From owner-freebsd-questions Sat Nov 30 2:57:26 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8908A37B401 for ; Sat, 30 Nov 2002 02:57:22 -0800 (PST)
Received: from brabys.co.za (postoffice.brabys.co.za [192.96.48.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4CCA943EBE for ; Sat, 30 Nov 2002 02:57:19 -0800 (PST) (envelope-from nelis@brabys.co.za)
Received: from nelis.brabys.co.za (proxy-inner.brabys.co.za [192.96.48.11]) by brabys.co.za (8.12.0/8.12.0) with ESMTP id gAUAueqJ014674 for ; Sat, 30 Nov 2002 12:56:41 +0200
Message-Id: <5.1.0.14.2.20021130121540.013dbae8@192.96.48.11>
X-Sender: nelis@192.96.48.11
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Sat, 30 Nov 2002 12:57:11 +0200
To: freebsd-questions@freebsd.org
From: Nelis Lamprecht
Subject: NAT and Firewall Configuration ?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-MailScanner: Found to be clean
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi List

I am in the process of configuring NAT and a firewall on FreeBSD 4.7 Stable. I have configured the external interface with 2 class C addresses, 192.x.x.1 and 192.x.x.2, and the internal interface with 192.168.x.1 (gateway). I have also configured natd_flags="-redirect_address 192.168.x.3 192.x.x.2", which, if I'm correct, will redirect all traffic destined for 192.x.x.2 to 192.168.x.3?

My question is: have I done everything correctly so far, and what rule would I use for my firewall so that natd will work the way I want it?

At the moment traffic is not being redirected to 192.168.x.3, and I can't connect to anything external via 192.168.x.3 (and I don't expect to either until I get your help; proxy excluded). I hope this information is enough for you to help me (see below for configurations). Your time, help and suggestions would be much appreciated. Real IPs have been omitted for obvious reasons.

Many thanks and regards,
Nelis

My firewall rules are as follows:

#####ipfw ruleset
#allow all outbound and only inbound TCP connections I've created
add 00301 check-state
#add 00302 deny log tcp from any to any established
add 00302 allow tcp from any to any established
add 00303 allow tcp from any to any out setup keep-state
add 00304 allow tcp from any to 192.x.x.0/24 22,25,53,80,443 setup
add 00305 allow tcp from 192.x.x.125 to 192.x.x.0/24 161,162 setup
add 00306 allow tcp from any to 192.168.x.0/27 in recv rl1
#allow all outbound and only inbound UDP connections I've created
add 00400 allow udp from 192.x.x.0/24 to any 53,123 keep-state out via rl0
add 00401 allow udp from any to 192.x.x.0/24 53,123 keep-state in via rl0
add 00402 allow udp from 192.x.x.0/24 to 192.x.x.125 161,162 keep-state out via rl0
add 00403 allow udp from 192.x.x.125 to 192.x.x.0/24 161,162 keep-state in via rl0
add 00404 allow udp from any to 192.168.x.0/27 in recv rl1
add 00405 allow udp from any to any out
#allow some icmp types (codes not supported)
##allow path-mtu in both directions
add 00600 allow icmp from any to any icmptypes 3
##allow source quench in and out
add 00601 allow icmp from any to any icmptypes 4
##allow me to ping out and receive response back
add 00602 allow icmp from any to any icmptypes 8 out
add 00603 allow icmp from any to any icmptypes 0 in
##allow people to ping me
add 00604 allow icmp from any to any icmptypes 8 in
add 00605 allow icmp from any to any icmptypes 0 out
##allow me to run traceroute
add 00606 allow icmp from any to any icmptypes 11 in
#allow ident requests
add 00700 allow tcp from any to any 113 keep-state setup
#deny syn and fin bits used for OS finger printing using nmap
add 00701 deny log tcp from any to any in tcpflags syn,fin
#log anything that falls through
add 09000 deny log ip from any to any

My rc.conf is as follows:

defaultrouter="192.x.x.125"
hostname="x.x.x"
ifconfig_rl0="inet 192.x.x.1 netmask 255.255.255.0"
ifconfig_rl0_alias0="inet 192.x.x.2 netmask 255.255.255.255"
ifconfig_rl1="inet 192.168.x.1 netmask 255.255.255.0"
kern_securelevel_enable="NO"
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-redirect_address 192.168.x.3 192.x.x.x2"
inetd_enable="NO"
linux_enable="YES"
moused_enable="NO"
moused_type="NO"
nfs_reserved_port_only="YES"
## Setup NFS
# portmap_enable="YES"
# nfs_server_enable="YES"
# mountd_flags="-r"
# ntpdate_enable="YES"
xntpd_enable="YES"
sshd_enable="YES"
sshd_program="/usr/local/sbin/sshd"
usbd_enable="NO"
sendmail_enable="NONE"
named_enable="YES"
named_program="/usr/local/sbin/named"
fsck_y_enable="YES"
# enable_quotas="YES"
# check_quotas="NO"
## Required for ipfw support
firewall_enable="YES"
#firewall_script="/etc/rc.firewall"
#firewall_type="OPEN"
firewall_type="/etc/ipfw.rules"
firewall_quiet="YES"
firewall_logging_enable="YES"

Kernel Options:

machine i386
cpu I586_CPU
ident xxxx
maxusers 20
options INET
options FFS
options SOFTUPDATES
options MFS
options MD_ROOT
options NFS
options NFS_ROOT
options MSDOSFS
options CD9660
options CD9660_ROOT
options PROCFS
options COMPAT_43
options UCONSOLE
options USERCONFIG
options VISUAL_USERCONFIG
options KTRACE
options SYSVSHM
options SYSVMSG
options SYSVSEM
options P1003_1B
options _KPOSIX_PRIORITY_SCHEDULING
options ICMP_BANDLIM
options KBD_INSTALL_CDEV
options USER_LDT
options SC_DISABLE_REBOOT
options QUOTA
options IPDIVERT
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE_LIMIT=10
options ACCEPT_FILTER_HTTP
options ACCEPT_FILTER_DATA
options IPSTEALTH

Other configurations shouldn't be needed....?
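Added example, not part of the original message and not FreeBSD's own /etc/rc.firewall. The one thing natd cannot work without is an ipfw divert rule: the kernel above has IPDIVERT, and natd_enable/natd_interface are set, but the posted ruleset contains no "divert natd" rule, so no packet is ever handed to natd and -redirect_address has nothing to rewrite. The script below is a natd-aware ruleset for the layout in the post (rl0 outside with 192.x.x.1 and the 192.x.x.2 alias, rl1 inside with 192.168.x.1/24, redirect of 192.x.x.2 to 192.168.x.3). It uses two divert rules, one for inbound traffic before any filtering and one for outbound traffic reached only through skipto, so that every keep-state rule sees untranslated inside addresses in both directions; the placeholder addresses, the rule numbers, and the port list offered by the redirected host (22, 80, 443) are assumptions to be replaced. Setting IPFW=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the post or from rc.firewall): ipfw + natd ruleset.
# Assumed layout, from the post: rl0 outside (192.x.x.1, alias 192.x.x.2),
# rl1 inside (192.168.x.0/24), natd_flags="-redirect_address 192.168.x.3 192.x.x.2".
# Placeholder addresses and the redirected host's port list are assumptions.
# Usage:  sh ipfw-natd.sh load       (loads the rules with /sbin/ipfw)
#         IPFW=echo sh ipfw-natd.sh load   (dry run, prints the rules)

IPFW="${IPFW:-/sbin/ipfw}"
OIF="${OIF:-rl0}"                       # must equal natd_interface in rc.conf
IIF="${IIF:-rl1}"
ONET="${ONET:-192.x.x.0/24}"            # outside network (placeholder as in post)
INET="${INET:-192.168.x.0/24}"          # inside network
REDIR_HOST="${REDIR_HOST:-192.168.x.3}" # target of -redirect_address
NATD_PORT="${NATD_PORT:-natd}"          # divert port name from /etc/services

fw() { "$IPFW" "$@"; }

# ipfw is first-match. Inbound packets on $OIF are diverted to natd before any
# filtering rule, so every later rule sees the real inside destination
# ($REDIR_HOST, not 192.x.x.2). Outbound packets are matched by keep-state rules
# while they still carry inside addresses and then jump to a second divert
# rule, so the dynamic state created on the way out also matches the reply
# after it has been translated back on the way in. A packet natd hands back
# re-enters ipfw at the rule following the divert rule.
load_rules() {
    fw -f flush

    # Loopback, anti-spoofing, and the syn+fin fingerprinting block from the post.
    fw add 100 allow ip from any to any via lo0
    fw add 110 deny ip from any to 127.0.0.0/8
    fw add 120 deny ip from 127.0.0.0/8 to any
    fw add 130 deny ip from "$INET" to any in via "$OIF"
    fw add 140 deny log tcp from any to any in tcpflags syn,fin

    # Translation point for inbound traffic (192.x.x.2 -> $REDIR_HOST happens here).
    fw add 200 divert "$NATD_PORT" ip from any to any in via "$OIF"

    # Replies to anything below that kept state jump to the parent rule's action.
    fw add 300 check-state

    # Outbound from the gateway or the LAN: keep state on inside addresses,
    # then go to rule 1000 to be translated on the way out.
    fw add 400 skipto 1000 tcp from any to any out via "$OIF" setup keep-state
    fw add 401 skipto 1000 udp from any to any 53,123 out via "$OIF" keep-state
    fw add 402 skipto 1000 icmp from any to any out via "$OIF"

    # Inbound services. Using skipto here (not allow) makes the state created
    # for the connection send the reply through the outbound divert rule too.
    fw add 500 skipto 1000 tcp from any to "$ONET" 22,25,53,80,443 in via "$OIF" setup keep-state
    fw add 501 skipto 1000 tcp from any to "$REDIR_HOST" 22,80,443 in via "$OIF" setup keep-state
    fw add 502 skipto 1000 udp from any to "$ONET" 53,123 in via "$OIF" keep-state
    fw add 503 allow icmp from any to any in via "$OIF" icmptypes 0,3,4,8,11

    # Inside interface: trust the LAN segment.
    fw add 600 allow ip from any to any via "$IIF"

    # Everything else on the outside interface is logged and dropped.
    fw add 900 deny log ip from any to any

    # Translation point for outbound traffic, reachable only via skipto above.
    fw add 1000 divert "$NATD_PORT" ip from any to any out via "$OIF"
    fw add 1001 allow ip from any to any
}

# Count the divert rules the ruleset would install (for a quick sanity check).
divert_rule_count() {
    IPFW=echo load_rules | grep -c divert
}

case "${1:-}" in
    load) load_rules ;;
esac
```

To use it from rc.conf on 4.x, point firewall_script at the file and drop the firewall_type line that names a rule file, keeping natd_enable, natd_interface and natd_flags as they are; "ipfw -a list" after loading should show the counters on rule 200 and rule 1000 climbing as traffic to 192.x.x.2 and from the LAN flows. The two-divert layout is what makes keep-state usable with natd: with a single divert rule placed before check-state, outbound connections create dynamic entries on translated addresses while their replies arrive already translated back, and the entries never match.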