From owner-freebsd-ipfw Tue Jan 22 6:19:29 2002
From: "Rami W. Qutub"
Subject: Gateway & Firewall
Date: Tue, 22 Jan 2002 16:19:45 +0200
Organization: IDS Software Systems
Message-ID: <008001c1a34f$d809cf70$9600000a@rami>

Hi All,

I am facing a problem in installing and configuring my FreeBSD Gateway Server. I installed FreeBSD 4.4 on the server, and then changed the /etc/rc.conf file by adding the following lines:

    gateway_enable="YES"
    firewall_enable="YES"
    firewall_type="OPEN"
    natd_enable="YES"
    natd_interface="xl1"
    natd_flags=""

Then I re-compiled the kernel after adding:

    options IPFIREWALL
    options IPDIVERT
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_FORWARD

Before doing all the above I installed 2 network cards on the server, and I gave the first one, "xl1", the external IP with DNS name, etc. And I gave the second one an internal IP.

So what else shall I do to run the system!!??

Please advise.
Rami

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Jan 22 6:23:20 2002
From: "Rami W. Qutub"
Subject: Gateway & Firewall
Date: Tue, 22 Jan 2002 16:23:30 +0200
Organization: IDS Software Systems
Message-ID: <008201c1a350$5e63e240$9600000a@rami>

[Same text as the previous message, posted a second time.]
Rami

From owner-freebsd-ipfw Tue Jan 22 6:27:42 2002
From: Barry Irwin
To: "Rami W. Qutub"
Cc: FREEBSD-IPFW@freebsd.org
Subject: Re: Gateway & Firewall
Date: Tue, 22 Jan 2002 16:33:02 +0200
Message-ID: <20020122163302.V32746@itouchlabs.com>
In-Reply-To: <008201c1a350$5e63e240$9600000a@rami>

You need a firewall rule to pass traffic to natd. Have a look at the natd man page; it describes this. You need something like:

    ipfw add 100 divert natd ip from any to any via xl1

but please refer to the man page above for more details. The ipfw man page should also be read.
Barry

-- 
Barry Irwin                 bvi@itouchlabs.com        +27214875150
Systems Administrator: Networks And Security
Itouch Labs                 http://www.itouchlabs.com  South Africa

From owner-freebsd-ipfw Tue Jan 22 9:18:37 2002
From: Ramiro Vázquez
Subject: Using ipfw to make a "Dynamic NAT depending of protocol L7"
Date: Tue, 22 Jan 2002 11:19:27 -0600
Message-ID: <008101c1a368$f23b1890$1500a8c0@corp.megared.net.mx>
Hi,

We work at a cable ISP and we are using NAT & PAT to provide enough IP addresses to our customers.

We have experienced problems with certain applications, mostly with peer-to-peer applications like MSN Messenger. Some features like the send-files function don't work. We put a sniffer on and discovered that when one of our customers tries to send a file to someone outside our net, the application does this:

    1.- The application opens a port (6891-6899).
    2.- Sends the IP of the machine (the private IP) and the port that is listening.
    3.- The other peer tries to connect to the private IP and the port that it had received.
    4.- The connection fails.

We modified a proxy to change the packet that the application sends with the private IP and the local port, replacing them with a public IP and another port; then the proxy sends these changes to an application that just maps or forwards the port that we sent to the peer outside to the real IP and port of our customer.

This solution works and we are going to begin testing with more connections, but maybe it is not the best solution; one disadvantage is that the customer must specify a proxy and it's hard work.

We think that if we could make these changes with ipfw or ip-filters and then add a rule to natd or ip-nat to forward the port, it would be more efficient.

Then we could redirect the traffic of MSN to ipfw or ip-filters and make it all transparent to our customers.

We think that we can do this for the most important applications to solve this problem, and it's very important because we use a lot of PAT and many applications can't work with the complete features.

Is it possible to make this with ipfw?? Is anybody working around this??

Any idea or comment would be helpful!!
Thanks.

Ramiro Vazquez
Megacable

From owner-freebsd-ipfw Tue Jan 22 9:24:05 2002
From: "Mustafa N. Deeb"
To: Ramiro Vázquez
Subject: Re: Using ipfw to make a "Dynamic NAT depending of protocol L7"
Date: Tue, 22 Jan 2002 19:23:03 +0200
Message-Id: <5.1.0.14.0.20020122192225.00b4c9c0@mail.palnet.com>
In-Reply-To: <008101c1a368$f23b1890$1500a8c0@corp.megared.net.mx>

Well, the MSN guys say that MSN behind private addressing won't work unless you use a SOCKS server... ONLY...

Cheers
From owner-freebsd-ipfw Tue Jan 22 9:26:35 2002
From: Ruslan Ermilov
To: Ramiro Vázquez
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Using ipfw to make a "Dynamic NAT depending of protocol L7"
Date: Tue, 22 Jan 2002 19:26:03 +0200
Message-ID: <20020122192603.C58453@sunbay.com>
In-Reply-To: <008101c1a368$f23b1890$1500a8c0@corp.megared.net.mx>
If you know the MSN protocol, it should be pretty easy to add the required glue to libalias(3) to do the necessary payload stubs, etc., so that this works transparently through a natd(8) and/or ppp(8).
Cheers,
-- 
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-ipfw Tue Jan 22 12:14:49 2002
From: "alexus"
Subject: Fw: -1 refuse ?
Date: Tue, 22 Jan 2002 15:14:04 -0500
Organization: NexGen
Message-ID: <007f01c1a381$669739e0$0d00a8c0@alexus>

Or like the other day I got this:

    icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
    icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
    icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
    icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100
    icmp redirect from 66.157.145.63: 10.10.10.101 => 10.10.10.100

Subject: -1 refuse ?
I just never saw anything like that:

    ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)
    ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)
    ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)
    ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)

    c# ipfw show|grep deny
    00200    0    0 deny ip from any to 127.0.0.0/8
    00300    0    0 deny ip from 127.0.0.0/8 to any
    01313   11  528 deny tcp from any to any 65535 in recv fxp0
    03306    0    0 deny tcp from any to any 3306 in recv fxp0
    65535    1   60 deny ip from any to any
    c#

Which rule denied it??

From owner-freebsd-ipfw Tue Jan 22 12:18:11 2002
From: Barry Irwin
To: alexus
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Fw: -1 refuse ?
Date: Tue, 22 Jan 2002 22:23:08 +0200
Message-ID: <20020122222308.B32746@itouchlabs.com>
In-Reply-To: <007f01c1a381$669739e0$0d00a8c0@alexus>
From the ipfw(8) man page:

    FINE POINTS
      o   There is one kind of packet that the firewall will always discard,
          that is a TCP packet's fragment with a fragment offset of one.
          This is a valid packet, but it only has one use, to try to
          circumvent firewalls.  When logging is enabled, these packets are
          reported as being dropped by rule -1.

This is caught by the kernel, and not by your rules listed below.

ICMP redirects probably have nothing to do with this.

Barry

On Tue 2002-01-22 (15:14), alexus wrote:
> c# ipfw show|grep deny
> 00200    0    0 deny ip from any to 127.0.0.0/8
> 00300    0    0 deny ip from 127.0.0.0/8 to any
> 01313   11  528 deny tcp from any to any 65535 in recv fxp0
> 03306    0    0 deny tcp from any to any 3306 in recv fxp0
> 65535    1   60 deny ip from any to any
> c#
>
> Which rule denied it??
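Added example, not from anyone in this thread: a small Python triage helper for ipfw log lines of the shape alexus posted. It decodes the "(frag id:len@offset)" tail, recognises the rule -1 kernel drop that Barry's man-page quote describes (a TCP fragment whose fragment-offset field is 1, i.e. a byte offset of 8), and otherwise maps the logged rule number back to the "ipfw show" listing. The log format assumed is the FreeBSD 4.x "ipfw: RULE ACTION PROTO SRC DST in|out via IFACE" form; the sample log is one line from the post plus two constructed lines using documentation addresses, and the sample listing is the one from the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# FreeBSD 4.x ipfw log line (assumed format, matching the lines in the post):
#   ipfw: RULE ACTION PROTO SRC DST in|out via IFACE [(frag ID:LEN@BYTEOFF[+])]
# SRC/DST carry ":port" only on the first fragment; BYTEOFF is the fragment offset in bytes,
# and a trailing "+" means the More-Fragments bit was set.
LOG_RE = re.compile(
    r"^ipfw: (?P<rule>-?\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
    r"(?: \(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<mf>\+?)\))?"
)

# One line from alexus's post plus two constructed ones (documentation addresses).
SAMPLE_LOG = """\
ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)
ipfw: 1313 Deny TCP 203.0.113.7:4321 66.181.169.114:65535 in via fxp0
ipfw: 65535 Deny UDP 198.51.100.9:5353 66.181.169.114:5353 in via fxp0
"""

# "ipfw show" listing as posted: rule number, packet count, byte count, rule body.
SAMPLE_SHOW = """\
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
01313 11 528 deny tcp from any to any 65535 in recv fxp0
03306 0 0 deny tcp from any to any 3306 in recv fxp0
65535 1 60 deny ip from any to any
"""


@dataclass
class LogEntry:
    rule: int
    action: str
    proto: str
    src: str
    dst: str
    direction: str
    iface: str
    frag_offset_bytes: Optional[int] = None   # None when the packet is not a fragment
    frag_more: bool = False

    @property
    def frag_offset_units(self) -> Optional[int]:
        """The IP header's fragment-offset field counts 8-byte units; that is what the kernel compares."""
        return None if self.frag_offset_bytes is None else self.frag_offset_bytes // 8

    @property
    def kernel_tiny_fragment_drop(self) -> bool:
        """Rule -1 from the man page: a TCP fragment whose offset field is 1 is refused before any
        rule runs. Such a fragment begins 8 bytes into the TCP header, so it could carry a second
        copy of the flags for a header the filter already judged on fragment 0 (RFC 1858)."""
        return self.rule == -1 and self.proto.upper() == "TCP" and self.frag_offset_units == 1


def parse_log_line(line: str) -> Optional[LogEntry]:
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return LogEntry(
        rule=int(m["rule"]), action=m["action"], proto=m["proto"],
        src=m["src"], dst=m["dst"], direction=m["dir"], iface=m["iface"],
        frag_offset_bytes=None if m["off"] is None else int(m["off"]),
        frag_more=(m["mf"] == "+"),
    )


def parse_ipfw_show(text: str) -> Dict[int, str]:
    """Map rule number -> rule body; the two counters in between are skipped."""
    rules = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit():
            rules[int(parts[0])] = parts[3]
    return rules


def explain(entry: LogEntry, rules: Dict[int, str]) -> str:
    if entry.kernel_tiny_fragment_drop:
        return ("kernel built-in check (rule -1): TCP fragment with offset 1 "
                f"({entry.frag_offset_bytes} bytes); no rule in the listing was consulted")
    body = rules.get(entry.rule)
    if body is None:
        return f"rule {entry.rule}: not in the listing (check 'ipfw show' without the grep)"
    return f"rule {entry.rule}: {body}"


def triage(log_text: str, show_text: str) -> List[Tuple[int, str]]:
    """Pair each parsable log line with the reason the packet was dropped."""
    rules = parse_ipfw_show(show_text)
    entries = (parse_log_line(line) for line in log_text.splitlines())
    return [(e.rule, explain(e, rules)) for e in entries if e is not None]


if __name__ == "__main__":
    for rule, why in triage(SAMPLE_LOG, SAMPLE_SHOW):
        print(rule, why)
```

Because the byte offset in the log is the fragment-offset field shifted left by three, "@8" is exactly the offset-1 case; any other rule number in the log is a real rule, and the counters in "ipfw show" (11 packets, 528 bytes on rule 1313 above) are the place to confirm which one fired.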
From owner-freebsd-ipfw Tue Jan 22 15:19:44 2002
From: Darcy Buskermolen
To: freebsd-ipfw@freebsd.org
Subject: Re: ipfw and nat
Date: Thu, 17 Jan 2002 14:22:37 -0800
Message-Id: <3.0.32.20020117142236.03eeaad0@mail.ok-connect.com>

Try changing

    ifconfig_fxp0="inet xxx.xxx.xxx.xxx netmask 255.255.255.252"
    ifconfig_fxp0="inet 192.168.111.1 netmask 255.255.255.0"
    defaultrouter="xxx.xxx.xxx.xxy"

to

    ifconfig_fxp0="inet xxx.xxx.xxx.xxx netmask 255.255.255.252"
    ifconfig_fxp1="inet 192.168.111.1 netmask 255.255.255.0"
    defaultrouter="xxx.xxx.xxx.xxy"

Problem is you overwrote your outside interface IP with the IP address of your inside interface...

At 02:13 PM 1/17/02 -0800, you wrote:
>I can't get through my firewall.
>If I try to ping the firewall or anything outside I get no response, and if I
>try to ping from the firewall to an IP behind it I get a permission denied, or
>something like that.
>I tried to grab a web page outside the firewall, and it seemed like after
>dropping a lot of the packets I got something through, but it was only a small
>fragment of the packets.
>Any hints to what I'm doing wrong would be most welcome.
>
>/Flemming
>
>Kernel is 4.5RC and I have added:
>options IPFIREWALL
>options IPFIREWALL_VERBOSE
>options IPFIREWALL_VERBOSE_LIMIT=100
>options IPDIVERT
>
>In rc.conf I have:
>ifconfig_fxp0="inet xxx.xxx.xxx.xxx netmask 255.255.255.252"
>ifconfig_fxp0="inet 192.168.111.1 netmask 255.255.255.0"
>defaultrouter="xxx.xxx.xxx.xxy"
>gateway_enable="YES"
>firewall_enable="YES"
>firewall_type="simple"
>natd_enable="YES"
>natd_interface="fxp0"
>
>If I set the firewall_type to open then I can get out, but I would like a little
>more security than that.
>
>In rc.firewall I have edited the following:
>oif="fxp0"
>onet="xxx.xxx.xxx.xxz"
>omask="255.255.255.252"
>oip="xxx.xxx.xxx.xxx"
>
>iif="fxp1"
>inet="192.168.111.0"
>imask="255.255.255.0"
>iip="192.168.111.1"
>Everything else is left to default.
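Added example, not from any poster in either gateway thread: a Python checker for the two rc.conf mistakes discussed above, the duplicated ifconfig_fxp0 line that Darcy spotted (sh keeps the last assignment, so the outside address is silently lost) and the natd prerequisites from Rami's thread (IPDIVERT in the kernel, gateway_enable, a natd_interface that is actually configured), plus the divert rule Barry gave. The rc.conf text, the addresses and the kernel option set are constructed; the list of checks is my reading of the replies in these threads, not FreeBSD's own rc scripts.

```python
import re

# Constructed rc.conf in the shape of the one Flemming quoted; the repeated
# ifconfig_fxp0 line is the defect Darcy pointed out. Addresses are documentation ranges.
RC_CONF_BROKEN = """\
ifconfig_fxp0="inet 203.0.113.2 netmask 255.255.255.252"
ifconfig_fxp0="inet 192.168.111.1 netmask 255.255.255.0"
defaultrouter="203.0.113.1"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="simple"
natd_enable="YES"
natd_interface="fxp0"
"""

# Darcy's fix: the inside address belongs on the second card.
RC_CONF_FIXED = RC_CONF_BROKEN.replace(
    'ifconfig_fxp0="inet 192.168.111.1', 'ifconfig_fxp1="inet 192.168.111.1')

# Kernel options the posters listed (constructed set, used as the default for the check).
KERNEL_OPTIONS = {"IPFIREWALL", "IPFIREWALL_VERBOSE", "IPDIVERT"}

ASSIGN_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=("?)(.*?)\2$')


def parse_rc_conf(text):
    """Read name="value" lines the way sh does: a repeated name silently overwrites."""
    values, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # toy comment handling; '#' inside quotes is not supported
        if not line:
            continue
        m = ASSIGN_RE.match(line)
        if m is None:
            problems.append(f"line {lineno}: not a simple assignment: {line!r}")
            continue
        name, _, value = m.groups()
        if name in values:
            problems.append(f"line {lineno}: {name} assigned twice; sh keeps {value!r} "
                            f"and the earlier value {values[name]!r} is lost")
        values[name] = value
    return values, problems


def check_nat_gateway(values, kernel_options):
    """Prerequisites for natd behind ipfw, as the replies in these threads spell them out."""
    problems = []

    def yes(name):
        return values.get(name, "NO").upper() == "YES"

    ifaces = sorted(n[len("ifconfig_"):] for n in values if n.startswith("ifconfig_"))
    if len(ifaces) < 2:
        problems.append(f"only {len(ifaces)} interface(s) configured ({', '.join(ifaces)}); "
                        "a gateway needs an inside and an outside one")
    if not yes("gateway_enable"):
        problems.append("gateway_enable is not YES: the box will not forward between its interfaces")
    if yes("firewall_enable") and "IPFIREWALL" not in kernel_options:
        problems.append("firewall_enable=YES but the kernel lacks options IPFIREWALL")
    if yes("natd_enable"):
        if "IPDIVERT" not in kernel_options:
            problems.append("natd_enable=YES but the kernel lacks options IPDIVERT (divert sockets)")
        if not yes("firewall_enable"):
            problems.append("natd_enable=YES needs firewall_enable=YES so a divert rule can hand packets to natd")
        ext = values.get("natd_interface", "")
        if not ext:
            problems.append("natd_enable=YES but natd_interface is empty")
        elif f"ifconfig_{ext}" not in values:
            problems.append(f"natd_interface={ext} has no ifconfig_{ext} line")
    return problems


def divert_rule(values, rule_number=100):
    """The rule Barry gave: pass traffic on the external interface through natd."""
    return f"ipfw add {rule_number} divert natd ip from any to any via {values['natd_interface']}"


def audit(rc_text, kernel_options=KERNEL_OPTIONS):
    """Parse an rc.conf fragment and return (values, list of problems found)."""
    values, problems = parse_rc_conf(rc_text)
    return values, problems + check_nat_gateway(values, kernel_options)


if __name__ == "__main__":
    for label, text in (("broken", RC_CONF_BROKEN), ("fixed", RC_CONF_FIXED)):
        values, problems = audit(text)
        print(label, problems or "no problems", "->", divert_rule(values))
```

The duplicate-assignment check is the important one: rc.conf is sourced by sh, so nothing warns when a variable is set twice, and the symptom (no outside address, partial connectivity) looks like a firewall problem rather than an interface problem, which is exactly how Flemming read it.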
From owner-freebsd-ipfw Wed Jan 23 14:24:31 2002
From: Ramiro Vázquez
To: "Ruslan Ermilov"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Using ipfw to make a "Dynamic NAT depending of protocol L7"
Date: Wed, 23 Jan 2002 16:25:52 -0600
Message-ID: <002801c1a45c$ed273240$1500a8c0@corp.megared.net.mx>
References: <008101c1a368$f23b1890$1500a8c0@corp.megared.net.mx> <20020122192603.C58453@sunbay.com>

OK, I am going to make some tests and I'll tell you if I can make it.

Thanks a lot!

Ramiro.
Megacable.
From owner-freebsd-ipfw Thu Jan 24 14:48:12 2002
From: "alexus"
To: "Barry Irwin"
Subject: Re: Fw: -1 refuse ?
Date: Thu, 24 Jan 2002 17:48:03 -0500
Organization: NexGen
Message-ID: <024e01c1a529$2eafa630$0d00a8c0@alexus>
References: <007f01c1a381$669739e0$0d00a8c0@alexus> <20020122222308.B32746@itouchlabs.com>

Thank you for the explanations.
From owner-freebsd-ipfw Thu Jan 24 21:56:14 2002
From: "Steve"
To: 'Ramiro Vázquez', 'Ruslan Ermilov'
Subject: RE: Using ipfw to make a "Dynamic NAT depending of protocol L7"
Date: Thu, 24 Jan 2002 22:56:02 -0700
Message-ID: <000001c1a564$f8df9740$0500000a@stevehome>
In-Reply-To: <002801c1a45c$ed273240$1500a8c0@corp.megared.net.mx>

Actually, from what I've read the best solution to all of these Microsoft product NAT problems is "UPnP". New products like Windows XP Remote Assistance and MSN Messenger file/video all apparently support UPnP firewalls. If we could add UPnP code to natd it would all be transparent to the user.
Basically MSN messenger learns about a UPNP firewall on the network and asks the firewall what its real public IP will be so it can use that in the packet. If needed the firewall is also told what ports to handle for the return connection. I don't know a lot about UPNP but have done some reading on http://upnp.org and there is a testkit out (originally produced by Intel for Linux) on sourceforge.net. There seems to be little talk of UPNP except many firewall vendors are promising it in future versions. It sounds like it's going to be the only way to fix these NAT problems.

Steve.

-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG [mailto:owner-freebsd-ipfw@FreeBSD.ORG] On Behalf Of Ramiro Vázquez
Sent: Wednesday, January 23, 2002 3:26 PM
To: Ruslan Ermilov
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Using ipfw to make a "Dynamic NAT depending of protocol L7"

OK, I'm going to make some tests and I'll tell you if I can make it.

Thanks a lot!

Ramiro.
Megacable.

----- Original Message -----
From: "Ruslan Ermilov"
To: "Ramiro Vázquez"
Sent: Tuesday, January 22, 2002 11:26 AM
Subject: Re: Using ipfw to make a "Dynamic NAT depending of protocol L7"

> On Tue, Jan 22, 2002 at 11:19:27AM -0600, Ramiro Vázquez wrote:
> > Hi,
> >
> > We work at a cable-ISP and we are using NAT & PAT to provide
> > enough IP addresses to our customers.
> >
> > We have experienced problems with certain applications, mostly
> > with peer-to-peer applications like MSN Messenger.
> > Some features like the send files function don't work.
> > We put a sniffer on and discovered that when one of our customers tries
> > to send a file to someone out of our net it does this:
> > 1.- The application opens a port (6891-6899).
> > 2.- Sends the IP of the machine (the private IP) and the port
> > that is listening.
> > 3.- The other peer tries to connect to the private IP and the
> > port that it had received.
> > 4.- The connection fails.
> >
> > We modified a proxy to change the packet that the application
> > sends with the private IP and the local port, to replace them with a public IP
> > and another port; then the proxy sends these changes to an
> > application that just maps or forwards the port that we sent to the peer outside
> > to the real IP and port of our customer.
> >
> > This solution works and we are going to begin the tests with
> > more connections, but maybe it is not the best solution; one
> > disadvantage is that the customer must specify a proxy and it's hard work.
> >
> > We think that if we could make these changes with ipfw or
> > ip-filters and then add a rule to natd or ip-nat to forward the port, it would be
> > more efficient.
> >
> > Then we can redirect the traffic of MSN to ipfw or ip-filters
> > and make it all transparent to our customers.
> >
> > We think that we can do this for the most important applications
> > to solve this problem, and it's very important because we use a lot
> > of PAT and many applications can't work with the complete features.
> >
> > Is it possible to make this with ipfw?? Is anybody working around this??
> >
> > Any idea or comment would be helpful!!
> >
> If you know the MSN protocol, it should be pretty easy to add the required
> glue to libalias(3) to do the necessary payload stubs, etc., so that
> this works transparently through a natd(8) and/or ppp(8).
>
> Cheers,
> --
> Ruslan Ermilov      Oracle Developer/DBA,
> ru@sunbay.com       Sunbay Software AG,
> ru@FreeBSD.org      FreeBSD committer,
> +380.652.512.251    Simferopol, Ukraine
>
> http://www.FreeBSD.org  The Power To Serve
> http://www.oracle.com   Enabling The Information Age

From owner-freebsd-ipfw Thu Jan 24 22:28:36 2002
From: "Steve"
To: 'Ruslan Ermilov', 'Ramiro Vázquez'
Subject: RE: Using ipfw to make a "Dynamic NAT depending of protocol L7"
Date: Thu, 24 Jan 2002 23:28:26 -0700
Message-ID: <000001c1a569$7f4df890$0500000a@stevehome>
In-Reply-To: <20020122192603.C58453@sunbay.com>

Adding support to libalias would be a great interim solution that we could all benefit from.
I've heard that Windows Messenger with Windows XP uses the SIP protocol, whereas MSN Messenger used some other hybrid. Assuming everything is moving to SIP, here is a good document about the protocol, which includes how to design this into a NAT system (i.e. libalias):

http://www.cs.columbia.edu/sip/drafts/Ther0005_SIP.pdf

This might help someone who has the time to get this going; I know many of us would be grateful.

Steve.

-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG [mailto:owner-freebsd-ipfw@FreeBSD.ORG] On Behalf Of Ruslan Ermilov
Sent: Tuesday, January 22, 2002 10:26 AM
To: Ramiro Vázquez
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Using ipfw to make a "Dynamic NAT depending of protocol L7"

On Tue, Jan 22, 2002 at 11:19:27AM -0600, Ramiro Vázquez wrote:
> Hi,
>
> We work at a cable-ISP and we are using NAT & PAT to provide
> enough IP addresses to our customers.
>
> We have experienced problems with certain applications, mostly
> with peer-to-peer applications like MSN Messenger.
> Some features like the send files function don't work.
> We put a sniffer on and discovered that when one of our customers tries to
> send a file to someone out of our net it does this:
> 1.- The application opens a port (6891-6899).
> 2.- Sends the IP of the machine (the private IP) and the port
> that is listening.
> 3.- The other peer tries to connect to the private IP and the port
> that it had received.
> 4.- The connection fails.
>
> We modified a proxy to change the packet that the application sends
> with the private IP and the local port, to replace them with a public IP
> and another port; then the proxy sends these changes to an application
> that just maps or forwards the port that we sent to the peer outside
> to the real IP and port of our customer.
>
> This solution works and we are going to begin the tests with more
> connections, but maybe it is not the best solution; one disadvantage is
> that the customer must specify a proxy and it's hard work.
>
> We think that if we could make these changes with ipfw or
> ip-filters and then add a rule to natd or ip-nat to forward the port,
> it would be more efficient.
>
> Then we can redirect the traffic of MSN to ipfw or ip-filters and
> make it all transparent to our customers.
>
> We think that we can do this for the most important applications
> to solve this problem, and it's very important because we use a lot of
> PAT and many applications can't work with the complete features.
>
> Is it possible to make this with ipfw?? Is anybody working around this??
>
> Any idea or comment would be helpful!!
>
If you know the MSN protocol, it should be pretty easy to add the required glue to libalias(3) to do the necessary payload stubs, etc., so that this works transparently through a natd(8) and/or ppp(8).

Cheers,
--
Ruslan Ermilov      Oracle Developer/DBA,
ru@sunbay.com       Sunbay Software AG,
ru@FreeBSD.org      FreeBSD committer,
+380.652.512.251    Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age
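Barry's point earlier in the thread, that the "-1 Refuse ... (frag 0:20@8)" entries are the kernel itself refusing a TCP fragment whose data would land inside the transport header, is what a log monitor should key on rather than any numbered rule. As an added example (not code from the thread or from FreeBSD), the following Python parses the ipfw log format alexus quoted and tallies those kernel refusals and tiny TCP fragments per source; the two "-1 Refuse" sample lines are the ones from the thread, the other two are constructed.

```python
import re
from collections import Counter

# Shape of the ipfw(8) log line quoted in the thread; ports follow the addresses only
# for a first fragment (offset 0), and "(frag id:len@offset[+])" appears only for
# fragments, offset in bytes, "+" meaning more fragments follow.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>-?\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
    r"(?: \(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+)?\))?"
)
INT_FIELDS = ("rule", "sport", "dport", "id", "len", "off")
TCP_HEADER_LEN = 20  # minimal TCP header; the flags byte sits at offset 13

def parse_ipfw_log(line):
    """Return the fields of one ipfw log line as a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in INT_FIELDS:
        if rec[k] is not None:
            rec[k] = int(rec[k])
    return rec

def is_tiny_fragment(rec):
    """True for a non-first TCP fragment whose data starts inside the TCP header: it carries
    no ports for the rules to match, yet on reassembly it overwrites header bytes the
    firewall already accepted in fragment 0 (the RFC 1858 tiny-fragment trick)."""
    return (rec["proto"] == "TCP" and rec["off"] is not None
            and 0 < rec["off"] < TCP_HEADER_LEN)

def kernel_refusals(lines):
    """Per-source count of packets refused by the kernel (rule -1) or tiny TCP fragments."""
    counts = Counter()
    for line in lines:
        rec = parse_ipfw_log(line)
        if rec and (rec["rule"] == -1 or is_tiny_fragment(rec)):
            counts[rec["src"]] += 1
    return counts

# Constructed sample: the two "-1 Refuse" lines are as quoted in the thread, the other
# two are made up to show an ordinary rule hit and a harmless first fragment.
SAMPLE_LOG = [
    "ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)",
    "ipfw: -1 Refuse TCP 207.202.255.35 66.181.169.114 in via fxp0 (frag 0:20@8)",
    "ipfw: 1313 Deny TCP 198.51.100.7:4242 192.0.2.10:65535 in via fxp0",
    "ipfw: 100 Accept TCP 198.51.100.7:4242 192.0.2.10:80 in via fxp0 (frag 7:1480@0+)",
]
```

Running `kernel_refusals` over a real /var/log/security with `ipfw_verbose` logging enabled gives the per-source tally; a steady stream from one address is worth a closer look, while the ordinary rule hits are left to the rule counters.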
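The four-step exchange Ramiro describes and Ruslan's suggested payload glue in libalias(3) reduce to one operation: find the private address and listening port in the outbound payload, substitute the NAT's public address and a reserved port, and record the reverse mapping so the peer's inbound connection can be forwarded. The following Python is an added illustration, not code from libalias, natd or the thread; it assumes a simplified plain-text "a.b.c.d:port" announcement (the real MSN encoding is not given in the thread), a made-up public address and port pool, and renders the mappings as natd(8) redirect_port directives.

```python
import ipaddress
import re

# Assumptions (not from the thread): the client announces its listening socket as plain
# "a.b.c.d:port" text, and only the 6891-6899 range Ramiro reports is rewritten.
ADDR_RE = re.compile(rb"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")
FILE_TRANSFER_PORTS = range(6891, 6900)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _is_rfc1918(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. an octet above 255 that the regex let through
        return False
    return any(addr in net for net in RFC1918)

class PayloadAlg:
    """Minimal application-layer gateway for the exchange in the thread: rewrite private
    IP:port announcements going out and keep the reverse mapping for the peer's connection."""

    def __init__(self, public_ip, port_pool):
        self.public_ip = public_ip
        self._free = list(port_pool)
        self.redirects = {}  # public port -> (private ip, private port)

    def _public_port_for(self, private_ip, private_port):
        for pub, priv in self.redirects.items():  # reuse an existing mapping
            if priv == (private_ip, private_port):
                return pub
        if not self._free:  # fail closed rather than let the private address out
            raise RuntimeError("port pool exhausted")
        pub = self._free.pop(0)
        self.redirects[pub] = (private_ip, private_port)
        return pub

    def rewrite(self, payload):
        """Return the outbound payload with private announcements replaced. Only the bytes
        change here; a libalias/in-kernel ALG must also fix TCP seq/ack for the new length."""
        def fix(m):
            ip, port = m.group(1).decode(), int(m.group(2))
            if not _is_rfc1918(ip) or port not in FILE_TRANSFER_PORTS:
                return m.group(0)  # not an internal announcement; leave it untouched
            return f"{self.public_ip}:{self._public_port_for(ip, port)}".encode()
        return ADDR_RE.sub(fix, payload)

    def natd_redirects(self):
        """The recorded mappings as natd(8) redirect_port directives."""
        return [f"redirect_port tcp {ip}:{port} {pub}"
                for pub, (ip, port) in sorted(self.redirects.items())]
```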