Date: Mon, 25 Feb 2002 22:23:57 -0800
From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: Florian Nigsch <flo@nigsch.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: private lan + natd: what to divert
Message-ID: <20020225222357.F52727@blossom.cjclark.org>
In-Reply-To: <20020226020956.A38543@nigsch.com>; from flo@nigsch.com on Tue, Feb 26, 2002 at 02:09:56AM +0100
References: <20020226020956.A38543@nigsch.com>
On Tue, Feb 26, 2002 at 02:09:56AM +0100, Florian Nigsch wrote:
> Hi all,
>
> I just spent the whole Austrian evening and part of the night
> setting up a new firewall for my home LAN. What a job....
>
> I have a FreeBSD 4.5-STABLE with two ethernet cards ed0 and ed1
>
> ed0: 1.2.3.4
> ed1: 192.168.2.1
>
> I have natd running with natd.conf reading:
>
> deny_incoming no
> log_denied
> use_sockets
> same_ports
> unregistered_only
>
> and a firewall script with the following rules:
>
> add 100 allow ip from any to any via lo0
> ... some anti-spoof rules ...
> add 4400 skipto 5000 ip from 192.168.2.0/24 to 1.2.3.4
> add 4500 divert 8668 ip from 192.168.2.0/24 to not 192.168.2.0/24
> add 4600 divert 8668 ip from not 192.168.2.0/24 to 1.2.3.4
>
> add 5000 check-state
> add allow tcp from any to any established
> add allow ip from any to any via ed1 keep-state
> add allow ip from 1.2.3.4 to any keep-state
> ... some other rules ...
> add 65530 deny log ip from any to any
>
> -> With these rules I am not able to browse websites from behind the
> firewall. However, and that I find a bit confusing, I can do a
> mailcheck at my mailserver with Eudora (with TLS). I can ping
> outside hosts (like www.yahoo.com), name resolution is working
> but I can't seem to get www access working.

It would be strange if some TCP worked and others did not.

> -> If I change the divert rules instead of two separate rules to
> add 4500 divert 8668 ip from any to any via ed0
> everything is working just wonderful. This rule works fine but it
> also diverts the traffic for the public IP address, which isn't
> really necessary.

I don't understand. Rule 4600 is diverting everything that goes to
the public IP address, and it is necessary. You should really use
the 'via ed0' version.

> -> I think that if each connection is a dynamic one, is there the
> need to have a rule to allow established tcp packets?

The way you have it set up, yes.

On the way out, you only create dynamic rules like,

  1.2.3.4 -> <some external IP>

While on the way back, you get,

  <some external IP> -> 192.168.2.0/24

Before you check the rules.

> What is wrong with those two divert rules? Shouldn't they work as I
> expect them to? ;)

I don't immediately see why they are not working, but the rules as you
have them look dangerous. That is, they pass stuff you wouldn't want
to pass. But it's hard to say without seeing the whole ruleset.
-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
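The asymmetry Crist describes (the keep-state entry is created after natd has already rewritten the source to 1.2.3.4, while the reply has already been translated back to the 192.168.2.x host by the time check-state runs, so only the 'established' rule lets TCP replies through) is easy to see in a toy model of the rule walk. The following is an added illustration, not FreeBSD's ipfw or natd code and not part of the thread: it keeps only what the point needs (rules evaluated in order, a 'divert' that hands the packet to a stand-in natd and continues at the next rule, dynamic entries keyed on the addresses the packet has at the rule that creates them) and ignores the second pass over ed1. The hosts 192.168.2.10 and 10.0.0.1 and the single pass over ed0 are constructed for the example.

```python
"""Toy model of the ipfw + natd packet path discussed in the thread.

Added illustration only: not ipfw/natd code. Hosts 192.168.2.10 and
10.0.0.1 and the single ed0 pass are constructed for the example.
"""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.2.0/24")
PUBLIC = "1.2.3.4"  # ed0 address from the original post


def in_lan(addr):
    return ip_address(addr) in LAN


class Natd:
    """Stand-in for natd: rewrite LAN sources to PUBLIC, undo it on the way back."""

    def __init__(self):
        self.sessions = {}  # (external host, proto) -> internal source

    def translate(self, pkt):
        if in_lan(pkt["src"]) and not in_lan(pkt["dst"]):
            self.sessions[(pkt["dst"], pkt["proto"])] = pkt["src"]
            return {**pkt, "src": PUBLIC}
        if pkt["dst"] == PUBLIC and (pkt["src"], pkt["proto"]) in self.sessions:
            return {**pkt, "dst": self.sessions[(pkt["src"], pkt["proto"])]}
        return pkt


class Ipfw:
    """Ordered rule list supporting skipto, divert, check-state and keep-state."""

    def __init__(self, rules, natd):
        self.rules = rules  # list of (number, action, match predicate)
        self.natd = natd
        self.dyn = set()    # dynamic rules: (src, dst, proto)

    def _index_of(self, number):
        return next((i for i, r in enumerate(self.rules) if r[0] >= number), len(self.rules))

    def process(self, pkt):
        """Return (verdict, numbers of the rules that matched, packet as it left the chain)."""
        hits, i = [], 0
        while i < len(self.rules):
            num, action, match = self.rules[i]
            if match(pkt):
                hits.append(num)
                if action == "divert":
                    # natd re-injects the packet; evaluation continues at the next rule
                    pkt = self.natd.translate(pkt)
                elif action.startswith("skipto"):
                    i = self._index_of(int(action.split()[1]))
                    continue
                elif action == "check-state":
                    fwd = (pkt["src"], pkt["dst"], pkt["proto"])
                    rev = (pkt["dst"], pkt["src"], pkt["proto"])
                    if fwd in self.dyn or rev in self.dyn:
                        return "allow", hits, pkt
                    # no dynamic rule matched: fall through to the static rules
                elif action == "allow keep-state":
                    self.dyn.add((pkt["src"], pkt["dst"], pkt["proto"]))
                    return "allow", hits, pkt
                elif action == "allow":
                    return "allow", hits, pkt
                elif action == "deny":
                    return "deny", hits, pkt
            i += 1
        return "deny", hits, pkt


def florians_rules():
    """The two-divert ruleset from the post, reduced to the rules that matter here."""
    return [
        (4400, "skipto 5000", lambda p: in_lan(p["src"]) and p["dst"] == PUBLIC),
        (4500, "divert", lambda p: in_lan(p["src"]) and not in_lan(p["dst"])),
        (4600, "divert", lambda p: not in_lan(p["src"]) and p["dst"] == PUBLIC),
        (5000, "check-state", lambda p: True),
        (5100, "allow", lambda p: p["proto"] == "tcp" and p["ack"]),  # 'established'
        (5200, "allow keep-state", lambda p: p["iface"] == "ed1"),
        (5300, "allow keep-state", lambda p: p["src"] == PUBLIC),
        (65530, "deny", lambda p: True),
    ]


def run_exchange(proto):
    """One request from a LAN host out ed0, and the reply coming back in on ed0."""
    fw = Ipfw(florians_rules(), Natd())
    out = {"src": "192.168.2.10", "dst": "10.0.0.1", "proto": proto, "iface": "ed0", "ack": False}
    v_out, hits_out, left = fw.process(out)
    # the reply is addressed to the public IP; for TCP it carries ACK (SYN/ACK)
    back = {"src": "10.0.0.1", "dst": PUBLIC, "proto": proto, "iface": "ed0", "ack": proto == "tcp"}
    v_back, hits_back, arrived = fw.process(back)
    return {
        "out": (v_out, hits_out, left["src"]),
        "dyn": sorted(fw.dyn),
        "back": (v_back, hits_back, arrived["dst"]),
    }


if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        print(proto, run_exchange(proto))
```

Running it shows the outbound packet being diverted at 4500 and then creating a dynamic rule for 1.2.3.4 -> 10.0.0.1 at 5300; the reply is rewritten to 192.168.2.10 at 4600 before check-state at 5000 sees it, so the lookup misses. The TCP reply survives only because rule 5100 ('established') matches its ACK flag, while a UDP reply with nothing but the same dynamic rule to rely on falls through to the final deny.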
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020225222357.F52727>