Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 2 Aug 2001 00:41:54 +0200
From:      "Dennis Berger" <HypnotiZer@gmx.net>
To:        <freebsd-ipfw@freebsd.org>
Subject:   ipfw dynamic-rules
Message-ID:  <000801c11adb$29da7ff0$650110ac@nachpolierer>

Next in thread | Raw E-Mail | Index | Archive | Help
This is a multi-part message in MIME format.

------=_NextPart_000_0005_01C11AEB.ED4DF330
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi,
following devices are attached.

tun0: dynamic-IP
rl0:10.0.0.148 <-- is connected to the adsl-modem
xl0:172.16.1.1

Ok now here is my Problem I have IPFW set up with the following ruleset
------------------------------------------------------------------
fwcmd=3D"/sbin/ipfw"

$fwcmd -f flush
$fwcmd add 20 pass all from any to any via lo0
$fwcmd add 30 pass all from any to any via rl0
$fwcmd add 40 pass all from any to any via xl0

$fwcmd add 50 deny log all from 192.168.0.0/16 to any in via tun0
$fwcmd add 60 deny log all from 172.16.0.0/12 to any in via tun0
$fwcmd add 70 deny log all from 10.0.0.0/8 to any in via tun0
$fwcmd add 80 deny log all from 127.0.0.0/8 to any in via tun0
$fwcmd add 90 deny log all from 0.0.0.0/8 to any in via tun0
$fwcmd add 100 deny log all from 169.254.0.0/16 to any in via tun0
$fwcmd add 110 deny log all from 192.0.2.0/24 to any in via tun0
$fwcmd add 120 deny log all from 204.152.64.0/23 to any in via tun0
$fwcmd add 130 deny log all from 224.0.0.0/3 to any in via tun0

$fwcmd add 131 count tcp from any to any via tun0
$fwcmd add 132 count udp from any to any 27000-28000 out via tun0=20
$fwcmd add 133 count tcp from any 1024-65535 to any 21 in via tun0
$fwcmd add 134 count tcp from any 20 to any 1024-65535 out via tun0=20
$fwcmd add 135 count tcp from any 49153-65535 to any 1024-65535 out via =
tun0=20
$fwcmd add 136 count tcp from any to any 80 in via tun0=20
$fwcmd add 136 count tcp from any to any 80 out via tun0

$fwcmd add 140 pipe 1 tcp from any to any 22,1494 via tun0=20
$fwcmd add 141 pipe 2 udp from any to any 27000-28000 out via tun0
$fwcmd add 142 pipe 3 tcp from any to any in via tun0
$fwcmd add 143 pipe 4 tcp from any to any out via tun0=20
$fwcmd pipe 1 config bandwidth 0 queue 10Kbyte
$fwcmd pipe 2 config bandwidth 0 queue 20Kbyte
$fwcmd pipe 3 config bandwidth 728Kbit/s queue 50Kbyte
$fwcmd pipe 4 config bandwidth 96Kbit/s queue 10Kbyte=20

$fwcmd add 149 divert natd ip from any to any via tun0=20
$fwcmd add 160 check-state

$fwcmd add 200 pass icmp from any to any in via tun0 icmptypes 0,11
$fwcmd add 210 pass tcp from any to any 22 in via tun0 keep-state =
tcpflags syn=20
$fwcmd add 220 pass tcp from any to any 80 in via tun0 keep-state =
tcpflags syn=20
$fwcmd add 230 pass tcp from any to any 443 in via tun0 keep-state =
tcpflags syn=20
$fwcmd add 240 pass tcp from any to any 21 in via tun0 keep-state =
tcpflags syn
$fwcmd add 250 pass tcp from any 1024-65535 to any 49153-65535  in via =
tun0 keep-state tcpflags syn
$fwcmd add 260 deny udp from any to 192.246.40.56 out via tun0=20
$fwcmd add 270 deny log tcp from any to any 6666-6669 out via tun0=20
$fwcmd add 280 pass tcp from any to any out via tun0 setup keep-state=20
$fwcmd add 290 pass udp from any to any out via tun0 keep-state=20
$fwcmd add 300 pass icmp from any to any out via tun0 keep-state=20
$fwcmd add 65530 deny log all from any to any=20
-------------------------------------------------------------------
and the following natd.cf
--------------------------------------
redirect_port udp 127.0.0.1:27952 192.246.40.56:27952
use_sockets yes
unregistered_only no
interface tun0
dynamic yes
same_ports yes
punch_fw 500:100
--------------------------------------
Ok when a packet tries to go out it passes the divert rule and gets =
rewitten now it passes rewritten with my external IP the keep-state =
rule. This rule add a dynamic rule like this=20

