Date: Thu, 29 Jun 2000 16:34:43 -0700
From: Pierre Chiu <pccb@yahoo.com>
To: Michael Lucas <mwlucas@blackhelicopters.org>
Cc: freebsd-security@freebsd.org
Subject: Re: ipfilter & pptp & freebsd
Message-ID: <14149621401.20000629163443@everyday.cx>
In-Reply-To: <200006291740.NAA16472@blackhelicopters.org>
References: <200006291740.NAA16472@blackhelicopters.org>
For debugging purposes, how about keeping the nat rules but dropping all the firewall rules? And also, you might want to check out the NIC stats (netstat -i) while frontpage is uploading. The problem could be packet loss.

Thursday, June 29, 2000, 10:40:21 AM, you wrote:

ML> Well, I got a FreeBSD firewall at work, after explaining how the
ML> commercial ones weren't any better and cost far more for not much
ML> gain. And it makes the enterprise-critical application fail.
ML> Sometimes life is just not fair.

ML> Anyway, I have a FreeBSD 4.-stable machine as our gateway box. I'm
ML> using ipfilter for NAT and connection control. Inside the network, I
ML> have a Windows machine, running FrontPage, that needs to publish data
ML> to the outside world via pptp tunnels. This machine pumps hundreds of
ML> meg a day.

ML> If we take this system and put it outside the firewall, it shoves data
ML> quickly. Inside the firewall, it runs painfully slowly. In the last
ML> 50 minutes, it's sent 1,181,971 bytes.

ML> Below, I replace the class C with a.b.c to protect the guilty.
ML> 192.168.1.105 is my pptp host.

ML> I'd appreciate any help anyone has to offer, or any tips on what to check.

ML> Thanks,
ML> Michael

ML> My ipnat.conf looks like:

ML> #then the general NAT for the office
ML> #first, pptp
ML> rdr fxp1 a.b.c.2/32 port 0 -> 192.168.1.105 port 0 gre
ML> rdr fxp1 a.b.c.2/32 port 1723 -> 192.168.1.105 port 1723 tcpudp
ML> #then regular networking
ML> map fxp1 192.168.1.1/24 -> a.b.c.2/32 proxy port ftp ftp/tcp
ML> map fxp1 192.168.1.1/24 -> a.b.c.2/32 portmap tcp/udp 10000:40000
ML> #finally, allow any any outgoing protocol
ML> map fxp1 192.168.1.0/24 -> a.b.c.2/32
ML> rdr fxp1 a.b.c.2/32 port 21 -> 192.168.1.254 port 21
ML> ... plus a bunch more "redirect this for incoming services"...

ML> My ipf.conf looks like:

ML> #universal rules
ML> block in log quick from any to any with ipopts
ML> block in log quick proto tcp from any to any with short
ML> #the outside interface
ML> #outgoing on outside
ML> pass out on fxp1 all head 350
ML> block out from 127.0.0.0/8 to any group 350
ML> block out from any to 127.0.0.0/8 group 350
ML> block out from any to 192.168.1.1/24 group 350
ML> pass out log quick proto tcp from a.b.c.2 to any keep state group 350
ML> pass out log quick proto udp from a.b.c.2 to any keep state group 350
ML> #incoming on outside
ML> #first, the rules for all traffic
ML> pass in on fxp1 all head 300
ML> block in log quick from 127.0.0.0/8 to any group 300
ML> block in log quick from 192.168.1.1/32 to any group 300
ML> block in log quick from 10.0.0.1/0xff000000 to any group 300
ML> #for DNS queries to firewall exterior
ML> pass in quick proto udp from any to a.b.c.2 port = 53 keep state group 300
ML> #for pptp tunnel
ML> pass in log quick proto gre from 135.145.11.128 to a.b.c.2 group 300
ML> pass in log quick proto gre from 135.145.11.129 to a.b.c.2 group 300
ML> pass in log quick proto gre from 135.145.11.128 to 192.168.1.105 group 300
ML> pass in log quick proto gre from 135.145.11.129 to 192.168.1.105 group 300
ML> #establish 3way handshake on a.b.c.2
ML> block in log proto tcp from any to a.b.c.2/32 flags S/SA head 302 group 300
ML> #allow DNS zone transfers
ML> pass in quick proto tcp from 209.69.70.3 to a.b.c.2 port = 53 keep state group 302
ML> #incoming connections proxied through the firewall on .2, in port order
ML> pass in log quick proto tcp from any to 192.168.1.254/32 port = 21 keep state group 302
ML> ...more of the same...
ML> pass in log quick proto tcp from 135.145.11.128 port = 1723 to 192.168.1.105/32 keep state group 302
ML> ...more of same...

ML> #finally, after everything else is processed, we bounce bad connections
ML> #this gives a proper response to UDP probes
ML> block return-icmp(port-unr) in log on fxp1 proto udp from any to any group 302
ML> block return-rst in log proto tcp from any to any group 302
ML> ############################################################################
ML> #the inside interface
ML> #outgoing on inside interface
ML> pass out log on fxp0 all head 450
ML> block out log quick from 127.0.0.0/8 to any group 450
ML> block out log quick from any to 127.0.0.0/8 group 450
ML> block out log quick from any to a.b.c.2/25 group 450
ML> #do not block syslogd
ML> pass out quick from any to 192.168.1.251 port = 514 group 450
ML> #incoming on inside interface
ML> pass in on fxp0 all head 400
ML> block in log quick from 127.0.0.0/8 to any group 400
ML> block in log quick from a.b.c.2/25 to any group 400
ML> block in log quick from 10.0.0.1/0xff000000 to any group 400
ML> pass in on fxp0 all head 400
ML> block in log quick from 127.0.0.0/8 to any group 400
ML> block in log quick from a.b.c.2/25 to any group 400
ML> block in log quick from 10.0.0.1/0xff000000 to any group 400
ML> block in quick from any to 206.154.102.240/24 group 400
ML> pass in log quick on fxp0 proto tcp from any to 192.168.1.1 port = 22 keep state group 400
ML> pass in quick on fxp0 proto udp from 192.168.1.251/32 to 192.168.1.1 port = 161 keep state group 400
ML> pass in log quick on fxp0 proto tcp from any to any keep state group 400
ML> pass in log quick on fxp0 proto udp from any to any keep state group 400
ML> pass in log quick on fxp0 proto gre from any to any group 400

-- 
Pierre
EMail : mailto:webbie(at)everyday(dot)cx
PGP Key : http://www.everyday.cx/pgpkey.txt
PGP Fingerprint: 0B9F E081 35CD B9AF 58EA 7E43 38EC C84F 4AB4 792C
network packets travelling uphill
(use a carrier pigeon)
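As an added example (not part of the thread), a small sh/awk check for the packet-loss hypothesis raised above: capture `netstat -i` before and after the FrontPage upload and compare each interface's error and collision counters. The two samples, the interface counters and the names `nic_delta` and `lossy_ifaces` are constructed here; the column layout assumed is the FreeBSD 4.x one (Ipkts Ierrs Opkts Oerrs Coll), and only each interface's `<Link#N>` row is used because the per-protocol rows repeat the same counters and can lack the Address column.

```shell
#!/bin/sh
# Constructed `netstat -i` snapshots (FreeBSD 4.x column layout assumed):
# Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
# Note lo0 has no Address column, so fields are addressed relative to NF.
SAMPLE_BEFORE='Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
fxp0  1500  <Link#1>      00:a0:c9:11:22:33 120034     0   118200     0     0
fxp0  1500  192.168.1     192.168.1.1       120034     0   118200     0     0
fxp1  1500  <Link#2>      00:a0:c9:44:55:66 980211    12   975102     3    40
lo0   16384 <Link#3>                          1200     0     1200     0     0'
SAMPLE_AFTER='Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
fxp0  1500  <Link#1>      00:a0:c9:11:22:33 131034     0   129400     0     0
fxp0  1500  192.168.1     192.168.1.1       131034     0   129400     0     0
fxp1  1500  <Link#2>      00:a0:c9:44:55:66 992450   840   986300   210   905
lo0   16384 <Link#3>                          1210     0     1210     0     0'

# nic_delta BEFORE AFTER
# Prints "iface dIpkts dIerrs dOpkts dOerrs dColl" per interface, using only
# the <Link#N> row (the first occurrence is the "before" value, the second "after").
nic_delta() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        /<Link#/ {
            n = $1; ip = $(NF-4); ie = $(NF-3); op = $(NF-2); oe = $(NF-1); co = $NF
            if (n in seen) {
                printf "%s %d %d %d %d %d\n", n, ip - ipk[n], ie - ier[n],
                       op - opk[n], oe - oer[n], co - col[n]
            } else {
                seen[n] = 1; ipk[n] = ip; ier[n] = ie; opk[n] = op; oer[n] = oe; col[n] = co
            }
        }'
}

# lossy_ifaces BEFORE AFTER
# Names interfaces whose new errors plus collisions exceed 1% of the packets
# moved in the interval; a hit on the outside NIC points at the link, not ipf.
lossy_ifaces() {
    nic_delta "$1" "$2" | awk '{
        pkts = $2 + $4; bad = $3 + $5 + $6
        if (pkts > 0 && bad * 100 > pkts) print $1
    }'
}

# Live use: nic_delta "$(netstat -i)" "$(sleep 60; netstat -i)"
lossy_ifaces "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```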