From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 13 14:54:55 2003
Date: Sun, 13 Apr 2003 14:54:54 -0700 (PDT)
From: David Malone <dwmalone@FreeBSD.org>
To: dwmalone@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org
Message-Id: <200304132154.h3DLssSc037036@freefall.freebsd.org>
Subject: Re: kern/50806: The action "skipto" does not work in ipfw2 on FreeBSD 5.0-RELEASE only

Synopsis: The action "skipto" does not work in ipfw2 on FreeBSD 5.0-RELEASE only

Responsible-Changed-From-To: freebsd-bugs->ipfw
Responsible-Changed-By: dwmalone
Responsible-Changed-When: Sun Apr 13 14:52:53 PDT 2003
Responsible-Changed-Why:
Assign this PR to the ipfw list. I'd guess this bug may already have been fixed.

http://www.freebsd.org/cgi/query-pr.cgi?pr=50806

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 13 15:01:16 2003
Date: Sun, 13 Apr 2003 15:01:15 -0700 (PDT)
From: David Malone <dwmalone@FreeBSD.org>
To: dwmalone@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org
Message-Id: <200304132201.h3DM1FkR039189@freefall.freebsd.org>
Subject: Re: bin/50749: ipfw2 incorrectly parses ports and port ranges

Synopsis: ipfw2 incorrectly parses ports and port ranges

Responsible-Changed-From-To: freebsd-bugs->ipfw
Responsible-Changed-By: dwmalone
Responsible-Changed-When: Sun Apr 13 15:00:31 PDT 2003
Responsible-Changed-Why:
Another PR for the ipfw list. Contains a patch for review.

http://www.freebsd.org/cgi/query-pr.cgi?pr=50749

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 13 21:42:37 2003
Date: Sun, 13 Apr 2003 21:42:36 -0700 (PDT)
From: Maxim Konovalov <maxim@FreeBSD.org>
To: proks@uptel.net, maxim@FreeBSD.org, ipfw@FreeBSD.org
Message-Id: <200304140442.h3E4gaNC084496@freefall.freebsd.org>
Subject: Re: kern/50806: The action "skipto" does not work in ipfw2 on FreeBSD 5.0-RELEASE only

Synopsis: The action "skipto" does not work in ipfw2 on FreeBSD 5.0-RELEASE only

State-Changed-From-To: open->closed
State-Changed-By: maxim
State-Changed-When: Sun Apr 13 21:41:12 PDT 2003
State-Changed-Why:
Already fixed in -CURRENT. Please check ERRATA for 5.0-RELEASE:
http://www.freebsd.org/releases/5.0R/errata.html#AEN210

Responsible-Changed-From-To: ipfw->maxim
Responsible-Changed-By: maxim
Responsible-Changed-When: Sun Apr 13 21:41:12 PDT 2003
Responsible-Changed-Why:
Already fixed in -CURRENT. Please check ERRATA for 5.0-RELEASE:
http://www.freebsd.org/releases/5.0R/errata.html#AEN210

http://www.freebsd.org/cgi/query-pr.cgi?pr=50806

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 14 11:01:31 2003
Date: Mon, 14 Apr 2003 11:01:29 -0700 (PDT)
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
To: ipfw@FreeBSD.org
Message-Id: <200304141801.h3EI1TLg047015@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw  ipfw pipe show fails with lots of queues

1 problem total.

Non-critical problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2002/12/07] kern/46080  ipfw  [PATCH] logamount in ipfw2 does not defau
o [2003/01/05] bin/46785   ipfw  [patch] add sets information to ipfw2 -h
o [2003/01/15] bin/47120   ipfw  [patch] Sanity check in ipfw(8)
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r

4 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 15 07:20:54 2003
From: "Belov V." <vit@volia.com>
To: freebsd-ipfw@freebsd.org
Date: Tue, 15 Apr 2003 15:53:30 +0300
Message-ID: <1050411211.383975@smtp.top.net.ua>
Subject: allow vpn clients to connect to internal vpn server

Hi

My private net is 192.168.0.0/24 and has a Win VPN server in it.
Natd has redirection: redirect_port tcp 192.168.0.1:1723 1723
What should be added to allow external vpn clients to connect to my internal vpn server?

My current BSD router has the following ipfw rules:

    add allow ip from any to any via lo0
    add deny all from any to 127.0.0.0/8
    add deny all from 127.0.0.0/8 to any
    add deny all from 192.168.0.0/24 to any in recv de0
    add deny all from any to 10.0.0.0/8 via de0
    add deny all from any to 172.16.0.0/12 via de0
    add deny all from any to 192.168.0.0/16 via de0
    add deny all from any to 0.0.0.0/8 via de0
    add deny all from any to 169.254.0.0/16 via de0
    add deny all from any to 192.0.2.0/24 via de0
    add deny all from any to 224.0.0.0/4 via de0
    add deny all from any to 240.0.0.0/4 via de0
    add deny tcp from any to any 137-139 via de0
    add deny tcp from any to any 137-139 via de0
    add fwd 192.168.0.10,3128 tcp from 192.168.0.0/24 to any 80
    add divert 8668 all from any to any via de0
    add pass tcp from any to any established
    add pass ip from any to any frag
    add pass tcp from any to ip_of_external_interface 25 setup
    add pass tcp from any to any 1723 setup
    add pass tcp from any to any 4899 setup
    add pass tcp from any to ip_of_external_interface 53 setup
    add pass udp from any to ip_of_external_interface 53
    add pass udp from ip_of_external_interface 53 to any
    add deny log tcp from any to any in via de0 setup
    add pass tcp from any to any setup
    add pass udp from any to any 53 keep-state

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 15 07:29:15 2003
Message-ID: <4353ECE13C553F46B95EA6A1EFC82BEF01C3EA20@msmail.unitedway.org>
From: "Dang.Johnny" <Johnny.Dang@uwa.unitedway.org>
To: "'Belov V.'"
<vit@volia.com>, freebsd-ipfw@freebsd.org
Date: Tue, 15 Apr 2003 10:29:02 -0400
Subject: RE: allow vpn clients to connect to internal vpn server

You will also need the gre protocol. Also on the WAN side you will need to allow both in and out of tcp 1723 and gre.

I hope this helps.

JD

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 15 12:31:59 2003
From: "The Jetman" <jetman516@hotmail.com>
To: "FBSD IPFW"
Date: Tue, 15 Apr 2003 15:30:22 -0400
Subject: Why Does This Work ?

I'm using 4.8-RELEASE to implement a MAC-filtering bridge for my wireless network.
Although I am relatively new w/ FBSD (since Apr '02), I've been getting the desired results writing my own rules for IPFW. My 1st attempt w/ IPFW2 was successful, but I can't figure out why!

    ${fwcmd} -f flush

    #### permit all traffic from our wksta to anywhere via our internal iface
    (1) ${fwcmd} add permit ${ipanyany} MAC any ${wksmac} in via ${iif}
        ${fwcmd} add permit ${ipanyany} MAC ${wksmac} any out via ${iif}

    #### permit all traffic from/to the outside iface....
        ${fwcmd} add permit ${ipanyany} MAC ${oifmac} any in via ${oif}
        ${fwcmd} add permit ${ipanyany} MAC any ${oifmac} out via ${oif}

    #### block anything else coming from/going to the internal iface....
    (2) ${fwcmd} add deny log ${ipanyany} MAC any any in via ${iif}

    (3) ${fwcmd} add allow ${ipanyany}

Only rules (1), (2), and (3) fire. Rule (1) fires for obvious reasons (because it matches the pattern I've anticipated). Because of how IP-based IPFW1 rules work, I *thought* one would have to have matching inbound/outbound rules. What's most baffling is that while non-approved MAC addrs are blocked as desired [at rule (2)], legal traffic is permitted back thru the bridge to its sender [via rule (3)]. WHY????

I'm only showing the simplest example of the scripts I've been experimenting with. I've got other scripts that do permit other MACs thru the bridge (either wireless or Ethernet), so I'm close to what I want. My principal concern is that I don't rely on bogus (i.e. broken) behavior of IPFW2, only to discover at some unspecified time in the future that this was never really working and my LAN was never really protected. Or worse still, after I start making the script more complex, something unrelated goes wrong.

The only help I've been able to find is a single site, where a guy showed his 1st effort at an IPFW2 script, intended to do the same thing I'm trying to do. Actually, I used his script as a starting place for my efforts.

TIA....Jet

=============== From the desk of Jethro Wright, III ================
+ Never attribute to malice that which is adequately explained by +
+ incompetence.                                                   +
=== jetman516@hotmail.com ===================== Hanlon's Razor ===

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 15 14:59:03 2003
Date: Wed, 16 Apr 2003 00:58:52 +0300
From: Ruslan Ermilov <ru@FreeBSD.org>
To: "Belov V."
Message-ID: <20030415215852.GA57610@sunbay.com>
In-Reply-To: <1050411211.383975@smtp.top.net.ua>
cc: freebsd-ipfw@freebsd.org
Subject: Re: allow vpn clients to connect to internal vpn server

On Tue, Apr 15, 2003 at 03:53:30PM +0300, Belov V. wrote:
> Hi
> My private net is 192.168.0.0/24 and has Win VPN server in it.
> Natd has redirection: redirect_port tcp 192.168.0.1:1723 1723
> What should be added to allow external vpn clients to connect to my internal
> vpn server?
>
> My current BSD router has the following ipfw rules:
> [...]

With the default ``allow ip from any to any'' it was enough to redirect
only TCP port 1723 to an internal machine:

: src/lib/libalias/alias_pptp.c revision 1.4
: date: 2000/10/30 12:39:41;  author: ru;  state: Exp;  lines: +129 -53
: A significant rewrite of PPTP aliasing code.
:
: PPTP links are no longer dropped by simple (and inappropriate in this
: case) "inactivity timeout" procedure, only when requested through the
: control connection.
:
: It is now possible to have multiple PPTP servers running behind NAT.
: Just redirect the incoming TCP traffic to port 1723, everything else
: is done transparently.
:
: Problems were reported and the fix was tested by:
: Michael Adler,
: David Andersen

If your default rule is ``deny ip from any to any'', you should also
allow for the protocol ``gre'' traffic.

Cheers,
--
Ruslan Ermilov          Sysadmin and DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 15 15:46:49 2003
Message-Id: <200304152246.IAA18651@lightning.itga.com.au>
From: Gregory Bond <gnb@itga.com.au>
To: "Belov V."
In-reply-to: Your message of Tue, 15 Apr 2003 15:53:30 +0300.
Date: Wed, 16 Apr 2003 08:46:41 +1000
cc: freebsd-ipfw@freebsd.org
Subject: Re: allow vpn clients to connect to internal vpn server

> My private net is 192.168.0.0/24 and has Win VPN server in it.
> Natd has redirection: redirect_port tcp 192.168.0.1:1723 1723
> What should be added to allow external vpn clients to connect to my internal
> vpn server?

This is what we have for the VPN server rules, _AFTER_ the NATD diversion:

    ${fwcmd} add pass gre from any to ${terminator}
    ${fwcmd} add pass gre from ${terminator} to any
    ${fwcmd} add pass gre from ${oip} to any out xmit ${oif}
    ${fwcmd} add pass tcp from any to ${terminator} pptp setup

where of course ${terminator} is the IP address of the internal VPN server.
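The GRE point made in Ruslan Ermilov's and Gregory Bond's replies, as an added example that is not part of the thread: a small first-match evaluator for the subset of ipfw syntax these rules use, run over the two rules in Belov V.'s set that a PPTP client can hit, first under a default-allow and then a default-deny policy, and finally with Gregory Bond's gre rules appended. The evaluator and the client address 198.51.100.7 are constructed; it is not ipfw's real matcher.

```python
"""Added example: first-match walk over the subset of ipfw syntax the thread uses.

Handles action, protocol, 'from SRC to DST [PORT]' and the TCP 'setup' /
'established' options; interface clauses ('via', 'in recv', 'out xmit') are
ignored. Packets are modelled after natd's divert, i.e. with the destination
already rewritten to the internal PPTP server, which is where Belov V.'s VPN
rules sit. A constructed model, not ipfw's real matcher.
"""
from dataclasses import dataclass
from typing import Optional

VPN_SERVER = "192.168.0.1"   # internal Windows PPTP server from the thread
CLIENT = "198.51.100.7"      # constructed external VPN client address
SERVICES = {"pptp": 1723}    # service name used in Gregory Bond's rules
ACTIONS = {"allow": "pass", "pass": "pass", "deny": "deny"}

@dataclass
class Packet:
    proto: str                   # "tcp", "udp", "gre", ...
    src: str
    dst: str
    dport: Optional[int] = None
    syn_only: bool = False       # ipfw 'setup': SYN set, ACK clear
    established: bool = False    # ipfw 'established': ACK or RST set

@dataclass
class Rule:
    action: str                  # "pass" or "deny"
    proto: str                   # "all" and "ip" match every protocol
    src: str
    dst: str
    dport: Optional[int]
    setup: bool
    established: bool

def parse_rule(text: str) -> Rule:
    """Parse '[add] ACTION PROTO from SRC to DST [PORT] [options...]'."""
    toks = text.split()
    if toks[0] == "add":
        toks = toks[1:]
    action, proto = ACTIONS[toks[0]], toks[1]
    src = toks[toks.index("from") + 1]
    to = toks.index("to")
    dst, rest = toks[to + 1], toks[to + 2:]
    dport = None
    if rest and (rest[0].isdigit() or rest[0] in SERVICES):
        tok = rest.pop(0)
        dport = SERVICES.get(tok) or int(tok)
    return Rule(action, proto, src, dst, dport,
                "setup" in rest, "established" in rest)

def matches(rule: Rule, pkt: Packet) -> bool:
    # Exact-host matching only; CIDR masks are outside this subset.
    if rule.proto not in ("all", "ip") and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.setup and not pkt.syn_only:
        return False
    if rule.established and not pkt.established:
        return False
    return True

def evaluate(rules, pkt: Packet, default: str):
    """Return (verdict, 1-based index of the matching rule, None for default)."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, n
    return default, None

# The two rules in Belov V.'s set that a PPTP client's packets can hit.
ORIGINAL_RULES = [
    "add pass tcp from any to any established",
    "add pass tcp from any to any 1723 setup",
]

# Gregory Bond's rules with ${terminator} filled in; his ${oip} rule covers
# the router's own outbound GRE and is not exercised by this packet set.
GRE_RULES = [
    f"add pass gre from any to {VPN_SERVER}",
    f"add pass gre from {VPN_SERVER} to any",
    f"add pass tcp from any to {VPN_SERVER} pptp setup",
]

# A PPTP session is two flows: the TCP 1723 control connection and the
# GRE tunnel (IP protocol 47) that actually carries the PPP frames.
CONTROL_SYN = Packet("tcp", CLIENT, VPN_SERVER, 1723, syn_only=True)
GRE_DATA = Packet("gre", CLIENT, VPN_SERVER)

def vpn_verdicts(rule_texts, default: str) -> dict:
    """Verdict for each PPTP flow under the given default policy."""
    rules = [parse_rule(r) for r in rule_texts]
    return {"control": evaluate(rules, CONTROL_SYN, default)[0],
            "gre": evaluate(rules, GRE_DATA, default)[0]}

if __name__ == "__main__":
    print("default deny:", vpn_verdicts(ORIGINAL_RULES, "deny"))
    print("deny + gre:  ", vpn_verdicts(ORIGINAL_RULES + GRE_RULES, "deny"))
```

With a default-deny policy the control connection is passed by the 1723 rule while the GRE packets fall through to the default and are dropped, which is the case Ruslan Ermilov's last sentence addresses.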
From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 15 18:49:50 2003
From: chris.ahlers@mail-space.net
To: freebsd-ipfw@freebsd.org
Date: Tue, 15 Apr 2003 18:49:46 -0700
Message-ID: <000001c303ba$75cc27a0$3401a8c0@neptune>
Subject: IPFW/NATD: Client behind firewall connecting to server behind firewall AS IF it were really EXTERNAL

I have successfully implemented NAT w/ dynamic rules on my firewall, and have a question about a SPECIAL case that I would like to implement.

Everything works for external (internet) hosts coming in to my internal (NAT-ed, behind firewall) webserver. Everything works for my client PCs to access the internet, etc. I will spare everybody the typical and predictable rulesets that everybody uses in common; instead I will only give the relevant information for the discussion.

    firewall external IP = a.a.a.15 (internet ip address)
    firewall internal IP = b.b.b.254 (private ip address)

    NATD: alias_address = a.a.a.15
    NATD: redirect_port tcp b.b.b.100:80 80
    NATD: deny_incoming

    webserver internal IP = b.b.b.100
    example client pc IP = b.b.b.57
    client pc gateway IP = b.b.b.254 (firewall)

QUESTION: So, EXTERNAL hosts will connect to a.a.a.15 to connect to my webserver, and the nat/redirect happens just fine. However, INTERNAL hosts are unable to connect to my webserver via a.a.a.15 (since this is not actually the webserver's address). How can I get an internal host to connect to my internal webserver as if the webserver were actually at the external IP?

BEFORE anybody starts recommending that I simply just point the internal host directly at the internal webserver OR that I change my DNS config to have an inside view, etc., I would like to point out that my $75 Linksys router will do EXACTLY what I am asking for automatically.

It seems that when the internal client PC attempts to connect, I have to NAT the external webserver IP to the INTERNAL IP, then NAT & connect on behalf of the client PC.

Any suggestions?

C_Ahlers
code-space.com

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 15 23:24:14 2003
Date: Tue, 15 Apr 2003 23:23:49 -0700
From: Darren Pilgrim <dmp@pantherdragon.org>
To: chris.ahlers@mail-space.net
Message-Id: <20030415232349.45b4e8a1.dmp@pantherdragon.org>
In-Reply-To: <000001c303ba$75cc27a0$3401a8c0@neptune>
cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW/NATD: Client behind firewall connecting to server behind firewall AS IF it were really EXTERNAL

chris.ahlers@mail-space.net wrote:
[trimmed for relevance]
>firewall external IP = a.a.a.15 (internet ip address)
>firewall internal IP = b.b.b.254 (private ip address)
>
>NATD: alias_address = a.a.a.15
>NATD: redirect_port tcp b.b.b.100:80 80
>NATD: deny_incoming
>
>webserver internal IP = b.b.b.100
>example client pc IP = b.b.b.57
>client pc gateway IP = b.b.b.254 (firewall)
>
<...>
>However, INTERNAL hosts are unable to connect to my webserver via
>a.a.a.15 (since this is not actually the webserver's address).
<...>
>Any suggestions?

Use an ipfw forward rule for the requests coming from the LAN. Read ipfw(8) for the appropriate syntax.

Explanation: a.a.a.15 is a local address according to the firewall box, so it isn't going to route anything destined for a.a.a.15 out an interface. Since natd is configured to only act upon packets crossing the external interface, it never sees the LAN-sourced requests for a.a.a.15, thus the redirection never takes place.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 16 14:12:17 2003
From: "C_Ahlers" <freebsd@code-space.com>
To: "'Darren Pilgrim'" <dmp@pantherdragon.org>
Date: Wed, 16 Apr 2003 14:12:13 -0700
Message-ID: <000001c3045c$da5d0f20$3401a8c0@neptune>
In-Reply-To: <20030415232349.45b4e8a1.dmp@pantherdragon.org>
cc: freebsd-ipfw@freebsd.org
Subject: RE: IPFW/NATD: Client behind firewall connecting to server behind firewall AS IF it were really EXTERNAL

Thank you.

I do understand what you are suggesting in principle, and I do understand the syntax of ipfw forward rules. However, I just am not sure exactly how to create the correct forward rule.

Would this be correct?:

    ipfw add fwd a.a.a.15 all from b.b.b.0/24 to a.a.a.15

I forgot to describe earlier that:

    gateway_enable="YES"

Does this have any effect on the discussion?

(sorry if it seems that I have concrete between my ears)

C_ahlers
From: Darren Pilgrim
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 16 Apr 2003 14:40:35 -0700
Subject: Re: IPFW/NATD: Client behind firewall connecting to server behind firewall AS IF it were really EXTERNAL

"C_Ahlers" wrote:
> I do understand what you are suggesting in principle, and I do
> understand the syntax of ipfw forward rules.
> However, I just am not sure exactly how to create the correct forward
> rule. Would this be correct?:
>
> ipfw add fwd a.a.a.15 all from b.b.b.0/24 to a.a.a.15

The ipaddr immediately after "fwd" is the ip address you want the packets forwarded to. The scope of that rule is dangerous, IMO. It could interfere with natd since it will also match on the external interface. A better rule is one made very specific:

ipfw add fwd b.b.b.100,80 tcp from b.b.b.0/24 to a.a.a.15 80 in via $iif

Where iif is replaced with the name of your internal interface.

> I forgot to describe earlier that: gateway_enable="YES". Does this have
> any effect on the discussion?

No, the gateway_enable option just tells the system to function as a router for arriving packets destined for non-local addresses.

> (sorry if it seems that I have concrete between my ears)

What happens inside firewalls isn't always obvious or simple.
From: "C_Ahlers" (freebsd@code-space.com)
To: 'Darren Pilgrim'
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 16 Apr 2003 16:36:16 -0700
Subject: RE: IPFW/NATD: Client behind firewall connecting to server behind firewall AS IF it were really EXTERNAL

Am I missing something? If I do:

(...)
ipfw add divert natd all from any to any via $oif
ipfw add fwd b.b.b.100,80 tcp from b.b.b.0/24 to a.a.a.15 80 in via $iif
(...)

And say, client b.b.b.57 attempts to connect to a.a.a.15:80 - the forward rule will send it out AS IS to b.b.b.100:80 on the internal interface:

1) No NAT will occur because NAT is set up only on the external interface
2) The packet's dest ipaddr is not changed: it is still a.a.a.15, and will not be routed to anything on b.b.b.0/24

Do I need to NAT on $iif as well? Or do I:

ipfw add fwd a.a.a.15,80 tcp from b.b.b.0/24 to a.a.a.15 in via $iif

?

Not trying to argue, just trying to get to the bottom of this...

Respectfully,
C_Ahlers
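The two objections just raised (NAT only on $oif, destination address unchanged) together with Darren's earlier warning about the scope of the draft fwd rule, as an added example that is not part of the thread: a sh script that emits the draft and the reviewed rule order for inspection and lints every fwd rule for the missing protocol, port and inbound-interface constraints. The interface names ext0 and int0 are assumptions; the addresses are the thread's own placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. It prints the ipfw rules under
# discussion so they can be reviewed before loading, and lints every "fwd"
# rule for the scope problem Darren raises: a forward rule that is not tied
# to a protocol, a port and the inbound LAN interface can also match on the
# external interface, where natd's divert lives. Nothing here calls ipfw.
# Interface names are assumptions; a.a.a.15, b.b.b.0/24 and b.b.b.100 are
# the thread's placeholders.
OIF="${OIF:-ext0}"     # assumed external interface ($oif in the thread)
IIF="${IIF:-int0}"     # assumed internal interface ($iif in the thread)
EXTIP="a.a.a.15"       # natd alias address, the firewall's public IP
LAN="b.b.b.0/24"
WEB="b.b.b.100"        # web server on the LAN

# The draft from the first question: any protocol, any port, any interface.
broad_fwd_rule() {
    printf 'add fwd %s all from %s to %s\n' "$EXTIP" "$LAN" "$EXTIP"
}

# Darren's version: TCP to port 80 only, and only packets entering on the
# LAN side, so it cannot match on $OIF.
narrow_fwd_rule() {
    printf 'add fwd %s,80 tcp from %s to %s 80 in via %s\n' \
        "$WEB" "$LAN" "$EXTIP" "$IIF"
}

# A fwd rule counts as scoped when it names a real protocol (not all/ip),
# restricts the destination port, and is bound to an inbound interface.
rule_is_scoped() {
    rule="$1"
    case "$rule" in
        *" all from "*|*" ip from "*) return 1 ;;
    esac
    case "$rule" in
        *" in via "*|*" in recv "*) ;;
        *) return 1 ;;
    esac
    # a port (or port range) must follow the destination address
    expr "$rule" : '.* to [^ ]* [0-9][0-9-]* .*' >/dev/null || return 1
}

# Rule order as posted in the thread, with the draft fwd rule ...
draft_rules() {
    printf '%s\n' '-f flush'
    printf 'add divert natd all from any to any via %s\n' "$OIF"
    broad_fwd_rule
}

# ... and with the specific one. natd still acts only on $OIF, so, as the
# question above says, the forwarded packet keeps destination a.a.a.15 and
# the web server answers from b.b.b.100; whether NAT on $IIF is needed as
# well is the open point the thread goes on to.
reviewed_rules() {
    printf '%s\n' '-f flush'
    printf 'add divert natd all from any to any via %s\n' "$OIF"
    narrow_fwd_rule
}

# Lint a rule generator: fail on the first fwd rule that is not scoped.
check_rules() {
    "$1" | while IFS= read -r line; do
        case "$line" in
            "add fwd "*)
                rule_is_scoped "$line" ||
                    { printf 'unscoped fwd rule: %s\n' "$line" >&2; exit 1; } ;;
        esac
    done
}

# Print the reviewed set in loadable form; pipe the output to sh to apply.
reviewed_rules | sed 's/^/ipfw /'
```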
From: Darren Pilgrim
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 16 Apr 2003 17:20:31 -0700
Subject: Re: IPFW/NATD: Client behind firewall connecting to server behind firewall AS IF it were really EXTERNAL

"C_Ahlers" wrote:
> Am I missing something?
>
> If I do:
>
> (...)
> ipfw add divert natd all from any to any via $oif
> ipfw add fwd b.b.b.100,80 tcp from b.b.b.0/24 to a.a.a.15 80 in via $iif
> (...)
>
> And say, client b.b.b.57 attempts to connect to a.a.a.15:80 - the
> forward rule will send it out AS IS to b.b.b.100:80 on the internal
> interface
>
> 1) No NAT will occur because NAT is set up only on the external interface

Correct.

> 2) The packet's dest ipaddr is not changed: it is still a.a.a.15, and
> will not be routed to anything on b.b.b.0/24

The forwarding behaviour is explained in ipfw(8).

> Do I need to NAT on $iif as well?

Probably, unless you don't need the webserver to be answering from the address the client expects it to.

From: yossman
Cc: yossman@waterloo.yossman.net
Date: Fri, 18 Apr 2003 14:17:10 -0400 (EDT)
Subject: ipfw dummynet: limiting packets per second (limit pps)?

good day,

i've been searching for the last while for a way to use FreeBSD's ipfw and dummynet implementations to limit the number of packets per second destined for any matching network traffic pipe. oddly, i can't find very much information on doing this at all, save for a patch written in 1999 that i found at:

http://www.geocrawler.com/archives/3/165/1999/3/0/1433347/

"... ipfw pipe NNN config pps S

where S is the allowed number of packets per second, and, of course, other parameters (bw, delay, queue and plr) can be given simultaneously.

-- NAGAO Tadaaki <> Applied Technology Division, Internet Initiative Japan Inc. ..."

this of course doesn't seem to actually be in current ipfw though, i tried it. ;-)

is there some reason limiting packets per second is not an option at the moment? or does the capability already exist, and i'm just looking in the wrong places?

any hints would be appreciated, thanks!
yossman

From: "The Jetman" (jetman516@hotmail.com)
To: "FBSD IPFW"
Date: Fri, 18 Apr 2003 17:47:50 -0400
Subject: [Q-4.8-R] Can Anyone Help With Questions About MAC Filtering and IPFW2 ?

I'm using 4.8-RELEASE to implement a MAC-filtering bridge for my wireless network. Altho I am relatively new w/ FBSD (since Apr '02), I've been getting the desired results writing my own rules for IPFW. My 1st attempt w/ IPFW2 was successful, but I can't figure out why !

${fwcmd} -f flush

#### permit all traffic from our wksta to anywhere via our internal iface
(1) ${fwcmd} add permit ${ipanyany} MAC any ${wksmac} in via ${iif}
    ${fwcmd} add permit ${ipanyany} MAC ${wksmac} any out via ${iif}

#### permit all traffic from/to the outside iface....
    ${fwcmd} add permit ${ipanyany} MAC ${oifmac} any in via ${oif}
    ${fwcmd} add permit ${ipanyany} MAC any ${oifmac} out via ${oif}

#### block anything else coming from/going to the internal iface....
(2) ${fwcmd} add deny log ${ipanyany} MAC any any in via ${iif}

(3) ${fwcmd} add allow ${ipanyany}

Only rules (1), (2), and (3) fire. Rule (1) fires for obvious reasons (bec it matches the pattern I've anticipated.) Bec of how IP-based IPFW1 rules work, I *thought* one would have to have matching inbound/outbound rules. What's most baffling is that while non-approved MAC addrs are blocked as desired [at rule (2)], legal traffic is permitted back thru the bridge to its sender [via rule (3).] WHY ????

I'm only showing the simplest example of the scripts I've been experimenting with. I've got other scripts that do permit other MACs thru the bridge (either wireless or Ethernet), so I'm close to what I want. My principal concern is that I don't rely on bogus (ie. broken) behavior of IPFW2, only to discover at some unspecified time in the future, this was never really working and my LAN was never really protected. Or worse still, after I start making the script more complex, something unrelated goes wrong.

The only help I've been able to find is a single site, where a guy showed his 1st effort at an IPFW2 script, intended to do the same thing I'm trying to do. Actually, I used his script as a starting place for my efforts.

TIA....Jet

=============== From the desk of Jethro Wright, III ================
+ Never attribute to malice that which is adequately explained by +
+ incompetence.
=== jetman516@hotmail.com ===================== Hanlon's Razor ===

From: "clemens fischer"
To: freebsd-ipfw@freebsd.org
Date: 19 Apr 2003 10:07:07 +0200
Subject: Re: [Q-4.8-R] Can Anyone Help With Questions About MAC Filtering and IPFW2 ?

"The Jetman":
> I'm using 4.8-RELEASE to implement MAC-filtering bridge for my
> wireless network. Altho I am relatively new w/ FBSD (since Apr '02),
> I've been getting the desired results writing my own rules for IPFW. My
> 1st attempt w/ IPFW2 was successful, but I can't figure out why !

please (i) check the packet flow picture in the man page, (ii) post your rules with variables substituted, (iii) post the original rules from "a guy showed his 1st effort" and (iv) your working ipfw1 rules, unless this gets to be several hundred lines, of course. also, there's no information on the structure of your network.

"The recv interface can be tested on either incoming or outgoing packets, while the xmit interface can only be tested on outgoing packets. So out is required (and in is invalid) whenever xmit is used. A packet may not have a receive or transmit interface: packets originating from the local host have no receive interface, while packets destined for the local host have no transmit interface."

> (3) ${fwcmd} add allow ${ipanyany}

(3) is dangerous if you don't understand the matching! there's no anti-spoofing.

clemens

From: Sten Daniel Sørsdal (sten.daniel.sorsdal@wan.no)
Date: Sat, 19 Apr 2003 23:36:02 +0200
Subject: skipto doesnt jump backwards
Are there any reasons to why skipto can't jump backwards?

- Sten

From: Bill Fumerola
To: Sten Daniel Sørsdal
Cc: freebsd-ipfw@freebsd.org
Date: Sat, 19 Apr 2003 15:27:12 -0700
Subject: Re: skipto doesnt jump backwards

On Sat, Apr 19, 2003 at 11:36:02PM +0200, Sten Daniel Sørsdal wrote:
>
> Are there any reasons to why skipto can't jump backwards?

10 print "no good reason"
20 goto 10

yes you could detect this - for a cost. are there any reasons why you'd want skipto to jump backwards? what problem are you trying to solve?

--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org
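Returning to the MAC-filtering bridge exchange above (Jetman's rule set and clemens' reply), as an added example that is code from neither poster: a sh script that prints the posted rules with the variables substituted, as clemens asked, beside a default-deny version, and checks both for a trailing catch-all permit and for permit rules that do not cover the return frames. The interface names wi0 and xl0 and the MAC addresses are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. It prints Jetman's bridge rules with the
# variables substituted (what clemens asked for) beside a version with no
# trailing "allow any", and checks both for the two things clemens flags:
# a catch-all permit at the end, and permit rules that do not cover the
# frames they are meant to. Nothing here calls ipfw. Interface names and MAC
# addresses are constructed placeholders, not values from the thread.
IIF="${IIF:-wi0}"              # assumed wireless (inside) interface
OIF="${OIF:-xl0}"              # assumed wired (outside) interface
WKSMAC="00:11:22:33:44:55"     # constructed: the workstation allowed through
OIFMAC="00:aa:bb:cc:dd:ee"     # constructed: the MAC of $OIF itself
IPANYANY="ip from any to any"

# The rules as posted. In ipfw2 the option is "MAC dst-mac src-mac", so
# "MAC $OIFMAC any in via $OIF" only matches frames addressed to the bridge
# box's own wired interface. A bridge is transparent: a reply crossing it to
# the workstation keeps dst $WKSMAC, so that rule cannot match it, and with
# the out rules not firing either (as reported) the trailing "allow" is what
# lets the reply through. That is why only rules (1), (2) and (3) fire.
posted_rules() {
    cat <<EOF
-f flush
add permit $IPANYANY MAC any $WKSMAC in via $IIF
add permit $IPANYANY MAC $WKSMAC any out via $IIF
add permit $IPANYANY MAC $OIFMAC any in via $OIF
add permit $IPANYANY MAC any $OIFMAC out via $OIF
add deny log $IPANYANY MAC any any in via $IIF
add allow $IPANYANY
EOF
}

# Same policy, stated on entry to the bridge only: frames from the
# workstation on the wireless side, frames to the workstation on the wired
# side, everything else logged and dropped. Traffic to the bridge host's own
# addresses (dst $OIFMAC or $IIF's MAC) would need its own permit lines.
hardened_rules() {
    cat <<EOF
-f flush
add permit $IPANYANY MAC any $WKSMAC in via $IIF
add permit $IPANYANY MAC $WKSMAC any in via $OIF
add deny log $IPANYANY MAC any any in via $IIF
add deny log $IPANYANY MAC any any in via $OIF
add deny log $IPANYANY
EOF
}

# Does the last rule of a generator's output drop what nothing else matched?
default_denies() {
    [ "$("$1" | awk '/^add /{a=$2} END{print a}')" = "deny" ]
}

# For every source MAC permitted inbound on $IIF, is there a permit for
# frames to that MAC inbound on $OIF? Prints each uncovered MAC, fails if any.
replies_covered() {
    "$1" | awk -v iif="$IIF" -v oif="$OIF" '
        { d = ""; s = ""
          for (i = 1; i <= NF; i++) if ($i == "MAC") { d = $(i+1); s = $(i+2) } }
        $1 == "add" && $2 ~ /^(permit|allow|pass|accept)$/ && $(NF-2) == "in" {
            if ($NF == iif && s != "any") want[s] = 1
            if ($NF == oif) have[d] = 1
        }
        END {
            for (m in want) if (!(m in have)) { print "no reply rule for " m; bad = 1 }
            exit bad
        }'
}

# Print the hardened set in loadable form; pipe the output to sh to apply.
# On 4.x the bridge hands frames to ipfw only with net.link.ether.bridge_ipfw=1.
hardened_rules | sed 's/^/ipfw /'
```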