00280 2 96 (T 6, # 49) ty 0 tcp, 213.23.32.173 4264 <-> 216.239.35.100 =
80

thats ok. now the packet from externalhost come back with source ip =
216.239.35.100 and destination IP 213.32.23.173 which is my EXTERNAL ip. =
it passes the ruleset and gets rewritten by the divert rule to source-IP =
216.239.35.100 and Destination-IP 172.16.1.101(this is my client on =
LAN). But let us remeber which was the dynamic rule created by the =
keep-state one. So the packet rewritten by the divert rule CAN'T pass =
the dynamic rule created by the keep-state rule.

Aug  2 00:31:38 Nipsi /kernel: ipfw: 65530 Deny TCP 216.136.35.100:80 =
172.16.1.101:4262 in via tun0

How could I fix this, or which is the clean implementation of keep-state =
rules in combination with divert rules ?



------=_NextPart_000_0005_01C11AEB.ED4DF330
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.3315.2870" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Hi,</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>following devices are =
attached.</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>tun0: dynamic-IP</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>rl0:10.0.0.148&nbsp;&lt;--<FONT =
face=3DArial size=3D2>=20
is connected to the adsl-modem</FONT></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>xl0:172.16.1.1</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Ok now here is my Problem I have IPFW =
set up with=20
the following ruleset</FONT></DIV>
<DIV><FONT face=3DArial=20
size=3D2>----------------------------------------------------------------=
--</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>fwcmd=3D"/sbin/ipfw"</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>$fwcmd -f flush<BR>$fwcmd add 20 pass =
all from any=20
to any via lo0<BR>$fwcmd add 30 pass all from any to any via =
rl0<BR>$fwcmd add=20
40 pass all from any to any via xl0</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>$fwcmd add 50 deny log all from =
192.168.0.0/16 to=20
any in via tun0<BR>$fwcmd add 60 deny log all from 172.16.0.0/12 to any =
in via=20
tun0<BR>$fwcmd add 70 deny log all from 10.0.0.0/8 to any in via =
tun0<BR>$fwcmd=20
add 80 deny log all from 127.0.0.0/8 to any in via tun0<BR>$fwcmd add 90 =
deny=20
log all from 0.0.0.0/8 to any in via tun0<BR>$fwcmd add 100 deny log all =
from=20
169.254.0.0/16 to any in via tun0<BR>$fwcmd add 110 deny log all from=20
192.0.2.0/24 to any in via tun0<BR>$fwcmd add 120 deny log all from=20
204.152.64.0/23 to any in via tun0<BR>$fwcmd add 130 deny log all from=20
224.0.0.0/3 to any in via tun0</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>$fwcmd add 131 count tcp from any to =
any via=20
tun0<BR>$fwcmd add 132 count udp from any to any 27000-28000 out via =
tun0=20
<BR>$fwcmd add 133 count tcp from any 1024-65535 to any 21 in via =
tun0<BR>$fwcmd=20
add 134 count tcp from any 20 to any 1024-65535 out via tun0 <BR>$fwcmd =
add 135=20
count tcp from any 49153-65535 to any 1024-65535 out via tun0 <BR>$fwcmd =
add 136=20
count tcp from any to any 80 in via tun0 <BR>$fwcmd add 136 count tcp =
from any=20
to any 80 out via tun0</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>$fwcmd add 140 pipe 1 tcp from any to =
any 22,1494=20
via tun0 <BR>$fwcmd add 141 pipe 2 udp from any to any 27000-28000 out =
via=20
tun0<BR>$fwcmd add 142 pipe 3 tcp from any to any in via tun0<BR>$fwcmd =
add 143=20
pipe 4 tcp from any to any out via tun0 <BR>$fwcmd pipe 1 config =
