Date: Tue, 6 Mar 2001 11:56:51 -0700
From: Bradley Senff <brad@iBizcorp.com>
To: "'freebsd-ipfw@freebsd.org'" <freebsd-ipfw@freebsd.org>
Subject: IPFW and forwarding from one interface to another (LONG)
Message-ID: <40DFA2708D54D41193F20001025665B61ABBB7@MAIL>
Like most of the posters, I have an issue with IPFW that perhaps this group can assist me with. I am pretty familiar with IPFW, and very familiar with FreeBSD.

I have a firewall with 5 ethernet ports (for this case, we'll call them ports 1 through 5). For the purpose of explanation, the view of the firewall is explained from the PUBLIC side into the PRIVATE side.

Quick NOTE: the kernel is made with the following options: options TCP_DROP_SYNFIN, options TCP_RESTRICT_RST, options IPFIREWALL, options IPFIREWALL_VERBOSE, options IPFIREWALL_FORWARD, options DUMMYNET, and options IPSTEALTH. The rc.conf has gateway_enable="YES" and firewall_enable="YES", among other unrelated items.

Port 1 is the firewall's main ethernet port. This port should be used only for connecting to the firewall itself. Ports 2 through 5 are used for traffic. I use the "even" ports (2,4) for INBOUND traffic. Ports 3,4 are OUTBOUND to the protected segments. There are two segments. Port 2 is the public side for Segment 1 (we'll say 1.1.1.0/24). Port 3 is the actual segment 1 (and has the IP 1.1.1.1/24). Port 4 is the public side for segment 2 (2.2.2.0/24); port 5 has the IP of 2.2.2.1/24. Since port 1 is the main port for the firewall, the IP 9.9.9.9/30 is used, and directly connected to the upstream gateway. The upstream gateway (9.9.9.10/30) is the default gateway for the firewall (netstat -rn shows 0.0.0.0 to have a gateway of 9.9.9.10).

When setting up the rules, I have placed filters for the incoming traffic on ports 2 and 4. Those ports work great. No problems there. However, I have some filters on ports 3 and 5 to keep that side of the firewall's segments separate. I also have a global forward command. Any packets coming from the public to segment 2 are coming in through port 2. I want the reverse to be true as well: All traffic from the PRIVATE side of segment 2 MUST be redirected (next hop changed etc.) to the PUBLIC port (port 2).
Port 3's traffic should be pushed to go back to the public via port 2. NOT PORT 1!!!! Due to the default gateway set in the kernel's routing table, (I assume) the return traffic is going out Port 1. Look at the firewall config below (IPs changed to protect the innocents) to see what the explanation is attempting to illustrate. Is that configuration correct to remap the traffic coming in port 3 from the private side to go out port 2 on the public side?

#Ports in the firewall, and their IPs:
#fxp0 3.3.3.1/30 (firewall traffic only.. or at least should be!)
#dc0  5.5.5.5/30 (public side for segment 1)
#dc1  1.1.1.1/24 (private side for segment 1)
#dc2  6.6.6.5/30 (public side for segment 2)
#dc3  2.2.2.1/24 (private side for segment 2)

#allow loopback traffic
add 00010 allow ip from any to any via lo0

#default deny all
add 65534 deny ip from any to any

#deny all non-routed IPs from going anywhere through firewall
add 0100 deny all from 192.168.0.0/16 to any via any
add 0101 deny all from any to 192.168.0.0/16 via any
add 0102 deny all from 172.16.0.0/12 to any via any
add 0103 deny all from any to 172.16.0.0/12 via any
add 0104 deny all from 10.0.0.0/8 to any via any
add 0105 deny all from any to 10.0.0.0/8 via any

#deny 127 traffic on all interfaces except lo0
add 0106 deny ip from any to 127.0.0.0/8 via fxp0
add 0107 deny ip from 127.0.0.0/8 to any via fxp0
add 0108 deny ip from any to 127.0.0.0/8 via dc*
add 0109 deny ip from 127.0.0.0/8 to any via dc*

# fxp0 is the firewall.. we should let everything in from my network, and allow established out
# not an entirely correct entry, I removed the real ones, and put this in as an example only
# so as to represent the port in this config.
add 500 allow ip from <my network> to 3.3.3.1/30 in via fxp0
add 510 allow ip from 3.3.3.1/30 to any established out via fxp0

# 520 and 530 had to be added to allow the traffic to incorrectly go out fxp0 .. I don't want this
# but I have no choice since the fwd statements are not working.
add 520 allow ip from 1.1.1.0/24 to any out fxp0
add 530 allow ip from 2.2.2.0/24 to any out fxp0

#deny all shares if not specifically allowed
add 60400 deny tcp from any to any 135 via dc*
add 60410 deny tcp from any to any 138 via dc*
add 60420 deny tcp from any to any 139 via dc*
add 60430 deny tcp from any 135 to any via dc*
add 60440 deny tcp from any 138 to any via dc*
add 60450 deny tcp from any 139 to any via dc*

#for incoming segment 1, skip to 10000
#remember, the public traffic comes in dc0, and
#goes out dc1 to the private segment
add 9000 skipto 10000 ip from any to 1.1.1.0/24 in via dc0
add 9010 skipto 10000 ip from any to 1.1.1.0/24 out via dc1

#for outgoing segment 1, skip to 10000
#from the private side, responses come in dc1, and go out dc0
add 9110 skipto 11000 ip from 1.1.1.0/24 to any in via dc1
add 9120 skipto 11000 ip from 1.1.1.0/24 to any out via dc0

#for incoming segment2 skip to 12000
add 9200 skipto 12000 ip from any to 2.2.2.0/24 in via dc2
add 9210 skipto 12000 ip from any to 2.2.2.0/24 out via dc3

#for outgoing segment2, skip to 13000
add 9301 skipto 13000 ip from 2.2.2.0/24 to any in via dc3
add 9302 skipto 13000 ip from 2.2.2.0/24 to any out via dc2

#anything that gets this far should be dropped, as it isn't for a segment here
add 9999 skipto 60000 ip from any to any
#END MAIN CONFIG

#INFO-SEG Segment 1
#INFO-SUBNET 1.1.1.0/24
#INFO-PORT dc1
#INFO-RULESET 10000 11000

#first, deny forged packets from the net
add 10000 deny ip from 1.1.1.0/24 to any in via dc0

#allow all traffic to all ports on subnet from specific IPs
add 10030 allow ip from X.X.X.X/XX to 1.1.1.0/24 in via dc0
add 10040 allow ip from X.X.X.X/XX to 1.1.1.0/24 in via dc0
add 10050 allow ip from X.X.X.X/XX to 1.1.1.0/24 in via dc0
add 10060 allow ip from X.X.X.X/XX to 1.1.1.0/24 in via dc0
add 10070 allow ip from X.X.X.X/XX to 1.1.1.0/24 in via dc0

#specific ports allowed
add 10110 allow tcp from any to 1.1.1.10/32 1111 in via dc0
add 10120 allow tcp from any to 1.1.1.11/32 2222 in via dc0
add 10130 allow tcp from any to 1.1.1.12/32 3333 in via dc0
add 10140 allow tcp from any to 1.1.1.13/32 4444 in via dc0

#globally allowed ports
#all hosts on 1.1.1.0/24 need these ports open.
#
add 10200 check-state
add 10210 allow tcp from any to any 1 in setup keep-state in via dc0
add 10250 allow tcp from any to any 5 in setup keep-state in via dc0

#deny access to windows shares from outside -- drop packets in from world,
# and any originating within the firewall network from going out
add 10310 deny tcp from any to 1.1.1.0/24 139 in via dc0
add 10310 deny udp from any to 1.1.1.0/24 139 in via dc0
add 10320 deny tcp from any to 1.1.1.0/24 135 in via dc0
add 10320 deny udp from any to 1.1.1.0/24 135 in via dc0

# allow setup and established to originate from within segment1's network
add 10500 allow tcp from 1.1.1.0/24 to any established out via dc0
add 10600 allow tcp from 1.1.1.0/24 to any setup out via dc0
add 10700 allow tcp from any to 1.1.1.0/24 established in via dc0

# if it is trying to go out dc1, it should since everything is ok by now
add 10800 allow ip from any to 1.1.1.0/24 out via dc1

# we are done with segment 1
add 10999 skipto 60000 ip from any to any

# HERE IS what should be FORCING the traffic back through dc0
# but it isn't!
# I have also tried to use 5.5.5.6/30 as well, but no dice.
add 11000 fwd 5.5.5.5 ip from 1.1.1.0/24 to any via in dc1
# redundant, if 11000 worked, we wouldn't need 11010
add 11010 allow ip from 1.1.1.0/24 to any out via dc0
add 11040 skipto 10999 ip from any to any

#INFO-SUBNET 2.2.2.0/24
#INFO-PORT dc3
#INFO-RULESET 12000 13000

#first, deny incoming packets from the net
add 12000 deny ip from 2.2.2.0/24 to any in via dc2

#requested traffic to allow
add 12300 check-state
add 12310 allow tcp from any to 2.2.2.0/24 1 in setup keep-state in via dc2
add 12315 allow tcp from any to 2.2.2.0/24 2 in setup keep-state in via dc2
add 12320 allow tcp from any to 2.2.2.0/24 3 in setup keep-state in via dc2
add 12330 allow tcp from any to 2.2.2.0/24 4 in setup keep-state in via dc2
add 12340 allow tcp from any to 2.2.2.0/24 5 in setup keep-state in via dc2
add 12360 allow tcp from any to 2.2.2.0/24 established in via dc2
add 12370 allow udp from any to 2.2.2.0/24 55 in via dc2

# anything going out dc3 is ok
add 12300 allow ip from any to 2.2.2.0/24 out via dc3

# we are done with segment 2
add 12999 skipto 60000 ip from any to any

#segment 2's adaptor
add 13000 deny tcp from any to any 135,137,138,139 via dc3
add 13001 deny udp from any to any 135,137,138,139 via dc3

# here is the other offending forward
# NOTE: i *have* tried to use 6.6.6.6 (the next hop) as the forwarding
# address, no dice
add 13010 fwd 6.6.6.5 ip from 2.2.2.0/24 to any in via dc3
add 13020 allow ip from 2.2.2.0/24 to any out via dc2
add 13100 skipto 12999 ip from any to any

Any help on this would be GREATLY appreciated. I have read the man pages for divert, fwd, etc., and it would seem that fwd is designed for what I want to do, but it isn't working.

-brad
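Added example, not part of the message above or of any reply on the list: a small offline lint over an excerpt of the posted ruleset (rule text copied verbatim from the message, IPs as posted). It recovers the order ipfw actually evaluates rules in (ascending rule number, regardless of the order the `add` lines appear in the file) and flags three things that ipfw(8) documents and that matter for a forwarding setup like this one: `via` takes an interface name, with `in` and `out` being separate keywords; `skipto N` resumes at the first rule numbered N or higher when no rule N exists; and a `fwd` whose next hop is one of the firewall's own addresses delivers the packet locally (the transparent-proxy case) instead of routing it out that interface. The LOCAL_ADDRS table is taken from the interface comment block in the post and is assumed to be the firewall's own addresses; the checks, their messages and the helper names are mine.

```python
"""Offline lint for an ipfw(8) ruleset: recover evaluation order and flag
the traps that commonly break interface-to-interface forwarding setups."""
import re
from collections import defaultdict

# Interface addresses from the comment block at the top of the posted config
# (assumption: these are the firewall's own addresses).
LOCAL_ADDRS = {"3.3.3.1": "fxp0", "5.5.5.5": "dc0", "1.1.1.1": "dc1",
               "6.6.6.5": "dc2", "2.2.2.1": "dc3"}

# Excerpt of the posted ruleset, rule text verbatim, in the order it was posted.
RULESET = """\
add 00010 allow ip from any to any via lo0
add 65534 deny ip from any to any
add 0100 deny all from 192.168.0.0/16 to any via any
add 9110 skipto 11000 ip from 1.1.1.0/24 to any in via dc1
add 9999 skipto 60000 ip from any to any
add 10310 deny tcp from any to 1.1.1.0/24 139 in via dc0
add 10310 deny udp from any to 1.1.1.0/24 139 in via dc0
add 11000 fwd 5.5.5.5 ip from 1.1.1.0/24 to any via in dc1
add 11010 allow ip from 1.1.1.0/24 to any out via dc0
add 12300 check-state
add 12300 allow ip from any to 2.2.2.0/24 out via dc3
add 13010 fwd 6.6.6.5 ip from 2.2.2.0/24 to any in via dc3
add 60400 deny tcp from any to any 135 via dc*
"""

RULE_RE = re.compile(r"^add\s+(\d+)\s+(\S+)(?:\s+(.*))?$")


def parse(text):
    """Return a list of dicts: num, action, arg (skipto/fwd target), opts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment in the config
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        num, action, rest = int(m.group(1)), m.group(2), m.group(3) or ""
        toks = rest.split()
        arg = None
        if action in ("skipto", "fwd", "forward"):
            arg, toks = toks[0], toks[1:]
        rules.append({"num": num, "action": action, "arg": arg, "opts": toks})
    return rules


def evaluation_order(rules):
    """ipfw walks rules by ascending number, not in the order they were added."""
    return [r["num"] for r in sorted(rules, key=lambda r: r["num"])]


def skipto_target(rules, target):
    """skipto N resumes at the first rule numbered N or higher (None if none)."""
    higher = [r["num"] for r in rules if r["num"] >= target]
    return min(higher) if higher else None


def lint(rules, local_addrs):
    """Return a list of (rule_number, kind, message) findings."""
    findings = []
    seen = defaultdict(int)
    for r in rules:
        seen[r["num"]] += 1
        opts = r["opts"]
        for i, tok in enumerate(opts):
            # 'via' takes an interface name; 'in'/'out' are separate keywords
            if tok == "via" and (i + 1 == len(opts) or opts[i + 1] in ("in", "out")):
                findings.append((r["num"], "syntax",
                                 "'via' must be followed by an interface name"))
        if r["action"] == "skipto":
            want = int(r["arg"])
            got = skipto_target(rules, want)
            if got != want:
                findings.append((r["num"], "skipto",
                                 f"no rule {want}; evaluation resumes at {got}"))
        if r["action"] in ("fwd", "forward"):
            ip = r["arg"].split(",")[0]          # fwd takes ipaddr[,port]
            if ip in local_addrs:
                findings.append((r["num"], "fwd",
                                 f"{ip} is this host's own address ({local_addrs[ip]}); "
                                 "ipfw delivers matching packets locally, it does not "
                                 "route them out that interface"))
    for num, count in seen.items():
        if count > 1:
            findings.append((num, "dup", f"rule number used {count} times; "
                             "'ipfw delete' removes all of them at once"))
    return findings


if __name__ == "__main__":
    rs = parse(RULESET)
    print("evaluation order:", evaluation_order(rs))
    for num, kind, msg in sorted(lint(rs, LOCAL_ADDRS)):
        print(f"rule {num:5d} [{kind}] {msg}")
```

Run against the excerpt it reports rule 11000 twice (the `via in dc1` ordering, and a next hop that is the firewall's own dc0 address), rule 13010 once (next hop 6.6.6.5 is the firewall's own dc2 address), rule 9999's `skipto 60000` landing on 60400 because no rule 60000 exists, and the reused numbers 10310 and 12300. To lint a live box, feed it `ipfw -a list` output with the leading counters stripped, or the file named in rc.conf's firewall_type.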