Re: picobsd som firewall

From: Michael Lyngbøl (none@michael--lyngbol.dk.lh.bsd-dk.dk)
Date: Sun 12 Aug 2001 - 01:44:24 CEST

To: bsd-dk@bsd-dk.dk
Subject: Re: picobsd som firewall


On 11.08.2001 00:16:19 +0000, Jeppe Liisberg wrote:
 
> I think it is mostly a matter of my lack of knowledge in the natd/divert area,
> but it is very hard for me to really get any wiser from the man pages, so
> I wanted to ask whether anyone knows of any (somewhat easier to understand)
> how-tos or something along those lines. I'm missing knowledge about "divert ports" and ipfw
> syntax with respect to natd and divert.

ep0 is your outer interface (ip 1.2.3.4), ep1 (ip 192.168.1.1/24) is your
inner interface;

First make sure you have IP forwarding enabled:

        # sysctl -w net.inet.ip.forwarding=1

Then start natd(8):

        # natd -n ep0

Then configure ipfw:

        # ipfw add divert natd all from 192.168.1.0/24 to not 192.168.1.0/24
        # ipfw add divert natd all from not 192.168.1.0/24 to 1.2.3.4

You should now be up and running ...

> The thing is that I need to let traffic from outside reach my web, mail and
> ftp server, but still let the workstations connect out with everything that
> goes with it: surfing, icq, ftp, ssh, dns etc...

You leave that to natd(8); for example:

        natd -n ep0 -redirect_port tcp 192.168.1.2:80 80

will redirect requests to TCP port 80 to 192.168.1.2 port 80.

You can also redirect whole ranges of ports etc.; read more in
the man page.

> a completely different thing is that picobsd won't run rc.firewall when it
> boots; any good suggestions for solving that are also welcome.

I put my ipfw rules in /usr/local/etc/ipfw.rules, and then have the following
in /etc/rc.conf:

        firewall_enable="YES"
        firewall_type="/usr/local/etc/ipfw.rules"

Along with starting natd:

        gateway_enable="YES"
        natd_enable="YES"
        natd_interface="ep0"
        natd_flags="-redirect_port tcp 192.168.1.2:80 80"

I have attached a mail from Matt Dillon to questions@FreeBSD.ORG,
good reading.

Dillon has also written a rather nice firewall(7) man page, found on a
(post-)4.3-RELEASE box.

Finally, you can have a look at http://dot.adsl.dk/natd/

/Michael

-- 
Michael Lyngbøl -- michael at lyngbol dot dk
TDC Tele Danmark, DataNetworks, IP section

attached mail follows:


Date: Thu, 26 Apr 2001 16:21:51 -0700 (PDT)
From: Matt Dillon <none@dillon--earth.backplane.com.lh.bsd-dk.dk>
To: Jesús Arnáiz <none@jesus--pasapues.com.lh.bsd-dk.dk>
Subject: Re: NAT and IPFiltering

:Hi!
:
:I'm configuring a server able to do NAT and IP FILTERING (IPF).
:
:What are the required options that I should set to the kernel?
:
:I have this:
:...
:Jesús Arnáiz

I think all you need is:

options IPFIREWALL
options IPDIVERT

I usually also have (because it is useful):

options IPFILTER
options IPFIREWALL_FORWARD

--

For my firewall configuration (in /etc/rc.conf):

firewall_enable="YES"
firewall_type="/etc/ipfw.conf"
ip_portrange_first=4000
ip_portrange_last=5000

My /etc/ipfw.conf file contains:

# do not allow an outside entity to spoof our internal network
# IPs
add 00300 deny all from 10.0.0.0/8 in via fxp0

# NATD diversions
#
add 00400 divert 8668 ip from 10.0.0.0/8 to not 10.0.0.0/8
add 00400 divert 8668 ip from not 10.0.0.0/8 to 208.161.114.67

# allow data related to already-established TCP connections
# (near the top of the ruleset to packet switch efficiently)
#
add 01000 allow tcp from any to any established

# allow all outgoing packets
#
add 01001 allow all from any to any out via fxp0
add 01001 allow all from any to any out via fxp1

# allow all strictly internal network traffic
add 01010 allow all from 10.0.0.0/8 to 10.0.0.0/8

# allow temporary ports and specific UDP services
#
add 02000 allow udp from any to any 4000-65535,domain,ntalk,ntp
add 02500 allow udp from any to any frag

# allow temporary ports and specific TCP services. Note that
# TCP packet fragments are not allowed.
#
add 03000 allow tcp from any to any http,https
add 03000 allow tcp from any to any 4000-65535,ssh,smtp,domain,ntalk
add 03000 allow tcp from any to any auth,pop3,ftp,ftp-data

# allow certain icmp types through for ping, routing errors, and
# tcp mtu path negotiation.
#
add 04000 allow icmp from any to any icmptypes 0,3,5,8,11,12,13,14

# log any remaining fragments that get through and deny the rest
#
add 05000 deny log ip from any to any frag
add 65000 deny ip from any to any

The rc.conf setup for my ethernet port is roughly:

# Exposed network
#
ifconfig_fxp0="inet 208.161.114.65 netmask 255.255.255.192"

# Exposed for NAT
#
ifconfig_fxp0_alias1="inet 208.161.114.67 netmask 255.255.255.192"

# Internal network
#
ifconfig_fxp1="inet 10.0.0.2 netmask 255.255.255.0"

And I run natd from /etc/rc.local using:

natd -s -u -a 208.161.114.67

*ALL* exposed services run from this machine are tied to the machine's exposed IP address, in my case 208.161.114.65. It requires some work in named, sendmail.cf, and so forth to get the services bound to the correct IP address (you don't want to bind services to your NAT address).

The .67 address in my case is only used for NAT traffic.

The 4000-65535 junk is only really necessary for programs which use UDP (like DNS) and expect replies via UDP. I don't run any internal TCP or UDP services on higher numbered ports but I like having the flexibility. With some care and hardwiring of UDP ports for the services that need them, you can rip out the 4000-65535 stuff entirely. I use it because it's reasonably secure and a 'file and forget' type of setup.

If you are using NAT, your internal network should be in the 10.x.x.x space, and your external network should of course be in your internet-visible space.

-Matt
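Because ipfw is first-match and natd only sees what the divert rules hand it, the order of the rules in a file like the one above is what makes or breaks the NAT setup. The following small checker is an added example, not part of either mail: it parses "add ..." lines in the order ipfw evaluates them and flags the classic ordering mistakes (an "established" allow placed before the diverts, a missing anti-spoof deny ahead of them, no closing deny). The sample ruleset is a constructed, trimmed copy of Dillon's file; the function names are my own.

```python
import re

# Constructed sample, a trimmed copy of the /etc/ipfw.conf quoted in the mail above.
SAMPLE_RULES = """
add 00300 deny all from 10.0.0.0/8 in via fxp0
add 00400 divert 8668 ip from 10.0.0.0/8 to not 10.0.0.0/8
add 00400 divert 8668 ip from not 10.0.0.0/8 to 208.161.114.67
add 01000 allow tcp from any to any established
add 01001 allow all from any to any out via fxp0
add 65000 deny ip from any to any
"""

# add <num> <action> [log] [<divert-port>] <proto> from <rest>
RULE_RE = re.compile(r"^add\s+(\d+)\s+(\w+)(?:\s+log)?(?:\s+(\d+))?\s+(\w+)\s+from\s+(.*)$")

def parse_rules(text):
    """Return (number, action, proto, rest) tuples in the order ipfw evaluates
    them: ascending rule number, file order for equal numbers (sort is stable)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        num, action, _port, proto, rest = m.groups()
        rules.append((int(num), action, proto, rest))
    rules.sort(key=lambda r: r[0])
    return rules

def check_ordering(rules, int_net, ext_if):
    """Return a list of ordering problems (empty means the ruleset is sane).
    ipfw is first-match, so position decides whether natd ever sees a packet."""
    problems = []
    diverts = [i for i, r in enumerate(rules) if r[1] == "divert"]
    spoof = next((i for i, r in enumerate(rules) if r[1] == "deny"
                  and r[3].startswith(int_net) and "in via " + ext_if in r[3]), None)
    estab = next((i for i, r in enumerate(rules)
                  if r[1] == "allow" and r[3].endswith("established")), None)
    if not diverts:
        problems.append("no divert rule: natd never sees any packets")
    if spoof is None or (diverts and spoof > diverts[0]):
        problems.append("anti-spoof deny for the internal net must precede the diverts")
    if estab is not None and diverts and estab < diverts[-1]:
        problems.append("'established' allow precedes a divert: inbound replies bypass natd")
    if not rules or rules[-1][1] != "deny" or not rules[-1][3].startswith("any to any"):
        problems.append("ruleset does not end with 'deny ip from any to any'")
    return problems
```

Renumbering the "established" rule to, say, 00350 is enough to make inbound reply packets match before they are diverted, and the checker reports it.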




This archive was generated by hypermail 2b30 : Wed 15 Nov 2006 - 18:24:13 CET