From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 9 11:02:28 2006
Date: Mon, 9 Jan 2006 11:02:26 GMT
Message-Id: <200601091102.k09B2Qr1066084@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
List-Id: IPFW Technical Discussions

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw   [ipfw] [patch] ipfw2 create dynamic rules f
f [2003/04/24] kern/51341  ipfw   [ipfw] [patch] ipfw rule 'deny icmp from
o [2004/03/03] kern/63724  ipfw   [ipfw] IPFW2 Queues dont t work
o [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw   [ipfw] ipfw2/1 conflict not detected or r
o [2005/03/13] conf/78762  ipfw   [ipfw] [patch] /etc/rc.d/ipfw should exce
o [2005/05/11] bin/80913   ipfw   [patch] /sbin/ipfw2 silently discards MAC
o [2005/11/08] kern/88659  ipfw   [modules] ipfw and ip6fw do not work prop
o [2005/11/08] kern/88664  ipfw   [ipfw] ipfw stateful firewalling broken w

9 problems total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   [ipfw] Add an option to ipfw to log gid/u
o [2002/12/10] kern/46159  ipfw   [ipfw] [patch] ipfw dynamic rules lifetim
o [2003/02/11] kern/48172  ipfw   [ipfw] [patch] ipfw does not log size and
o [2003/03/10] kern/49086  ipfw   [ipfw] [patch] Make ipfw2 log to differen
o [2003/04/09] bin/50749   ipfw   [ipfw] [patch] ipfw2 incorrectly parses p
o [2003/08/26] kern/55984  ipfw   [ipfw] [patch] time based firewalling sup
o [2003/12/30] kern/60719  ipfw   [ipfw] Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw   [ipfw] install_state warning about alread
o [2004/09/04] kern/71366  ipfw   [ipfw] "ipfw fwd" sometimes rewrites dest
o [2004/10/22] kern/72987  ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [B
o [2004/10/29] kern/73276  ipfw   [ipfw] [patch] ipfw2 vulnerability (parse
o [2005/02/01] kern/76971  ipfw   [ipfw] ipfw antispoof incorrectly blocks
o [2005/03/13] bin/78785   ipfw   [ipfw] [patch] ipfw verbosity locks machi
o [2005/05/05] kern/80642  ipfw   [ipfw] [patch] ipfw small patch - new RUL
o [2005/06/28] kern/82724  ipfw   [ipfw] [patch] Add setnexthop and default
o [2005/10/05] kern/86957  ipfw   [ipfw] [patch] ipfw mac logging
o [2005/10/07] kern/87032  ipfw   [ipfw] [patch] ipfw ioctl interface imple
o [2006/01/03] bin/91245   ipfw   [patch] ipfw(8) sometimes treat ipv6 inpu

18 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 9 20:44:49 2006
Date: Mon, 9 Jan 2006 21:45:53 +0100
From: Brian Josefsen
To: freebsd-ipfw@freebsd.org
Message-ID: <20060109204553.GB4033@wasd.dk>
Subject: Polling ipfw counters with snmp help..

Hi all

I have now for days tried to find some info on polling the ipfw counters
via ipfw, and there are lots of people suggesting just to use the exec
param in net-snmp.
However, is it possible in any way with either bsnmpd or net-snmp to poll
those counters without a lot of magic (shell script glue)?

I often create rules on the fly and have some added and removed
automatically, and would really love to be able to poll those rules
immediately.

Any help or suggestions would be appreciated. I'm hoping to be able to do
this by Friday, 4 days from now, else I'll just have to give up, so I'm
actually willing to try anything.

-- 
Best regards
Josefsen

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 10 10:16:12 2006
Date: Tue, 10 Jan 2006 02:16:10 -0800
From: Andrew Fremantle
To: freebsd-questions@freebsd.org, freebsd-ipfw@freebsd.org
Message-ID: <43C3896A.7090704@skyhawk.ca>
Subject: Advanced IPFW2 Forward rule problem / bug / misunderstanding
Hello,

I have searched the lists for information pertaining to this problem, but I
haven't been able to find anything relevant to my attempted usage of IPFW's
"forward" action. If there are any preexisting threads that address my
concern, please direct me to them. I have also sent this message to the
freebsd-ipfw list, as this seems consistent with some other threads I see in
their archive.

Here's the situation:

I have two ISPs, each providing two IPs. One of these ISPs is providing IPs
on totally different subnets, and is MAC sensitive. I have two internal
servers (actually, just one listening on two addresses), and I want this
server to be available externally to both ISPs. (We're migrating ISPs, and
we don't want any interruption in service.) I am using port forwarding in
NATd to allow the necessary ports through to the server.

My problem comes with the replies - FreeBSD has only one default gateway,
and all traffic going out, regardless of which external IP address it is
from, goes to that gateway. Since ISP2 doesn't care much for routing traffic
from ISP1, and vice versa, I have a problem.

I should note here that I am not trying to load balance - I am perfectly
happy with all outbound LAN connections being NATted over one link, I just
need the ability to service inbound connections on all four IPs.

I am using forward rules in my firewall to match packets belonging to these
other interfaces, to forward them to the appropriate gateway. According to
the manpage for ipfw, "If /ipaddr/ is not a local address, then the port
number (if specified) is ignored, and the packet will be forwarded to the
remote address, using the route as found in the local routing table for that
IP." I interpret that as "The packet's next hop will be compared to the
routing table, and routed out the appropriate interface to reach that next
hop". The problem is that doesn't seem to be happening.

I have tried fiddling a few knobs to no effect - specifically
net.inet.ip.fastforwarding, net.inet.ip.sourceroute and
net.inet.ip.accept_sourceroute.

Telus is the "legacy" ISP, so when I'm trying these rules all the inbound
server requests are from the two Telus interfaces. I have numbered a rule
here "42000". This rule will catch all kinds of packets outbound from
${ext1_ip}:80 and ${ext1_ip}:443 to clients on the internet. This tells me
my inbound NAT translation is working, the packets are getting to the
server, replies are coming back, they're matching my forward rules, but
still going out the wrong interface anyways!

As attached as I am to the idea of doing this via ipfw, if anyone has any
suggestions on alternate methods to achieve the same results, I'd love to
hear them!!!

On to the technical details - I have obscured IP addresses here, but the
networks and subnet masks remain the same.

-------------------------------------------
bsdbox# uname -a
FreeBSD bsdbox 6.0-RELEASE-p1 FreeBSD 6.0-RELEASE-p1 #1: Mon Jan  9 08:15:08 PST 2006     root@bsdbox:/usr/obj/usr/src/sys/BSDBOX  i386
-------------------------------------------
bsdbox# cat /usr/src/sys/i386/conf/BSDBOX
.
.
.
### FIREWALLING
options         IPFIREWALL
options         IPFIREWALL_FORWARD
options         IPFIREWALL_FORWARD_EXTENDED     ( I just did this to test - it made no difference)
options         IPDIVERT
-------------------------------------------
bsdbox# cat /etc/rc.conf
.
.
.
##########
## Networking
##########
gateway_enable="YES"
## Ensure interface configuration and Firewall script remain consistent!!
defaultrouter="24.85.92.1"
ifconfig_rl0="192.168.1.1"
ifconfig_vr0="142.179.109.xxx netmask 255.255.248.0"
ifconfig_vr1="216.232.85.xxx netmask 255.255.254.0"
ifconfig_rue0="24.85.9x.xxx netmask 255.255.252.0"
ifconfig_rue0_alias0="24.85.9x.xxx netmask 255.255.255.255"
natd_enable="NO"
firewall_enable="YES"
firewall_script="/usr/local/etc/firewall.telus+shaw-test"
-------------------------------------------------
bsdbox# cat /usr/local/etc/firewall.telus+shaw-test
##### firewall.telus+shaw 0.9.8

# Acquire variables from /etc/rc.conf
if [ -r /etc/rc.conf ]; then
    . /etc/rc.conf
fi

fwcmd="/sbin/ipfw -q"

##########
## THIS SCRIPT REQUIRES THE FOLLOWING VARIABLES
## TO BE CORRECTLY DEFINED!
##########

##########
# PRIMARY external interface (Telus)
ext1="vr0"                  # Device name
ext1_ip="142.179.109.xxx"   # IP Address
ext1_gw="142.179.104.254"   # IP Gateway
ext1_bc="142.179.111.255"   # Broadcast Address
ext1_srv="192.168.1.10"     # Server IP Address
##########

##########
# SECONDARY external interface (Telus)
ext2="vr1"                  # Device name
ext2_ip="216.232.85.xxx"    # IP Address
ext2_nm="255.255.254.0"     # Network Mask
ext2_bc="216.232.85.255"    # Broadcast Address
ext2_gw="216.232.84.254"    # IP Gateway
ext2_srv="192.168.1.11"     # IP Address of internal server
##########

##########
# Shaw Cable Interface(s)
# PRIMARY IP
shaw="rue0"                 # Device Name
shaw_ip="24.85.93.xxx"      # IP Address
shaw_nm="255.255.252.0"     # Network Mask
shaw_bc="24.85.95.255"      # Broadcast Address
shaw_gw="24.85.92.1"        # IP Gateway
srv1_int="192.168.1.10"     # Internal IP of server
srv1_ext="24.85.93.xxx"     # External IP of server (Same as ${shaw_ip})
# SECONDARY IP
srv2_int="192.168.1.11"     # Internal IP of server
srv2_ext="24.85.93.xxx"     # External IP of server
##########

##########
# INTERNAL interface
int="rl0"                   # Device name
int_ip="192.168.1.1"        # IP Address
int_nm="255.255.255.0"      # Network Mask
int_bc="192.168.1.255"      # Broadcast Address
##########

## I have to handle NATd manually from this script because it's got
## too many connection specific options.
nat_in="8667"
nat_out="8669"

## Kill any running instance
if [ -r /var/run/natd.pid ]; then
    kill -9 `cat /var/run/natd.pid`
    sleep 1
fi

# And run our new NATd
/sbin/natd -log_ipfw_denied -i ${nat_in} -o ${nat_out} -s -m -u -n ${shaw} \
    -punch_fw 36000:100 \
    -redirect_port tcp ${ext1_srv}:22 ${ext1_ip}:xxxx \
    -redirect_port tcp ${ext1_srv}:53 ${ext1_ip}:53 \
    -redirect_port tcp ${ext1_srv}:80 ${ext1_ip}:80 \
    -redirect_port tcp ${ext1_srv}:443 ${ext1_ip}:443 \
    -redirect_port udp ${ext1_srv}:53 ${ext1_ip}:53 \
    -redirect_port tcp ${ext2_srv}:80 ${ext2_ip}:80 \
    -redirect_port tcp ${ext2_srv}:443 ${ext2_ip}:443 \
    -redirect_port tcp ${srv1_int}:22 ${shaw_ip}:xxxx \
    -redirect_port tcp ${srv1_int}:53 ${shaw_ip}:53 \
    -redirect_port udp ${srv1_int}:53 ${shaw_ip}:53 \
    -redirect_port tcp ${srv1_int}:80 ${shaw_ip}:80 \
    -redirect_port tcp ${srv1_int}:443 ${shaw_ip}:443 \
    -redirect_port tcp ${srv2_int}:80 ${srv2_ext}:80 \
    -redirect_port tcp ${srv2_int}:443 ${srv2_ext}:443

# Blow away the existing firewall ruleset
${fwcmd} flush

##########
# Now I start defining rules to handle traffic
##########

# Divide and Conquer based on interface and direction
## Inbound Internal
${fwcmd} add 0500 skipto 5000 all from any to any in recv ${int}
## Outbound Internal
${fwcmd} add skipto 10000 all from any to any out xmit ${int}
# Inbound Primary External (Telus)
${fwcmd} add skipto 15000 all from any to any in recv ${ext1}
# Outbound Primary External (Telus)
${fwcmd} add skipto 20000 all from any to any out xmit ${ext1}
# Inbound Secondary External (Telus)
${fwcmd} add skipto 25000 all from any to any in recv ${ext2}
# Outbound Secondary External (Telus)
${fwcmd} add skipto 30000 all from any to any out xmit ${ext2}
# Inbound Shaw
${fwcmd} add skipto 35000 all from any to any in recv ${shaw}
# Outbound Shaw
${fwcmd} add skipto 40000 all from any to any out xmit ${shaw}
# Local Loopback
${fwcmd} add allow all from any to any via lo0
# If I still haven't matched it, it's a damn weirdo. Drop it.
${fwcmd} add reset all from any to any

### *****************
### Inbound Internal Traffic
### *****************
# Drop all packets not originating on my network
${fwcmd} add 5000 drop all from not ${int_ip}:${int_nm} to any // Inbound Internal
# Skip the next rule for all packets destined to the firewall itself ( & Broadcast )
${fwcmd} add 5010 skipto 5040 all from any to \( ${int_ip} or ${int_bc} \)
# Drop all packets destined to my internal network
${fwcmd} add 5020 drop all from any to ${int_ip}:${int_nm}
# Allow existing conversations, and new ICMP and SSH connections
${fwcmd} add 5040 check-state
${fwcmd} add allow icmp from any to \( ${int_ip} or ${int_bc} \) keep-state
${fwcmd} add allow tcp from any to ${int_ip} 22 setup keep-state
# Pass packets to NATd for possible translation
${fwcmd} add divert ${nat_out} all from any to any
# Redirect to gateway for ext1 if it's an existing connection on ext1
${fwcmd} add forward ${ext1_gw} all from ${ext1_ip} to any
# Redirect to gateway for ext2 if it's an existing connection on ext2
${fwcmd} add forward ${ext2_gw} all from ${ext2_ip} to any
# Allow all packets adjusted by NATd
${fwcmd} add allow ip from \( ${shaw_ip} or ${srv2_ext} \) to any
# Reject this packet
${fwcmd} add reset log all from any to any

### *****************
### Outbound Internal Traffic
### *****************
# Allow Existing Conversations
${fwcmd} add 10000 check-state // Outbound Internal
# Allow me to start ICMP, SSH and DNS sessions
${fwcmd} add allow icmp from ${int_ip} to ${int_ip}:${int_nm} keep-state
${fwcmd} add allow tcp from ${int_ip} to ${int_ip}:${int_nm} 22 keep-state
${fwcmd} add allow udp from ${int_ip} to ${srv1_int} 53 keep-state
# Allow NATd translated traffic through
${fwcmd} add allow all from not ${int_ip}:${int_nm} to ${int_ip}:${int_nm}
# Reject this packet
${fwcmd} add reset log all from any to any

### *****************
### Inbound External (primary) Traffic
### *****************
# Ensure this packet did not originate from a private network
${fwcmd} add 15000 drop all from 192.168.0.0/16 to any // Inbound Telus Primary
${fwcmd} add 15020 drop all from 172.16.0.0/12 to any
${fwcmd} add 15030 drop all from 10.0.0.0/8 to any
${fwcmd} add 15040 drop all from 127.0.0.0/8 to any
${fwcmd} add 15050 drop all from 0.0.0.0/8 to any
${fwcmd} add 15060 drop all from 169.254.0.0/16 to any
${fwcmd} add 15070 drop all from 192.0.2.0/24 to any
${fwcmd} add 15080 drop all from 204.152.64.0/23 to any
${fwcmd} add 15090 drop all from 224.0.0.0/3 to any
# Drop the packet if it's not broadcast or destined to us
${fwcmd} add 15500 skipto 15600 all from any to \( ${ext1_ip} or ${ext1_bc} \)
${fwcmd} add 15520 deny all from any to any
# Pass to NATd for possible reverse-translation
${fwcmd} add 15600 divert ${nat_in} all from any to any
# Pass anything NATd has translated
${fwcmd} add allow all from any to ${int_ip}:${int_nm}
# Drop whatever's left
${fwcmd} add deny all from any to any

### *****************
### Outbound External (primary) Traffic
### *****************
# Deny all traffic to private nets
${fwcmd} add 20000 drop all from any to 192.168.0.0/16 // Outbound Telus Primary
${fwcmd} add drop all from any to 172.16.0.0/12
${fwcmd} add drop all from any to 10.0.0.0/8
${fwcmd} add drop all from any to 127.0.0.0/8
${fwcmd} add drop all from any to 0.0.0.0/8
${fwcmd} add drop all from any to 169.254.0.0/16
${fwcmd} add drop all from any to 192.0.2.0/24
${fwcmd} add drop all from any to 204.152.64.0/23
${fwcmd} add drop all from any to 224.0.0.0/3
# Allow outbound traffic from this machine (NATd translated)
${fwcmd} add allow all from ${ext1_ip} to any
# Drop whatever's left
${fwcmd} add deny all from any to any

### *****************
### Inbound External (secondary) Traffic
### *****************
# Ensure this packet did not originate from a private network
${fwcmd} add 25000 drop all from 192.168.0.0/16 to any // Inbound Telus Secondary
${fwcmd} add 25020 drop all from 172.16.0.0/12 to any
${fwcmd} add 25030 drop all from 10.0.0.0/8 to any
${fwcmd} add 25040 drop all from 127.0.0.0/8 to any
${fwcmd} add 25050 drop all from 0.0.0.0/8 to any
${fwcmd} add 25060 drop all from 169.254.0.0/16 to any
${fwcmd} add 25070 drop all from 192.0.2.0/24 to any
${fwcmd} add 25080 drop all from 204.152.64.0/23 to any
${fwcmd} add 25090 drop all from 224.0.0.0/3 to any
# Drop the packet if it's not broadcast or destined to us
${fwcmd} add 25100 skipto 25500 all from any to \( ${ext2_ip} or ${ext2_bc} \)
${fwcmd} add 25120 deny all from any to any
# Pass to NATd for possible reverse-translation
${fwcmd} add 25500 divert ${nat_in} all from any to any
# Allow all packets translated by NATd
${fwcmd} add allow all from any to ${int_ip}:${int_nm}
# Drop whatever's left
${fwcmd} add reject all from any to any

### *****************
### Outbound External (secondary) Traffic
### *****************
# Deny all traffic to private nets
${fwcmd} add 30000 drop all from any to 192.168.0.0/16 // Outbound Telus Secondary
${fwcmd} add drop all from any to 172.16.0.0/12
${fwcmd} add drop all from any to 10.0.0.0/8
${fwcmd} add drop all from any to 127.0.0.0/8
${fwcmd} add drop all from any to 0.0.0.0/8
${fwcmd} add drop all from any to 169.254.0.0/16
${fwcmd} add drop all from any to 192.0.2.0/24
${fwcmd} add drop all from any to 204.152.64.0/23
${fwcmd} add drop all from any to 224.0.0.0/3
# Pass all packets from ext2_ip
${fwcmd} add pass all from ${ext2_ip} to any
# Drop whatever's left
${fwcmd} add deny all from any to any

### *****************
### Inbound Shaw Traffic
### *****************
# Ensure this packet did not originate on a private network
${fwcmd} add 35000 drop all from 192.168.0.0/16 to any // Inbound Shaw
${fwcmd} add 35010 drop all from 172.16.0.0/12 to any
${fwcmd} add 35020 drop all from 10.0.0.0/8 to any
${fwcmd} add 35030 drop all from 127.0.0.0/8 to any
${fwcmd} add 35040 drop all from 0.0.0.0/8 to any
${fwcmd} add 35050 drop all from 169.254.0.0/16 to any
${fwcmd} add 35060 drop all from 192.0.2.0/24 to any
${fwcmd} add 35070 drop all from 204.152.64.0/23 to any
${fwcmd} add 35080 drop all from 224.0.0.0/3 to any
# Drop the packet if it's not broadcast or destined to us
${fwcmd} add 35100 skipto 35500 all from any to \( ${shaw_ip} or ${srv2_ext} or ${shaw_bc} \)
${fwcmd} add 35200 deny all from any to any
# Allow Inbound ICMP and SSH (To me)
${fwcmd} add 35510 allow icmp from any to me
${fwcmd} add 35520 allow tcp from any to me 22
# Pass to NATd for possible reverse translation
${fwcmd} add 35550 divert ${nat_in} all from any to any
# NATd punches holes from 36000 - 36100
# Pass anything NATd has translated
${fwcmd} add 36200 allow all from any to ${int_ip}:${int_nm}
# Deny whatever's left
${fwcmd} add deny all from any to any

### *****************
### Outbound Shaw Traffic
### *****************
# Deny all traffic to private nets
${fwcmd} add 40000 drop all from any to 192.168.0.0/16 // Outbound Shaw
${fwcmd} add drop all from any to 172.16.0.0/12
${fwcmd} add drop all from any to 10.0.0.0/8
${fwcmd} add drop all from any to 127.0.0.0/8
${fwcmd} add drop all from any to 0.0.0.0/8
${fwcmd} add drop all from any to 169.254.0.0/16
${fwcmd} add drop all from any to 192.0.2.0/24
${fwcmd} add drop all from any to 204.152.64.0/23
${fwcmd} add drop all from any to 224.0.0.0/3
# Allow all outbound traffic from me (includes NATted stuff)
${fwcmd} add allow all from \( ${shaw_ip} or ${srv2_ext} or ${shaw_bc} \) to any
# Drop whatever's left
${fwcmd} add 42000 deny log all from any to any

######
######
# Log all packets falling through the firewall
${fwcmd} add 65534 deny log all from any to any
------------------------------------------
Excerpts from /var/log/security

Jan  9 09:11:55 bsdbox kernel: ipfw: 40900 Deny TCP 142.179.109.xxx:443 207.216.181.74:1111 out via rue0
Jan  9 09:12:07 bsdbox kernel: ipfw: 40900 Deny TCP 142.179.109.xxx:443 154.20.34.158:61974 out via rue0
Jan  9 09:14:40 bsdbox kernel: ipfw: 40900 Deny TCP 142.179.109.xxx:443 64.180.164.232:44707 out via rue0
------------------------------------------

All questions, comments, suggestions and flames (well, okay, maybe not the
flames) are welcome! My apologies for the extremely long post.

- Andrew

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 10 16:54:22 2006
Date: Tue, 10 Jan 2006 10:53:24 -0600
From: Dennis Olvany
To: Andrew Fremantle
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Message-ID: <43C3E684.5040204@gmail.com>
In-Reply-To: <43C3896A.7090704@skyhawk.ca>
Subject: Re: Advanced IPFW2 Forward rule problem / bug / misunderstanding

This should get you most of the way there or at least give you a good
idea of what's required.

> options IPFIREWALL_FORWARD_EXTENDED

I'm pretty sure this will be required.
> defaultrouter="24.85.92.1"
> ifconfig_rl0="192.168.1.1"
> ifconfig_vr0="142.179.109.xxx netmask 255.255.248.0"
> ifconfig_vr1="216.232.85.xxx netmask 255.255.254.0"
> ifconfig_rue0="24.85.9x.xxx netmask 255.255.252.0"
> ifconfig_rue0_alias0="24.85.9x.xxx netmask 255.255.255.255"

> Telus
> ext1_ip="142.179.109.xxx"   # IP Address
> ext1_gw="142.179.104.254"   # IP Gateway
> ext2_ip="216.232.85.xxx"    # IP Address
> ext2_gw="216.232.84.254"    # IP Gateway

> Shaw Cable
> shaw_ip="24.85.93.xxx"      # IP Address
> shaw_gw="24.85.92.1"        # IP Gateway
> srv2_ext="24.85.93.xxx"     # External IP of server

> INTERNAL
> int_ip="192.168.1.1"        # IP Address

> # And run our new NATd
> /sbin/natd -log_ipfw_denied -i ${nat_in} -o ${nat_out} -s -m -u -n
> ${shaw} -punch_fw 36000:100 -redirect_port tcp ${ext1_srv}:22
> ${ext1_ip}:xxxx -redirect_port tcp ${ext1_srv}:53 ${ext1_ip}:53
> -redirect_port tcp ${ext1_srv}:80 ${ext1_ip}:80 -redirect_port tcp
> ${ext1_srv}:443 ${ext1_ip}:443 -redirect_port udp ${ext1_srv}:53
> ${ext1_ip}:53 -redirect_port tcp ${ext2_srv}:80 ${ext2_ip}:80
> -redirect_port tcp ${ext2_srv}:443 ${ext2_ip}:443 -redirect_port tcp
> ${srv1_int}:22 ${shaw_ip}:xxxx -redirect_port tcp ${srv1_int}:53
> ${shaw_ip}:53 -redirect_port udp ${srv1_int}:53 ${shaw_ip}:53
> -redirect_port tcp ${srv1_int}:80 ${shaw_ip}:80 -redirect_port tcp
> ${srv1_int}:443 ${shaw_ip}:443 -redirect_port tcp ${srv2_int}:80
> ${srv2_ext}:80 -redirect_port tcp ${srv2_int}:443 ${srv2_ext}:443

That's a hefty nat command. Let's simplify by putting it in a file. I leave
the port forwarding to you.

/etc/rc.conf

natd_enable="yes"
natd_flags="-f /etc/natd.conf"

/etc/natd.conf

instance default
interface vr0
port 8668

instance telus2
interface vr1
port 8669

instance shaw1
alias_address 24.85.93.xxx
port 8670

instance shaw2
alias_address 24.85.93.xxx
port 8671

globalport 8672

I see that your firewall is based on rc.firewall. Forget rc.firewall, it is
junk. Base your firewall on this structure.

1. Public Interface NAT Diversion

2. check-state

3. Public Interface Leak Prevention
   3.1 deny egress from internal hosts
   3.2 deny ingress to internal hosts

4. Antispoof
   4.1 allow via loopback interface
   4.2 deny ingress from router
   4.3 deny ingress from internal hosts via public interface

5. Router
   5.1 allow egress
   5.2 deny egress
   5.3 allow ingress
   5.4 deny ingress

6. Internal Hosts
   6.1 allow egress
   6.2 deny egress
   6.3 allow ingress
   6.4 deny ingress

7. Default Deny

/etc/rc.conf

firewall_enable="yes"
firewall_type="/etc/ipfw.rules"

/etc/ipfw.rules

-f flush

add divert 8668 ip from any to any in via vr0
add divert 8669 ip from any to any in via vr1
add divert 8670 ip from any to 24.85.93.xxx in via rue0
add divert 8671 ip from any to 24.85.93.xxx in via rue0
#have never known the globalport to work on inbound
add divert 8672 ip from any to any out via { vr0 or vr1 or rue0 }
#not sure if that 'or' will work... may need to split it up

check-state

add deny ip from 192.168.1.1/24 to any via { vr0 or vr1 or rue0 }

add allow ip from me to me via lo0 keep-state
add deny ip from me to any in

add allow ip from me to { me or 192.168.1.1/24 or 142.179.109.xxx/21 or 216.232.85.xxx/23 or 24.85.9x.xxx/22 } keep-state
add forward 142.179.104.254 ip from 142.179.109.xxx to any keep-state
add forward 216.232.84.254 ip from 216.232.85.xxx to any keep-state
add forward 24.85.92.1 ip from 24.85.9x.xxx to any keep-state
add forward 24.85.92.1 ip from 24.85.9x.xxx to any keep-state
add allow ip from me to any keep-state
add deny ip from me to any
add allow icmp from any to me icmptypes 3,4,8,11 keep-state
add deny ip from any to me

add allow ip from 192.168.1.1/24 to any keep-state
add deny ip from 192.168.1.1/24 to any
add allow icmp from any to 192.168.1.1/24 icmptypes 3,4,11 keep-state
add deny ip from any to 192.168.1.1/24

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 10 20:50:16 2006
Date: Tue, 10 Jan 2006 12:49:53 -0800
From: Andrew Fremantle
To: Dennis Olvany
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Message-ID: <43C41DF1.3070305@skyhawk.ca>
In-Reply-To: <43C3E684.5040204@gmail.com>
Subject: Re: Advanced IPFW2 Forward rule problem / bug / misunderstanding

Dennis Olvany wrote:
> This should get you most of the way there or at least give you a good
> idea of what's required.
>
>> options IPFIREWALL_FORWARD_EXTENDED
>
> I'm pretty sure this will be required.
>
>> defaultrouter="24.85.92.1"
>> ifconfig_rl0="192.168.1.1"
>> ifconfig_vr0="142.179.109.xxx netmask 255.255.248.0"
>> ifconfig_vr1="216.232.85.xxx netmask 255.255.254.0"
>> ifconfig_rue0="24.85.9x.xxx netmask 255.255.252.0"
>> ifconfig_rue0_alias0="24.85.9x.xxx netmask 255.255.255.255"
>
>> Telus
>> ext1_ip="142.179.109.xxx"   # IP Address
>> ext1_gw="142.179.104.254"   # IP Gateway
>> ext2_ip="216.232.85.xxx"    # IP Address
>> ext2_gw="216.232.84.254"    # IP Gateway
>
>> Shaw Cable
>> shaw_ip="24.85.93.xxx"      # IP Address
>> shaw_gw="24.85.92.1"        # IP Gateway
>> srv2_ext="24.85.93.xxx"     # External IP of server
>
>> INTERNAL
>> int_ip="192.168.1.1"        # IP Address
>
>> # And run our new NATd
>> /sbin/natd -log_ipfw_denied -i ${nat_in} -o ${nat_out} -s -m -u -n
>> ${shaw} -punch_fw 36000:100 -redirect_port tcp ${ext1_srv}:22
>> ${ext1_ip}:xxxx -redirect_port tcp ${ext1_srv}:53 ${ext1_ip}:53
>> -redirect_port tcp ${ext1_srv}:80 ${ext1_ip}:80 -redirect_port tcp
>> ${ext1_srv}:443 ${ext1_ip}:443 -redirect_port udp ${ext1_srv}:53
>> ${ext1_ip}:53 -redirect_port tcp ${ext2_srv}:80 ${ext2_ip}:80
>> -redirect_port tcp ${ext2_srv}:443 ${ext2_ip}:443 -redirect_port tcp
>> ${srv1_int}:22 ${shaw_ip}:xxxx -redirect_port tcp ${srv1_int}:53
>> ${shaw_ip}:53 -redirect_port udp ${srv1_int}:53 ${shaw_ip}:53
>> -redirect_port tcp ${srv1_int}:80 ${shaw_ip}:80 -redirect_port tcp
>> ${srv1_int}:443 ${shaw_ip}:443 -redirect_port tcp ${srv2_int}:80
>> ${srv2_ext}:80 -redirect_port tcp ${srv2_int}:443 ${srv2_ext}:443
>
> That's a hefty nat command. Let's simplify by putting it in a file. I
> leave the port forwarding to you.
>
> /etc/rc.conf
>
> natd_enable="yes"
> natd_flags="-f /etc/natd.conf"
>
> /etc/natd.conf
>
> instance default
> interface vr0
> port 8668
>
> instance telus2
> interface vr1
> port 8669
>
> instance shaw1
> alias_address 24.85.93.xxx
> port 8670
>
> instance shaw2
> alias_address 24.85.93.xxx
> port 8671
>
> globalport 8672
>
> I see that your firewall is based on rc.firewall. Forget rc.firewall, it
> is junk. Base your firewall on this structure.
>
> 1. Public Interface NAT Diversion
>
> 2. check-state
>
> 3. Public Interface Leak Prevention
>    3.1 deny egress from internal hosts
>    3.2 deny ingress to internal hosts
>
> 4. Antispoof
>    4.1 allow via loopback interface
>    4.2 deny ingress from router
>    4.3 deny ingress from internal hosts via public interface
>
> 5. Router
>    5.1 allow egress
>    5.2 deny egress
>    5.3 allow ingress
>    5.4 deny ingress
>
> 6. Internal Hosts
>    6.1 allow egress
>    6.2 deny egress
>    6.3 allow ingress
>    6.4 deny ingress
>
> 7. Default Deny
>
> /etc/rc.conf
>
> firewall_enable="yes"
> firewall_type="/etc/ipfw.rules"
>
> /etc/ipfw.rules
>
> -f flush
>
> add divert 8668 ip from any to any in via vr0
> add divert 8669 ip from any to any in via vr1
> add divert 8670 ip from any to 24.85.93.xxx in via rue0
> add divert 8671 ip from any to 24.85.93.xxx in via rue0
> #have never known the globalport to work on inbound
> add divert 8672 ip from any to any out via { vr0 or vr1 or rue0 }
> #not sure if that 'or' will work... may need to split it up
>
> check-state
>
> add deny ip from 192.168.1.1/24 to any via { vr0 or vr1 or rue0 }
>
> add allow ip from me to me via lo0 keep-state
> add deny ip from me to any in
>
> add allow ip from me to { me or 192.168.1.1/24 or 142.179.109.xxx/21 or
> 216.232.85.xxx/23 or 24.85.9x.xxx/22 } keep-state
> add forward 142.179.104.254 ip from 142.179.109.xxx to any keep-state
> add forward 216.232.84.254 ip from 216.232.85.xxx to any keep-state
> add forward 24.85.92.1 ip from 24.85.9x.xxx to any keep-state
> add forward 24.85.92.1 ip from 24.85.9x.xxx to any keep-state
> add allow ip from me to any keep-state
> add deny ip from me to any
> add allow icmp from any to me icmptypes 3,4,8,11 keep-state
> add deny ip from any to me
>
> add allow ip from 192.168.1.1/24 to any keep-state
> add deny ip from 192.168.1.1/24 to any
> add allow icmp from any to 192.168.1.1/24 icmptypes 3,4,11 keep-state
> add deny ip from any to 192.168.1.1/24

Thanks for the quick reply. I just want to clarify a few things here....

Given that I only want outbound NAT on one interface, is it really
necessary to run four instances of NATd? Can't one instance handle
outbound NAT + inbound sessions on all interfaces, as I have it set up?

Also, you're using a whole bunch of options and features here that are
not documented on the natd man page. I found a writeup by the author of
these features, but I'm not certain if that's in the -STABLE branch or
not. (i.e., will these options work with a 6.0-RELEASE natd?)

Also, I'm not certain how your forward rules would work when mine do not,
as you're doing the same thing I did - NAT Translation, then forward to
the appropriate gateway. My experience is that forwarding packets to the
appropriate gateway *does* *not* *work*, as they all leave via the default
route's interface anyways.

I see your ipfw rules keeping state on NATd sessions, which I have learned
is not a good idea.
Isn't it far better to let NATd handle state on all NATd traffic, and
just use ipfw to keep-state on locally-generated sessions?

Still, a quick glance doesn't show me any reasons why your rules
*wouldn't* work (at least, no more reasons than my own rules don't work)
and it is drastically more compact than my own (though I have an easier
time visualizing packet flow with my layout). I might give these a shot
in a couple of days (I don't have physical access to the machine right
now).

- Andrew

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 11 05:32:36 2006
Message-ID: <43C49836.9090405@gmail.com>
Date: Tue, 10 Jan 2006 23:31:34 -0600
From: Dennis Olvany
To: Andrew Fremantle
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
In-Reply-To: <43C41DF1.3070305@skyhawk.ca>
Subject: Re: Advanced IPFW2 Forward rule problem / bug / misunderstanding

Andrew Fremantle wrote:

> Thanks for the quick reply.
>
> I just want to clarify a few things here.... Given that I only want
> outbound NAT on one interface, is it really necessary to run four
> instances of NATd? Can't one instance handle outbound NAT + inbound
> sessions on all interfaces, as I have it set up?

I'm sure you'll need one instance for each public IP from which you wish
to originate traffic.

> Also, you're using a whole bunch of options and features here that
> are not documented on the natd man page. I found a writeup by the
> author of these features, but I'm not certain if that's in the
> -STABLE branch or not. (IE, will these options work with a
> 6.0-RELEASE natd?)

Yes. I use these features with 6.0-release.

> Also, I'm not certain how your forward rules would work when mine do
> not, as you're doing the same thing I did - NAT translation, then
> forward to the appropriate gateway. My experience is that forwarding
> packets to the appropriate gateway *does* *not* *work*, as they all
> leave via the default route's interface anyway.

Have a look at the routing table and examine the route to the forwarding
destination. Traffic should follow the most specific route to the
destination and transmit via the specified interface. You can always use
static routes to achieve this.

> I see your ipfw rules keeping state on NATd sessions, which I have
> learned is not a good idea. Isn't it far better to let NATd handle
> state on all NATd traffic, and just use ipfw to keep-state on
> locally-generated sessions?

Dynamic rules are perfectly acceptable with natd, with the exception of
incoming connections. Do not keep-state on those.

> Still, a quick glance doesn't show me any reasons why your rules
> *wouldn't* work (at least, no more reasons than my own rules don't
> work) and it is drastically more compact than my own (though I have
> an easier time visualizing packet flow with my layout). I might give
> these a shot in a couple of days (I don't have physical access to the
> machine right now).

It's all about the nat configuration and I think using globalport is the
only way you're going to get those outbound translations right. I
recently created a client load-sharing nat using a very similar
configuration. Concerning the shortcomings of your rules, I have no
idea. I didn't even attempt to decipher them.

    /sbin/natd -i 8667 -o 8669 -n rue0

Let's have a look at your nat configuration. I don't know what you're
trying to achieve by using different in/out ports. You've set the
interface as rue0, so the nat is going to alias packets using an IP
associated with that interface. If you want to alias different addresses
on the same interface, you'll need to use alias_address instead of
interface and run multiple instances.
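The natd layout Dennis describes in this thread (one natd instance per public IP, one divert rule per instance, the shared globalport for the outbound side, and one outbound divert per interface instead of the `{ vr0 or vr1 or rue0 }` list he was unsure about) written out as a small generator script. This is an added example, not code from the thread or from FreeBSD; the interface names, alias addresses and divert ports in the table are constructed placeholders modelled on the posted rc.conf, and the uniqueness check at the end is an assumption about what a sane table looks like, not a natd feature.

```shell
#!/bin/sh
# Added example: build /etc/natd.conf and the matching ipfw divert rules
# from one table of public addresses, one natd instance per public IP.
# Interfaces, addresses and ports are constructed placeholders.

# Table format: name|interface|alias_address|divert_port
# alias_address is "-" when natd should alias with the interface's own address.
NAT_TABLE='default|vr0|-|8668
telus2|vr1|-|8669
shaw1|rue0|24.85.93.201|8670
shaw2|rue0|24.85.93.202|8671'
GLOBALPORT=8672   # constructed; the port the outbound divert rules use

# Emit natd.conf: one "instance" stanza per row (interface-bound or
# alias_address-bound), then the shared globalport.
gen_natd_conf() {
    printf '%s\n' "$NAT_TABLE" | while IFS='|' read -r name iface alias port; do
        printf 'instance %s\n' "$name"
        if [ "$alias" = "-" ]; then
            printf 'interface %s\n' "$iface"
        else
            printf 'alias_address %s\n' "$alias"
        fi
        printf 'port %s\n\n' "$port"
    done
    printf 'globalport %s\n' "$GLOBALPORT"
}

# Emit the inbound divert rules, one per instance: an interface-bound
# instance gets everything arriving on its interface, an alias-bound one
# only packets addressed to that alias. Outbound packets go to the
# globalport with one rule per distinct interface.
gen_divert_rules() {
    printf '%s\n' "$NAT_TABLE" | while IFS='|' read -r name iface alias port; do
        if [ "$alias" = "-" ]; then
            printf 'add divert %s ip from any to any in via %s\n' "$port" "$iface"
        else
            printf 'add divert %s ip from any to %s in via %s\n' "$port" "$alias" "$iface"
        fi
    done
    printf '%s\n' "$NAT_TABLE" | cut -d'|' -f2 | sort -u | while read -r iface; do
        printf 'add divert %s ip from any to any out via %s\n' "$GLOBALPORT" "$iface"
    done
}

# Sanity check: every instance needs its own divert port, and none may
# collide with the globalport, since the ipfw rules select an instance by
# port number. Returns 0 when the table is consistent.
check_ports_unique() {
    total=$( { printf '%s\n' "$NAT_TABLE" | cut -d'|' -f4; echo "$GLOBALPORT"; } | wc -l | tr -d ' ')
    uniq=$( { printf '%s\n' "$NAT_TABLE" | cut -d'|' -f4; echo "$GLOBALPORT"; } | sort -u | wc -l | tr -d ' ')
    [ "$total" -eq "$uniq" ]
}

# Usage: regenerate both files from the same table so they cannot drift.
if check_ports_unique; then
    gen_natd_conf
    echo '---'
    gen_divert_rules
fi
```

Generating the natd stanzas and the divert rules from one table is the point: when an instance's port or alias changes in natd.conf but not in ipfw.rules, traffic is silently handed to the wrong instance or to no instance at all, and this script makes that mismatch impossible. The divert rules belong in section 1 of Dennis's structure, ahead of check-state.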
From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 12 00:13:10 2006
Date: Thu, 12 Jan 2006 13:13:06 +1300
From: Barry Murphy
To: freebsd-ipfw@freebsd.org
Message-id: <049101c6170c$f634a710$5038c80a@clear.co.nz>
Subject: Problem with count, fwd with ipfw

Hi,

I've got a rule either counting traffic for subnet ranges to work out how
much traffic they're using; obviously I'm using internal IPs in this
example:

    # SMTP mail servers
    ipfw add 00076 count ip from any to 192.168.0.128/29 in
    ipfw add 00076 count ip from 192.168.0.128/29 to any out

or in some cases pipes

    # Robs usage
    ipfw pipe 1 config bw 64KB
    ipfw pipe 2 config bw 64KB
    ipfw add 00086 pipe 1 ip from any to 192.168.0.33/28 in
    ipfw add 00086 pipe 2 ip from 192.168.0.33/28 to any out

I'm wanting to add a transparent proxy for all users' subnets but still
have the above rules tally the traffic, so I added:

    # Trans-proxy
    ipfw add 31500 fwd 10.0.0.1,3128 tcp from 192.168.0.0/24 to any 80

Download tests have proven that the trans-proxy takes preference and
allows the user to download above their pipe rate, and also show that the
pipes 76 & 86 don't count port 80 traffic, so I can't see how much they're
downloading. I've tried using /sbin/sysctl net.inet.ip.fw.one_pass=0 but
this didn't help. I've also tried setting the rules 76 & 86 to "in via
em1", which didn't count any traffic, so I tried the dummy "in via vlanX",
which didn't count any traffic either.

em0 is the interface connecting to my ISP and em1 is connected to a Cisco
3500XL running VLANs.

    em0: flags=8843 mtu 1500
            options=b
            inet6 fe80::206:5bff:fe0f:37ff%em0 prefixlen 64 scopeid 0x1
            inet 60.234.x.x netmask 0xfffffffc broadcast 60.234.x.x
            inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
            ether 00:06:5b:0f:37:ff
            media: Ethernet 100baseTX
            status: active

    em1: flags=8843 mtu 1500
            options=b
            inet6 fe80::206:5bff:fe0f:3800%em1 prefixlen 64 scopeid 0x2
            inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
            ether 00:06:5b:0f:38:00
            media: Ethernet 1000baseTX
            status: active

    vlan1: flags=8843 mtu 1500
            inet 192.168.0.34 netmask 0xfffffff0
            inet6 fe80::206:5bff:fe0f:37ff%vlan1 prefixlen 64 scopeid 0x5
            ether 00:06:5b:0f:38:00
            media: Ethernet 1000baseTX
            status: active
            vlan: 11 parent interface: em1

    vlan2: flags=8843 mtu 1500
            inet 192.168.0.129 netmask 0xfffffff0
            inet6 fe80::206:5bff:fe0f:37ff%vlan1 prefixlen 64 scopeid 0x5
            ether 00:06:5b:0f:38:00
            media: Ethernet 1000baseTX
            status: active
            vlan: 12 parent interface: em1

Any ideas would be much appreciated.
Cheers
Barry

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 12 04:59:16 2006
Message-ID: <50069.222.154.96.238.1137042149.squirrel@www.unix.co.nz>
In-Reply-To: <049101c6170c$f634a710$5038c80a@clear.co.nz>
Date: Thu, 12 Jan 2006 18:02:29 +1300 (NZDT)
From: barry@unix.co.nz
To: "Barry Murphy"
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Problem with count, fwd with ipfw

Further to my previous email, I've run iftop on the vlan and noticed the
source address being correct and the remote address being correct (not
the trans-proxy IP), so traffic should be counting. I believe in my count
or pipe rules I probably require the 'in via vlan1'; however, it appears
ipfw doesn't like vlans as devices, as it stops counting traffic
altogether at this point. I've tried adding:

    ipfw add 1 count ip from 192.168.0.32/29 to any out via vlan1
    ipfw add 1 count ip from any to 192.168.0.32/29 in via vlan1

I've also tried reversing the statements in case I had the in/out on the
wrong lines, and also tried xmit and recv instead, but it would appear
nothing counts when specifying vlans as devices.

    FreeBSD firewall.unix.co.nz 6.0-STABLE FreeBSD 6.0-STABLE #3: Thu Dec 8 20:24:30 NZDT 2005
        icepick@firewall.unix.co.nz:/usr/obj/usr/src/sys/FIREWALL i386

Cheers
Barry

> Cheers
> Barry
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 12 13:17:24 2006
Message-ID: <43C656D8.5040304@gmail.com>
Date: Thu, 12 Jan 2006 21:17:12 +0800
From: litgle
To: freebsd-ipfw@freebsd.org
Subject: (no subject)

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 13 14:05:33 2006
Message-ID: <43C7B3AB.5080204@frasa.net>
Date: Fri, 13 Jan 2006 15:05:31 +0100
From: Mark Frasa
To: freebsd-ipfw@freebsd.org
Subject: nfsd and ipfw

Hello,

I am currently running 1
HTTP server on FreeBSD 6.0. Of course, like anyone that likes security, I
am running IPFW and set the kernel to block by default. Behind that HTTP
server I am running 2 Linux boxes.

The problem is that when I enable the firewall and open up the ports from
rpcinfo -p:

       program vers proto   port  service
        100000    4   tcp    111  rpcbind
        100000    3   tcp    111  rpcbind
        100000    2   tcp    111  rpcbind
        100000    4   udp    111  rpcbind
        100000    3   udp    111  rpcbind
        100000    2   udp    111  rpcbind
        100000    4 local    111  rpcbind
        100000    3 local    111  rpcbind
        100000    2 local    111  rpcbind
        100005    1   udp    668  mountd
        100005    3   udp    668  mountd
        100005    1   tcp    984  mountd
        100005    3   tcp    984  mountd
        100003    2   udp   2049  nfs
        100003    3   udp   2049  nfs
        100003    2   tcp   2049  nfs
        100003    3   tcp   2049  nfs

I opened up all these ports but I can't do an ls or write to nfs or
whatever. Then I thought maybe it's trying something local, so I added:

    $cmd add 00225 allow ip from 1.2.3.4/24 to any keep-state

Even this does not work. tcpdump shows me that when I have ipfw open, it
only communicates with port 2049 and I don't see anything more.

Can anybody help me out here?

Mark.
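The rpcinfo listing Mark posted, turned into ipfw allow rules and checked against an existing ruleset, as an added example script (not from the thread or from FreeBSD). The rpcinfo rows are the ones posted above; the client subnet 192.168.10.0/24, the rule number 225 and the sample 'ipfw list' lines fed to the checker are constructed placeholders. The rules are written per transport and per port and scoped to the client subnet rather than to any, and they carry no keep-state, following the advice given earlier in this digest for inbound connections.

```shell
#!/bin/sh
# Added example: turn 'rpcinfo -p' output into ipfw allow rules for the NFS
# client subnet, and list the RPC ports an existing ruleset leaves closed.
# CLIENTS and RULE are constructed placeholders.

CLIENTS="192.168.10.0/24"   # constructed: the NFS clients' subnet
RULE=225                    # constructed: rule number to add

# rpcinfo -p output as posted in the thread. The 'local' transport rows are
# AF_LOCAL sockets and need no firewall rule, so they are filtered out.
RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100000    4 local    111  rpcbind
    100000    3 local    111  rpcbind
    100000    2 local    111  rpcbind
    100005    1   udp    668  mountd
    100005    3   udp    668  mountd
    100005    1   tcp    984  mountd
    100005    3   tcp    984  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs'

# Print unique "proto port service" triples for tcp and udp, sorted.
# In real use replace RPCINFO with "$(rpcinfo -p)".
rpc_ports() {
    printf '%s\n' "$RPCINFO" | awk '$3 == "tcp" || $3 == "udp" { print $3, $4, $5 }' | sort -u
}

# Emit a stateless allow rule pair (inbound request, outbound reply) per
# transport/port, scoped to the client subnet. No keep-state on the inbound
# side: these are incoming connections to the server.
gen_nfs_rules() {
    rpc_ports | while read -r proto port svc; do
        printf 'add %s allow %s from %s to me %s in\n' "$RULE" "$proto" "$CLIENTS" "$port"
        printf 'add %s allow %s from me %s to %s out\n' "$RULE" "$proto" "$port" "$CLIENTS"
    done
}

# Read an existing ruleset on stdin ('ipfw list' style lines such as
# "00225 allow tcp from 192.168.10.0/24 to me dst-port 2049") and print the
# RPC tcp/udp ports that no allow rule for that transport mentions. Only
# fields after the "allow <proto>" tokens are compared, so the rule number
# cannot be mistaken for a port. Rules written for "ip" rather than tcp or
# udp are deliberately not credited: the check is conservative.
missing_ports() {
    rules=$(cat)
    rpc_ports | while read -r proto port svc; do
        printf '%s\n' "$rules" | awk -v p="$proto" -v n="$port" '
            { a = 0
              for (i = 1; i <= NF; i++) if ($i == "allow") a = i
              if (a && $(a + 1) == p)
                  for (i = a + 2; i <= NF; i++) if ($i == n) found = 1 }
            END { exit (found ? 0 : 1) }' || printf '%s %s %s\n' "$proto" "$port" "$svc"
    done
}

# Usage: print the generated rules, then show what a ruleset that only
# opened port 2049 (the situation described in the post) is still missing.
gen_nfs_rules
echo '--- not allowed by a 2049-only ruleset:'
printf '%s\n' '00225 allow tcp from 192.168.10.0/24 to me dst-port 2049' \
              '00225 allow udp from 192.168.10.0/24 to me dst-port 2049' | missing_ports
```

Two caveats apply when using this for real. The mountd ports (668 and 984 in the listing) are assigned when mountd starts and are not stable across restarts unless mountd is told which port to bind (its -p flag), so either pin them or regenerate the rules after every boot. And a tcpdump that shows only port 2049 traffic, as in the post, is exactly what a ruleset that passes nfs but not rpcbind or mountd produces; the missing_ports function is the quick way to see which of the listed ports a ruleset does not cover.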