Date: Sun, 08 Jul 2001 00:14:34 -0500
From: steve <steve@clublinux.org>
To: freebsd-security@freebsd.org
Subject: IPFilter/IPNat and rdr
Message-ID: <3B47EC3A.2734754F@clublinux.org>
Hi,

First off, I'm quite new to FreeBSD and I hope I chose the correct list to mail to. In order to help teach myself FreeBSD, I'm recreating my home firewall using FreeBSD (ipfilter/ipnat) instead of Linux (ipchains). I'm using the 4.3 RELEASE of FreeBSD.

I have a web server behind the firewall that I want to allow people to access from the outside. After reading the IPFilter How-To, this seems fairly easy:

ipnat.rules
-----------
    rdr ep0 216.170.19.162/32 port 80 -> 192.168.1.100 port 80

ipfilter.rules
--------------
    pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80 flags S keep state keep frags

However, because NAT occurs before the filtering, I can no longer have a rule to prevent packets from the outside that contain a destination IP on my internal network from passing through my firewall and entering my internal network, like this:

    block in quick on ep0 from any to 192.168.0.0/16

I realize that packets with a source or destination of 192.168.0.0/16 should be dropped by routers on the internet, but I know this doesn't always happen, as our firewall at work has recorded such packets in the past.

Am I misunderstanding how IPFilter/IPNat work together? If so, is there a way around this problem? If not, would the following provide the protection I'm looking for while still allowing people to access my web server from the outside?

    pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80 flags S keep state keep frags
    block in quick on ep0 from any to 192.168.0.0/16

This would prevent any packet from the outside with a destination address of my internal network from passing through the firewall unless it was specifically going to port 80 on my web server, right?

Please CC me on any replies as I'm not currently subscribed to the list.

Thanks in advance,
Steve
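The ordering the question turns on (on the inbound path IPFilter applies ipnat rdr before the ipf rules, and quick rules stop at the first match) can be traced with a small model. This is an added illustration, not code from the mail or from IPFilter; the addresses and rules are the ones above, and the simulator, its sample packets and its default-pass assumption are mine.

```python
# Added illustration (not from the original mail): a small model of IPFilter's
# inbound packet path, in which ipnat 'rdr' rewrites the destination BEFORE the
# ipf rules are consulted, and 'quick' rules stop evaluation at the first match.
# Addresses and rules are the ones from the mail; the simulator itself is an
# assumption, not IPFilter code.
import ipaddress

PUBLIC_IP = "216.170.19.162"
WEB_SERVER = "192.168.1.100"

# rdr ep0 216.170.19.162/32 port 80 -> 192.168.1.100 port 80
def apply_rdr(pkt):
    if pkt["proto"] == "tcp" and pkt["dst"] == PUBLIC_IP and pkt["dport"] == 80:
        return {**pkt, "dst": WEB_SERVER, "dport": 80}
    return pkt

# Filter rules as (action, proto-or-None, dst-network, dport-or-None), in order.
RULES_V2 = [
    ("pass", "tcp", "192.168.1.100/32", 80),   # pass in quick ... port = 80
    ("block", None, "192.168.0.0/16", None),   # block in quick ... to 192.168.0.0/16
]

def matches(rule, pkt):
    _, proto, net, dport = rule
    if proto is not None and pkt["proto"] != proto:
        return False
    if dport is not None and pkt["dport"] != dport:
        return False
    return ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(net)

def filter_inbound(pkt, rules):
    """Return 'pass' or 'block' for a packet arriving on ep0 from the outside."""
    pkt = apply_rdr(pkt)          # NAT runs first on the inbound path
    for rule in rules:            # all rules are 'quick': first match wins
        if matches(rule, pkt):
            return rule[0]
    return "pass"                 # assumed default when nothing matches (no 'block in all')

def verdicts(rules=RULES_V2):
    # Constructed sample packets from the outside, after arrival on ep0.
    samples = {
        "web to public ip":      {"proto": "tcp", "dst": PUBLIC_IP, "dport": 80},
        "ssh to web server":     {"proto": "tcp", "dst": WEB_SERVER, "dport": 22},
        "spoofed to lan host":   {"proto": "udp", "dst": "192.168.1.50", "dport": 53},
        "direct to web srv :80": {"proto": "tcp", "dst": WEB_SERVER, "dport": 80},
    }
    return {name: filter_inbound(p, rules) for name, p in samples.items()}
```

Running verdicts() with the block rule alone shows why the original block line stopped the web traffic: after rdr the packet's destination is already 192.168.1.100, so the block matches it; the pass/block pair lets only the port-80 packets through, whether they were translated or arrived with the private address already in place.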