From: "J. Seth Henry" <jshamlet@comcast.net>
To: freebsd-questions@freebsd.org
Date: 09 Oct 2003 23:36:56 -0400
Subject: ipfilter/ipnat weirdness

Hello all,

I could use a bit of help with a networking problem. I am trying to replace a dying Netgear RT314 with a FreeBSD 4.8-REL system configured as an Internet gateway. My network is as such:

[network diagram omitted; the host labels were lost]

I would like the Cisco ATA to only be able to route packets to Vonage, but that isn't that big of a deal. More important is that I would like only Vonage to be able to talk to the ATA uninitiated. I haven't even attempted this yet, as I can't get a connection now.

I need to forward all incoming FTP and SSH sessions to the server on 192.168.1.1. I have attempted this in the ipnat.rules file - however, it doesn't appear to work.
I know this might sound strange, but I need to map inbound port 23 to an ssh daemon on the router itself, while using the normal ssh port, 22, on the internal interface. I imagine this is as simple as running two copies of sshd with different arguments - but I haven't gotten it working yet. Everything else can live with just the normal NAT'ed connections.

I managed to get MOST services working with this ipf.rules file, but ntpd and the Vonage ATA both report "no route to host". The Vonage ATA is unable to use tftp or SIP - I don't know if audio is working or not - but I doubt it. Does anyone see the problem with this ruleset?

# Interface: all
block in log all
block out log all

# Interface: lo0
pass in quick on lo0 all
pass out quick on lo0 all

# Interface: xl0
pass in quick on xl0 all
pass out quick on xl0 all

# Interface: vr0
# Internal initiated connections
# [passive ftp client to outside world step 1]
pass out quick on vr0 proto tcp from any to any port = 21 flags S keep state keep frags
pass out quick on vr0 proto tcp from any to any port > 1023 flags S keep state keep frags
# [ssh to outside world step 1]
pass out quick on vr0 proto tcp from any to any port = 22 flags S keep state keep frags
# [smtp to outside world]
pass out quick on vr0 proto tcp from any to any port = 25 flags S keep state keep frags
# [whois to outside world]
pass out quick on vr0 proto tcp from any to any port = 43 flags S keep state keep frags
# [domain to outside world]
pass out quick on vr0 proto tcp from any to any port = 53 flags S keep state keep frags
pass out quick on vr0 proto udp from any to any port = 53 keep state keep frags
# [Vonage tftp]
pass out quick on vr0 proto tcp from any to any port = 69 flags S keep state keep frags
pass out quick on vr0 proto udp from any to any port = 69 keep state keep frags
# [http to outside world]
pass out quick on vr0 proto tcp from any to any port = 80 flags S keep state keep frags
# [ntpd to outside world]
pass out quick on vr0 proto tcp from any to any port = 123 flags S keep state keep frags
pass out quick on vr0 proto udp from any to any port = 123 flags S keep state keep frags
# [pop3 to outside world]
pass out quick on vr0 proto tcp from any to any port = 110 flags S keep state keep frags
# [https to outside world]
pass out quick on vr0 proto tcp from any to any port = 443 flags S keep state keep frags
# [traceroute to outside world 1st stage ]
pass out quick on vr0 proto udp from any to any port 33434 >< 33525 keep state keep frags
# [Vonage VOIP]
pass out quick on vr0 proto udp from any to any port 5060 >< 5061 keep state keep frags
pass out quick on vr0 proto udp from any to any port 10000 >< 20000 keep state keep frags
# [ping to outside world]
pass out quick on vr0 proto icmp from any to any keep state keep frags

# External initiated connections
# Secure Shell access (ssh)
pass in quick on vr0 proto tcp from any to any port = 22 keep state keep frags
# [dhclient]
pass in quick on vr0 proto udp from any to any port = 68 keep state keep frags
# [Vonage VOIP - SIP]
pass in quick on vr0 proto udp from any to any port = 5060 >< 5061 keep state keep frags
# [traceroute to internal host 2nd stage: receiving error code of icmp-type 3
# (destination unreachable) and icmp-type 11 (time exceeded)]
pass in quick on vr0 proto icmp from any to any icmp-type 3 keep state keep frags
pass in quick on vr0 proto icmp from any to any icmp-type 11 keep state keep frags

Also, here is my ipnat.rules.

map vr0 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map vr0 192.168.1.0/24 -> 192.168.1.1 proxy port ftp ftp/tcp
map vr0 192.168.1.0/24 -> 192.168.1.1 proxy port ssh ssh/tcp
map vr0 192.168.1.0/24 -> 0.0.0.0/32 proxy port 500 ipsec/udp
map vr0 192.168.1.0/24 -> 0.0.0.0/32 proxy port 7070 raudio/tcp
map vr0 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
map vr0 192.168.1.0/24 -> 0.0.0.0/32

Again, most stuff works (web, ftp, dns, pop3, smtp, etc). In fact, I sent this mail through this gateway.
Any help would be greatly appreciated (especially the Vonage stuff - as I miss the cheap LD!) Thanks, Seth Henry
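Editorial note with an added example; this is not part of Seth's post and not a reply from the list. Two ipf(5) semantics matter when reading a ruleset like the one above: the `flags` keyword only has meaning for `proto tcp`, and the range operator `a >< b` matches ports strictly between `a` and `b`, so a rule written as `5060 >< 5061` selects no port at all. The checker below runs those checks, plus a check for the mixed form `port = N >< M`, over a constructed sample made of lines from the post; the rule text, the regular expressions and the finding messages are the editor's own. (For the inbound-forwarding part of the question, note that ipnat expresses redirection of inbound connections with `rdr` rules, while `map` rewrites the source of outbound traffic; the checker does not cover ipnat syntax.)

```python
"""Static checks for an ipfilter (ipf.rules) ruleset.

Added editorial example, not from the original post. The checks follow
ipf(5) semantics: 'flags' applies only to tcp rules, and 'a >< b' matches
ports strictly between a and b, so 'N >< N+1' can never match a packet.
"""
import re

# Constructed sample: a handful of rule lines taken from the post above.
SAMPLE_RULES = """
pass out quick on vr0 proto tcp from any to any port = 22 flags S keep state keep frags
pass out quick on vr0 proto udp from any to any port = 123 flags S keep state keep frags
pass out quick on vr0 proto udp from any to any port 5060 >< 5061 keep state keep frags
pass out quick on vr0 proto udp from any to any port 10000 >< 20000 keep state keep frags
pass in quick on vr0 proto udp from any to any port = 5060 >< 5061 keep state keep frags
pass in quick on vr0 proto icmp from any to any icmp-type 3 keep state keep frags
"""

# 'port a >< b' (optionally written as 'port = a >< b')
RANGE_RE = re.compile(r"port\s+(?:=\s+)?(\d+)\s+><\s+(\d+)")
# equality test followed by a range operator: 'port = N >< M' or 'port = N <> M'
MIXED_RE = re.compile(r"port\s+=\s+\d+\s+(?:><|<>)")
PROTO_RE = re.compile(r"\bproto\s+(\w+)")


def lint_rule(line):
    """Return a list of findings (strings) for one ipf rule line."""
    findings = []
    rule = line.split("#", 1)[0].strip()   # drop trailing comments
    if not rule:
        return findings

    m = PROTO_RE.search(rule)
    proto = m.group(1) if m else None

    # 'flags S' is a TCP header test; on udp/icmp rules it is meaningless.
    if "flags" in rule.split() and proto != "tcp":
        findings.append(f"'flags' used with proto {proto}; flags apply to tcp only")

    # 'port = N >< M' combines two different port tests in one clause.
    if MIXED_RE.search(rule):
        findings.append("'port = N >< M' mixes an equality test with a range operator")

    # Exclusive range: with hi - lo <= 1 there is no integer strictly between.
    m = RANGE_RE.search(rule)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        if hi - lo <= 1:
            findings.append(f"'{lo} >< {hi}' is an exclusive range and matches no port")
    return findings


def lint_ruleset(text):
    """Map each offending rule's 1-based line number to its findings."""
    report = {}
    for n, line in enumerate(text.strip().splitlines(), 1):
        found = lint_rule(line)
        if found:
            report[n] = found
    return report


if __name__ == "__main__":
    for n, found in lint_ruleset(SAMPLE_RULES).items():
        print(f"line {n}: " + "; ".join(found))
```

Run against the sample, the checker reports the udp ntp rule (`flags` on udp) and both SIP rules (`5060 >< 5061` matches nothing; the inbound one also mixes `=` with `><`), while the RTP range `10000 >< 20000` and the icmp rule pass clean. To express a SIP rule that matches exactly port 5060 in ipfilter, `port = 5060` is the form to use.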