Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 30 Sep 2006 20:30:28 -0400
From:      Matt Herzog <msh@blisses.org>
To:        freebsd-stable@freebsd.org
Subject:   ipfilter nat w/IPFILTER_DEFAULT_BLOCK kernel
Message-ID:  <20061001003028.GK13429@mail.blisses.org>

next in thread | raw e-mail | index | archive | help

--b5gNqxB1S1yM7hjW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hi.

As the Subject states, I'm trying to get a FreeBSD 6.1 on sparc64 to be a
firewall/gateway/nat machine using a IPFILTER_DEFAULT_BLOCK kernel.
(hme0 is the external NIC. hme1 is the internal NIC.)

If I remove the line: 

pass in quick on hme0 all

none of the machines inside the NAT can reach the Internet although I can still ssh
into the firewall/gateway machine from inside the NAT. 
i.e. NAT breaks without "pass in quick on hme0 all"

"pass in quick on hme0 all" pretty obviously defeats the purpose of the 
IPFILTER_DEFAULT_BLOCK kernel so I'm trying to figure out a rule set that
will work with NAT. I'm running a caching named on 127.0.0.1 if that makes
any difference.

All the files are attached.

-- 
Announcing your plans is a good way to hear the gods' laughter.

--b5gNqxB1S1yM7hjW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="dhcpd.conf"

# $Id: dhcpd.conf,v 1.6 2001/06/01 06:09:25 mason Exp $
authoritative;
ddns-updates off;
ddns-update-style none;

# Class C, 10/24
subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.10 192.168.0.40;
        default-lease-time 660000;
        max-lease-time 1288000;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.0.255;
        option routers 192.168.0.1;
	option domain-name-servers 192.168.0.1; 
#	option domain-name-servers 68.87.71.226 68.87.73.242;

        host elink0 {
                hardware ethernet 00:11:94:C2:4D:D2;
                fixed-address 192.168.0.51;
}
        host elink1 {
                hardware ethernet 00:11:94:CF:34:CF;
                fixed-address 192.168.0.52;
}
	host BGH {
		hardware ethernet 02:11:24:21:29:36;
		fixed-address 192.168.0.53;
}
	host bung {
		hardware ethernet 00:0F:3D:AE:36:E0;
		fixed-address 192.168.0.41;
}
}

--b5gNqxB1S1yM7hjW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="ipf.conf"

# Shebang! not needed.
#
# external interface is hme0 IP obtained via DHCP from ISP
# internal interface is hme1 at 192.168.0.1

pass out quick on hme0 all 
pass in quick on hme0 all 
pass out quick on hme1 all 
pass in quick on hme1 all
pass in quick on lo0 all
pass out quick on lo0 all

# Allow internal traffic
pass in quick on hme1 from 192.168.0.0/24 to any
pass out quick on hme1 from 192.168.0.0/24 to any
pass out quick on hme1 from any to 127.0.0.0/8

# Allow outgoing DNS requests from our servers on .1, .2, and .3
pass in quick on hme1 proto tcp/udp from 192.168.0.0/24 to any port = domain keep state
pass out quick on hme0 proto tcp/udp from 0/32 to any port = domain keep state
pass out quick on hme0 proto tcp/udp from 192.168.0.0/24 to any port = domain keep state

# Allow NTP from any internal hosts to any external NTP server.
pass in quick on hme1 proto udp from 192.168.0.0/24 to any port = 123 keep state
pass out quick on hme0 proto udp from any to any port = 123 keep state

# Allow incoming mail
pass in quick on hme0 proto tcp from any to 0/32 port = smtp keep state
pass out quick on hme0 proto tcp from 192.168.1.0/24 to any port = smtp keep state

# Allow outgoing connections: SSH, WWW, NNTP, mail, whois

pass in quick on hme1 proto tcp from 192.168.0.0/24 to any port = 33654 keep state
pass out quick on hme0 proto tcp from 192.168.0.0/24 to any port = 33654 keep state

pass in quick on hme1 proto tcp from 192.168.0.0/24 to any port = 80 keep state
pass out quick on hme0 proto tcp from 192.168.0.0/24 to any port = 80 keep state
pass in quick on hme1 proto tcp from 192.168.0.0/24 to any port = 443 keep state
pass out quick on hme0 proto tcp from 192.168.0.0/24 to any port = 443 keep state

pass in quick on hme1 proto tcp from 192.168.0.0/24 to any port = smtp keep state

pass in quick on hme0 proto tcp from 192.168.0.0/24 to any port = whois keep state
pass out quick on hme1 proto tcp from any to any port = whois keep state


