Delivered-To: freebsd-hackers@freebsd.org
From: Matt Dillon <dillon@earth.backplane.com>
Date: Thu, 26 Apr 2001 16:21:51 -0700 (PDT)
Message-Id: <200104262321.f3QNLpx61257@earth.backplane.com>
To: Jesús Arnáiz
Subject: Re: NAT and IPFiltering

:Hi!
:
:I'm configuring a server able to do NAT and IP FILTERING (IPF).
:
:What are the required options that I should set in the kernel?
:
:I have this:
:...
:Jesús Arnáiz

    I think all you need is:

        options IPFIREWALL
        options IPDIVERT

    I usually also have (because it is useful):

        options IPFILTER
        options IPFIREWALL_FORWARD

    --

    For my firewall configuration:

        firewall_enable="YES"
        firewall_type="/etc/ipfw.conf"
        ip_portrange_first=4000
        ip_portrange_last=5000

    My /etc/ipfw.conf file contains:

        # do not allow an outside entity to spoof our internal network
        # IPs
        add 00300 deny all from 10.0.0.0/8 in via fxp0

        # NATD diversions
        #
        add 00400 divert 8668 ip from 10.0.0.0/8 to not 10.0.0.0/8
        add 00400 divert 8668 ip from not 10.0.0.0/8 to 208.161.114.67

        # allow data related to already-established TCP connections
        # (near the top of the ruleset to packet switch efficiently)
        #
        add 01000 allow tcp from any to any established

        # allow all outgoing packets
        #
        add 01001 allow all from any to any out via fxp0
        add 01001 allow all from any to any out via fxp1

        # allow all strictly internal network traffic
        add 01010 allow all from 10.0.0.0/8 to 10.0.0.0/8

        # allow temporary ports and specific UDP services
        #
        add 02000 allow udp from any to any 4000-65535,domain,ntalk,ntp
        add 02500 allow udp from any to any frag

        # allow temporary ports and specific TCP services.  Note that
        # TCP packet fragments are not allowed.
        #
        add 03000 allow tcp from any to any http,https
        add 03000 allow tcp from any to any 4000-65535,ssh,smtp,domain,ntalk
        add 03000 allow tcp from any to any auth,pop3,ftp,ftp-data

        # allow certain icmp types through for ping, routing errors, and
        # tcp mtu path negotiation.
        #
        add 04000 allow icmp from any to any icmptypes 0,3,5,8,11,12,13,14

        # log any remaining fragments that get through and deny the rest
        #
        add 05000 deny log ip from any to any frag
        add 65000 deny ip from any to any

    The rc.conf setup for my ethernet ports is roughly:

        # Exposed network
        #
        ifconfig_fxp0="inet 208.161.114.65 netmask 255.255.255.192"

        # Exposed for NAT
        # (a second address inside the primary address's subnet is normally
        # given netmask 255.255.255.255; with the subnet mask repeated,
        # ifconfig reports "File exists" for the duplicate route)
        #
        ifconfig_fxp0_alias1="inet 208.161.114.67 netmask 255.255.255.192"

        # Internal network
        #
        ifconfig_fxp1="inet 10.0.0.2 netmask 255.255.255.0"

    And I run natd from /etc/rc.local using:

        natd -s -u -a 208.161.114.67

    *ALL* exposed services run from this machine are tied to the machine's
    exposed IP address, in my case 208.161.114.65.  It requires some work in
    named, sendmail.cf, and so forth to get the services bound to the correct
    IP address (you don't want to bind services to your NAT address).  The .67
    address in my case is only used for NAT traffic.

    The 4000-65535 junk is only really necessary for programs which use UDP
    (like DNS) and expect replies via UDP.  I don't run any internal TCP or
    UDP services on higher numbered ports but I like having the flexibility.
    With some care and hardwiring of UDP ports for the services that need
    them, you can rip out the 4000-65535 stuff entirely.  I use it because
    it's reasonably secure and a 'fire and forget' type of setup.

    If you are using NAT, your internal network should be in the 10.x.x.x
    space, and your external network should of course be in your
    internet-visible space.

                                        -Matt
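The ruleset in the message above, run through a small first-match simulator.  This is an added example, not Matt's code and not part of FreeBSD; it models only the ipfw semantics a reader needs to follow that ruleset: rules are tried in order and the first match decides; "established" tests only the ACK/RST bits of a TCP packet (a flag check, not connection tracking); a non-first fragment carries no transport header, so port, TCP-flag and icmptype tests can never match it; and a rule written without a "to" clause (00300) is treated as "to any".  natd's address rewriting and the reinjection that follows a divert are not modelled, so each call evaluates a single pass of a single packet.  The interface names and the 208.161.114.65/.67 and 10.0.0.0/8 addresses are the post's; the outside host 198.51.100.7, the sample packets and the port-name table (standard /etc/services numbers) are constructed here.  As I read the post, the 4000-65535 ranges in 02000 and 03000 exist so that replies can reach the ephemeral ports that ip_portrange_first=4000 starts at, which the DNS-reply packet below exercises.

```python
"""Added example, not from the post: first-match simulator for the ipfw ruleset above.
One call evaluates one pass of one packet; natd's rewrite and reinjection are not modelled."""
import ipaddress
import re

SERVICES = {"domain": 53, "ntalk": 518, "ntp": 123, "http": 80, "https": 443, "ssh": 22,
            "smtp": 25, "auth": 113, "pop3": 110, "ftp": 21, "ftp-data": 20}
RULESET = """\
add 00300 deny all from 10.0.0.0/8 in via fxp0
add 00400 divert 8668 ip from 10.0.0.0/8 to not 10.0.0.0/8
add 00400 divert 8668 ip from not 10.0.0.0/8 to 208.161.114.67
add 01000 allow tcp from any to any established
add 01001 allow all from any to any out via fxp0
add 01001 allow all from any to any out via fxp1
add 01010 allow all from 10.0.0.0/8 to 10.0.0.0/8
add 02000 allow udp from any to any 4000-65535,domain,ntalk,ntp
add 02500 allow udp from any to any frag
add 03000 allow tcp from any to any http,https
add 03000 allow tcp from any to any 4000-65535,ssh,smtp,domain,ntalk
add 03000 allow tcp from any to any auth,pop3,ftp,ftp-data
add 04000 allow icmp from any to any icmptypes 0,3,5,8,11,12,13,14
add 05000 deny log ip from any to any frag
add 65000 deny ip from any to any"""
NOT_OPT = r"(?!(?:to|in|out|via|established|frag|icmptypes)\b)"  # keeps keywords out of port specs
RULE_RE = re.compile(
    r"add (?P<num>\d+) (?P<action>\w+)(?: \d+)?(?: log)? (?P<proto>\w+) "
    r"from (?P<snot>not )?(?P<src>\S+)(?: " + NOT_OPT + r"(?P<sports>\S+))?"
    r"(?: to (?P<dnot>not )?(?P<dst>\S+)(?: " + NOT_OPT + r"(?P<dports>\S+))?)?"
    r"(?P<opts>(?: \S+)*)$")

def net(tok):                       # 'any' and a missing 'to' clause (rule 00300) both mean 0/0
    return ipaddress.ip_network("0.0.0.0/0" if tok in (None, "any") else tok, strict=False)

def parse_ports(spec):
    """'4000-65535,ssh,ftp-data' -> [(4000, 65535), (22, 22), (20, 20)]; None stays None."""
    if spec is None:
        return None
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-") if item[0].isdigit() else (str(SERVICES[item]), "", "")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def parse_rule(line):
    m = RULE_RE.match(line).groupdict()
    opts, toks = {}, m["opts"].split()
    while toks:                     # 'via' and 'icmptypes' take an argument, the rest are flags
        key = toks.pop(0)
        if key == "via":
            opts[key] = toks.pop(0)
        elif key == "icmptypes":
            opts[key] = {int(x) for x in toks.pop(0).split(",")}
        else:
            opts[key] = True
    return {"num": int(m["num"]), "action": m["action"], "proto": m["proto"], "opts": opts,
            "src": net(m["src"]), "src_not": bool(m["snot"]), "sports": parse_ports(m["sports"]),
            "dst": net(m["dst"]), "dst_not": bool(m["dnot"]), "dports": parse_ports(m["dports"])}

def matches(r, p):
    o, src, dst = r["opts"], ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"])
    if r["proto"] not in ("ip", "all") and r["proto"] != p["proto"]:
        return False
    if (src in r["src"]) == r["src_not"] or (dst in r["dst"]) == r["dst_not"]:
        return False
    if any(d in o and p["dir"] != d for d in ("in", "out")) or o.get("via", p["iface"]) != p["iface"]:
        return False
    if "frag" in o and not p["frag"]:
        return False
    # A non-first fragment carries no TCP/UDP/ICMP header, so port, TCP-flag and icmptype
    # tests never match it: that is why rule 05000, not 03000, decides TCP fragments.
    if p["frag"]:
        return not (r["sports"] or r["dports"] or "established" in o or "icmptypes" in o)
    for port, ranges in ((p["sport"], r["sports"]), (p["dport"], r["dports"])):
        if ranges and not any(lo <= port <= hi for lo, hi in ranges):
            return False
    if "established" in o and not p["flags"] & {"ACK", "RST"}:
        return False                # stateless: only the ACK/RST bits are inspected
    return "icmptypes" not in o or p["icmptype"] in o["icmptypes"]

def evaluate(rules, p):             # (action, number) of the first match; 65535 is ipfw's default deny
    return next(((r["action"], r["num"]) for r in rules if matches(r, p)), ("deny", 65535))

def pkt(proto, src, dst, direction, iface, sport=0, dport=0, flags=(), frag=False, icmptype=None):
    return {"proto": proto, "src": src, "dst": dst, "dir": direction, "iface": iface, "sport": sport,
            "dport": dport, "flags": set(flags), "frag": frag, "icmptype": icmptype}

RULES = [parse_rule(line) for line in RULESET.splitlines()]
EXT, NAT, NET = "208.161.114.65", "208.161.114.67", "198.51.100.7"  # NET: constructed outside host
SCENARIOS = {  # constructed packets, one pass each
    "spoofed 10/8 source on fxp0":      pkt("tcp", "10.1.2.3", EXT, "in", "fxp0", 40000, 80, {"SYN"}),
    "SYN to ssh on exposed address":    pkt("tcp", NET, EXT, "in", "fxp0", 40000, 22, {"SYN"}),
    "SYN to telnet (not listed)":       pkt("tcp", NET, EXT, "in", "fxp0", 40000, 23, {"SYN"}),
    "ACK-only probe to telnet":         pkt("tcp", NET, EXT, "in", "fxp0", 40000, 23, {"ACK"}),
    "non-first TCP fragment":           pkt("tcp", NET, EXT, "in", "fxp0", frag=True),
    "DNS reply to an ephemeral port":   pkt("udp", NET, EXT, "in", "fxp0", 53, 4567),
    "internal host bound for Internet": pkt("tcp", "10.0.0.5", NET, "in", "fxp1", 3456, 80, {"SYN"}),
    "reply to the NAT address":         pkt("tcp", NET, NAT, "in", "fxp0", 80, 4000, {"SYN", "ACK"}),
}
RESULTS = {name: evaluate(RULES, p) for name, p in SCENARIOS.items()}
if __name__ == "__main__": print(*RESULTS.items(), sep="\n")
```

Running it prints the deciding (action, rule) for each packet.  Two results are worth a second look.  The ACK-only probe to port 23 is passed by 01000 even though telnet is not in any 03000 list, because "established" matches on flag bits alone; the ruleset has no state, so anything with ACK set reaches a listening socket on any port, which is what an ACK scan relies on.  The TCP fragment is not passed by the 03000 rules, since they carry port specifications that a non-first fragment cannot satisfy, and falls through to 05000 exactly as the comment in the ruleset says.  Both packets bound for translation (10.0.0.5 out, and the reply to .67 in) hit 00400 before anything else, which is why the divert rules sit ahead of the "established" rule.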