp1 all head 350
block out from 127.0.0.0/8 to any group 350
block out from any to 127.0.0.0/8 group 350
block out from any to 192.168.1.1/24 group 350
pass out log quick proto tcp from a.b.c.2 to any keep state group 350
pass out log quick proto udp from a.b.c.2 to any keep state group 350

#incoming on outside
#first, the rules for all traffic
pass in on fxp1 all head 300
block in log quick from 127.0.0.0/8 to any group 300
block in log quick from 192.168.1.1/32 to any group 300
block in log quick from 10.0.0.1/0xff000000 to any group 300
#for DNS queries to firewall exterior
pass in quick proto udp from any to a.b.c.2 port = 53 keep state group 300
#for pptp tunnel
pass in log quick proto gre from 135.145.11.128 to a.b.c.2 group 300
pass in log quick proto gre from 135.145.11.129 to a.b.c.2 group 300
pass in log quick proto gre from 135.145.11.128 to 192.168.1.105 group 300
pass in log quick proto gre from 135.145.11.129 to 192.168.1.105 group 300
#establish 3way handshake on a.b.c.2
block in log proto tcp from any to a.b.c.2/32 flags S/SA head 302 group 300
#allow DNS zone transfers
pass in quick proto tcp from 209.69.70.3 to a.b.c.2 port = 53 keep state group 302
#incoming connections proxied through the firewall on .2, in port order
pass in log quick proto tcp from any to 192.168.1.254/32 port = 21 keep state group 302
...more of the same...
pass in log quick proto tcp from 135.145.11.128 port = 1723 to 192.168.1.105/32 keep state group 302
...more of same...
#finally, after everything else is processed, we bounce bad connections
#this gives a proper response to UDP probes
block return-icmp(port-unr) in log on fxp1 proto udp from any to any group 302
block return-rst in log proto tcp from any to any group 302

############################################################################
#the inside interface
#outgoing on inside interface
pass out log on fxp0 all head 450
block out log quick from 127.0.0.0/8 to any group 450
block out log quick from any to 127.0.0.0/8 group 450
block out log quick from any to a.b.c.2/25 group 450
#do not block syslogd
pass out quick from any to 192.168.1.251 port = 514 group 450

#incoming on inside interface
pass in on fxp0 all head 400
block in log quick from 127.0.0.0/8 to any group 400
block in log quick from a.b.c.2/25 to any group 400
block in log quick from 10.0.0.1/0xff000000 to any group 400
pass in on fxp0 all head 400
block in log quick from 127.0.0.0/8 to any group 400
block in log quick from a.b.c.2/25 to any group 400
block in log quick from 10.0.0.1/0xff000000 to any group 400
block in quick from any to 206.154.102.240/24 group 400
pass in log quick on fxp0 proto tcp from any to 192.168.1.1 port = 22 keep state group 400
pass in quick on fxp0 proto udp from 192.168.1.251/32 to 192.168.1.1 port = 161 keep state group 400
pass in log quick on fxp0 proto tcp from any to any keep state group 400
pass in log quick on fxp0 proto udp from any to any keep state group 400
pass in log quick on fxp0 proto gre from any to any group 400
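Added illustration for readers of this thread (not part of Michael's post and not ipfilter's own code): a small Python model of how ipf walks a ruleset like the one above, so you can see which rule actually decides a given packet. It implements the ipf semantics that matter here: rules are scanned in order, the last match wins unless a rule says quick, and rules tagged group N are only consulted once the rule tagged head N has matched. Assumptions: 203.0.113.2 (a documentation address) stands in for the masked a.b.c.2; the embedded ruleset is an abridged copy of the posted ipf.conf; keep state, NAT and the with keywords are not modelled; and the no-match default is taken to be pass, which is ipf's default unless the kernel was built otherwise. The inbound GRE probe is given the post-rdr destination 192.168.1.105 because ipnat rewrites inbound packets before ipf filters them, which is why the post carries GRE pass rules for both addresses.

```python
"""Evaluator for the ipf(5) rule subset used in the post (constructed example, not code from the post).
Modelled: rules are scanned in order, the LAST match wins, `quick` ends the scan, and `group N` rules
are scanned only after the `head N` rule matched; if nothing matches the packet passes (ipf's usual
default). Not modelled: `keep state`, NAT, `with`. 203.0.113.2 (RFC 5737) stands in for a.b.c.2."""
import ipaddress
from dataclasses import dataclass, field

ALL_FLAGS = set("FSRPAU")  # mask assumed when `flags X` carries no /mask

@dataclass
class Packet:
    direction: str  # "in" / "out"
    iface: str
    proto: str      # "tcp", "udp", "gre", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: set = field(default_factory=set)  # TCP flag letters, e.g. {"S"}

class Rule:
    def __init__(self, text, action, direction):  # None in a selector field means "any"
        self.text, self.action, self.direction, self.quick = text, action, direction, False
        self.iface = self.proto = self.src = self.dst = self.sport = self.dport = None
        self.flags = self.head = self.group = None  # flags = (required set, mask set)

def net(tok):
    """'any' -> None; also accepts ipf's hex netmasks, e.g. 10.0.0.1/0xff000000."""
    if tok == "any":
        return None
    addr, _, mask = tok.partition("/")
    if mask.startswith("0x"):
        mask = str(ipaddress.IPv4Address(int(mask, 16)))
    return ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)

def parse(line):
    t = line.split()
    i = 2 if t[1].startswith("return-") else 1  # skip return-rst / return-icmp(...)
    r, side, i = Rule(line, t[0], t[i]), None, i + 1
    while i < len(t):
        w = t[i]
        if w in ("log", "all"):
            i += 1
        elif w == "quick":
            r.quick, i = True, i + 1
        elif w == "keep":  # "keep state": stateful matching not modelled
            i += 2
        elif w in ("from", "to"):
            side, i = w, i + 2
            setattr(r, "src" if w == "from" else "dst", net(t[i - 1]))
        elif w == "port":  # "port = N" (also accepts "port N")
            j = i + 2 if t[i + 1] == "=" else i + 1
            setattr(r, "sport" if side == "from" else "dport", int(t[j]))
            i = j + 1
        elif w == "flags":  # "flags S/SA" matches when (pkt_flags & SA) == S
            s, _, m = t[i + 1].partition("/")
            r.flags, i = (set(s), set(m) if m else ALL_FLAGS), i + 2
        elif w in ("on", "proto", "head", "group"):
            setattr(r, "iface" if w == "on" else w, t[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported token {w!r} in: {line}")
    return r

def matches(r, p):
    return (r.direction == p.direction and r.iface in (None, p.iface) and r.proto in (None, p.proto)
            and (r.src is None or ipaddress.ip_address(p.src) in r.src)
            and (r.dst is None or ipaddress.ip_address(p.dst) in r.dst)
            and r.sport in (None, p.sport) and r.dport in (None, p.dport)
            and (r.flags is None or (p.proto == "tcp" and (p.flags & r.flags[1]) == r.flags[0])))

def decide(rules, pkt):
    """Return the rule that decides pkt, or None when nothing matched."""
    winner = [None]
    def walk(group):  # True => a `quick` rule ended the scan
        for r in rules:
            if r.group == group and matches(r, pkt):
                winner[0] = r
                if r.quick or (r.head is not None and walk(r.head)):
                    return True
        return False
    walk(None)
    return winner[0]

def verdict(rules, pkt):
    r = decide(rules, pkt)
    return r.action if r else "pass"

# Abridged from the post's ipf.conf, outside address substituted (constructed sample).
RULES = [parse(l) for l in """
pass in on fxp1 all head 300
block in log quick from 10.0.0.1/0xff000000 to any group 300
pass in quick proto udp from any to 203.0.113.2 port = 53 keep state group 300
pass in log quick proto gre from 135.145.11.128 to 203.0.113.2 group 300
pass in log quick proto gre from 135.145.11.128 to 192.168.1.105 group 300
block in log proto tcp from any to 203.0.113.2/32 flags S/SA head 302 group 300
pass in log quick proto tcp from 135.145.11.128 port = 1723 to 192.168.1.105/32 keep state group 302
block return-icmp(port-unr) in log on fxp1 proto udp from any to any group 302
block return-rst in log proto tcp from any to any group 302
""".splitlines() if l.strip()]
```

Try it with decide(RULES, Packet("in", "fxp1", "gre", "135.145.11.128", "192.168.1.105")) and the winning rule is the quick GRE pass in group 300; a SYN from an arbitrary host to 203.0.113.2 port 1723 is caught by the head-302 block and then by the non-quick "block return-rst" in group 302, which is the last match. One thing the walk makes visible is that the "block return-icmp(port-unr)" UDP rule sits in group 302, whose head rule is "proto tcp", so under these semantics a UDP packet to an unlisted port never reaches it and is decided by the "pass in on fxp1 all head 300" rule instead. Before acting on any such reading of a live ruleset, confirm it with ipfilter's own tools: ipftest(1) replays described packets against an ipf.conf, and ipfstat's per-rule hit counters (ipfstat -nhio) show which rules real traffic is actually reaching.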