From owner-freebsd-net Fri Feb 2 7:14:37 2001
Delivered-To: freebsd-net@freebsd.org
Received: from cgaylord.async.vt.edu (e028121.vtacs.vt.edu [63.164.28.121]) by hub.freebsd.org (Postfix) with ESMTP id 0F8C837B4EC for ; Fri, 2 Feb 2001 07:14:15 -0800 (PST)
Received: by cgaylord.async.vt.edu (Postfix, from userid 1000) id 7756BFD; Fri, 2 Feb 2001 10:14:13 -0500 (EST)
To: freebsd-net@freebsd.org
Subject: (fwd) Re: FreeBSD ip masq, ip aliasing
From: cgaylord@vt.edu
Message-Id: <20010202151413.7756BFD@cgaylord.async.vt.edu>
Date: Fri, 2 Feb 2001 10:14:13 -0500 (EST)
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I recently posted this to comp.unix.bsd.misc and thought I'd go ahead and air this idea here. I'd appreciate any criticism, constructive or otherwise, this group would care to heap upon me. Thanks.

Clark

John M Cherko wrote:
> I am confused as to how to accomplish ip aliasing/ip masqing (I
> believe they are the same) on a FreeBSD system. I currently run Linux 2.2
> now and have stuck with it because I know how to run ip masqing on it.
> I have been wanting to switch over to a BSD, mainly FreeBSD because of the

The way it works is via BSD's "divert" sockets. You have ipfw (or ipfirewall, if you like) divert traffic to natd. It is all spelled out very nicely in the natd man page. The other firewall config is done via ipfw. You will likely want to hack rc.firewall to suit your needs; this is a very readable script, so mods are pretty straightforward. The SIMPLE method may work ok for you, though; read the script and see. I am working on a way to do a larger class of firewalls via rc.conf variables, but that still needs some work.

man natd
man ipfw
man divert
build kernel with IPFIREWALL
vi /etc/rc.conf
vi /etc/rc.firewall

I can't really compare it to Linux. It works well, the code is readable (if you are interested in that). It is quite flexible. Following, for example, is my ipfw setup (via ipfw list).
I've cleaned off my IP address; rl0 is inside; rl1 is outside. My setup is perhaps a bit promiscuous for some people's taste, but I run POP3, IMAP, web, ftp, et al. I also run tcpwrappers (actually this is built into FreeBSD's inetd!) to clean some of this up, and I log pretty gratuitously except as noted below (you'll notice I don't pay attention to probes on tcp113, udp137, or udp138). I use 10.0.1.0/24 for my inside.

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow ip from 10.0.1.0/24 to any via rl0
00400 allow ip from any to 10.0.1.0/24 via rl0
00500 allow udp from 0.0.0.0 68 to 255.255.255.255 67 via rl0
00600 deny log logamount 100 ip from any to any via rl0
00700 deny ip from 10.0.1.0/24 to any in recv rl1
00800 deny ip from to any in recv rl0
00900 deny ip from any to 10.0.0.0/8 via rl1
01000 deny ip from any to 172.16.0.0/12 via rl1
01100 deny ip from any to 192.168.0.0/16 via rl1
01200 deny ip from any to 0.0.0.0/8 via rl1
01300 deny ip from any to 169.254.0.0/16 via rl1
01400 deny ip from any to 192.0.2.0/24 via rl1
01500 deny ip from any to 224.0.0.0/4 via rl1
01600 deny ip from any to 240.0.0.0/4 via rl1
01700 divert 8668 ip from any to any via rl1
01800 deny ip from 10.0.0.0/8 to any via rl1
01900 deny ip from 172.16.0.0/12 to any via rl1
02000 deny ip from 192.168.0.0/16 to any via rl1
02100 deny ip from 0.0.0.0/8 to any via rl1
02200 deny ip from 169.254.0.0/16 to any via rl1
02300 deny ip from 192.0.2.0/24 to any via rl1
02400 deny ip from 224.0.0.0/4 to any via rl1
02500 deny ip from 240.0.0.0/4 to any via rl1
02600 allow tcp from any to any established
02700 allow ip from any to any frag
02800 allow tcp from any to 9 setup
02900 allow tcp from any to 21 setup
03000 allow tcp from any to 22 setup
03100 allow tcp from any to 23 setup
03200 allow tcp from any to 25 setup
03300 allow tcp from any to 37 setup
03400 allow tcp from any to 79 setup
03500 allow tcp from any to 80 setup
03600 allow tcp from any to 110 setup
03700 allow tcp from any to 143 setup
03800 allow tcp from any to 515 setup
03900 allow tcp from any to 51210 setup
04000 allow udp from any to 37
04100 allow udp from any 37 to
04200 allow udp from any to 53
04300 allow udp from any 53 to
04400 allow udp from any to 123
04500 allow udp from any 123 to
04600 allow udp from any to 161
04700 allow udp from any 161 to
04800 allow udp from any to 51200
04900 allow udp from any 51200 to
05000 allow udp from any to 51201
05100 allow udp from any 51201 to
05200 deny tcp from any to 113 setup
05300 deny udp from any to any 137 via rl1
05400 deny udp from any to any 138 via rl1
05500 deny log logamount 100 tcp from any to via rl1 setup
05600 deny log logamount 100 udp from any to via rl1
65535 allow ip from any to any

This was generated by the following diff to rc.firewall (remember, this is for illustration purposes only; I want to clean this up a little more before submitting it ... but I'd be happy to hear comments/criticisms).

> [Cc][Uu][Ss][Tt][Oo][Mm])
> # Clark's custom setup. Based loosely on simple.
> # Variables to snarf from rc.conf:
> # outside_if
> # outside_net
> # outside_mask
> # outside_ip
> # inside_if
> # inside_net
> # inside_mask
> # inside_ip
> # tcp_allow
> # udp_allow
> # tcp_deny
> # tcp_deny_log
> # udp_deny
> # udp_deny_log
>
> # Allow only inside net addresses and DHCP on inside interface
> ${fwcmd} add allow all from ${inside_net}:${inside_mask} to any \
> via ${inside_if}
> ${fwcmd} add allow all from any to ${inside_net}:${inside_mask} \
> via ${inside_if}
> ${fwcmd} add allow udp from 0.0.0.0 68 to 255.255.255.255 67 \
> via ${inside_if}
> ${fwcmd} add deny log all from any to any via ${inside_if}
>
> # Stop spoofing
> ${fwcmd} add deny all from ${inside_net}:${inside_mask} to any \
> in via ${outside_if}
> ${fwcmd} add deny all from ${outside_net}:${outside_mask} to any \
> in via ${inside_if}
>
> # RFC1918
> ${fwcmd} add deny all from any to 10.0.0.0/8 via ${outside_if}
> ${fwcmd} add deny all from any to 172.16.0.0/12 via ${outside_if}
> ${fwcmd} add deny all from any to 192.168.0.0/16 via ${outside_if}
>
> # manning
> ${fwcmd} add deny all from any to 0.0.0.0/8 via ${outside_if}
> ${fwcmd} add deny all from any to 169.254.0.0/16 via ${outside_if}
> ${fwcmd} add deny all from any to 192.0.2.0/24 via ${outside_if}
> ${fwcmd} add deny all from any to 224.0.0.0/4 via ${outside_if}
> ${fwcmd} add deny all from any to 240.0.0.0/4 via ${outside_if}
>
> # NAT
> case ${natd_enable} in
> [Yy][Ee][Ss])
> if [ -n "${natd_interface}" ]; then
> ${fwcmd} add divert natd all from any to any \
> via ${natd_interface}
> fi
> ;;
> esac
>
> # I guess we can allow something
> ${fwcmd} add allow tcp from any to any established
> ${fwcmd} add allow all from any to any frag
>
> # need to check for null/unset
> for port in ${tcp_allow}; do
> ${fwcmd} add allow tcp from any to ${outside_ip} ${port} setup
> done
> for port in ${udp_allow}; do
> ${fwcmd} add allow udp from any to ${outside_ip} ${port}
> ${fwcmd} add allow udp from any ${port} to ${outside_ip}
> done
>
> for port in ${tcp_deny_log}; do
> ${fwcmd} add deny log tcp from any to ${outside_ip} ${port} setup
> done
> for port in ${tcp_deny}; do
> ${fwcmd} add deny tcp from any to ${outside_ip} ${port} setup
> done
>
> for port in ${udp_deny_log}; do
> ${fwcmd} add deny log udp from any to any ${port} via ${outside_if}
> done
> for port in ${udp_deny}; do
> ${fwcmd} add deny udp from any to any ${port} via ${outside_if}
> done
>
> # deny and log all other connection attempts on outside interface
> ${fwcmd} add deny log tcp from any to ${outside_ip} setup via ${outside_if}
> ${fwcmd} add deny log udp from any to ${outside_ip} via ${outside_if}
> ;;
>

I don't often read this newsgroup, so if you want to respond to the group send me a pointer e-mail or cc: me. ;-)

--
Clark K. Gaylord
Senior Research Engineer
Communications Network Services
Virginia Tech, Blacksburg, Virginia 24061-0506
Voice: 540/231-2347 Fax: 540/231-3928
E-mail: cgaylord@cns.vt.edu

-- end of forwarded message --

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
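Review bot: in the udp_allow loop, the reply rule `${fwcmd} add allow udp from any ${port} to ${outside_ip}` matches on source port alone, so any host can reach every UDP port on ${outside_ip} just by sending from port 53, 123 or 161 (the `ipfw list` output shows the result as rules 04100 to 05100); either restrict that rule to the destination ports your resolver and NTP/SNMP clients actually use, or replace the pair with one `keep-state` rule on the outbound query so that only genuine replies are let in. Two smaller points in the same block: the closing `deny log` rules cover only tcp and udp to ${outside_ip}, so ICMP and any other protocol arriving on ${outside_if} falls through to rule 65535, which is `allow ip from any to any` in this kernel; and the source-address bogon rules that the listing has after the divert (01800 to 02500) have no counterpart in the script, so the listing and the script do not describe quite the same ruleset.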
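The listing and the script above only make sense once you trace a packet through them in rule order, so here is an added example, written for this page and not taken from the original message or from FreeBSD: a small Python evaluator for the `ipfw list` syntax used above. It assumes 203.0.113.1 for the outside address the author cleaned off, 198.51.100.7 as a placeholder Internet host, and a constructed subset of the rules; it models first-match semantics, `divert` handing the packet to natd and then continuing at the next rule (the packet is assumed to come back unchanged, as for traffic addressed to the firewall itself), `setup` as SYN without ACK, `established` as ACK or RST, and `frag` as a non-first fragment, which can never match a rule that names ports or TCP flags.

```python
# Added example (not from the original message): a first-match evaluator for the
# ipfw(8) rule syntax in the listing above. Assumptions: 203.0.113.1 stands in for
# the outside address the author removed; RULESET is a constructed subset of his rules.
import ipaddress

OUTSIDE_IP = "203.0.113.1"
RULESET = """
00700 deny ip from 10.0.1.0/24 to any in recv rl1
01100 deny ip from any to 192.168.0.0/16 via rl1
01700 divert 8668 ip from any to any via rl1
01800 deny ip from 10.0.0.0/8 to any via rl1
02600 allow tcp from any to any established
02700 allow ip from any to any frag
03000 allow tcp from any to 203.0.113.1 22 setup
04200 allow udp from any to 203.0.113.1 53
04300 allow udp from any 53 to 203.0.113.1
05500 deny log logamount 100 tcp from any to 203.0.113.1 via rl1 setup
65535 allow ip from any to any
"""

def _endpoint(toks, i):                  # '<any|addr[/len]> [port]' -> (network or None, port or None, next i)
    net = None if toks[i] == "any" else ipaddress.ip_network(toks[i], strict=False)
    i += 1
    port = int(toks[i]) if i < len(toks) and toks[i].isdigit() else None
    return net, port, i + (port is not None)

def parse_rule(line):
    toks = line.split()
    rule = {"num": int(toks[0]), "action": toks[1], "iface": None, "dir": None, "opts": set()}
    i = 2
    if rule["action"] == "divert":
        rule["divert_port"], i = int(toks[i]), i + 1
    if toks[i] == "log":                 # 'log [logamount N]' does not affect matching
        i += 3 if toks[i + 1] == "logamount" else 1
    rule["proto"], i = toks[i], i + 2    # protocol, then skip the 'from' keyword
    rule["src"], rule["sport"], i = _endpoint(toks, i)
    rule["dst"], rule["dport"], i = _endpoint(toks, i + 1)   # i + 1 skips 'to'
    while i < len(toks):
        t = toks[i]
        if t in ("via", "recv"):         # 'ipfw list' prints 'in via X' as 'in recv X'
            rule["iface"], i = toks[i + 1], i + 2
        elif t in ("in", "out"):
            rule["dir"], i = t, i + 1
        else:                            # setup / established / frag
            rule["opts"].add(t)
            i += 1
    return rule

def matches(rule, p):
    if rule["proto"] not in ("ip", p["proto"]):
        return False
    for side in ("src", "dst"):
        if rule[side] is not None and ipaddress.ip_address(p[side]) not in rule[side]:
            return False
    if (rule["iface"] and rule["iface"] != p["iface"]) or (rule["dir"] and rule["dir"] != p["dir"]):
        return False
    later_frag = p["frag_off"] > 0
    if "frag" in rule["opts"] and not later_frag:
        return False
    if rule["sport"] is None and rule["dport"] is None and not rule["opts"] & {"setup", "established"}:
        return True                      # pure layer-3 rule: nothing more to check
    if later_frag:
        return False                     # a later fragment carries no ports or TCP flags
    if rule["sport"] not in (None, p["sport"]) or rule["dport"] not in (None, p["dport"]):
        return False
    if "setup" in rule["opts"] and ("SYN" not in p["flags"] or "ACK" in p["flags"]):
        return False
    return "established" not in rule["opts"] or bool(p["flags"] & {"ACK", "RST"})

def evaluate(rules, p):
    diverted = False                     # set once the packet has been handed to natd
    for rule in rules:                   # rules are in number order: first match decides
        if matches(rule, p) and rule["action"] == "divert":
            diverted = True              # natd (assumed) returns it unchanged; continue at next rule
        elif matches(rule, p):
            return rule["num"], rule["action"], diverted
    raise ValueError("no rule matched; the 65535 default should always match")

def packet(proto, src, dst, iface, direction, sport=None, dport=None, flags=(), frag_off=0):
    return {"proto": proto, "src": src, "dst": dst, "iface": iface, "dir": direction,
            "sport": sport, "dport": dport, "flags": set(flags), "frag_off": frag_off}

RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]
REMOTE = "198.51.100.7"                  # constructed Internet host
CASES = {                                # constructed packets as seen by the firewall
    "inbound ssh syn":      packet("tcp", REMOTE, OUTSIDE_IP, "rl1", "in", 40000, 22, {"SYN"}),
    "inbound tcp 8080 syn": packet("tcp", REMOTE, OUTSIDE_IP, "rl1", "in", 40000, 8080, {"SYN"}),
    "inbound udp sport 53": packet("udp", REMOTE, OUTSIDE_IP, "rl1", "in", 53, 31337),
    "spoofed inside src":   packet("tcp", "10.0.1.5", OUTSIDE_IP, "rl1", "in", 40000, 22, {"SYN"}),
    "outbound to rfc1918":  packet("tcp", "10.0.1.5", "192.168.1.1", "rl1", "out", 40000, 80, {"SYN"}),
    "inbound later frag":   packet("udp", REMOTE, OUTSIDE_IP, "rl1", "in", frag_off=185),
}

def verdict(name):
    return evaluate(RULES, CASES[name])

if __name__ == "__main__":
    for name in CASES:
        print("%-22s -> rule %5d %s" % ((name,) + verdict(name)[:2]))
```

Compare the "inbound udp sport 53" case with the SSH one: `04300 allow udp from any 53 to <outside>` names no destination port, so a datagram whose source port happens to be 53 is accepted on any UDP port of the outside address, which is exactly what the `allow udp from any ${port} to ${outside_ip}` half of the udp_allow loop generates. The spoofed and RFC1918 cases show the two anti-spoofing rules firing before the divert, and the fragment case shows `allow ip from any to any frag` accepting a later fragment that none of the port-based rules could inspect.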