Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 20 Sep 2000 18:02:34 -0700
From:      Chip <chip@wiegand.org>
To:        cjclark@alum.mit.edu
Cc:        "seafug@dub.net" <seafug@dub.net>, "freebsd-questions@freebsd.org" <freebsd-questions@FreeBSD.ORG>
Subject:   Re: natd does port forwarding? 
Message-ID:  <39C95E2A.C3962BB8@wiegand.org>
References:  <39C6FCCC.D0103226@wiegand.org> <20000918225104.I367@149.211.6.64.reflexcom.com> <39C70308.EF52766F@wiegand.org> <20000919000233.L367@149.211.6.64.reflexcom.com> <39C84A4B.766B5B24@wiegand.org> <20000919232213.Q367@149.211.6.64.reflexcom.com> <20000920120922.C22272@149.211.6.64.reflexcom.com>

next in thread | previous in thread | raw e-mail | index | archive | help
This is a multi-part message in MIME format.
--------------F00729E45F120CBC014CFC79
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

I believe it works now, I tried at work at it redirected to my
home web server and the page loaded fine, would you be so kind
as to do the same? www.wiegand.org There is a 5 second delay.
The only differance at this time is at the bottom of the page
that
loads on my home server, it has a paragraph that states this is 
loaded on my home server.
I cannot load it from within my home network, though I think I 
understand why. Correct me if I'm wrong -
a packet goes out from 192.168.0.6, is translated to
208.194.173.26
returns to 208.194.173.26 and is translated back to 192.168.0.6
then the web page tries to load from my home server but there is
no
route between the inside and outside nics, so it can't be loaded 
into the inside network pc. Maybe I'm confused.  ;-)
Anyway, there is only one instance of natd running now. It loads
from
/etc/rc.conf (the only line in that file in fact). The other
place
it could load from, /usr/local/etc/rc.d, is strange. I loaded it
in
vi and it is just a whole lot of @^@^ repeated many times. And a 
that says rc.d is not a regular file.
Now I just have to tighten up my firewall rules. I go to grc.com
to 
run the port scan on that sight and get the following results -
ports 21, 23, 79, 80 are open 
ports 110, 113, 139, 143, 443 are closed
My ipfw show shows this -
00100 1499 429850 divert 8668 ip from any to any via ep1
00100    0      0 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
65000 2274 800088 allow ip from any to any
65535    0      0 allow ip from any to any
Now this doesn't seem right to my unknowledgable eyes, even for
an open firewall. My goal is to have a firewall that shows the
above
mentioned ports and all others as either closed or stealth. So my
rc.firewall is attaced for all to see an rip apart for me, so I
can learn from my mistakes and maybe be a better FreeBSD user. 
:)
Thankyou so much for you assistance,

