From owner-freebsd-questions@FreeBSD.ORG Thu Jan 22 03:56:03 2004
Message-ID: <400FBA0B.5010606@cal.berkeley.edu>
Date: Thu, 22 Jan 2004 03:54:51 -0800
From: Rishi Chopra <rchopra@cal.berkeley.edu>
To: James Earl, questions@freebsd.org
References: <400C44D8.6010408@cal.berkeley.edu> <1074547363.889.16.camel@work> <400CA94F.2040807@cal.berkeley.edu> <1074618156.8101.21.camel@work>
In-Reply-To: <1074618156.8101.21.camel@work>
Subject: Re: Port Forwarding

James,

I've configured my Win2k box to contact DNS directly, and both Direct Connect and VNC Server are running smoothly (port forwarding is being accomplished (per your suggestion) by natd.conf). I've set the firewall type to 'OPEN' (the Win2k client has ZoneAlarm protection of its own); this is truly the only sticking point.
I'm under the impression that selecting 'SIMPLE' rather than 'OPEN' provides an additional layer of protection to the gateway by preventing certain spoofing attacks. Unfortunately, I seem unable to switch the firewall type without crippling my Win2k box's functionality. Perhaps I'll give it a go again sometime in the future. Here's a copy of the relevant files:

//natd.conf
unregistered_only
interface rl0
use_sockets
dynamic
redirect_port tcp 192.168.0.2:5800 5800
redirect_port tcp 192.168.0.2:5900 5900
redirect_port tcp 192.168.0.2:412 412
redirect_port tcp 192.168.0.2:1412 1412
punch_fw 2000:50

//rc.conf
gateway_enable="YES"
hostname="usha.dyndns.org"
ifconfig_rl0="DHCP"
ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
kern_securelevel_enable="NO"
firewall_enable="YES"
firewall_type="OPEN"
# firewall_type="SIMPLE"
firewall_quiet="NO"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
linux_enable="YES"
sendmail_enable="NO"
sshd_enable="YES"

-R

James Earl wrote:
> If you want your gateway to forward DNS queries from your private
> network, you will probably have to run named to answer the DNS queries
> and forward them out to your ISP's name servers.
>
> You may also want to run a DHCP server.
>
> I don't believe ipfw has the forwarding capability you're looking for in
> this case.
>
> You may want to get the DNS setup first, and then enable ipfw once you
> know that named is set up properly.
>
> As for the firewall rules, you'd probably just have to modify slightly
> the DNS related ones that already exist under "SIMPLE." Instead of
> letting DNS queries in from the outside, you want to let DNS queries in
> from the "inside."
>
> Let me know if you have any other questions, and I'll try to help.
>
> James
>
> On Mon, 2004-01-19 at 21:06, Rishi Chopra wrote:
>
>> If I want the gateway to forward DNS queries (e.g. have the win2k box
>> query the gateway for DNS requests) what do I need to do? What would
>> the rule look like?
>>
>> James Earl wrote:
>>
>>> On Mon, 2004-01-19 at 13:58, Rishi Chopra wrote:
>>>
>>>> What I want to do: (1) Change firewall type from 'OPEN' to 'SIMPLE' and
>>>> (2) Forward ports 412 and 5800 to my Win2k box.
>>>>
>>>> What I have: The setup is pictured below.
>>>> IPFIREWALL_DEFAULT_TO_ACCEPT, IPDIVERT and IPFILTER are all enabled in
>>>> my kernel config file. Rule-of-thumb advice about
>>>> "how best to secure a network" is not necessary in this case (the Win2k
>>>> box has its own firewall installed (ZoneAlarm) and I already know too
>>>> much about security).
>>>>
>>>> ISP              FreeBSD Gateway              Win2k Box
>>>>
>>>> >----------rl0--------------rl1-------------------<
>>>>
>>>> ALL     DHCP         192.168.0.1              192.168.0.2
>>>>
>>>> The problem: When I change the firewall type to SIMPLE from OPEN, the
>>>> Win2k box can no longer query DNS and pings to the 192.168.0.1 address
>>>> do not work. With the firewall type set to OPEN, there are no problems
>>>> whatsoever. I am also new to the IPFW syntax.
>>>>
>>>> What I would like to know is: (1) the syntax for forwarding incoming
>>>> connections from rl0 to rl1 (and ultimately to 192.168.0.2) and (2)
>>>> whether the syntax for allowing connections to the outside network (such
>>>> as DNS) is correct and if some other problem is preventing the win2k box
>>>> from querying DNS when SIMPLE is enabled.
>>>
>>> The FreeBSD Handbook can describe port redirection using NAT better than
>>> I can:
>>>
>>> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
>>>
>>> With the SIMPLE firewall rules, all your machines on your LAN should be
>>> able to establish connections. Make sure that you have your ISP's DNS
>>> servers' IPs specified on the win2k machine, and also that your FreeBSD
>>> machine's IP is set up as the default gateway in win2k.
>>>
>>> You shouldn't be able to ping the FreeBSD gateway from the win2k machine
>>> because of the FreeBSD gateway's firewall.
>>>
>>> Another test... try accessing a machine out on the Internet using its IP
>>> address and see if you get out.
>>>
>>> James
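The thread never spells out what James's suggestion looks like as ipfw rules, so here, as an added example that is not part of this thread and not FreeBSD's own /etc/rc.firewall, is an rc.firewall-style script for the posted topology. It keeps the SIMPLE set's anti-spoofing and natd divert rules and adds what this LAN needs and SIMPLE lacks: ICMP between the client and the gateway (the failing pings to 192.168.0.1), UDP and TCP port 53 from the inside network out (the failing DNS, since the Win2k box queries the ISP's resolvers directly), and an explicit pass for each redirect_port target placed ahead of SIMPLE's deny-log of incoming TCP setups on the outside interface, which is the rule that blocks the redirected VNC and Direct Connect connections once OPEN is replaced by SIMPLE (natd's punch_fw only opens holes for FTP/IRC DCC data connections). Interface names, addresses and ports are taken from the posted rc.conf and natd.conf; the rule ordering, the FWCMD dry-run hook, the gw_rules function and the way the DHCP address of rl0 is read are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread: an rc.firewall-style rule set for the
# posted gateway (rl0 outside on DHCP, rl1 inside as 192.168.0.1/24, natd
# redirecting tcp 412, 1412, 5800 and 5900 to 192.168.0.2). It is neither
# FreeBSD's own SIMPLE rule set nor the poster's configuration; interface
# names, addresses and ports come from the posted rc.conf and natd.conf,
# the rule ordering and the FWCMD hook are assumptions.

# Route every rule through fw so the whole list can be reviewed without
# touching the running firewall:  FWCMD=echo sh gw-rules.sh load
fw() { ${FWCMD:-/sbin/ipfw} "$@"; }

# gw_rules OIF OIP IIF IIP INET CLIENT "PORTS"
#   OIP is the address rl0 currently holds; with DHCP it has to be read at
#   run time (see the bottom of the file) rather than hard-coded.
gw_rules() {
    oif=$1; oip=$2; iif=$3; iip=$4; inet=$5; client=$6; ports=$7

    fw -f flush

    # Anti-spoofing (what SIMPLE adds over OPEN): inside addresses must not
    # arrive on the outside interface, and only inside addresses may
    # arrive on the inside interface.
    fw add deny all from ${inet} to any in via ${oif}
    fw add deny all from not ${inet} to any in via ${iif}

    # Loopback.
    fw add pass all from any to any via lo0
    fw add deny all from any to 127.0.0.0/8

    # Hand everything crossing rl0 to natd before any pass/deny decision,
    # so the rules below see the private address on both directions of a
    # translated flow.
    fw add divert natd all from any to any via ${oif}

    fw add pass tcp from any to any established
    fw add pass all from any to any frag

    # What SIMPLE does not cover for this LAN: the client must be able to
    # reach the gateway itself (pings to 192.168.0.1) and to query the
    # ISP's resolvers directly, as the poster configured it.
    fw add pass icmp from ${inet} to ${iip}
    fw add pass icmp from ${iip} to ${inet}
    fw add pass udp from ${inet} to any 53 keep-state
    fw add pass tcp from ${inet} to any 53 setup

    # natd has already rewritten the destination of a redirected
    # connection to the client, so each redirect_port target gets its own
    # pass rule, and it must precede the deny-log rule that SIMPLE places
    # in front of the generic "pass tcp ... setup". punch_fw in natd.conf
    # only opens holes for FTP/IRC DCC data connections, not for these.
    for p in ${ports}; do
        fw add pass tcp from any to ${client} ${p} setup in via ${oif}
    done
    fw add deny log tcp from any to any in via ${oif} setup
    fw add pass tcp from any to any setup

    # The gateway's own outbound UDP: DNS and NTP, as in SIMPLE.
    fw add pass udp from ${oip} to any 53 keep-state
    fw add pass udp from ${oip} to any 123 keep-state

    # The posted kernel has IPFIREWALL_DEFAULT_TO_ACCEPT, so the implicit
    # last rule would accept; make the default deny explicit and logged.
    fw add 65000 deny log all from any to any
}

# Stand-alone use on the gateway: fetch rl0's current lease address and
# load the rules. Skipped when the file is only sourced for review.
if [ "${1:-}" = load ]; then
    oip=$(ifconfig rl0 | awk '/inet / { print $2; exit }')
    gw_rules rl0 "${oip}" rl1 192.168.0.1 192.168.0.0/24 192.168.0.2 \
        "412 1412 5800 5900"
fi
```

Because rl0 gets its address by DHCP, the two rules that name ${oip} go stale when the lease changes; reload the script from /etc/dhclient-exit-hooks (or drop the gateway's own-address rules in favour of keep-state rules on the inside network) rather than running it once at boot. The dry-run with FWCMD=echo is worth doing before every load: ipfw rules are applied in number order, and a redirect pass rule that lands after the deny-log rule silently reproduces the "SIMPLE cripples the Win2k box" symptom described in the thread.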