From: steve <steve@clublinux.org>
Date: Sun, 08 Jul 2001 00:14:34 -0500
To: freebsd-security@freebsd.org
Subject: IPFilter/IPNat and rdr

Hi,

First off, I'm quite new to FreeBSD and I hope I chose the correct list to mail to. In order to help teach myself FreeBSD, I'm recreating my home firewall using FreeBSD (ipfilter/ipnat) instead of Linux (ipchains). I'm using the 4.3 RELEASE of FreeBSD. I have a web server behind the firewall that I want to allow people to access from the outside.
After reading the IPFilter How-To, this seems fairly easy:

ipnat.rules
-----------
rdr ep0 216.170.19.162/32 port 80 -> 192.168.1.100 port 80

ipfilter.rules
--------------
pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80 flags S keep state keep frags

However, because NAT occurs before the filtering, I can no longer have a rule to prevent packets from the outside that contain a destination IP on my internal network from passing through my firewall and entering my internal network, like this:

block in quick on ep0 from any to 192.168.0.0/16

I realize that packets with a source or destination of 192.168.0.0/16 should be dropped by routers on the internet, but I know this doesn't always happen, as our firewall at work has recorded such packets in the past.

Am I misunderstanding how IPFilter/IPNat work together correctly? If so, is there a way around this problem? If not, would the following provide the protection I'm looking for while still allowing people to access my web server from the outside?

pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80 flags S keep state keep frags
block in quick on ep0 from any to 192.168.0.0/16

This would prevent any packet from the outside with a destination address of my internal network from passing through the firewall unless it was specifically going to port 80 on my web server, right?

Please CC me on any replies as I'm not currently subscribed to the list.

Thanks in advance,
Steve
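As an added illustration (not part of Steve's post or of IPFilter itself), a small Python model of the inbound path the post describes: ipnat's rdr rewrites the destination first, then the quick filter rules are matched first-match against the rewritten packet. The rule syntax is reduced to the fields the post's rules use, and treating "no rule matched" as pass is an assumption of the model; it shows why the block rule alone would drop the redirected web traffic, and why putting the pass rule first lets it through while still blocking other packets addressed to 192.168.0.0/16.

```python
# Added example (not from the original post or from IPFilter): a toy model of the
# inbound path as the post describes it. ipnat rdr runs before the filter rules,
# and "quick" filter rules are first-match. Packets below are constructed.
import ipaddress

PUBLIC_IP = "216.170.19.162"      # addresses taken from the post
WEB_SERVER = "192.168.1.100"
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")

# ipnat.rules: rdr ep0 216.170.19.162/32 port 80 -> 192.168.1.100 port 80
RDR_RULES = [(PUBLIC_IP, 80, WEB_SERVER, 80)]

# ipfilter.rules in the order the post proposes (first match wins, "quick")
FILTER_RULES = [
    # pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80 ...
    ("pass", ipaddress.ip_network(WEB_SERVER + "/32"), 80),
    # block in quick on ep0 from any to 192.168.0.0/16
    ("block", INTERNAL_NET, None),
]

def apply_rdr(dst, dport):
    """Rewrite the destination if an rdr rule matches (NAT happens before filtering)."""
    for match_ip, match_port, new_ip, new_port in RDR_RULES:
        if dst == match_ip and dport == match_port:
            return new_ip, new_port
    return dst, dport

def filter_packet(dst, dport, rules):
    """Evaluate quick rules, first match wins, against the post-NAT destination."""
    for action, net, port in rules:
        if ipaddress.ip_address(dst) in net and (port is None or dport == port):
            return action
    return "pass"   # assumption of the model: no matching rule means pass

def inbound(dst, dport, rules=FILTER_RULES):
    """Inbound packet on ep0: rdr first, then the filter. Returns (verdict, final_dst)."""
    dst, dport = apply_rdr(dst, dport)
    return filter_packet(dst, dport, rules), dst

if __name__ == "__main__":
    # constructed packets: a web request to the public IP, an outside packet already
    # addressed to an internal host, and a non-web port on the public IP
    for pkt in [(PUBLIC_IP, 80), ("192.168.1.50", 22), (PUBLIC_IP, 22)]:
        print(pkt, "pass-first ->", inbound(*pkt),
              "block-first ->", inbound(*pkt, rules=FILTER_RULES[::-1]))
```

Note that the pass rule matches on the post-NAT destination, so it also matches a packet that arrives on ep0 already addressed to 192.168.1.100 port 80; a source or interface restriction is what narrows that, which the model makes visible.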