-- 
Chip W.	
www.wiegand.org
Alternative Operating Systems

"Crist J . Clark" wrote:
> 
> On Wed, Sep 20, 2000 at 07:01:16AM -0700, Chip wrote:
> > "Crist J . Clark" wrote:
> > > On Tue, Sep 19, 2000 at 10:25:31PM -0700, Chip wrote:
> > > > According to top natd is running, in fact, after a reboot it
> > > > showed two instances of it running. I have attached my rc.conf,
> > > > rc.firewall, and natd.conf in the hopes that someone can tell
> > > > me where I have gone wrong, because port forwarding is not
> > > > working.
> > >
> > > OK, I made some observations. What version of FreeBSD are you using,
> > > BTW?
> > FreeBSD 4.0
> > the one on the Cheapbytes cd, I don't know if its -release or
> > what.
> 
> I would assume so.
> 
> [snip]
> 
> > > > rc.conf --
> [snip]
> > > > gateway_enable="YES"
> > > > router_enable="YES"
> > >
> > > Remove this. It is not needed.
> > >
> > > > defaultrouter="208.194.173.1"
> > > > natd_enable="YES"
> > > > natd_interface="ep1"
> > >
> > > You forgot,
> > >
> > >   natd_flags="-f /etc/natd.conf"
> > >
> > Okay, I've added that line and commented out the other two. Just
> > out
> > of curiousity, I thought those were necessary, I have a 7 pc
> > network
> > here at home.
> 
> Oops. I guess I was not too clear. One _is_ necessary, one is
> not. Specifically,
> 
>   gateway_enable="YES"
>   #router_enable="YES"
> 
> You don't need routed(8). My comment above was only directed at the
> previous line, not at the two previous lines. Sorry.
> 
> [snip]
> 
> > Once again, the new versions are attached. Could the problem be
> > at
> > the web server? I can connect to via its ip address from anywhere
> > inside the network and it will return the proper web page, so I
> > am
> > assuming that means it will work.
> > It has the outside nic, 208.194.173.26, as a gateway. Anything
> > else
> > need to be specified on the server network settings to get this
> > to
> > work at it's end?
> 
> You can just turn on the IP fowarding on the running system by doing,
> 
>   # sysctl -w net.inet.ip.forwarding=1
> 
> Rather than rebooting to get the effect of the 'gateway_enable'
> change. Now does the NAT work?
> 
> If not, send the output of 'ipfw show' to make sure that there is not
> something weird going on when your rules get loaded.
> 
> Do you still get two natd(8) when you startup? Are you trying to start
> natd from /etc/rc.local or /usr/local/etc/rc.d too?
> --
> Crist J. Clark                           cjclark@alum.mit.edu
--------------F00729E45F120CBC014CFC79
Content-Type: text/plain; charset=us-ascii;
 name="rc.firewall"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="rc.firewall"

############
# Setup system for firewall service.
# $FreeBSD: src/etc/rc.firewall,v 1.30 2000/02/06 19:24:37 paul Exp $

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
if [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-124-0
#	http://www.ora.com/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls & Internet Security
#	Repelling the wily hacker
#	William R. Cheswick, Steven M. Bellowin
#
#	Addison-Wesley
#	ISBN 0-201-6337-4
#	http://www.awl.com/
#

if [ -n "${1}" ]; then
	ifirewall_type="${1}"
fi

############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	ifwcmd="/sbin/ipfw"
	;;
esac

############
# Flush out the list before we begin.
#
/sbin/ipfw -f flush

############
# These rules are required for using natd.  All packets are passed to
# natd before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
#
case ${natd_enable} in
[Yy][Ee][Ss])
	if [ -n "ep1" ]; then
        /sbin/ipfw add divert 8668 all from any to any via ep1		
fi
	;;
esac

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open.  You can also
# do this as your only action by setting the firewall_type to ``open''.
#
#     /sbin/ipfw add 65000 pass all from any to any

############
# Only in rare cases do you want to change these rules
#
/sbin/ipfw add 100 pass all from any to any via lo0
/sbin/ipfw add 200 deny all from any to 127.0.0.0/8
# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0


# Prototype setups.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
#if [ "${firewall}" = "open" ]; then
	/sbin/ipfw add 65000 pass all from any to any
;;	

[Cc][Ll][Ii][Ee][Nn][Tt])
	############
	# This is a prototype setup that will protect your system somewhat
	# against people from outside your own network.
	############
#elif [ "${firewall}" = "client" ]; then
	# set these to your network and netmask and ip
	net="192.168.0.0"
	mask="255.255.255.0"
	ip="192.168.0.1"

	# Allow any traffic to or from my own net.
	/sbin/ipfw add pass all from ${ip} to ${net}:${mask}
	/sbin/ipfw add pass all from ${net}:${mask} to ${ip}

	# Allow TCP through if setup succeeded
	/sbin/ipfw add pass tcp from any to any established

	# Allow IP fragments to pass through
	/sbin/ipfw add pass all from any to any frag

	# Allow setup of incoming email
	/sbin/ipfw add pass tcp from any to ${ip} 25 setup

	# Allow setup of outgoing TCP connections only
	/sbin/ipfw add pass tcp from ${ip} to any setup

	# Disallow setup of all other TCP connections
	/sbin/ipfw add deny tcp from any to any setup

	# Allow DNS queries out in the world
	/sbin/ipfw add pass udp from any 53 to ${ip}
	/sbin/ipfw add pass udp from ${ip} to any 53

