From owner-freebsd-security Mon Oct 26 17:18:47 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA18516 for freebsd-security-outgoing; Mon, 26 Oct 1998 17:18:47 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns1.seidata.com (ns1.seidata.com [208.10.211.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA18486 for ; Mon, 26 Oct 1998 17:18:33 -0800 (PST) (envelope-from mike@seidata.com)
From: mike@seidata.com
Received: from localhost (mike@localhost) by ns1.seidata.com (8.8.8/8.8.5) with ESMTP id UAA04350; Mon, 26 Oct 1998 20:17:27 -0500 (EST)
Date: Mon, 26 Oct 1998 20:17:26 -0500 (EST)
To: Mike Jenkins
cc: chadth@atvideo.com, freebsd-security@FreeBSD.ORG
Subject: Re: FW: firewall + internal mail server
In-Reply-To: <199810262340.RAA08360@carp.gbr.epa.gov>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 26 Oct 1998, Mike Jenkins wrote:

Interesting that this thread is going on... I've been playing with natd
myself this week. :)  FWIW, some comments about my setup...

I'm just experimenting with a basic straight-through setup, which will
eventually expand to cover a small-ish LAN:

  [serverA]--x--[ipfw_nat]---[inet]

'serverA' (NT4) is connected to 'ipfw_nat' (FreeBSD 3.0-REL). The fbsd
box is doing basic ipfw stuff + nat, since the 'serverA' box (and
eventually the internal net) are on a dummy class (192.168.1.0).
Everything must pass through the fbsd box to get to the internal server,
and everything from the server must pass through the fbsd box to reach
the world... the fbsd and NT boxes are attached via a de facto
cross-over.

serverA is 192.168.1.2 and it connects to xl1 (internal net) on the fbsd
box, which is 192.168.1.1. From there nat will hopefully work its magic
and translate to the real IP addy associated with xl0 (external net) on
the fbsd box.

> So you're starting natd sort of like (minus the pop3):
> /usr/sbin/natd -interface ed0 -redirect_port tcp internalhost:smtp smtp

Personally, it's something like this (xl0 is my public 'world'
interface):

  natd -f /etc/natd.conf -u -m -n xl0

/etc/natd.conf just contains:

  redirect_port tcp 192.168.1.2:21 21
  redirect_port tcp 192.168.1.2:80 80

As you can see, I'm only interested in letting ftp and http traffic hit
the internal server. I'm not running ftpd or httpd on the fbsd box, so
the ports are open... and the ports are allowing 'pass' to the internal
box from the host I'm testing from...

> and you've got IPFIREWALL in the kernel and you're diverting packets
> to natd:

The relevant options entries from my kernel config are:

  options IPFIREWALL
  options IPDIVERT

> /sbin/ipfw add 100 divert natd all from any to any via ed0

Yes, I'm just using the 'simple' firewall config from rc.firewall, with
a few modifications (which will be removed when I'm done testing)...
rc.firewall adds this automatically if natd is set up.

> And it doesn't work?

Nope... attempts to ftp to the internal box from 'outside' just result
in a long pause followed by an 'operation timed out' message.

> Maybe read the natd manual page to make sure you got it set up
> correctly. Also maybe add the -log option to see if natd is having
> problems.

I have... I've been staring at it for a few hours now - maybe that's my
problem. You know how management is... 'We need a firewall for x number
of hosts - as cheaply as possible... today.' ;P

Of course I know I've fumble-fingered something... somewhere. I just
happened to check my mail and, since this thread was already going on, I
figured I'd detail my setup (maybe someone can help me, or maybe this
will help someone else).

Later,

-mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
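An added example, not code from the post above or from FreeBSD: a small Python model of ipfw first-match evaluation with a 'divert natd' rule that applies the two redirect_port mappings from the natd.conf in the post. ipfw resumes at the rule after the divert rule with the translated packet, so an allow rule written against the public address never matches an inbound redirected connection, while one written against 192.168.1.2 does. PUBLIC_IP, the RFC1918 anti-spoofing rule 200 and allow rule 300 are assumptions; the addresses, ports and rule 100 are the poster's.

```python
from dataclasses import dataclass, replace
import ipaddress

PUBLIC_IP = "203.0.113.10"  # assumed placeholder for the real address on xl0
# The poster's /etc/natd.conf redirect_port lines: (proto, public port) -> (host, port)
REDIRECTS = {("tcp", 21): ("192.168.1.2", 21), ("tcp", 80): ("192.168.1.2", 80)}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str
    direction: str  # "in" or "out"

def natd_redirect(pkt):
    """Inbound half of natd -redirect_port: rewrite public dst:port to the internal host."""
    target = REDIRECTS.get((pkt.proto, pkt.dport))
    if pkt.direction == "in" and pkt.dst == PUBLIC_IP and target:
        return replace(pkt, dst=target[0], dport=target[1])
    return pkt  # no mapping: natd hands the packet back unchanged

def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def ruleset(allow_dst):
    """Rules as (number, action, predicate); first match wins, as in ipfw."""
    return [
        (100, "divert", lambda p: p.iface == "xl0"),  # divert natd all from any to any via xl0
        # assumed anti-spoofing rule: drop RFC1918 sources seen on the outside interface
        (200, "deny", lambda p: p.iface == "xl0" and in_net(p.src, "192.168.0.0/16")),
        (300, "allow", lambda p: p.proto == "tcp" and p.dst == allow_dst and p.dport in (21, 80)),
        (65535, "deny", lambda p: True),  # default rule
    ]

def evaluate(pkt, rules):
    """Walk the rules in order. A matching divert rule passes the packet to natd and
    evaluation resumes at the next rule with the translated packet. Returns (action, rule, dst)."""
    for num, action, pred in rules:
        if not pred(pkt):
            continue
        if action == "divert":
            pkt = natd_redirect(pkt)
            continue
        return action, num, pkt.dst
    return "deny", 65535, pkt.dst

RULES_PRIVATE = ruleset("192.168.1.2")  # allow rule keyed on the translated address
RULES_PUBLIC = ruleset(PUBLIC_IP)       # allow rule keyed on the public address: dead after rule 100
```

Evaluate an inbound SYN to PUBLIC_IP:21 against both rulesets to see the difference; only the rule 300 that names 192.168.1.2 ever fires.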