Date: Thu, 29 Jun 2000 16:34:43 -0700
From: Pierre Chiu <pccb@yahoo.com>
To: Michael Lucas <mwlucas@blackhelicopters.org>
Cc: freebsd-security@freebsd.org
Subject: Re: ipfilter & pptp & freebsd
Message-ID: <14149621401.20000629163443@everyday.cx>
In-Reply-To: <200006291740.NAA16472@blackhelicopters.org>
References: <200006291740.NAA16472@blackhelicopters.org>
For debugging purposes, how about keeping the NAT rules but dropping all the
firewall rules?
And also, you might want to check out the NIC stats (netstat -i) while FrontPage
is uploading. The problem could be packet loss.
Thursday, June 29, 2000, 10:40:21 AM, you wrote:
ML> Well, I got a FreeBSD firewall at work, after explaining how the
ML> commercial ones weren't any better and cost far more for not much
ML> gain. And it makes the enterprise-critical application fail.
ML> Sometimes life is just not fair.
ML> Anyway, I have a FreeBSD 4.-stable machine as our gateway box. I'm
ML> using ipfilter for NAT and connection control. Inside the network, I
ML> have a Windows machine, running FrontPage, that needs to publish data
ML> to the outside world via pptp tunnels. This machine pumps hundreds of
ML> meg a day.
ML> If we take this system and put it outside the firewall, it shoves data
ML> quickly. Inside the firewall, it runs painfully slowly. In the last
ML> 50 minutes, it's sent 1,181,971 bytes.
ML> Below, I replace the class C with a.b.c to protect the guilty.
ML> 192.168.1.105 is my pptp host.
ML> I'd appreciate any help anyone has to offer, or any tips on what to check.
ML> Thanks,
ML> Michael
ML> My ipnat.conf looks like:
ML> #then the general NAT for the office
ML> #first, pptp
ML> rdr fxp1 a.b.c.2/32 port 0 -> 192.168.1.105 port 0 gre
ML> rdr fxp1 a.b.c.2/32 port 1723 -> 192.168.1.105 port 1723 tcpudp
ML> #then regular networking
ML> map fxp1 192.168.1.1/24 -> a.b.c.2/32 proxy port ftp ftp/tcp
ML> map fxp1 192.168.1.1/24 -> a.b.c.2/32 portmap tcp/udp 10000:40000
ML> #finally, allow any any outgoing protocol
ML> map fxp1 192.168.1.0/24 -> a.b.c.2/32
ML> rdr fxp1 a.b.c.2/32 port 21 -> 192.168.1.254 port 21
ML> ... plus a bunch more "redirect this for incoming services"...
ML> My ipf.conf looks like:
ML> #universal rules
ML> block in log quick from any to any with ipopts
ML> block in log quick proto tcp from any to any with short
ML> #the outside interface
ML> #outgoing on outside
ML> pass out on fxp1 all head 350
ML> block out from 127.0.0.0/8 to any group 350
ML> block out from any to 127.0.0.0/8 group 350
ML> block out from any to 192.168.1.1/24 group 350
ML> pass out log quick proto tcp from a.b.c.2 to any keep state group 350
ML> pass out log quick proto udp from a.b.c.2 to any keep state group 350
ML> #incoming on outside
ML> #first, the rules for all traffic
ML> pass in on fxp1 all head 300
ML> block in log quick from 127.0.0.0/8 to any group 300
ML> block in log quick from 192.168.1.1/32 to any group 300
ML> block in log quick from 10.0.0.1/0xff000000 to any group 300
ML> #for DNS queries to firewall exterior
ML> pass in quick proto udp from any to a.b.c.2 port = 53 keep state group 300
ML> #for pptp tunnel
ML> pass in log quick proto gre from 135.145.11.128 to a.b.c.2 group 300
ML> pass in log quick proto gre from 135.145.11.129 to a.b.c.2 group 300
ML> pass in log quick proto gre from 135.145.11.128 to 192.168.1.105 group 300
ML> pass in log quick proto gre from 135.145.11.129 to 192.168.1.105 group 300
ML> #establish 3way handshake on a.b.c.2
ML> block in log proto tcp from any to a.b.c.2/32 flags S/SA head 302 group 300
ML> #allow DNS zone transfers
ML> pass in quick proto tcp from 209.69.70.3 to a.b.c.2 port = 53 keep state group 302
ML> #incoming connections proxied through the firewall on .2, in port order
ML> pass in log quick proto tcp from any to 192.168.1.254/32 port = 21 keep state group 302
ML> ...more of the same...
ML> pass in log quick proto tcp from 135.145.11.128 port = 1723 to 192.168.1.105/32 keep state group 302
ML> ...more of same...
ML> #finally, after everything else is processed, we bounce bad connections
ML> #this gives a proper response to UDP probes
ML> block return-icmp(port-unr) in log on fxp1 proto udp from any to any group 302
ML> block return-rst in log proto tcp from any to any group 302
ML> ############################################################################
ML> #the inside interface
ML> #outgoing on inside interface
ML> pass out log on fxp0 all head 450
ML> block out log quick from 127.0.0.0/8 to any group 450
ML> block out log quick from any to 127.0.0.0/8 group 450
ML> block out log quick from any to a.b.c.2/25 group 450
ML> #do not block syslogd
ML> pass out quick from any to 192.168.1.251 port = 514 group 450
ML> #incoming on inside interface
ML> pass in on fxp0 all head 400
ML> block in log quick from 127.0.0.0/8 to any group 400
ML> block in log quick from a.b.c.2/25 to any group 400
ML> block in log quick from 10.0.0.1/0xff000000 to any group 400
ML> pass in on fxp0 all head 400
ML> block in log quick from 127.0.0.0/8 to any group 400
ML> block in log quick from a.b.c.2/25 to any group 400
ML> block in log quick from 10.0.0.1/0xff000000 to any group 400
ML> block in quick from any to 206.154.102.240/24 group 400
ML> pass in log quick on fxp0 proto tcp from any to 192.168.1.1 port = 22 keep state group 400
ML> pass in quick on fxp0 proto udp from 192.168.1.251/32 to 192.168.1.1 port = 161 keep state group 400
ML> pass in log quick on fxp0 proto tcp from any to any keep state group 400
ML> pass in log quick on fxp0 proto udp from any to any keep state group 400
ML> pass in log quick on fxp0 proto gre from any to any group 400
--
Pierre
\\|//
(o o)
+-------------------------oOOo-(_)-oOOo-----------------------------+
EMail : mailto:webbie(at)everyday(dot)cx
PGP Key : http://www.everyday.cx/pgpkey.txt
PGP Fingerprint: 0B9F E081 35CD B9AF 58EA 7E43 38EC C84F 4AB4 792C
+-------------------------------------------------------------------+
network packets travelling uphill (use a carrier pigeon)
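Pierre's netstat -i check, worked through as an added example that is not code from this thread: take a snapshot of the interface counters before and after the FrontPage upload and diff them per NIC, so packet loss on fxp0 or fxp1 can be ruled in or out before the ipf and ipnat rules are touched. The two snapshots below are constructed sample output in the FreeBSD 4.x column layout, not real counters from Michael's gateway.

```python
"""Diff two `netstat -i` snapshots (FreeBSD 4.x column layout) to spot
packet loss on the firewall's NICs during a bulk transfer. Added example,
not code from the thread; the snapshots are constructed sample output."""

NETSTAT_BEFORE = """\
Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
fxp0  1500  <Link#1>    00:a0:c9:11:22:33   100000     0   120000     0     0
fxp0  1500  192.168.1     192.168.1.1       100000     -   120000     -     -
fxp1  1500  <Link#2>    00:a0:c9:44:55:66   300000     2   280000     0     0
lo0   16384 <Link#3>                          5000     0     5000     0     0
"""
NETSTAT_AFTER = """\
Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
fxp0  1500  <Link#1>    00:a0:c9:11:22:33   180000    40   150000     0   900
fxp0  1500  192.168.1     192.168.1.1       180000     -   150000     -     -
fxp1  1500  <Link#2>    00:a0:c9:44:55:66   330000     2   330000     0     0
lo0   16384 <Link#3>                          5100     0     5100     0     0
"""
COUNTERS = ("ipkts", "ierrs", "opkts", "oerrs", "coll")


def parse_netstat_i(text):
    """{ifname: {counter: int}} from the link-level rows only: the
    per-address rows show '-' for errors and are skipped. Counters are
    taken from the right because lo0 has a blank Address column."""
    stats = {}
    for line in text.splitlines():
        if "<Link#" in line:
            fields = line.split()
            stats[fields[0]] = dict(zip(COUNTERS, map(int, fields[-5:])))
    return stats


def interface_deltas(before, after):
    """Counter growth per interface between the two snapshots, plus the
    input error rate (errors per input packet) over that interval."""
    old_all = parse_netstat_i(before)
    deltas = {}
    for name, new in parse_netstat_i(after).items():
        old = old_all.get(name, dict.fromkeys(COUNTERS, 0))
        d = {k: new[k] - old[k] for k in COUNTERS}
        d["ierr_rate"] = d["ierrs"] / d["ipkts"] if d["ipkts"] else 0.0
        deltas[name] = d
    return deltas


def lossy_interfaces(before, after):
    """Interfaces whose errors or collisions grew during the upload; a
    non-zero delta here is worth chasing before touching the rules."""
    return sorted(n for n, d in interface_deltas(before, after).items()
                  if d["ierrs"] or d["oerrs"] or d["coll"])
```

A collision count that climbs on a switched, nominally full-duplex link such as the inside fxp0 is the classic sign of a duplex mismatch on that NIC, which is one way a transfer can be fast outside the firewall and slow behind it.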