	# Allow NTP queries out in the world
        /sbin/ipfw add pass udp from any 123 to ${ip}
	/sbin/ipfw add pass udp from ${ip} to any 123

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Ss][Ii][Mm][Pp][Ll][Ee])
	############
	# This is a prototype setup for a simple firewall.  Configure this
	# machine as a named server and ntp server, and point all the machines
	# on the inside at this machine for those services.
	############
#elif [ "${firewall}" = "simple" ]; then
	# set these to your outside interface network and netmask and ip
	oif="ep1"
	onet="208.194.173.0"
	omask="255.255.255.128"
	oip="208.194.173.26"

	# set these to your inside interface network and netmask and ip
	iif="xl0"
	inet="192.168.0.0"
	imask="255.255.255.0"
	iip="192.168.0.1"

	# Stop spoofing
	/sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
	/sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}

	# Stop RFC1918 nets on the outside interface
	/sbin/ipfw add deny all from 10.0.0.0/8 to any via ${oif}
	/sbin/ipfw add deny all from any to 10.0.0.0/8 via ${oif}
	/sbin/ipfw add deny all from 172.16.0.0/12 to any via ${oif}
	/sbin/ipfw add deny all from any to 172.16.0.0/12 via ${oif}
	/sbin/ipfw add deny all from 192.168.0.0/16 to any via ${oif}
	/sbin/ipfw add deny all from any to 192.168.0.0/16 via ${oif}

	# Stop draft-manning-dsua-01.txt nets on the outside interface
	/sbin/ipfw add deny all from 0.0.0.0/8 to any via ${oif}
	/sbin/ipfw add deny all from any to 0.0.0.0/8 via ${oif}
	/sbin/ipfw add deny all from 169.254.0.0/16 to any via ${oif}
	/sbin/ipfw add deny all from any to 169.254.0.0/16 via ${oif}
	/sbin/ipfw add deny all from 192.0.2.0/24 to any via ${oif}
	/sbin/ipfw add deny all from any to 192.0.2.0/24 via ${oif}
	/sbin/ipfw add deny all from 224.0.0.0/4 to any via ${oif}
	/sbin/ipfw add deny all from any to 224.0.0.0/4 via ${oif}
	/sbin/ipfw add deny all from 240.0.0.0/4 to any via ${oif}
	/sbin/ipfw add deny all from any to 240.0.0.0/4 via ${oif}

        # Allow TCP through if setup succeeded
	/sbin/ipfw add pass tcp from any to any established

	# Allow IP fragments to pass through
	/sbin/ipfw add pass all from any to any frag

	# Allow setup of incoming email
	/sbin/ipfw add pass tcp from any to ${oip} 25 setup

	# Allow access to our DNS
	/sbin/ipfw add pass tcp from any to ${oip} 53 setup
	/sbin/ipfw add pass udp from any to ${oip} 53
	/sbin/ipfw add pass udp from ${oip} 53 to any

	# Allow access to our WWW
	/sbin/ipfw add pass tcp from any to ${oip} 80 setup

	# Reject&Log all setup of incoming connections from the outside
	/sbin/ipfw add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	/sbin/ipfw add pass tcp from any to any setup

	# Allow DNS queries out in the world
	/sbin/ipfw add pass udp from any 53 to ${oip}
	/sbin/ipfw add pass udp from ${oip} to any 53

	# Allow NTP queries out in the world
	/sbin/ipfw add pass udp from any 123 to ${oip}
	/sbin/ipfw add pass udp from ${oip} to any 123

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;
        fi
)
#[Uu][Nn][Kk][Nn][Oo][Ww][Nn])

	;;
)
)
#	if [ -r "${firewall_type}" ]; then
	/sbin/ipfw ${firewall_flags} ${firewall_type}
#        fi
	;;
esac
fi

--------------F00729E45F120CBC014CFC79--



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?39C95E2A.C3962BB8>