Date:      Wed, 20 Sep 2000 09:58:40 CDT
From:      "Konan Houphoue" <bahobab@hotmail.com>
To:        cjclark@alum.mit.edu
Cc:        ari@suutari.iki.fi, marcs@draenor.org, archie@whistle.com, freebsd-net@freebsd.org, virtual_olympus@yahoo.com
Subject:   Re: Port 80 redirect: Good news!!
Message-ID:  <F44YgXiJHyBhs3zXgVE0000475f@hotmail.com>

Hi,

Crist, thanks for your comments about what I said about finding a solution 
to my problems. Listening and reading all you (all) said actually helped me 
understand a little deeper what's going on in the rc.firewall rules. I'd 
probably not have gotten this knowledge if someone just gave me the magic 
answer. I apologize if I offended anyone.
Ben, thanks, and I hope that Crist's input provided an answer to your questions.

Here's my final rc.firewall file. And it WORKS!!!!!!

############
# Setup system for firewall service.
# $FreeBSD: src/etc/rc.firewall,v 1.30 2000/02/06 19:24:37 paul Exp $

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#	http://www.ora.com/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellovin
#
#	Addison-Wesley
#	ISBN 0-201-6337-4
#	http://www.awl.com/
#

if [ -n "${1}" ]; then
	firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	fwcmd="/sbin/ipfw"
	;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

############
# These rules are required for using natd.  All packets are passed to
# natd before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
#
case ${natd_enable} in
[Yy][Ee][Ss])
	if [ -n "${natd_interface}" ]; then
		${fwcmd} add divert natd all from any to any via ${natd_interface}
	fi
	;;
esac

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any

############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
# If you're using 'options BRIDGE', uncomment the following line to pass ARP
${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0


# Prototype setups.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
	${fwcmd} add 65000 pass all from any to any
	;;

[Cc][Ll][Ii][Ee][Nn][Tt])
	############
	# This is a prototype setup that will protect your system somewhat
	# against people from outside your own network.
	############

	# set these to your network and netmask and ip
	net="192.168.1.0"
	mask="255.255.255.0"
	ip="192.168.1.2"

	# Allow any traffic to or from my own net.
	${fwcmd} add pass all from ${ip} to ${net}:${mask}
	${fwcmd} add pass all from ${net}:${mask} to ${ip}

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to ${ip} 25 setup

	# Allow setup of outgoing TCP connections only
	${fwcmd} add pass tcp from ${ip} to any setup

	# Disallow setup of all other TCP connections
	${fwcmd} add deny tcp from any to any setup

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from any 53 to ${ip}
	${fwcmd} add pass udp from ${ip} to any 53

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from any 123 to ${ip}
	${fwcmd} add pass udp from ${ip} to any 123

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Ss][Ii][Mm][Pp][Ll][Ee])
	############
	# This is a prototype setup for a simple firewall.  Configure this
	# machine as a named server and ntp server, and point all the machines
	# on the inside at this machine for those services.
	############

	# set these to your outside interface network and netmask and ip
	oif="fxp0"
	onet="207.208.254.0"
	omask="255.255.255.0"
	oip="207.208.254.234"

	# set these to your inside interface network and netmask and ip
	iif="xl0"
	inet="192.168.1.0"
	imask="255.255.255.0"
	iip="192.168.1.2"

	# set this to the ip of my internal web server (natd redirect target)
	ihttpip="192.168.1.40"

	#/sbin/ipfw add divert natd all from any to any via oif

	# Stop draft-manning-dsua-01.txt nets on the outside interface
	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
	${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
	${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
	${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
	${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
	${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
	${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to ${oip} 25 setup

	# Allow access to our DNS
	${fwcmd} add pass tcp from any to ${oip} 53 setup
	${fwcmd} add pass udp from any to ${oip} 53
	${fwcmd} add pass udp from ${oip} 53 to any

	# Allow access to our WWW
	#${fwcmd} add pass tcp from any to ${oip} 80 setup

	# >>>>>>>>>> New rule <<<<<<<<<<<<<<<<<<<<<<<
	${fwcmd} add pass tcp from any to ${ihttpip} 80 in via ${oif} setup

	# Reject&Log all setup of incoming connections from the outside
	${fwcmd} add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	${fwcmd} add pass tcp from any to any setup

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from any 53 to ${oip}
	${fwcmd} add pass udp from ${oip} to any 53

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from any 123 to ${oip}
	${fwcmd} add pass udp from ${oip} to any 123

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
	;;
*)
	if [ -r "${firewall_type}" ]; then
		${fwcmd} ${firewall_flags} ${firewall_type}
	fi
	;;
esac

Thanks again,

Konan



----Original Message Follows----
From: "Crist J . Clark" <cjclark@reflexnet.net>
Reply-To: cjclark@alum.mit.edu
To: Konan Houphoue <bahobab@hotmail.com>
CC: ari@suutari.iki.fi, marcs@draenor.org, archie@whistle.com, freebsd-net@freebsd.org
Subject: Re: Port 80 redirect: Good news!!
Date: Mon, 18 Sep 2000 20:54:23 -0700
Message-ID: <20000918205423.E367@149.211.6.64.reflexcom.com>
References: <F135rByg67HF4x0Hgx10000d75b@hotmail.com>
X-Mailer: Mutt 1.0i
In-Reply-To: <F135rByg67HF4x0Hgx10000d75b@hotmail.com>; from 
bahobab@hotmail.com on Mon, Sep 18, 2000 at 10:00:42AM -0500

On Mon, Sep 18, 2000 at 10:00:42AM -0500, Konan Houphoue wrote:
 > Thanks to all of you who tried to help me with this problem.
 > And I with Ari about the rules at the beginning of /etc/rc.firewall
 >
 > A little reminder.
 > The issue was that I'm trying to redirect all tcp/port 80 requests that
 > arrive on the outside interface of my firewall to an IIS server that resides
 > on my internal private network.
 > Before the idea to redirect port 80, my web pages were served by Apache 1.3
 > on the firewall server, and everything was working just fine.
 >
 > So I was advised to use the "-redirect_port proto targetIP:port port" flag
 > in /etc/rc.conf:
 >
 > firewall_enable="YES"
 > firewall_type="simple"
 > natd_flags="-redirect_port tcp 192.168.1.40:80 80"
 >
 > But the port forwarding rule was not working.
 > However, with firewall_type="open", the forwarding works.
 >
 > I tried all the suggestions I received but the forwarding always fails if
 > firewall_type="simple".
 >
 > Then I went on to comment out the rules one by one.
 > Here's the rule in the "simple" section of /etc/rc.firewall that's blocking
 > the forwarding:
 >
 > # Reject&Log all setup of incoming connections from the outside
 > ${fwcmd} add deny log tcp from any to any in via ${oif} setup
 >
 > When this rule is commented, everything works well.
 >
 > Now could you tell me whether doing so opens a security breach?

Yes. You pretty much might as well be using the 'open' configuration
if you comment that out. Like it says, that's the rule that disallows
arbitrary incoming connections.

Now, let's see how to edit these rules.

[snip]
 > 	# Allow access to our WWW
 > 	${fwcmd} add pass tcp from any to ${oip} 80 setup

This rule is useless since we redirect this traffic. You want,

         ${fwcmd} add pass tcp from any to ${internal_http} 80 in via ${oif} setup

 > 	#My rules
 > 	#${fwcmd} add pass tcp from ${oip} to ${inet}:${imask} 80 in via ${iip} setup

This rule seems strange. Pass traffic FROM the outer IP address to the
INTERNAL net that is coming IN the internal interface? I think s/in/out/?

 > 	#${fwcmd} add pass tcp from ${oif} to any in via ${iif} setup

Again, huh? The previous rule is a subset of this rule, i.e. anything
that was passed in the previous rule would pass this one. The previous
rule is unnecessary.

Once you get this figured out, you can make it a stateful firewall
rather than having the 'pass established' rule. ;)
--
Crist J. Clark                           cjclark@alum.mit.edu
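As an added illustration (not code from the thread or from FreeBSD), here is a small Python model of the rule walk the thread is about: the inbound SYN for the outside address is diverted to natd, comes back addressed to the internal web server, and is then matched against the remaining rules, so the old `pass ... to ${oip} 80 setup` rule never sees it while `deny log ... in via ${oif} setup` does. OIF, OIP and IHTTPIP are taken from the posted rc.firewall; the evaluator is a deliberate simplification of ipfw(8)/natd(8).

```python
# Added model (not code from the thread) of ipfw rule evaluation around a natd
# divert: why the "simple" ruleset denied the redirected port-80 SYN and why
# the rule Crist suggested passes it. Interface and addresses come from the
# posted rc.firewall; the evaluator is a simplification of ipfw(8)/natd(8).
OIF = "fxp0"
OIP = "207.208.254.234"
IHTTPIP = "192.168.1.40"

def natd_redirect(pkt):
    """Model natd_flags="-redirect_port tcp 192.168.1.40:80 80": an inbound
    packet for the outside IP, port 80, leaves natd addressed to the inside host."""
    if pkt["dir"] == "in" and pkt["dst"] == OIP and pkt["dport"] == 80:
        return {**pkt, "dst": IHTTPIP}
    return pkt

def match(rule, pkt):
    """Rules are (action, dst_ip, dst_port, in_via); None means 'any'.
    Only TCP 'setup' (SYN) packets are modelled, so every rule is a setup rule."""
    _, dst, dport, in_via = rule
    return ((dst is None or pkt["dst"] == dst)
            and (dport is None or pkt["dport"] == dport)
            and (in_via is None or (pkt["dir"] == "in" and pkt["iface"] == in_via)))

def evaluate(rules, pkt):
    """Walk the list in order. A divert hands the packet to natd and the walk
    restarts on the rewritten packet minus divert rules (natd(8)); first match wins."""
    for rule in rules:
        if rule[0] == "divert":
            return evaluate([r for r in rules if r[0] != "divert"], natd_redirect(pkt))
        if match(rule, pkt):
            return rule[0]
    return "deny"  # kernel default policy without IPFIREWALL_DEFAULT_TO_ACCEPT

# The "simple" rules that matter, first as Konan had them, then with the new rule.
ORIGINAL = [
    ("divert", None, None, None),
    ("pass", OIP, 80, None),        # "Allow access to our WWW": names the OUTSIDE ip
    ("deny", None, None, OIF),      # "Reject&Log all setup ... in via ${oif}"
    ("pass", None, None, None),     # "Allow setup of any other TCP connection"
]
FIXED = [
    ("divert", None, None, None),
    ("pass", IHTTPIP, 80, OIF),     # ">>>>>>>>>> New rule <<<<<<<<<<": INSIDE ip, in via oif
    ("deny", None, None, OIF),
    ("pass", None, None, None),
]

def outside_syn_result(rules, dport):
    """Outcome for a constructed SYN arriving on fxp0 addressed to the outside IP."""
    return evaluate(rules, {"dir": "in", "iface": OIF, "dst": OIP, "dport": dport})
```

The fixed set still denies an outside SYN to any other port, which is the behaviour Crist's answer says the deny rule exists to preserve.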







