Date:      08 Aug 2002 10:37:05 -0400
From:      Ean Kingston <eankingston@rogers.com>
To:        Carl Forsythe <cforsythe@avantgo.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: ipfw+nat rules question
Message-ID:  <1028817426.32616.69.camel@prosporo.hedron.org>
In-Reply-To: <4C4CB317C3CD6A40AAF9B1C7686696699018C7@kali.avantgo.com>
References:  <4C4CB317C3CD6A40AAF9B1C7686696699018C7@kali.avantgo.com>

Hi Carl,

I don't know if your question belongs in -questions or -ipfw. I don't
monitor -questions. I have seen this sort of question in the newsgroup
and I believe I can answer them for you.


On Wed, 2002-08-07 at 18:08, Carl Forsythe wrote:
> Hi folks,
>   Some questions about rule processing with ipfw and natd, if this is 
> better suited for -questions let me know and I'll send it off to 
> there.
> 
> Ok the situation/network layout is thus:
> 
> Box A provides NAT/ipfw services to Box B which is on a private 
> network, Box A is dual homed to Net A and Net B. Box B has certain
> services on it that need to be accessible to a block of addresses
> only, or in some cases only a certain other server. Box B also has a
> requirement that it needs to make outbound requests to an external
> service provider. Box A acts as the default gateway for Box B.  Net A
> is firewalled from the internet by another firewall entirely.
> 
> I setup an aliased IP on Box A to represent Box B to the machines that
> need to talk to it. Was this necessary for external servers to talk to
>  Box B, or would normal port redirection be sufficient in this case? I
> do however want Box B to be pingable for our monitoring system which
> resides out on Net A.

If you don't need to ping the external interface of your firewall (box A)
then you could get away without using an alias for box B, but it is a lot
simpler to use the alias (IMHO). The sample below assumes an alias for
box B.

> 
> So the questions I have at this point:
> 
> 1) Using the redirect_port function of natd, can I specify a network with 
> mask instead of a host for the third argument? i.e. redirect_port tcp
> Box_B:80 Box_A_Alias:80 Net_A/24

I do not believe that this is how the redirect_port directive works.

>
> Failing the above, where in the ipfw ruleset would I place any rules for 
> traffic destined to Box B, before the natd divert or after it? If
> after the divert, what IP address do I use? the external Box A alias,
> or the translated Box B address? What does the source address look
> like after the divert? Has it been translated to Box A's Net B address
> at that point?

Either place. You just have to identify it differently. I'll show you in
the example below.

> 
> /sbin/ipfw add pass tcp from Net A/24 to ??? 80 setup

This needs to go after the divert statement so your ??? should be the
real box B address.

>
> So to sum it up, Box B has a limited number of services that only need to 
> be available to servers that are on Net A. Box A provides NAT/ipfw
> services to Box B. Box B needs to be able to talk to an external web
> server(s), Box B needs to be able to resolve DNS, Box B needs to talk
> to our NTP server.
> 
> What I'm not grasping is what address to use in the ipfw rules to identify
> Box B and where in the rules to place those checks, before the natd
> divert using the external alias address or after the divert using ?
>

Please note, I don't have the resources to test these configs, so there
may be some minor errors (syntax and such), but the basic structure
should be sound. This example does not include any way to get to the
firewall (box-A) itself.

Here is what I would do:

// ipfw.conf -- configuration file for ipfw
// usage: ipfw -p /usr/bin/cpp ipfw.conf

// Fill in each value after the macro name before running cpp over this file.
#define IF_A		// interface name of nic on net-A (e.g. ed0)
#define NET_A		// network/mask of net-A network (e.g. 10.0.0.0/24)
#define IF_B		// interface name of nic on net-B (e.g. ed1)
#define BOX_B_ALIAS	// ip address alias on net-A interface for box B
#define BOX_B		// ip address of box-B (found in box-B config)
#define MONITOR		// ip address of monitoring server
#define NTP_MASTER	// ip address of NTP server

add divert natd all from any to any via IF_A
//	NOTE the divert happens as traffic travels through the IF_A
//	interface so:
//	1	Anything coming from net-B will have the net-B address
//		when it comes in IF_B but will have the net-A-alias when
//		it passes out IF_A.
//	2	Anything going to net-B will already have the net-B
//		address.

add check-state
//	This checks all dynamic rules at this point. No dynamic rules
//	should be defined before this point. In this example, only the
//	outbound NTP service sets up dynamic rules. All others are
//	static. If you don't want dynamic rules, remove the directive.

// for monitoring via icmp ping
//	NOTE the two rules for outbound, one for each interface
add allow icmp from MONITOR to BOX_B icmptypes 8
add allow icmp from BOX_B to MONITOR in via IF_B icmptypes 0
add allow icmp from BOX_B_ALIAS to MONITOR out via IF_A icmptypes 0

// for inbound traffic to box-B (ssh and http in this example)
//	NOTE two rules for outbound again; also, you may use service
//	names or port numbers (see /etc/services file).
//	'established' flag indicates session already initiated.
//	The inbound rule sits after the divert, so it matches the real
//	box-B address, not the alias.
add allow tcp from NET_A to BOX_B ssh,http
add allow tcp from BOX_B ssh,http to NET_A in via IF_B established
add allow tcp from BOX_B_ALIAS 22,80 to NET_A out via IF_A established

// for outbound traffic from box-B (ntp via udp for this example)
//	NOTE keep-state configures a dynamic rule when box-B sends
//	a request to the ntp master server. This is more secure than
//	having static rules for udp services.
add allow udp from BOX_B ntp to NTP_MASTER ntp in via IF_B keep-state
add allow udp from BOX_B_ALIAS ntp to NTP_MASTER ntp via IF_A

// If you don't want dynamic rules, remove the keep-state option from
// the line above and add the following line for return traffic:
//	add allow udp from NTP_MASTER ntp to BOX_B

// for outbound traffic from box-B (http and https for this example)
//	NOTE the 'established' directive is on the return traffic now.
add allow tcp from BOX_B to any http,https in via IF_B
add allow tcp from BOX_B_ALIAS to any http,https out via IF_A
add allow tcp from any http,https to BOX_B established

// end of ipfw.conf

## natd.conf for use with natd daemon
## usage: natd -f natd.conf
interface IF_A	## need to change this to the actual interface name
use_sockets
same_ports
redirect_address BOX_B BOX_B_ALIAS ## need to change this to real addresses (local first, then alias)
## end of natd.conf
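To make the "either place, identified differently" point concrete, here is an added model (not code from the thread, and not ipfw itself) that walks a packet through the divert-then-allow ordering above for the http case; the addresses, interface names and port numbers are constructed for illustration only.

```python
import ipaddress

# Constructed, illustrative addresses (not from the thread): net-A is 10.0.0.0/24,
# box B lives on the private net-B behind the firewall (box A).
NET_A = "10.0.0.0/24"
BOX_B, BOX_B_ALIAS, NET_A_HOST = "192.168.1.10", "10.0.0.5", "10.0.0.20"

def natd(pkt, direction):
    # Models "redirect_address BOX_B BOX_B_ALIAS": inbound packets addressed to
    # the alias get their destination rewritten to box B, outbound packets from
    # box B get their source rewritten to the alias.
    p = dict(pkt)
    if direction == "in" and p["dst"] == BOX_B_ALIAS:
        p["dst"] = BOX_B
    elif direction == "out" and p["src"] == BOX_B:
        p["src"] = BOX_B_ALIAS
    return p

def in_net(addr, spec):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    # A rule only constrains the fields it names; "via" is interface-only, like ipfw.
    for key in ("proto", "sport", "dport", "dir", "via", "established"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    return in_net(pkt["src"], rule.get("src", "0.0.0.0/0")) and \
           in_net(pkt["dst"], rule.get("dst", "0.0.0.0/0"))

# The http rules from the post, in the order ipfw walks them: divert first.
RULES = [
    dict(action="divert", via="IF_A"),
    dict(action="allow", proto="tcp", src=NET_A, dst=BOX_B, dport=80),
    dict(action="allow", proto="tcp", src=BOX_B, sport=80, dst=NET_A,
         dir="in", via="IF_B", established=True),
    dict(action="allow", proto="tcp", src=BOX_B_ALIAS, sport=80, dst=NET_A,
         dir="out", via="IF_A", established=True),
]

def evaluate(pkt):
    """One ipfw pass: returns (verdict, rule index, packet as the matching rule saw it)."""
    for i, rule in enumerate(RULES):
        if not matches(rule, pkt):
            continue
        if rule["action"] == "divert":
            pkt = natd(pkt, pkt["dir"])  # packet re-enters the ruleset after natd
            continue
        return rule["action"], i, pkt
    return "deny", len(RULES), pkt  # ipfw's implicit default rule
```

Running the four passes of one http session (SYN in via IF_A, out via IF_B, reply in via IF_B, out via IF_A) shows the inbound rule matching on the real box-B address and the final outbound rule on the alias.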


