Date: Wed, 29 Mar 2006 08:01:03 -0500
From: "fbsd_user" <fbsd_user@a1poweruser.com>
To: "Erik Norgaard" <norgaard@locolomo.org>
Cc: "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject: RE: FBSD 6.0 ipfilter nat redirect not working.
Message-ID: <MIEPLLIBMLEEABPDBIEGIEHLHDAA.fbsd_user@a1poweruser.com>
In-Reply-To: <442A3D2D.4080701@locolomo.org>
Here are the complete firewall rules

#################################################################
# No restrictions on Inside Lan Interface for private network
#################################################################

pass out quick on xl0 all # production server config
pass in quick on xl0 all # production server config

#################################################################
# No restrictions on Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all

#################################################################
# Interface facing Public internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public internet.
#################################################################

# Allow out access to my ISP's Domain name server.
pass out quick on rl0 proto tcp from any to xx.168.240.5 port = 53 flags S keep state
pass out quick on rl0 proto udp from any to xx.168.240.5 port = 53 keep state
pass out quick on rl0 proto tcp from any to xx.168.240.2 port = 53 flags S keep state
pass out quick on rl0 proto udp from any to xx.168.240.2 port = 53 keep state

# Allow out access to my ISP's DHCP server for cable or DSL networks.
pass out quick on rl0 proto udp from any to xx.173.0.1 port = 67 keep state
pass out quick on rl0 proto udp from any to xx.39.64.1 port = 67 keep state

# Allow out non-secure standard www function
pass out quick on rl0 proto tcp from any to any port = 80 flags S keep state

# Allow out secure www function https over TLS SSL
pass out quick on rl0 proto tcp from any to any port = 443 flags S keep state

# Allow out send & get email function
pass out quick on rl0 proto tcp from any to any port = 25 flags S keep state
pass out quick on rl0 proto tcp from any to any port = 110 flags S keep state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
pass out quick on rl0 proto tcp from any to any port = 22 flags S keep state

# Allow out non-secure Telnet
pass out log quick on rl0 proto tcp from any to any port = 23 flags S keep state

# Allow out FBSD CVSUP function
pass out quick on rl0 proto tcp from any to any port = 5999 flags S keep state

# Allow out all icmp to public Internet
pass out quick on rl0 proto icmp from any to any keep state

# Allow out whois for LAN PC to public Internet
pass out quick on rl0 proto tcp from any to any port = 43 flags S keep state

# Block and log only the first occurrence of everything
# else that's trying to get out.
# This rule enforces the block all by default logic.
#block out log first quick on rl0 all
block out log quick on rl0 all

#################################################################
# Interface facing Public internet (Inbound Section)
# Interrogate packets originating from the public internet
# destined for this gateway server or the private network.
#################################################################

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on rl0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in quick on rl0 from 172.16.0.0/12 to any #RFC 1918 private IP
block in quick on rl0 from 10.0.0.0/8 to any #RFC 1918 private IP
block in quick on rl0 from 127.0.0.0/8 to any #loopback
block in quick on rl0 from 0.0.0.0/8 to any #loopback
block in quick on rl0 from 169.254.0.0/16 to any #DHCP auto-config
block in quick on rl0 from 192.0.2.0/24 to any #reserved for doc's
block in quick on rl0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on rl0 from 224.0.0.0/3 to any #Class D & E multicast

##### Block a bunch of different nasty things. ############
# That I don't want to see in the log

# Block frags
#block in log quick on rl0 all with frags
block in quick on rl0 all with frags

# Block short tcp packets
#block in log quick on rl0 proto tcp all with short
block in quick on rl0 proto tcp all with short

# block source routed packets
#block in log quick on rl0 all with opt lsrr
#block in log quick on rl0 all with opt ssrr
block in quick on rl0 all with opt lsrr
block in quick on rl0 all with opt ssrr

# Block nmap OS fingerprint attempts
block in quick on rl0 proto tcp from any to any flags FUP

# Block anything with special options
#block in log quick on rl0 all with ipopts
block in quick on rl0 all with ipopts

# Block public pings
block in quick on rl0 proto icmp all icmp-type 8

# Block ident
block in quick on rl0 proto tcp from any to any port = 113

# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in quick on rl0 proto tcp/udp from any to any port = 137
block in quick on rl0 proto tcp/udp from any to any port = 138
block in quick on rl0 proto tcp/udp from any to any port = 139
block in quick on rl0 proto tcp/udp from any to any port = 81

# Block all ftp attempts to login so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 21

# Block all SSH attempts to login so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 22

# Block all telnet attempts to login so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 23

# Block all www attempts so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 80

# Block all secure www attempts so count will show in daily cron rpt
block in quick on rl0 proto tcp from any to any port = 443

# Block all smtp email server attempts so count will show in daily cron rpt
block in quick on rl0 proto tcp from any to any port = 25

# block range of Trojan udp ports 1021 thru 1039
# so count will show in daily cron rpt
block in quick on rl0 proto udp from any to any port 1020 >< 1040

# block Trojan scan port
block in quick on rl0 proto tcp from any port = 6000 to any

# Allow traffic in from ISP's DHCP server.
pass in quick on rl0 proto udp from xx.173.0.1 port = 67 to any keep state
pass in quick on rl0 proto udp from xx.39.64.1 port = 67 to any keep state

# Allow traffic in from ISP's DNS server.
pass in quick on rl0 proto udp from xx.168.240.5 port = 53 to any keep state
pass in quick on rl0 proto udp from xx.168.240.2 port = 53 to any keep state

# Allow in testing www function because I have apache server on lan
pass in log quick on rl0 proto tcp from any to any port = 6188 flags S keep state
pass in log quick on rl0 proto tcp from any to 10.0.10.4 port = 80 flags S keep state

# Block all udp traffic
block in log quick on rl0 proto udp all
#block in quick on rl0 proto udp all

# Block and log only first occurrence of all remaining traffic
# coming into the firewall.
# This rule enforces the block all by default logic.
#block in quick on rl0 all
block in log quick on rl0 all

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Erik Norgaard
Sent: Wednesday, March 29, 2006 2:54 AM
To: fbsd_user@a1poweruser.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: FBSD 6.0 ipfilter nat redirect not working.

fbsd_user wrote:
> # /root >ipnat -l
> List of active MAP/Redirect filters:
> map rl0 10.0.10.0/29 -> 0.0.0.0/32 proxy port ftp ftp/tcp
> map rl0 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
> map rl0 10.0.10.0/29 -> 0.0.0.0/32
> rdr rl0 0.0.0.0/0 port 6188 -> 10.0.10.4 port 80 tcp
>
> List of active sessions:
> RDR 10.0.10.4 80 <- -> 79.69.59.49 6188 [65.45.227.95 2698]
> MAP 10.0.10.6 1857 <- -> 79.69.59.49 1857 [216.155.193.144 5050]
>
> Nothing happens. No ipf.log records on gateway box and
> no ipf.log records on the LAN web server box.
> There is a firewall rule to log & pass from any to 10.0.10.4 port = 80
> keep state
> And any packet that does not match a firewall rule gets logged and
> dropped.

Please post your filter ruleset also.

Erik
--
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
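The ruleset above is the poster's own. What follows is an added example, not code from the thread or from IPFilter, that models two documented ipf behaviours well enough to trace where a redirected packet lands in the posted rule order: rules are evaluated top to bottom with the last match winning, except that a matching `quick` rule ends evaluation immediately, and on input ipnat applies `rdr` before the ipf rules run, so ipf sees the rewritten destination address and port. The evaluator parses only the rule syntax that appears in the post; `flags S`, `keep state` and `with ...` options are ignored (assumption: the traced packet is a plain SYN), and the packet addresses are taken from the ipnat session listing quoted in the thread. The excerpt of inbound rules is constructed from the post, in the posted order.

```python
import re
from collections import namedtuple

# Records for the model only (constructed here, not ipf's own structures).
Packet = namedtuple("Packet", "direction iface proto src sport dst dport")
Rule = namedtuple("Rule", "text action direction log quick iface protos src sport dst dport")

def _ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def in_net(ip, net):
    """True if ip lies in net, given as 'any', a single host or a CIDR block."""
    if net == "any":
        return True
    base, _, bits = net.partition("/")
    mask = (0xFFFFFFFF << (32 - int(bits or 32))) & 0xFFFFFFFF
    return _ip_to_int(ip) & mask == _ip_to_int(base) & mask

def port_matcher(spec):
    """Turn an ipf port spec ('= 80' or '1020 >< 1040') into a predicate."""
    if spec is None:
        return lambda p: True
    spec = spec.replace(" ", "")
    if spec.startswith("="):
        n = int(spec[1:])
        return lambda p: p == n
    lo, hi = (int(x) for x in spec.split("><"))
    return lambda p: lo < p < hi  # '><' is exclusive at both ends

_PORT = r"=\s*\d+|\d+\s*><\s*\d+"
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?:\s+(?P<log>log))?(?:\s+(?P<quick>quick))?"
    r"\s+on\s+(?P<iface>\S+)(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:(?P<all>all)|from\s+(?P<src>\S+)(?:\s+port\s+(?P<sport>" + _PORT + r"))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dport>" + _PORT + r"))?)"
    r"(?:\s+flags\s+\S+)?(?:\s+keep\s+state)?\s*$")

def parse_rule(text):
    """Parse one ipf rule (only the syntax used in the posted ruleset)."""
    text = text.split("#")[0].strip()  # drop trailing comments
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    g = m.groupdict()
    protos = tuple(g["proto"].split("/")) if g["proto"] else ()  # () means any proto
    src, dst = ("any", "any") if g["all"] else (g["src"], g["dst"])
    return Rule(text, g["action"], g["dir"], bool(g["log"]), bool(g["quick"]), g["iface"],
                protos, src, port_matcher(g["sport"]), dst, port_matcher(g["dport"]))

def rule_matches(r, pkt):
    if pkt.direction != r.direction or pkt.iface != r.iface:
        return False
    if r.protos and pkt.proto not in r.protos:
        return False
    return (in_net(pkt.src, r.src) and r.sport(pkt.sport)
            and in_net(pkt.dst, r.dst) and r.dport(pkt.dport))

def evaluate(rules, pkt):
    """Last match wins unless a matching rule is quick. Returns (action, rule index)."""
    decision = ("pass", None)  # nothing matched
    for i, r in enumerate(rules):
        if rule_matches(r, pkt):
            decision = (r.action, i)
            if r.quick:
                break
    return decision

def apply_rdr(pkt, iface, dport, new_dst, new_dport):
    """Model 'rdr <iface> 0.0.0.0/0 port <dport> -> <new_dst> port <new_dport> tcp':
    on input ipnat rewrites the destination before ipf sees the packet."""
    if (pkt.direction, pkt.iface, pkt.proto, pkt.dport) == ("in", iface, "tcp", dport):
        return pkt._replace(dst=new_dst, dport=new_dport)
    return pkt

# Excerpt of the inbound rl0 rules from the post, in the posted order.
POSTED_INBOUND = [
    "block in quick on rl0 proto tcp/udp from any to any port = 80",
    "pass in log quick on rl0 proto tcp from any to any port = 6188 flags S keep state",
    "pass in log quick on rl0 proto tcp from any to 10.0.10.4 port = 80 flags S keep state",
    "block in log quick on rl0 proto udp all",
    "block in log quick on rl0 all",
]
# Same rules with the host-specific pass placed ahead of the port-80 block.
REORDERED = [POSTED_INBOUND[2], POSTED_INBOUND[0], POSTED_INBOUND[1]] + POSTED_INBOUND[3:]

def trace_web_request(rule_texts, with_rdr=True):
    """Trace a constructed client SYN to the gateway's public port 6188 (addresses
    from the quoted ipnat session listing), as ipf sees it after rdr or, for
    comparison, without rdr. Returns (action, deciding rule index, rule logs?)."""
    rules = [parse_rule(t) for t in rule_texts]
    pkt = Packet("in", "rl0", "tcp", "65.45.227.95", 2698, "79.69.59.49", 6188)
    if with_rdr:
        pkt = apply_rdr(pkt, "rl0", 6188, "10.0.10.4", 80)
    action, idx = evaluate(rules, pkt)
    return action, idx, (rules[idx].log if idx is not None else False)

if __name__ == "__main__":
    print("posted order, after rdr:   ", trace_web_request(POSTED_INBOUND))
    print("posted order, without rdr: ", trace_web_request(POSTED_INBOUND, with_rdr=False))
    print("reordered, after rdr:      ", trace_web_request(REORDERED))
```

Run stand-alone, the model shows the point a reviewer would check first: after the `rdr` rewrite the packet ipf evaluates is destined for 10.0.10.4 port 80, so in the posted order it is caught by the earlier, non-logging `block in quick ... port = 80` rule before the host-specific `pass in log quick ... to 10.0.10.4 port = 80` rule is ever reached, which would also explain the absence of ipf.log entries. Only a packet still addressed to port 6188, which ipf never sees on input, would reach the `pass ... port = 6188` rule. Placing pass rules for redirected services above the bulk port blocks changes the outcome, as the reordered excerpt demonstrates.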