bandwidth 0=20
queue 10Kbyte<BR>$fwcmd pipe 2 config bandwidth 0 queue =
20Kbyte<BR>$fwcmd pipe 3=20
config bandwidth 728Kbit/s queue 50Kbyte<BR>$fwcmd pipe 4 config =
bandwidth=20
96Kbit/s queue 10Kbyte </FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>$fwcmd add 149 divert natd ip from any =
to any via=20
tun0 <BR>$fwcmd add 160 check-state</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>$fwcmd add 200 pass icmp from any to =
any in via=20
tun0 icmptypes 0,11<BR>$fwcmd add 210 pass tcp from any to any 22 in via =
tun0=20
keep-state tcpflags syn <BR>$fwcmd add 220 pass tcp from any to any 80 =
in via=20
tun0 keep-state tcpflags syn <BR>$fwcmd add 230 pass tcp from any to any =
443 in=20
via tun0 keep-state tcpflags syn <BR>$fwcmd add 240 pass tcp from any to =
any 21=20
in via tun0 keep-state tcpflags syn<BR>$fwcmd add 250 pass tcp from any=20
1024-65535 to any 49153-65535&nbsp; in via tun0 keep-state tcpflags=20
syn<BR>$fwcmd add 260 deny udp from any to 192.246.40.56 out via tun0 =
<BR>$fwcmd=20
add 270 deny log tcp from any to any 6666-6669 out via tun0 <BR>$fwcmd =
add 280=20
pass tcp from any to any out via tun0 setup keep-state <BR>$fwcmd add =
290 pass=20
udp from any to any out via tun0 keep-state <BR>$fwcmd add 300 pass icmp =
from=20
any to any out via tun0 keep-state <BR>$fwcmd add 65530 deny log all =
from any to=20
any </FONT></DIV>
<DIV><FONT face=3DArial=20
size=3D2>----------------------------------------------------------------=
---</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>and the following natd.cf</FONT></DIV>
<DIV><FONT face=3DArial =
size=3D2>--------------------------------------</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>redirect_port udp 127.0.0.1:27952=20
192.246.40.56:27952<BR>use_sockets yes<BR>unregistered_only =
no<BR>interface=20
tun0<BR>dynamic yes<BR>same_ports yes<BR>punch_fw 500:100</FONT></DIV>
<DIV><FONT face=3DArial =
size=3D2>--------------------------------------</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Ok when a packet tries to go out it =
passes the=20
divert rule and gets rewitten now it passes rewritten with my external =
IP the=20
keep-state rule. This rule add a dynamic rule like this </FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>00280 2 96 (T 6, # 49) ty 0 tcp, =
213.23.32.173 4264=20
&lt;-&gt; 216.239.35.100 80</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>thats ok. now the packet =
from&nbsp;externalhost=20
come back with source ip 216.239.35.100 and destination IP 213.32.23.173 =
which=20
is my EXTERNAL ip. it passes the ruleset and gets rewritten by the =
divert rule=20
to source-IP 216.239.35.100 and Destination-IP 172.16.1.101(this is my =
client on=20
LAN). But let us remeber which was the dynamic rule created by the =
keep-state=20
one. So the packet rewritten by the divert rule CAN'T pass the dynamic =
rule=20
created by the keep-state rule.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Aug&nbsp; 2 00:31:38 Nipsi /kernel: =
ipfw: 65530=20
Deny TCP 216.136.35.100:80 172.16.1.101:4262 in via tun0</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>How could I fix this, or which is the =
clean=20
implementation&nbsp;of keep-state rules&nbsp;in combination with divert =
rules=20
?</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV></BODY></HTML>

------=_NextPart_000_0005_01C11AEB.ED4DF330--


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?000801c11adb$29da7ff0$650110ac>