From: "Dennis Berger" <HypnotiZer@gmx.net>
To: freebsd-ipfw@freebsd.org
Subject: ipfw dynamic-rules
Date: Thu, 2 Aug 2001 00:41:54 +0200

Hi,

the following devices are attached.

tun0: dynamic IP
rl0: 10.0.0.148 <-- is connected to the ADSL modem
xl0: 172.16.1.1

Ok, now here is my problem. I have IPFW set up with the following ruleset:

------------------------------------------------------------------
fwcmd="/sbin/ipfw"

$fwcmd -f flush
$fwcmd add 20 pass all from any to any via lo0
$fwcmd add 30 pass all from any to any via rl0
$fwcmd add 40 pass all from any to any via xl0

$fwcmd add 50 deny log all from 192.168.0.0/16 to any in via tun0
$fwcmd add 60 deny log all from 172.16.0.0/12 to any in via tun0
$fwcmd add 70 deny log all from 10.0.0.0/8 to any in via tun0
$fwcmd add 80 deny log all from 127.0.0.0/8 to any in via tun0
$fwcmd add 90 deny log all from 0.0.0.0/8 to any in via tun0
$fwcmd add 100 deny log all from 169.254.0.0/16 to any in via tun0
$fwcmd add 110 deny log all from 192.0.2.0/24 to any in via tun0
$fwcmd add 120 deny log all from 204.152.64.0/23 to any in via tun0
$fwcmd add 130 deny log all from 224.0.0.0/3 to any in via tun0

$fwcmd add 131 count tcp from any to any via tun0
$fwcmd add 132 count udp from any to any 27000-28000 out via tun0
$fwcmd add 133 count tcp from any 1024-65535 to any 21 in via tun0
$fwcmd add 134 count tcp from any 20 to any 1024-65535 out via tun0
$fwcmd add 135 count tcp from any 49153-65535 to any 1024-65535 out via tun0
$fwcmd add 136 count tcp from any to any 80 in via tun0
$fwcmd add 136 count tcp from any to any 80 out via tun0

$fwcmd add 140 pipe 1 tcp from any to any 22,1494 via tun0
$fwcmd add 141 pipe 2 udp from any to any 27000-28000 out via tun0
$fwcmd add 142 pipe 3 tcp from any to any in via tun0
$fwcmd add 143 pipe 4 tcp from any to any out via tun0
$fwcmd pipe 1 config bandwidth 0 queue 10Kbyte
$fwcmd pipe 2 config bandwidth 0 queue 20Kbyte
$fwcmd pipe 3 config bandwidth 728Kbit/s queue 50Kbyte
$fwcmd pipe 4 config bandwidth 96Kbit/s queue 10Kbyte

$fwcmd add 149 divert natd ip from any to any via tun0
$fwcmd add 160 check-state

$fwcmd add 200 pass icmp from any to any in via tun0 icmptypes 0,11
$fwcmd add 210 pass tcp from any to any 22 in via tun0 keep-state tcpflags syn
$fwcmd add 220 pass tcp from any to any 80 in via tun0 keep-state tcpflags syn
$fwcmd add 230 pass tcp from any to any 443 in via tun0 keep-state tcpflags syn
$fwcmd add 240 pass tcp from any to any 21 in via tun0 keep-state tcpflags syn
$fwcmd add 250 pass tcp from any 1024-65535 to any 49153-65535 in via tun0 keep-state tcpflags syn
$fwcmd add 260 deny udp from any to 192.246.40.56 out via tun0
$fwcmd add 270 deny log tcp from any to any 6666-6669 out via tun0
$fwcmd add 280 pass tcp from any to any out via tun0 setup keep-state
$fwcmd add 290 pass udp from any to any out via tun0 keep-state
$fwcmd add 300 pass icmp from any to any out via tun0 keep-state
$fwcmd add 65530 deny log all from any to any
-------------------------------------------------------------------

and the following natd.cf:

--------------------------------------
redirect_port udp 127.0.0.1:27952 192.246.40.56:27952
use_sockets yes
unregistered_only no
interface tun0
dynamic yes
same_ports yes
punch_fw 500:100
--------------------------------------

Ok, when a packet tries to go out it passes the divert rule and gets rewritten. Now, rewritten with my external IP, it passes the keep-state rule. This rule adds a dynamic rule like this:

00280 2 96 (T 6, # 49) ty 0 tcp, 213.23.32.173 4264 <-> 216.239.35.100 80

That's ok. Now the packet from the external host comes back with source IP 216.239.35.100 and destination IP 213.32.23.173, which is my EXTERNAL IP. It passes the ruleset and gets rewritten by the divert rule to source IP 216.239.35.100 and destination IP 172.16.1.101 (this is my client on the LAN). But let us remember which dynamic rule was created by the keep-state one. So the packet rewritten by the divert rule CAN'T pass the dynamic rule created by the keep-state rule.

Aug  2 00:31:38 Nipsi /kernel: ipfw: 65530 Deny TCP 216.136.35.100:80 172.16.1.101:4262 in via tun0

How could I fix this, or what is the clean implementation of keep-state rules in combination with divert rules?
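To make the mismatch concrete, here is an added Python model of the rule walk (a constructed example, not the poster's configuration or the ipfw implementation). It reduces the ruleset to the divert, check-state, keep-state and final deny rules, and, as an assumption about a fix, also runs a reordered set that translates inbound packets before check-state and records state on the outbound packet before it is translated (via skipto to the divert rule), the ordering commonly used for natd with stateful rules.

```python
# Toy model of ipfw traversal with a divert (natd) rule plus keep-state/check-state.
# Constructed example, not the poster's code; addresses are taken from the post.
EXT, LAN_CLIENT, WEB = "213.23.32.173", "172.16.1.101", "216.239.35.100"

def endpoints(pkt):
    """Key of a dynamic rule: both endpoints, so the reply direction matches too."""
    return frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])

class Firewall:
    def __init__(self, rules):  # rules: (number, action, direction, keep_state, skipto_target)
        self.rules, self.states, self.nat = rules, set(), {}

    def divert(self, pkt):
        """natd-style rewrite (same_ports): hide the LAN source going out, restore it coming in."""
        p = dict(pkt)
        if p["dir"] == "out" and p["src"] != EXT:
            self.nat[p["sport"]], p["src"] = p["src"], EXT
        elif p["dir"] == "in" and p["dst"] == EXT and p["dport"] in self.nat:
            p["dst"] = self.nat[p["dport"]]
        return p

    def run(self, pkt, start=0):
        """Walk the rules in order; return (matching rule number, verdict)."""
        for i in range(start, len(self.rules)):
            num, action, direction, keep, target = self.rules[i]
            if direction and direction != pkt["dir"]:
                continue
            if action == "divert":
                pkt = self.divert(pkt)          # packet continues down the list, rewritten
            elif action == "check-state":
                if endpoints(pkt) in self.states:
                    return num, "pass"
            else:
                if keep:                        # dynamic rule records the addresses seen HERE
                    self.states.add(endpoints(pkt))
                if action != "skipto":
                    return num, action
                return self.run(pkt, [r[0] for r in self.rules].index(target))
        return None, "deny"

ORIGINAL = [(149, "divert", None, False, None), (160, "check-state", None, False, None),
            (280, "pass", "out", True, None), (65530, "deny", None, False, None)]
REORDERED = [(100, "divert", "in", False, None), (101, "check-state", None, False, None),
             (280, "skipto", "out", True, 800), (500, "deny", "in", False, None),
             (800, "divert", "out", False, None), (801, "pass", None, False, None),
             (65530, "deny", None, False, None)]

def web_session(rules):
    fw = Firewall(rules)  # SYN from the LAN client to WEB:80, then the reply arriving on tun0
    syn = {"dir": "out", "src": LAN_CLIENT, "sport": 4264, "dst": WEB, "dport": 80}
    reply = {"dir": "in", "src": WEB, "sport": 80, "dst": EXT, "dport": 4264}
    return fw.run(syn), fw.run(reply)
```

With ORIGINAL the reply is un-NATed to 172.16.1.101 before check-state, finds no matching dynamic rule and falls through to 65530, as in the log line; with REORDERED the state was recorded on the untranslated outbound packet, so the un-NATed reply matches at check-state.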