From owner-freebsd-security Thu Jun 29 13:34:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.everyday.cx (cr308584-a.wlfdle1.on.wave.home.com [24.114.52.208]) by hub.freebsd.org (Postfix) with ESMTP id CF39D37B8E9 for ; Thu, 29 Jun 2000 13:34:29 -0700 (PDT) (envelope-from pccb@yahoo.com)
Received: from apollo (apollo.objtech.com [192.168.111.5]) by mail.everyday.cx (Postfix) with ESMTP id 36A5E49A0; Thu, 29 Jun 2000 16:34:19 -0400 (EDT)
Date: Thu, 29 Jun 2000 16:34:43 -0700
From: Pierre Chiu
X-Mailer: The Bat! (v1.44) Personal
Reply-To: Webbie
X-Priority: 3 (Normal)
Message-ID: <14149621401.20000629163443@everyday.cx>
To: Michael Lucas
Cc: freebsd-security@freebsd.org
Subject: Re: ipfilter & pptp & freebsd
In-reply-To: <200006291740.NAA16472@blackhelicopters.org>
References: <200006291740.NAA16472@blackhelicopters.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

For debugging purposes, how about keeping the NAT rules but dropping all the firewall rules? Also, you might want to check out the NIC stats (netstat -i) while FrontPage is uploading. The problem could be packet loss.

Thursday, June 29, 2000, 10:40:21 AM, you wrote:

ML> Well, I got a FreeBSD firewall at work, after explaining how the
ML> commercial ones weren't any better and cost far more for not much
ML> gain. And it makes the enterprise-critical application fail.
ML> Sometimes life is just not fair.

ML> Anyway, I have a FreeBSD 4.-stable machine as our gateway box. I'm
ML> using ipfilter for NAT and connection control. Inside the network, I
ML> have a Windows machine, running FrontPage, that needs to publish data
ML> to the outside world via pptp tunnels. This machine pumps hundreds of
ML> meg a day.

ML> If we take this system and put it outside the firewall, it shoves data
ML> quickly. Inside the firewall, it runs painfully slowly. In the last
ML> 50 minutes, it's sent 1,181,971 bytes.

ML> Below, I replace the class C with a.b.c to protect the guilty.
ML> 192.168.1.105 is my pptp host.

ML> I'd appreciate any help anyone has to offer, or any tips on what to check.

ML> Thanks,
ML> Michael

ML> My ipnat.conf looks like:

ML> #then the general NAT for the office
ML> #first, pptp
ML> rdr fxp1 a.b.c.2/32 port 0 -> 192.168.1.105 port 0 gre
ML> rdr fxp1 a.b.c.2/32 port 1723 -> 192.168.1.105 port 1723 tcpudp
ML> #then regular networking
ML> map fxp1 192.168.1.1/24 -> a.b.c.2/32 proxy port ftp ftp/tcp
ML> map fxp1 192.168.1.1/24 -> a.b.c.2/32 portmap tcp/udp 10000:40000
ML> #finally, allow any any outgoing protocol
ML> map fxp1 192.168.1.0/24 -> a.b.c.2/32
ML> rdr fxp1 a.b.c.2/32 port 21 -> 192.168.1.254 port 21
ML> ... plus a bunch more "redirect this for incoming services"...

ML> My ipf.conf looks like:

ML> #universal rules
ML> block in log quick from any to any with ipopts
ML> block in log quick proto tcp from any to any with short

ML> #the outside interface
ML> #outgoing on outside
ML> pass out on fxp1 all head 350
ML> block out from 127.0.0.0/8 to any group 350
ML> block out from any to 127.0.0.0/8 group 350
ML> block out from any to 192.168.1.1/24 group 350
ML> pass out log quick proto tcp from a.b.c.2 to any keep state group 350
ML> pass out log quick proto udp from a.b.c.2 to any keep state group 350

ML> #incoming on outside
ML> #first, the rules for all traffic
ML> pass in on fxp1 all head 300
ML> block in log quick from 127.0.0.0/8 to any group 300
ML> block in log quick from 192.168.1.1/32 to any group 300
ML> block in log quick from 10.0.0.1/0xff000000 to any group 300
ML> #for DNS queries to firewall exterior
ML> pass in quick proto udp from any to a.b.c.2 port = 53 keep state group 300
ML> #for pptp tunnel
ML> pass in log quick proto gre from 135.145.11.128 to a.b.c.2 group 300
ML> pass in log quick proto gre from 135.145.11.129 to a.b.c.2 group 300
ML> pass in log quick proto gre from 135.145.11.128 to 192.168.1.105 group 300
ML> pass in log quick proto gre from 135.145.11.129 to 192.168.1.105 group 300
ML> #establish 3way handshake on a.b.c.2
ML> block in log proto tcp from any to a.b.c.2/32 flags S/SA head 302 group 300
ML> #allow DNS zone transfers
ML> pass in quick proto tcp from 209.69.70.3 to a.b.c.2 port = 53 keep state group 302
ML> #incoming connections proxied through the firewall on .2, in port order
ML> pass in log quick proto tcp from any to 192.168.1.254/32 port = 21 keep state group 302
ML> ...more of the same...
ML> pass in log quick proto tcp from 135.145.11.128 port = 1723 to 192.168.1.105/32 keep state group 302
ML> ...more of same...
ML> #finally, after everything else is processed, we bounce bad connections
ML> #this gives a proper response to UDP probes
ML> block return-icmp(port-unr) in log on fxp1 proto udp from any to any group 302
ML> block return-rst in log proto tcp from any to any group 302

ML> ############################################################################
ML> #the inside interface
ML> #outgoing on inside interface
ML> pass out log on fxp0 all head 450
ML> block out log quick from 127.0.0.0/8 to any group 450
ML> block out log quick from any to 127.0.0.0/8 group 450
ML> block out log quick from any to a.b.c.2/25 group 450
ML> #do not block syslogd
ML> pass out quick from any to 192.168.1.251 port = 514 group 450

ML> #incoming on inside interface
ML> pass in on fxp0 all head 400
ML> block in log quick from 127.0.0.0/8 to any group 400
ML> block in log quick from a.b.c.2/25 to any group 400
ML> block in log quick from 10.0.0.1/0xff000000 to any group 400
ML> pass in on fxp0 all head 400
ML> block in log quick from 127.0.0.0/8 to any group 400
ML> block in log quick from a.b.c.2/25 to any group 400
ML> block in log quick from 10.0.0.1/0xff000000 to any group 400
ML> block in quick from any to 206.154.102.240/24 group 400
ML> pass in log quick on fxp0 proto tcp from any to 192.168.1.1 port = 22 keep state group 400
ML> pass in quick on fxp0 proto udp from 192.168.1.251/32 to 192.168.1.1 port = 161 keep state group 400
ML> pass in log quick on fxp0 proto tcp from any to any keep state group 400
ML> pass in log quick on fxp0 proto udp from any to any keep state group 400
ML> pass in log quick on fxp0 proto gre from any to any group 400

--
Pierre
         \\|//
         (o o)
+-------------------------oOOo-(_)-oOOo-----------------------------+
EMail : mailto:webbie(at)everyday(dot)cx
PGP Key : http://www.everyday.cx/pgpkey.txt
PGP Fingerprint: 0B9F E081 35CD B9AF 58EA 7E43 38EC C84F 4AB4 792C
+-------------------------------------------------------------------+
network packets travelling uphill (use a carrier pigeon)

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message