Date: Sat, 25 Jun 2005 22:36:05 -0400
From: Andy Sutcliffe <andy.sutcliffe@gmail.com>
To: fbsd_user@a1poweruser.com
Cc: freebsd-questions@freebsd.org
Subject: Re: IPNAT / IPF / rdr issue
Message-ID: <9d124e1c05062519366c76d6d7@mail.gmail.com>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGGEKDHHAA.fbsd_user@a1poweruser.com>
References: <9d124e1c0506251800635f8cf7@mail.gmail.com> <MIEPLLIBMLEEABPDBIEGGEKDHHAA.fbsd_user@a1poweruser.com>
I tried that as well, but am still getting the same 'connection refused'
error from the web browser on the local client machine.

On 6/25/05, fbsd_user <fbsd_user@a1poweruser.com> wrote:
> You're using the public ip address of your gateway box from the
> private LAN.
> In this mode NAT and thus your rdr rule is never invoked. Your
> request never exits your private network. The gateway system knows
> himself by that public ip address.
> What you should be doing is using the www.domainname.com so the
> request has to go to your ISP DNS server to get your public ip
> address, then it will enter on the external interface and be
> nated/rdr to correct location.
> There is nothing wrong with your ipfilter configuration, you're just
> using the wrong URL.
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Andy Sutcliffe
> Sent: Saturday, June 25, 2005 9:01 PM
> To: freebsd-questions@freebsd.org
> Subject: IPNAT / IPF / rdr issue
>
> I am having problems accessing internal resources (such as a web
> server) from other internal clients when going from internal client ->
> public address -> internal resource. For example, when I attempt to
> reach 'mydomain.com' from client machine X, the connection is refused
> (I am, of course, able to reach the web server through the internal
> IP); however, I am able to access the web server via that URL from an
> external network. I have 'mydomain.com' pointed towards the external
> IP of my gateway, which in turn relays it to the internal web server.
> I have included the pertinent contents of /etc/ipnat.rules as well as
> my /etc/ipf.conf file. I am at a loss at this point... can anyone
> point me in the right direction?
>
> Thanks in advance,
> - andy ( andy dot sutcliffe at gmail dot com)
>
> Gateway:
> OS: FreeBSD 5.4
> Firewall: IPFilter
> Port Forwarding: IPNAT
> External eth: dc0
> Internal eth: ed0 (10.0.0.0)
>
> Web Server
> OS: FreeBSD 5.4
> WWW: Apache 2.0
>
> Client Machine(s)
> OS: Windows XP, FreeBSD, Linux
>
> I have the following in /etc/ipnat.rules:
>
> # innernet
> map dc0 10.0.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 40000:65000
> map dc0 10.0.0.0/16 -> 0.0.0.0/32
>
> # www
> rdr dc0 0.0.0.0/0 port 80 -> 10.0.0.3 port 80
>
> I have the following in /etc/ipf.conf:
> #################################################################
> # No restrictions on Inside LAN Interface for private network
> # Not needed unless you have LAN
> #################################################################
>
> pass out quick on ed0 all
> pass in quick on ed0 all
>
> #################################################################
> # No restrictions on Loopback Interface
> #################################################################
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> #################################################################
> # Interface facing Public Internet (Outbound Section)
> # Interrogate session start requests originating from behind the
> # firewall on the private network
> # or from this gateway server destined for the public Internet.
> #################################################################
>
> # Allow out access to my ISP's Domain name server.
> # xxx must be the IP address of your ISP's DNS.
> # Dup these lines if your ISP has more than one DNS server
> # Get the IP addresses from /etc/resolv.conf file
> pass out quick on dc0 proto tcp from any to 67.43.192.6 port = 53 flags S keep state
> pass out quick on dc0 proto udp from any to 67.43.192.6 port = 53 keep state
> pass out quick on dc0 proto tcp from any to 137.118.1.33 port = 53 flags S keep state
> pass out quick on dc0 proto udp from any to 137.118.1.33 port = 53 keep state
>
> # Allow out access to my ISP's DHCP server for cable or DSL networks.
> # This rule is not needed for 'user ppp' type connection to the
> # public Internet, so you can delete this whole group.
> # Use the following rule and check log for IP address.
> # Then put IP address in commented out rule & delete first rule
> pass out quick on dc0 proto udp from any to 67.43.192.6 port = 67 keep state
>
> # Allow out non-secure standard www function
> pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state
> pass out quick on dc0 proto tcp from any to any port = 81 flags S keep state
>
> # Allow out secure www function https over TLS SSL
> pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state
>
> # Allow out send & get email function
> pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
> pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state
>
> # Allow out Time
> pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state
>
> # Allow out nntp news
> pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state
>
> # Allow out gateway & LAN users non-secure FTP (both passive & active modes)
> # This function uses the IPNAT built in FTP proxy function coded in
> # the nat rules file to make this single rule function correctly.
> # If you want to use the pkg_add command to install application packages
> # on your gateway system you need this rule.
> pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state
>
> # Allow out secure FTP, Telnet, and SCP
> # This function is using SSH (secure shell)
> pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state
>
> # Allow out non-secure Telnet
> pass out quick on dc0 proto tcp from any to any port = 23 flags S keep state
>
> # Allow out FBSD CVSUP function
> pass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state
>
> # Allow out ping to public Internet
> pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state
>
> # Allow out whois for LAN PC to public Internet
> pass out quick on dc0 proto tcp from any to any port = 43 flags S keep state
>
> # Block and log only the first occurrence of everything
> # else that's trying to get out.
> # This rule enforces the block all by default logic.
> block out log first quick on dc0 all
>
> #################################################################
> # Interface facing Public Internet (Inbound Section)
> # Interrogate packets originating from the public Internet
> # destined for this gateway server or the private network.
> #################################################################
>
> # Block all inbound traffic from non-routable or reserved address spaces
> block in quick on dc0 from 192.168.0.0/16 to any    #RFC 1918 private IP
> block in quick on dc0 from 172.16.0.0/12 to any     #RFC 1918 private IP
> # block in quick on dc0 from 10.0.0.0/8 to any      #RFC 1918 private IP
> block in quick on dc0 from 127.0.0.0/8 to any       #loopback
> block in quick on dc0 from 0.0.0.0/8 to any         #loopback
> block in quick on dc0 from 169.254.0.0/16 to any    #DHCP auto-config
> block in quick on dc0 from 192.0.2.0/24 to any      #reserved for docs
> block in quick on dc0 from 204.152.64.0/23 to any   #Sun cluster interconnect
> block in quick on dc0 from 224.0.0.0/3 to any       #Class D & E multicast
>
> ##### Block a bunch of different nasty things. ############
> # That I do not want to see in the log
>
> # Block frags
> block in quick on dc0 all with frags
>
> # Block short tcp packets
> block in quick on dc0 proto tcp all with short
>
> # block source routed packets
> block in quick on dc0 all with opt lsrr
> block in quick on dc0 all with opt ssrr
>
> # Block nmap OS fingerprint attempts
> # Log first occurrence of these so I can get their IP address
> block in log first quick on dc0 proto tcp from any to any flags FUP
>
> # Block anything with special options
> block in quick on dc0 all with ipopts
>
> # Block public pings
> block in quick on dc0 proto icmp all icmp-type 8
>
> # Block ident
> block in quick on dc0 proto tcp from any to any port = 113
>
> # Block all Netbios service. 137=name, 138=datagram, 139=session
> # Netbios is MS/Windows sharing services.
> # Block MS/Windows hosts2 name server requests 81
> block in log first quick on dc0 proto tcp/udp from any to any port = 137
> block in log first quick on dc0 proto tcp/udp from any to any port = 138
> block in log first quick on dc0 proto tcp/udp from any to any port = 139
> block in log first quick on dc0 proto tcp/udp from any to any port = 81
>
> # Allow traffic in from ISP's DHCP server. This rule must contain
> # the IP address of your ISP's DHCP server as it's the only
> # authorized source to send this packet type. Only necessary for
> # cable or DSL configurations. This rule is not needed for
> # 'user ppp' type connection to the public Internet.
> # This is the same IP address you captured and
> # used in the outbound section.
> pass in quick on dc0 proto udp from 67.43.192.6 to any port = 68 keep state
>
> # Allow in standard www function because I have apache server
> pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state
> pass in quick on dc0 proto tcp from any to any port = 81 flags S keep state
>
> # Allow in secure FTP, Telnet, and SCP from public Internet
> # This function is using SSH (secure shell)
> pass in quick on dc0 proto tcp from any to any port = 22 flags S keep state
>
> # Allow in non-secure FTP access to file server (bombadil)
> # (FTP rides on TCP; "ftp" is a service name, not a protocol name, so the
> # rules use proto tcp)
> pass in quick on dc0 proto tcp from any to 10.0.0.2 port = 21 flags S keep state
> pass in quick on dc0 proto tcp from any to 10.0.0.2 port = 20 flags S keep state
> pass out quick on dc0 proto tcp from 10.0.0.2 to any port = 20 flags S keep state
>
> # Block and log only first occurrence of all remaining traffic
> # coming into the firewall. The logging of only the first
> # occurrence stops a "denial of service" attack targeted
> # at filling up your log file space.
> # This rule enforces the block all by default logic.
> block in log first quick on dc0 all
> ################### End of rules file #####################################
>
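The interface binding in the ipnat rules is what decides this case. An rdr rule only matches packets arriving on the interface it names, so the `rdr dc0 ...` rule above is never consulted for a LAN client's packet: that packet arrives on ed0, addressed to an IP the gateway owns, and the gateway handles it locally instead of forwarding it. Resolving the name through DNS does not change which interface the packet arrives on. The usual way to make a LAN client reach the web server through the public address with ipnat ("hairpin" or NAT reflection) is a second rdr bound to ed0 plus a map on ed0, so the web server's replies come back through the gateway rather than going straight to the client. The fragment below is an added example written for this thread, not part of the original posts; the public address 203.0.113.10 and the gateway's LAN address 10.0.0.1 are assumed placeholders, everything else follows the thread.

```conf
# /etc/ipnat.rules -- added hairpin (NAT reflection) example, not from the thread.
# Assumed: 203.0.113.10 = gateway public IP on dc0 (placeholder)
#          10.0.0.1     = gateway address on ed0  (placeholder)
#          10.0.0.3     = internal web server, dc0/ed0 as in the thread

# Rules already in the thread: outbound masquerade and the inbound redirect.
# Both are bound to dc0, so they only see packets that enter or leave on dc0.
map dc0 10.0.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 40000:65000
map dc0 10.0.0.0/16 -> 0.0.0.0/32
rdr dc0 0.0.0.0/0 port 80 -> 10.0.0.3 port 80 tcp

# 1. Redirect LAN clients that address the public IP. Bound to ed0 because
#    that is the interface their packets arrive on; an rdr on dc0 never
#    matches them.
rdr ed0 203.0.113.10/32 port 80 -> 10.0.0.3 port 80 tcp

# 2. As the redirected packet leaves ed0 again toward 10.0.0.3, rewrite its
#    source to the gateway's LAN address. Without this the server answers the
#    client directly (same subnet) with source 10.0.0.3; the client expects a
#    reply from 203.0.113.10 and resets the connection. With it, replies come
#    back to 10.0.0.1, are un-mapped and un-redirected, and the client sees a
#    consistent session with 203.0.113.10. The map only touches packets the
#    gateway forwards back out onto the LAN; client-to-client traffic never
#    traverses the gateway and is unaffected.
map ed0 10.0.0.0/16 -> 10.0.0.1/32 portmap tcp 40000:65000
```

No ipf.conf change is needed for this, since the ruleset above already has `pass in quick on ed0 all` and `pass out quick on ed0 all`. Load the rules with `ipnat -CF -f /etc/ipnat.rules`, then open http://203.0.113.10/ from a LAN client and run `ipnat -l`: the active-sessions list should show one RDR entry (client to 203.0.113.10:80 mapped to 10.0.0.3:80) and one MAP entry (client rewritten to 10.0.0.1 with a port in the 40000:65000 range). If only the RDR entry appears, the map on ed0 did not match and the client will still see a reset. Bear in mind that the hairpinned session costs the gateway two translations per packet and hides the real client address from the web server's logs, which is why split-horizon DNS (resolving the name to 10.0.0.3 for LAN clients) is often preferred when the server logs matter.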
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9d124e1c05062519366c76d6d7>