# Allow ssh from offsite
pass in quick on hme0 proto tcp from any to 0/32 port = 33654 keep state

# Allow ping out
pass in quick on hme1 proto icmp all keep state
pass out quick on hme0 proto icmp all keep state

# allow auth out
pass out quick on hme0 proto tcp from 0/32 to any port = 113 keep state
pass out quick on hme0 proto tcp from 0/32 port = 113 to any keep state

--b5gNqxB1S1yM7hjW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="ipnat.conf"

#rdr hme0 0.0.0.0/0 port 80 -> 192.168.0.52 port 80 tcp
#rdr ne0 0.0.0.0/0 port 3658 -> 10.0.0.10 port 3658 udp
#rdr ne0 0.0.0.0/0 port 443 -> 10.0.0.2 port 443 tcp
#rdr ne0 0.0.0.0/0 port 53 -> 10.0.0.2 port 53 tcp
#rdr ne0 0.0.0.0/0 port 53 -> 10.0.0.2 port 53 udp
#rdr ne0 0.0.0.0/0 port 80 -> 10.0.0.2 port 80 tcp
#map ne0 10.0.0.0/24 -> 0/32 proxy port ftp ftp/tcp

# rdr hme0 0.0.0.0/0 port 8660 >< 7000 -> 192.168.0.53 port 8660 >< 7000 tcp
#rdr hme0 0.0.0.0/0 port 6889 -> 192.168.0.27 port 6889 tcp
#map hme0 192.168.0.0/24 -> 0/32 portmap tcp/udp 10000:65000
#map hme0 192.168.0.0/24 -> 0/32
map hme0 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:65000
map hme0 192.168.0.0/24 -> 0.0.0.0/32 

--b5gNqxB1S1yM7hjW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="named.conf"

// $FreeBSD: src/etc/namedb/named.conf,v 1.21.2.1 2005/09/10 08:27:27 dougb Exp $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works.  Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.

options {
	directory	"/etc/namedb";
	pid-file	"/var/run/named/pid";
	dump-file	"/var/dump/named_dump.db";
	statistics-file	"/var/stats/named.stats";

// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
	listen-on	{ 192.168.0.1; };

// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver.  To give access to the network, specify
// an IPv6 address, or the keyword "any".
//	listen-on-v6	{ ::1; };

// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
//      forward only;

// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below.  This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
/*
	forwarders {
		127.0.0.1;
	};
*/
	/*
	 * If there is a firewall between you and nameservers you want
	 * to talk to, you might need to uncomment the query-source
	 * directive below.  Previous versions of BIND always asked
	 * questions using port 53, but BIND versions 8 and later
	 * use a pseudo-random unprivileged UDP port by default.
	 */
	// query-source address * port 53;
};

// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.

zone "." {
	type hint;
	file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
	type master;
	file "master/localhost.rev";
};

// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
	type master;
	file "master/localhost-v6.rev";
};

// NB: Do not use the IP addresses below, they are faked, and only
// serve demonstration/documentation purposes!
//
// Example slave zone config entries.  It can be convenient to become
// a slave at least for the zone your own domain is in.  Ask
// your network administrator for the IP address of the responsible
// primary.
//
// Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
// (This is named after the first bytes of the IP address, in reverse
// order, with ".IN-ADDR.ARPA" appended.)
//
// Before starting to set up a primary zone, make sure you fully
// understand how DNS and BIND works.  There are sometimes
// non-obvious pitfalls.  Setting up a slave zone is simpler.
//
// NB: Don't blindly enable the examples below. :-)  Use actual names
// and addresses instead.

/* An example master zone
zone "example.net" {
	type master;
	file "master/example.net";
};
*/

/* An example dynamic zone
key "exampleorgkey" {
        algorithm hmac-md5;
        secret "sf87HJqjkqh8ac87a02lla==";
};
zone "example.org" {
	type master;
	allow-update {
		key "exampleorgkey";
	};
	file "dynamic/example.org";
};
*/

/* Examples of forward and reverse slave zones
zone "example.com" {
	type slave;
	file "slave/example.com";
	masters {
		192.168.1.1;
	};
};
zone "1.168.192.in-addr.arpa" {
	type slave;
	file "slave/1.168.192.in-addr.arpa";
	masters {
		192.168.1.1;
	};
};
*/


--b5gNqxB1S1yM7hjW--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061001003028.GK13429>