From owner-freebsd-ipfw Fri Jun 9 16:01:12 2000
Date: Fri, 9 Jun 2000 19:01:00 -0400 (EDT)
From: Andy Dills
To: freebsd-ipfw@freebsd.org
Subject: Hijacking DNS with ipfw

(I'm not a member of this list, so please cc me on replies. Thanks.)

I'm having what appears to be a fundamental problem, and I was hoping
somebody on the list might have an idea on how to proceed. As far as I can
tell from the archives, this hasn't been addressed.

I'm in a situation where I have customers with various DNS servers
configured. These customers are all behind a FreeBSD (4.0-R) box. The
FreeBSD box is running named (among other things).

I had thought that this rule would cut it:

    ipfw add 10 fwd 127.0.0.1,53 udp from any to any 53 recv xl1

But that just doesn't work. I'm assuming it's because maybe named gets
confused because fwd rules preserve the dest IP (as fwd rules are intended
to be used in transparent caching).

Does anybody have a suggestion on how to approach this?

Thanks,
Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills                              301-682-9972
Xecunet, LLC                            www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Fri Jun 9 16:40:59 2000
Date: Fri, 09 Jun 2000 16:39:39 -0700
From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
To: Andy Dills
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Hijacking DNS with ipfw
Message-Id: <200006092339.e59Ndgw02026@cwsys.cwsent.com>
In-reply-to: Your message of "Fri, 09 Jun 2000 19:01:00 EDT."

In message , Andy Dills writes:

> (I'm not a member of this list, so please cc me on replies. Thanks.)
>
> I'm having what appears to be a fundamental problem, and I was hoping
> somebody on the list might have an idea on how to proceed. As far as I can
> tell from the archives, this hasn't been addressed.
>
> I'm in a situation where I have customers with various DNS servers
> configured. These customers are all behind a FreeBSD (4.0-R) box. The
> FreeBSD box is running named (among other things).
>
> I had thought that this rule would cut it:
>
>     ipfw add 10 fwd 127.0.0.1,53 udp from any to any 53 recv xl1
>
> But that just doesn't work. I'm assuming it's because maybe named gets
> confused because fwd rules preserve the dest IP (as fwd rules are intended
> to be used in transparent caching).
>
> Does anybody have a suggestion on how to approach this?

This just changes the next hop a packet would take to its final
destination. You'll need to use NAT to do what you want.
Regards,                         Phone:  (250)387-8437
Cy Schubert                      Fax:    (250)387-5766
Team Leader, Sun/DEC Team        Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-ipfw Fri Jun 9 18:48:46 2000
Date: Fri, 9 Jun 2000 21:46:44 -0400 (EDT)
From: Andy Dills
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Hijacking DNS with ipfw
In-Reply-To: <200006092339.e59Ndgw02026@cwsys.cwsent.com>

On Fri, 9 Jun 2000, Cy Schubert - ITSD Open Systems Group wrote:

> > I had thought that this rule would cut it:
> >
> >     ipfw add 10 fwd 127.0.0.1,53 udp from any to any 53 recv xl1
> >
> > But that just doesn't work. I'm assuming it's because maybe named gets
> > confused because fwd rules preserve the dest IP (as fwd rules are intended
> > to be used in transparent caching).
> >
> > Does anybody have a suggestion on how to approach this?
>
> This just changes the next hop a packet would take to its final
> destination. You'll need to use NAT to do what you want.

That is correct and incorrect. In my experience and according to the man
page, if the "next hop" is an address on the box in question, it is dumped
into the specified port such that the reply packets have a source address
of the dest addr of the original packet. I'm not forwarding the packet to
another host, I'm forwarding it to localhost so that the DNS server can
handle it.

Regarding NAT, I am using NAT. However, I'm not interested in DNS packets
leaving my network, as many customers will have DNS servers in private IP
space. So, while I'm doing NAT for everything else, I need to hijack DNS
to dump it to the local named. I'm positive this is possible, I'm just not
sure how to do it :>

Thanks,
Andy

From owner-freebsd-ipfw Fri Jun 9 22:01:01 2000
Date: Sat, 10 Jun 2000 01:04:03 -0400
From: "purpledreams.com system administrator"
To: "Andy Dills"
Subject: Re: Hijacking DNS with ipfw
Message-ID: <003301bfd299$61e21920$a3337218@purpledreams.com>

But if all you do is redirect the packet to a different port, without NAT,
then the result will not be forwarded back correctly.

i.e. :

1 - 10.11.12.13 (host) sends DNS to 10.11.13.2
2 - 10.11.12.1 (ipfw gateway) redirects to 127.0.0.1
3 - local DNS answers request, sends results back to 10.11.12.13

without NAT, the packet from number 3 will have a destination of 10.11.12.13
and a source of 10.11.12.1, not 10.11.13.2, and therefore the host making
the query won't properly process the packet. NAT would change the source
and destination info on the packets (as opposed to merely re-routing them),
making them route correctly.

all this is, of course, assuming i understand it correctly. it all comes down
to the query host receiving the result correctly, not specifically a routing
issue at all.....

--
dana lacoste
purpledreams.com sysadmin
FreeBSD since 1997

From owner-freebsd-ipfw Fri Jun 9 22:24:23 2000
Date: Sat, 10 Jun 2000 01:23:38 -0400 (EDT)
From: Andy Dills
To: "purpledreams.com system administrator"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Hijacking DNS with ipfw
In-Reply-To: <003301bfd299$61e21920$a3337218@purpledreams.com>

On Sat, 10 Jun 2000, purpledreams.com system
administrator wrote:

> But if all you do is redirect the packet to a different port, without NAT,
> then the result will not be forwarded back correctly.
>
> i.e. :
>
> 1 - 10.11.12.13 (host) sends DNS to 10.11.13.2
> 2 - 10.11.12.1 (ipfw gateway) redirects to 127.0.0.1
> 3 - local DNS answers request, sends results back to 10.11.12.13
>
> without NAT, the packet from number 3 will have a destination of 10.11.12.13
> and a source of 10.11.12.1, not 10.11.13.2, and therefore the host making
> the query won't properly process the packet. NAT would change the source
> and destination info on the packets (as opposed to merely re-routing them),
> making them route correctly.
>
> all this is, of course, assuming i understand it correctly. it all comes down
> to the query host receiving the result correctly, not specifically a routing
> issue at all.....

You're quite possibly right; I've been agonizing over the description of
fwd in `man ipfw`:

-===-
fwd ipaddr[,port]

    Change the next-hop on matching packets to ipaddr, which can be an IP
    address in dotted quad or a host name. If ipaddr is not a
    directly-reachable address, the route as found in the local routing table
    for that IP is used instead. If ipaddr is a local address, then on a
    packet entering the system from a remote host it will be diverted to port
    on the local machine, keeping the local address of the socket set to the
    original IP address the packet was destined for. This is intended for use
    with transparent proxy servers. If the IP is not a local address then
    the port number (if specified) is ignored and the rule only applies to
    packets leaving the system.
-===-

The way I understand that is:

1) 10.0.0.1 requests DNS from 10.0.0.200
2) Via proxy arp, the packet gets sucked into the FreeBSD box. (I'm
   effectively proxy arping the entire internet...long story, but this part
   of the project is working flawlessly)
3) I fwd it to the localhost:53, and the source address of the reply is
   set to 10.0.0.200, and the dest address is set to 10.0.0.1.

Am I incorrect? Maybe we'll have to wait for one of the ipfw developers to
give some insight.

Thanks,
Andy

From owner-freebsd-ipfw Sat Jun 10 00:26:26 2000
Date: Sat, 10 Jun 2000 00:24:54 -0700
From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: Andy Dills
Cc: "purpledreams.com system administrator", freebsd-ipfw@FreeBSD.ORG
Subject: Re: Hijacking DNS with ipfw
Message-ID: <20000610002454.A13393@dialin-client.earthlink.net>
References: <003301bfd299$61e21920$a3337218@purpledreams.com>
In-Reply-To: ; from andy@xecu.net on Sat, Jun 10, 2000 at 01:23:38AM -0400

On Sat, Jun 10, 2000 at 01:23:38AM -0400, Andy Dills wrote:

[snip]

> You're quite possibly right; I've been agonizing over the description of
> fwd in `man ipfw`:
>
> -===-
> fwd ipaddr[,port]
>
>     Change the next-hop on matching packets to ipaddr, which can be an IP
>     address in dotted quad or a host name. If ipaddr is not a
>     directly-reachable address, the route as found in the local routing table
>     for that IP is used instead. If ipaddr is a local address, then on a
>     packet entering the system from a remote host it will be diverted to port
>     on the local machine, keeping the local address of the socket set to the
>     original IP address the packet was destined for. This is intended for use
>     with transparent proxy servers. If the IP is not a local address then
>     the port number (if specified) is ignored and the rule only applies to
>     packets leaving the system.
> -===-
>
> The way I understand that is:
>
> 1) 10.0.0.1 requests DNS from 10.0.0.200
> 2) Via proxy arp, the packet gets sucked into the FreeBSD box. (I'm
>    effectively proxy arping the entire internet...long story, but this part
>    of the project is working flawlessly)

Looks good to here...

> 3) I fwd it to the localhost:53, and the source address of the reply is
>    set to 10.0.0.200, and the dest address is set to 10.0.0.1.

OK, who would be doing this change of source address if there is no NAT
daemon?

> Am I incorrect? Maybe we'll have to wait for one of the ipfw developers to
> give some insight.

My rule of thumb has always been to remember that ipfw(8) never
actually changes the contents of a packet, it just changes where it
gets piped to (except for some rare occasions). If any source address
changes were to be made in the response packets, it would have to be
named doing it, not ipfw(8).

--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-ipfw Sat Jun 10 09:31:31 2000
Date: Sat, 10 Jun 2000 12:30:23 -0400 (EDT)
From: Andy Dills
To: cjclark@alum.mit.edu
Cc: "purpledreams.com system administrator", freebsd-ipfw@FreeBSD.ORG
Subject: Re: Hijacking DNS with ipfw
In-Reply-To: <20000610002454.A13393@dialin-client.earthlink.net>

On Sat, 10 Jun 2000, Crist J. Clark wrote:

> > 3) I fwd it to the localhost:53, and the source address of the reply is
> >    set to 10.0.0.200, and the dest address is set to 10.0.0.1.
>
> OK, who would be doing this change of source address if there is
> no NAT daemon?

It isn't changing the source address, it's replying with a source address
of the destination address of the original packet.
At least, that's how I understand this sentence from the description:

"If ipaddr is a local address, then on a packet entering the system from a
remote host it will be diverted to port on the local machine, keeping the
local address of the socket set to the original IP address the packet was
destined for."

What I don't really understand is how NAT would help in this situation.
What I need to do is re-write the destination address to a local ip upon
receipt of the packet, and upon reply, rewrite the source address to the
original destination address.

The problem is, AFAIK nat will not do that under any circumstances. I
tried this approach already:

(I'm running one instance of natd on 8668 already. According to the manpage
for natd, -reverse is the closest approximation to what I'm trying to do)

    natd -p 8669 -alias_address -reverse
    ipfw add 10 divert 8669 udp from any to any 53 via xl1
    ipfw add 11 fwd 127.0.0.1,53 udp from to any 53

That's the only way I can think of to do this with nat, and that didn't
work either.

> > Am I incorrect? Maybe we'll have to wait for one of the ipfw developers to
> > give some insight.
>
> My rule of thumb has always been to remember that ipfw(8) never
> actually changes the contents of a packet, it just changes where it
> gets piped to (except for some rare occasions). If any source address
> changes were to be made in the response packets, it would have to be
> named doing it, not ipfw(8).

Ah, but that's the thing, I'm not suggesting it modifies the packets. I'm
saying using fwd with a local address simulates the local machine being the
dest ip address, and reply packets have a source address of the original
dest ip and a dest ip of the original source. It doesn't actually rewrite
anything, it 'emulates' the dest ip, just as you would if you were using
squid.

My theory is that named doesn't like answering requests for a dest IP it
doesn't explicitly think it owns. That's basically what I'm trying to find
out.

Thanks,
Andy

From owner-freebsd-ipfw Sat Jun 10 09:44:28 2000
Date: Sat, 10 Jun 2000 12:47:39 -0400
From: "purpledreams.com system administrator"
To: "Andy Dills"
Subject: Re: Hijacking DNS with ipfw
Message-ID: <001201bfd2fb$971c45e0$a3337218@purpledreams.com>

From: "Andy Dills"
Sent: Saturday, June 10, 2000 12:30 PM

> What I don't really understand is how NAT would help in this situation.
> What I need to do is re-write the destination address to a local ip upon
> receipt of the packet, and upon reply, rewrite the source address to the
> original destination address.
>
> The problem is, AFAIK nat will not do that under any circumstances. I
> tried this approach already:

I think I understand where the confusion lies now.

If I understand correctly : (from the natd man page, but the box I got this
off is only 3.3-RELEASE, so there may have been some changes. YMMV)

    -redirect_port proto targetIP:targetPORT [aliasIP:]aliasPORT
                   [remoteIP[:remotePORT]]
            Redirect incoming connections arriving to given port to
            another host and port. Proto is either tcp or udp, targetIP
            is the desired target IP number, targetPORT is the desired
            target PORT number, aliasPORT is the requested PORT number
            and aliasIP is the aliasing address. RemoteIP and remotePORT
            can be used to specify the connection more accurately if
            necessary. For example, the argument

                tcp inside1:telnet 6666

            means that tcp packets destined for port 6666 on this machine
            will be sent to the telnet port on the inside1 machine.

This is how natd describes port redirecting. this won't work for you
because you don't know the IP address that the DNS request is going to:
you only know that it's going to port 53.

I think that you will still need natd or something similar, as ipfw
doesn't change the packets, and natd does, exactly as you describe above.
The problem is how to make the redirection occur for _any_ connection
attempt to port 53, instead of merely redirecting port 53 attempts to
known IPs.

From how I understand it, I would be extremely surprised if ipfw will do
this independently : it _shouldn't_ be able to handle it, as sometimes you
would need the functionality of redirecting without changing the
source/destination info!

In a former life :) I managed a Gauntlet firewall on NT. It had something
called "transparent proxying" which would do what you intend (although it
wouldn't do it for DNS : it treats DNS as a major security hole.) What it
does is monitor (for example) any packets heading through on port 80 (as
most people use transparent proxies for web access and little else) and
manage the connection itself, transparently to the client.

I don't think that natd supports this right now (maybe next weekend after I
switch the aforementioned 3.3 box to 4.0 I will see more into this though.)

Can someone please sanity check my explanation here? It makes sense to me,
but I don't want to make anyone follow the wrong train of thought in
figuring this out :)

--
Dana Lacoste
purpledreams.com sysadmin

From owner-freebsd-ipfw Sat Jun 10 10:37:37 2000
Date: Sat, 10 Jun 2000 13:37:26 -0400 (EDT)
From: Andy Dills
To: "purpledreams.com system administrator"
Cc: cjclark@alum.mit.edu, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Hijacking DNS with ipfw
In-Reply-To: <001201bfd2fb$971c45e0$a3337218@purpledreams.com>

On Sat, 10 Jun 2000, purpledreams.com system administrator wrote:

> I think that you will still need natd or something similar, as ipfw
> doesn't change the packets, and natd does, exactly as you describe
> above. The problem is how to make the redirection occur for _any_
> connection attempt to port 53, instead of merely redirecting port 53
> attempts to known IPs.

Well, to provide more input, I did this:

I set up apache on this box, running on the standard port 80. I did a:

    ipfw add 200 fwd 127.0.0.1,80 tcp from any to any 80 recv xl1

And guess what...it worked perfectly. So, I'm growing closer to assuming
this is a named issue.
I'm considering trying out tinydns from Bernstein, to see what happens with
that.

Andy

From owner-freebsd-ipfw Sat Jun 10 12:17:59 2000
Date: Sat, 10 Jun 2000 12:16:27 -0700
From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: Andy Dills
Cc: cjclark@alum.mit.edu, "purpledreams.com system administrator",
    freebsd-ipfw@FreeBSD.ORG
Subject: Re: Hijacking DNS with ipfw
Message-ID: <20000610121626.A1197@dialin-client.earthlink.net>
References: <20000610002454.A13393@dialin-client.earthlink.net>
In-Reply-To: ; from andy@xecu.net on Sat, Jun 10, 2000 at 12:30:23PM -0400

On Sat, Jun 10, 2000 at 12:30:23PM -0400, Andy Dills wrote:

[snip]

> The problem is, AFAIK nat will not do that under any circumstances. I
> tried this approach already:
>
> (I'm running one instance of natd on 8668 already. According to the manpage
> for natd, -reverse is the closest approximation to what I'm trying to do)
>
>     natd -p 8669 -alias_address -reverse
>     ipfw add 10 divert 8669 udp from any to any 53 via xl1
>     ipfw add 11 fwd 127.0.0.1,53 udp from to any 53
>
> That's the only way I can think of to do this with nat, and that didn't
> work either.

Shouldn't this be,

    # cat /etc/natd_dns.conf
    # command line for natd getting long
    port 8669
    interface xl1
    reverse
    redirect_address 0.0.0.0
    # natd -f /etc/natd_dns.conf
    # ipfw add 10 divert 8669 udp from any to any 53 via xl1
    # ipfw add 11 divert 8669 tcp from any to any 53 via xl1

--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-ipfw Sat Jun 10 13:39:08 2000
Date: Sat, 10 Jun 2000 13:37:41 -0700
From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: freebsd-ipfw@freebsd.org
Subject: ARP Hack for BRIDGE?
Message-ID: <20000610133741.G1197@dialin-client.earthlink.net>

I just noticed the following code hiding in the 4.0-STABLE rc.firewall,

    # If you're using 'options BRIDGE', uncomment the following line to pass ARP
    #${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

All I have to say is, "Wha...?"

--
Crist J. Clark                           cjclark@alum.mit.edu
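The disagreement running through the DNS thread above (whether a fwd to a local port leaves the reply with a source address the client will accept, or whether a stateful natd-style rewrite is needed) can be worked through in a small model. This is an added example, not code from any of the posts: it uses the addresses from Dana's numbered scenario, models named on Andy's theory that it only answers for addresses it owns, and treats the wildcard-bound case as an assumption about why the Apache test behaved differently.

```python
"""Model of the thread's redirection argument (added example, constructed
inputs): does a fwd to a local port yield a reply the client accepts, or is
a stateful NAT rewrite needed?"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Addresses from Dana's numbered scenario; the topology itself is constructed.
CLIENT = "10.11.12.13"    # customer host behind the FreeBSD box
FAR_DNS = "10.11.13.2"    # resolver the customer has configured
GATEWAY = "10.11.12.1"    # the FreeBSD box running named
LOCAL = "127.0.0.1"       # where the thread tries to deliver DNS


@dataclass(frozen=True)
class Udp:
    src: str
    sport: int
    dst: str
    dport: int
    dns_id: int           # transaction ID carried in the DNS payload


class LocalDns:
    """Local name server.  owned=None models a daemon bound to the wildcard
    address (an assumption about why Andy's Apache test worked); otherwise
    only datagrams sent to an owned address reach a socket (Andy's theory
    about named).  reply_from, if set, forces the answer's source address."""

    def __init__(self, owned=None, reply_from: Optional[str] = None):
        self.owned = None if owned is None else set(owned)
        self.reply_from = reply_from

    def answer(self, q: Udp) -> Optional[Udp]:
        if self.owned is not None and q.dst not in self.owned:
            return None                    # no socket for this address
        src = self.reply_from or q.dst     # default: answer from where asked
        return Udp(src=src, sport=q.dport, dst=q.src, dport=q.sport,
                   dns_id=q.dns_id)


class FwdRule:
    """'fwd 127.0.0.1,53': changes where the packet is piped, not its bytes
    (Crist's rule of thumb)."""

    def inbound(self, q: Udp) -> Udp:
        return q

    def outbound(self, r: Udp) -> Udp:
        return r


class NatRedirect:
    """natd-style stateful redirect of every UDP/53 query to LOCAL, with the
    reverse translation applied to the answer (Cy's and Dana's position)."""

    def __init__(self):
        # (client ip, client port) -> original (server ip, server port)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def inbound(self, q: Udp) -> Udp:
        self.table[(q.src, q.sport)] = (q.dst, q.dport)
        return replace(q, dst=LOCAL)

    def outbound(self, r: Udp) -> Udp:
        orig = self.table.pop((r.dst, r.dport), None)
        if orig is None:
            return r                       # not ours; leave untouched
        return replace(r, src=orig[0], sport=orig[1])


def client_accepts(query: Udp, reply: Optional[Udp]) -> bool:
    """Stub-resolver check: the reply must come from the server that was
    asked, back to the query's port, and carry the same transaction ID."""
    return (reply is not None
            and reply.src == query.dst and reply.sport == query.dport
            and reply.dst == query.src and reply.dport == query.sport
            and reply.dns_id == query.dns_id)


def simulate(redirect, server: LocalDns) -> str:
    """Run one query through the gateway and report what the client sees."""
    query = Udp(src=CLIENT, sport=40123, dst=FAR_DNS, dport=53, dns_id=0x1A2B)
    answer = server.answer(redirect.inbound(query))
    if answer is None:
        return "no reply"
    on_wire = redirect.outbound(answer)
    if client_accepts(query, on_wire):
        return "accepted"
    return f"rejected (reply came from {on_wire.src})"


if __name__ == "__main__":
    named = LocalDns(owned=[GATEWAY, LOCAL])
    print("fwd:", simulate(FwdRule(), named),
          "| natd-style:", simulate(NatRedirect(), named))
```

Dana's step 3 (a reply sourced from 10.11.12.1) is reproduced with `LocalDns(reply_from=GATEWAY)`, which the client check rejects; only the stateful rewrite puts 10.11.13.2 back on the answer.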