From: Redmond Militante
To: freebsd-security@freebsd.org
Subject: n00b ipf/ipnat questions
Date: Mon, 10 Feb 2003 18:22:56 -0600
Message-ID: <20030211002256.GA824@darkpossum>

Hi all,

I've been trying to set up an ipf/ipnat gateway machine to protect an internal network of two machines: a webserver and a MySQL server. I've been having some problems.

My gateway machine has two NICs, an external and an internal NIC. The internal NIC is hooked up to a switch. The switch is hooked up to client machines on the internal network.

/etc/rc.conf on the gateway
-------
ifconfig_lo0="inet 127.0.0.1"
ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
network_interfaces="xl0 xl1 lo0"
#aliasing herald's ip to the outside nic of gateway box
ifconfig_xl0_alias0="inet 129.x.x.6 netmask 255.255.255.255"
#inside nic of gateway box
ifconfig_xl1="inet 192.168.1.1 netmask 255.255.255.0"
ipfilter_enable="YES"
ipfilter_flags=""
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Dsvn"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
icmp_drop_redirects="YES"
gateway_enable="YES"
-------

kernel on gateway compiled with
-------
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
-------

/etc/ipf.rules on gateway
-------
#################################################################
# Outside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#
# If you wanted to do egress filtering...here's where you'd do it.
# You'd change the lines below so that rather than allowing out any
# arbitrary TCP connection, it would only allow out mail, pop3, and http
# connections (for example). So, the first line, below, would be
# replaced with:
# pass out quick on xl0 proto tcp from any to any port = 25 keep state
# pass out quick on xl0 proto tcp from any to any port = 110 keep state
# pass out quick on xl0 proto tcp from any to any port = 80 keep state
# ...and then do the same for the remaining lines so that you allow
# only specified protocols/ports 'out' of your network
#----------------------------------------------------------------
pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
block out quick on xl0 all

#-----------------------------------------------------------------------
# Block all inbound traffic from non-routable or reserved address spaces
#-----------------------------------------------------------------------
block in log quick on xl0 from 192.168.0.0/16 to any     #RFC 1918 private IP
block in log quick on xl0 from 172.16.0.0/12 to any      #RFC 1918 private IP
block in log quick on xl0 from 10.0.0.0/8 to any         #RFC 1918 private IP
block in log quick on xl0 from 127.0.0.0/8 to any        #loopback
block in log quick on xl0 from 0.0.0.0/8 to any          #loopback
block in log quick on xl0 from 169.254.0.0/16 to any     #DHCP auto-config
block in log quick on xl0 from 192.0.2.0/24 to any       #reserved for doc's
block in log quick on xl0 from 204.152.64.0/23 to any    #Sun cluster interconnect
block in quick on xl0 from 224.0.0.0/3 to any            #Class D & E multicast

#----------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only.
#----------------------------------------------------------------
pass in quick on xl0 proto udp from 129.105.49.1/32 to any port = 53 keep state
pass in quick on xl0 proto udp from 129.105.49.10/32 to any port = 68 keep state

#----------------------------------------------------------------
# If you wanted to set up a web server or mail server on your box
# (which is outside the scope of this howto), or allow another system
# on the Internet to externally SSH into your firewall, you'd want to
# uncomment the following lines and modify as appropriate. If you
# have other services running that you need to allow external access
# to, just add more lines using these as examples.
#
# If the services are on a box on your internal network (rather than
# the firewall itself), you'll have to add both the filter listed below,
# plus a redirect rule in your /etc/ipnat.rules file.
#----------------------------------------------------------------
#the following allows httpd traffic, smtp, sendmail, ftp and webmin traffic
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port = 80 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 25 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port = 21 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 443 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 3306 flags S keep state
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port = 10000 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port > 1023 flags S keep state
pass in quick on xl0 proto tcp from 129.x.x.32/24 to any keep state
pass in quick on xl0 proto udp from 129.x.x.32/24 to any keep state

#----------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service
#   isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
#   as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in log quick on xl0 all

#################################################################
# Inside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on xl1 proto tcp from any to any keep state
pass out quick on xl1 proto udp from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state
block out quick on xl1 all

#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on xl1 proto tcp from any to any keep state
pass in quick on xl1 proto udp from any to any keep state
pass in quick on xl1 proto icmp from any to any keep state
block in quick on xl1 all

#################################################################
# Loopback Interface
#################################################################

#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
-------

/etc/ipnat.rules on gateway
-------
#--------------------------------------------------------------------
# Do 'normal' IP address translation. This line will take all packets
# going out on your external NIC (xl0) that have a source address coming
# from your internal network (192.168.1.0), and translate it to whatever
# IP address your external NIC happens to have at that time
#--------------------------------------------------------------------
map xl0 192.168.1.0/24 -> 0/32
map xl0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp

#--------------------------------------------------------------------
# If you have a system on your internal network that needs to be
# 'reachable' by external systems on the internet, you'll need a rule
# similar to the one below. This one takes all inbound http traffic
# (TCP port 80) that hits the firewall's external interface (xl0) and
# redirects it to port 80 on the 192.168.1.50 system on the internal network.
# Simply uncomment the rule, change the IP address and port number so that
# it does what you need. Remember that you have to enable the corresponding
# inbound filter in your /etc/ipf.rules file, too.
#--------------------------------------------------------------------
rdr xl0 0.0.0.0/0 port 21 -> 192.168.1.50 port 21 tcp
rdr xl0 0.0.0.0/0 port 22 -> any port 22 tcp
rdr xl0 0.0.0.0/0 port 25 -> any port 25 tcp
rdr xl0 0.0.0.0/0 port 80 -> 192.168.1.50 port 80 tcp
rdr xl0 0.0.0.0/0 port 10000 -> 192.168.1.50 port 10000 tcp
rdr xl0 0.0.0.0/0 port > 1023 -> 192.168.1.50 port > 1023 tcp
rdr xl0 0.0.0.0/0 port 3306 -> any port 3306 tcp
rdr xl0 129.x.x.32/24 -> any tcp
rdr xl0 129.x.x.32/24 -> any udp
-------

/etc/sysctl.conf on gateway
-------
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
-------

I've managed to get it NAT'ing one machine so far, the webserver. The public IP of the webserver is aliased to the external NIC on the gateway machine. httpd and ftp work OK behind the gateway box. I have many questions, however, the first being why, despite the firewall rules I have in place on the gateway, when I nmap the public IP of the webserver it shows me all sorts of ports being open. I can't make out from my gateway configuration where this is happening.

Any advice would be appreciated.

Thanks,
Redmond
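As an added check that is not part of Redmond's message or of IPFilter, the following Python script parses inbound `pass in` rules in /etc/ipf.rules syntax and flags the patterns in the rule set above that make a scan of the public address report many ports open: a `port > 1023` range (every high port, not one service), `from any to any port = N` on the outside interface (the rule also admits traffic to the gateway's own addresses, not just the NAT target), and a /24 mask on what is meant to be one host. The sample rules are constructed, with 192.0.2.32/24 standing in for the poster's elided 129.x.x.32/24.

```python
import re

# Constructed sample in /etc/ipf.rules syntax; 192.0.2.32/24 stands in for the
# poster's elided 129.x.x.32/24 (an assumption, not the real address).
SAMPLE_RULES = """\
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port = 80 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 3306 flags S keep state
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port > 1023 flags S keep state
pass in quick on xl0 proto tcp from 192.0.2.32/24 to any keep state
pass in quick on xl0 proto udp from 129.105.49.1/32 to any port = 53 keep state
block in log quick on xl0 all
"""

# Minimal grammar for the inbound pass rules used on this page:
#   pass in [log] quick on IFACE [proto P] from SRC [port OP N] to DST [port OP N] ...
RULE_RE = re.compile(
    r"^pass\s+in\b.*?\bon\s+(?P<iface>\S+)"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)(?:\s+port\s+[=<>!]+\s+\S+)?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dop>[=<>!]+)\s+(?P<dport>\S+))?"
)


def audit_inbound_rules(text, external_iface="xl0"):
    """Return (line_no, warning) pairs for inbound pass rules on the external
    interface that admit more than one service on one host."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line.strip())
        if not m or m["iface"] != external_iface:
            continue
        src, dst, dop, dport = m["src"], m["dst"], m["dop"], m["dport"]
        proto = m["proto"] or "ip"
        if dop is None:
            # No destination port at all: the whole protocol is let in.
            findings.append((no, f"no port restriction: all {proto} from {src} passes in"))
        elif dop == ">":
            # A '>' range is every high port, not a service; a scan shows them all open.
            findings.append((no, f"port > {dport} opens every high port to {dst}"))
        if src == "any" and dst == "any" and dop == "=":
            # 'to any' includes the gateway's own addresses, not just the NAT target.
            findings.append((no, f"from any to any port {dport} also reaches the firewall itself"))
        if "/" in dst and not dst.endswith(("/32", "/0")):
            # A /24 on a host address matches the whole subnet.
            findings.append((no, f"{dst} is a network, not a host; a single server is /32"))
    return findings


if __name__ == "__main__":
    for no, warning in audit_inbound_rules(SAMPLE_RULES):
        print(f"line {no}: {warning}")
```

Run against a real ipf.rules, the same checks point at the lines to tighten: one `pass in` per service, `/32` on the internal host, no `port >` ranges, and the matching `rdr` in ipnat.rules limited to the same single port.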