Date:      09 Oct 2003 23:36:56 -0400
From:      "J. Seth Henry" <jshamlet@comcast.net>
To:        freebsd-questions@freebsd.org
Subject:   ipfilter/ipnat weirdness
Message-ID:  <1065757015.50124.53.camel@alexandria>

Hello all,
I could use a bit of help with a networking problem. I am trying to
replace a dying Netgear RT314 with a FreeBSD 4.8-REL system configured
as an Internet gateway.

My network is as such:

<COMCAST>--<vr0/dhcp  router  xl0/192.168.1.254>--\
                                                   |
               /----------------------------------/
              |
<Dlink Switch / 192.168.1.251>
|
+---<Vonage/Cisco ATA - tftp, SIP, VoIP audio>
|
+---<fxp0/192.168.1.1 FreeBSD 4.8-REL server - FTP, SSH>
|
+---<xl0/192.168.1.249 FreeBSD 4.8-REL workstation>
|
+---<xl0/192.168.1.250 WindowsXP workstation>
|
+---<AP9617 SmartUPS web IF>
|
+---<AP9606 SmartUPS web IF>
|
\---<NCD Explora 451 terminal>

I would like the Cisco ATA to only be able to route packets to Vonage,
but that isn't that big of a deal. More important is that I would like
only Vonage to be able to talk to the ATA uninitiated. I haven't even
attempted this yet, as I can't get a connection now.

I need to forward all incoming FTP and SSH sessions to the server on
192.168.1.1. I have attempted this in the ipnat.rules file - however, it
doesn't appear to work.

I know this might sound strange, but I need to map inbound port 23 to an
ssh daemon on the router itself, while using the normal ssh port, 22, on
the internal interface. I imagine this is as simple as simply running
two copies of sshd with different arguments - but I haven't gotten it
working yet.

Everything else can live with just the normal NAT'ed connections.

I managed to get MOST services working with this ipf.rules file, but
ntpd and the Vonage ATA both report "no route to host". The Vonage ATA
is unable to use tftp or SIP - I don't know if audio is working or not -
but I doubt it.

Does anyone see the problem with this ruleset?

# Interface: all
block in log all
block out log all

# Interface: lo0
pass in quick on lo0 all
pass out quick on lo0 all

# Interface: xl0
pass in quick on xl0 all
pass out quick on xl0 all

# Interface: vr0
# Internal initiated connections
# [passive ftp client to outside world step 1]
pass out quick on vr0 proto tcp from any to any port = 21 flags S keep state keep frags
pass out quick on vr0 proto tcp from any to any port > 1023 flags S keep state keep frags

# [ssh to outside world step 1]
pass out quick on vr0 proto tcp from any to any port = 22 flags S keep state keep frags

# [smtp to outside world]
pass out quick on vr0 proto tcp from any to any port = 25 flags S keep state keep frags

# [whois to outside world]
pass out quick on vr0 proto tcp from any to any port = 43 flags S keep state keep frags

# [domain to outside world]
pass out quick on vr0 proto tcp from any to any port = 53 flags S keep state keep frags
pass out quick on vr0 proto udp from any to any port = 53 keep state keep frags

# [Vonage tftp]
pass out quick on vr0 proto tcp from any to any port = 69 flags S keep state keep frags
pass out quick on vr0 proto udp from any to any port = 69 keep state keep frags

# [http to outside world]
pass out quick on vr0 proto tcp from any to any port = 80 flags S keep state keep frags

# [ntpd to outside world]
pass out quick on vr0 proto tcp from any to any port = 123 flags S keep state keep frags
pass out quick on vr0 proto udp from any to any port = 123 flags S keep state keep frags

# [pop3 to outside world]
pass out quick on vr0 proto tcp from any to any port = 110 flags S keep state keep frags

# [https to outside world]
pass out quick on vr0 proto tcp from any to any port = 443 flags S keep state keep frags

# [traceroute to outside world 1st stage ]
pass out quick on vr0 proto udp from any to any port 33434 >< 33525 keep state keep frags

# [Vonage VOIP]
pass out quick on vr0 proto udp from any to any port 5060 >< 5061 keep state keep frags
pass out quick on vr0 proto udp from any to any port 10000 >< 20000 keep state keep frags

# [ping to outside world]
pass out quick on vr0 proto icmp from any to any keep state keep frags

# External initiated connections
# Secure Shell access (ssh)
pass in quick on vr0 proto tcp from any to any port = 22 keep state keep frags

# [dhclient]
pass in quick on vr0 proto udp from any to any port = 68 keep state keep frags

# [Vonage VOIP - SIP]
pass in quick on vr0 proto udp from any to any port = 5060 >< 5061 keep state keep frags

# [traceroute to internal host 2nd stage: receiving error code of icmp-type 3
# (destination unreachable) and icmp-type 11 (time exceeded)]
pass in quick on vr0 proto icmp from any to any icmp-type 3 keep state keep frags
pass in quick on vr0 proto icmp from any to any icmp-type 11 keep state keep frags


Also, here is my ipnat.rules.

map vr0 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map vr0 192.168.1.0/24 -> 192.168.1.1 proxy port ftp ftp/tcp
map vr0 192.168.1.0/24 -> 192.168.1.1 proxy port ssh ssh/tcp
map vr0 192.168.1.0/24 -> 0.0.0.0/32 proxy port 500 ipsec/udp
map vr0 192.168.1.0/24 -> 0.0.0.0/32 proxy port 7070 raudio/tcp
map vr0 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
map vr0 192.168.1.0/24 -> 0.0.0.0/32

Again, most stuff works (web, ftp, dns, pop3, smtp, etc). In fact, I
sent this mail through this gateway.

Any help would be greatly appreciated (especially the Vonage stuff - as
I miss the cheap LD!)

Thanks,
Seth Henry
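
As an added example (not part of the original post or any reply to it), here is a small Python linter that applies the checks a reviewer would run over rule files like the two above before loading them. It encodes three constraints of the ipf.conf(5) and ipnat.conf(5) syntax as this example understands them, stated here as assumptions rather than quoted from the post: `flags` is a TCP-only keyword and is out of place on a `proto udp` rule; a port clause is either a single comparison (`port = N`) or a range (`port N >< M`), so `port = N >< M` mixes the two forms; and an ipnat `map` rule rewrites the source of outbound packets on the named interface, so a `map` on the external interface that translates to a private address neither forwards inbound connections nor yields a routable source, and an `rdr` rule is the tool for forwarding an inbound port. The sample rule lines inside the block are constructed copies of a few of the posted lines with the mail-wrapped lines re-joined; the interface name `vr0` is taken from the post.

```python
"""Lint IPFilter (ipf) and ipnat rule text for common mistakes.

Added example, not code from the original post. The three checks below are
assumptions about ipf.conf(5)/ipnat.conf(5) syntax made by this example:
  1. `flags` is TCP-only; it does not belong on a `proto udp` rule.
  2. A port clause is `port = N` or `port N >< M`, never `port = N >< M`.
  3. `map` translates outbound sources; forwarding an inbound port to an
     inside host needs `rdr`, not `map` to a private address.
"""
import re

# Constructed sample: a subset of the posted ipf rules, wrapped lines re-joined.
IPF_RULES = """
pass out quick on vr0 proto udp from any to any port = 53 keep state keep frags
pass out quick on vr0 proto udp from any to any port = 123 flags S keep state keep frags
pass in quick on vr0 proto tcp from any to any port = 22 keep state keep frags
pass in quick on vr0 proto udp from any to any port = 5060 >< 5061 keep state keep frags
pass out quick on vr0 proto udp from any to any port 10000 >< 20000 keep state keep frags
"""

# Constructed sample: the posted ipnat rules (ftp/ssh proxy lines and the catch-all).
IPNAT_RULES = """
map vr0 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map vr0 192.168.1.0/24 -> 192.168.1.1 proxy port ftp ftp/tcp
map vr0 192.168.1.0/24 -> 192.168.1.1 proxy port ssh ssh/tcp
map vr0 192.168.1.0/24 -> 0.0.0.0/32
"""

PROTO = re.compile(r"\bproto\s+(\w+)")
# A comparison operator followed by a number and then a range operator.
MIXED_PORT = re.compile(r"\bport\s*(=|!=|<=|>=|<|>)\s*\d+\s+(><|<>)\s+\d+")
MAP_RULE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)")
PRIVATE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def _rule_lines(text):
    """Yield (line_no, rule) for non-blank, non-comment lines."""
    for no, line in enumerate(text.strip().splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            yield no, line


def lint_ipf(text):
    """Return [(line_no, message)] for ipf rules that violate checks 1 and 2."""
    findings = []
    for no, rule in _rule_lines(text):
        m = PROTO.search(rule)
        proto = m.group(1) if m else "(none)"
        if "flags" in rule.split() and proto != "tcp":
            findings.append((no, "'flags' is TCP-only but the rule is proto %s" % proto))
        if MIXED_PORT.search(rule):
            findings.append((no, "port clause mixes a comparison with a range; "
                                 "use 'port = N' or 'port N >< M'"))
    return findings


def lint_ipnat(text, external_if):
    """Return [(line_no, message)] for map rules on external_if that translate
    to a private address (check 3)."""
    findings = []
    for no, rule in _rule_lines(text):
        m = MAP_RULE.match(rule)
        if m and m.group(1) == external_if and PRIVATE.match(m.group(3)):
            findings.append((no, "map on %s rewrites outbound sources to private address %s; "
                                 "to forward an inbound port use e.g. "
                                 "'rdr %s 0.0.0.0/0 port N -> %s port N tcp'"
                                 % (external_if, m.group(3), external_if, m.group(3))))
    return findings


if __name__ == "__main__":
    for name, found in (("ipf.rules", lint_ipf(IPF_RULES)),
                        ("ipnat.rules", lint_ipnat(IPNAT_RULES, "vr0"))):
        for no, msg in found:
            print("%s line %d: %s" % (name, no, msg))
```

Run stand-alone it reports the UDP rule carrying `flags S`, the SIP rule with the mixed port clause, and the two `map` lines that translate to 192.168.1.1; pointing the two functions at real files is a matter of reading them with `open()` and passing the text and the external interface name.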
