Date: Mon, 10 Feb 2003 18:22:56 -0600
From: Redmond Militante <r-militante@northwestern.edu>
To: freebsd-security@freebsd.org
Subject: n00b ipf/ipnat questions
Message-ID: <20030211002256.GA824@darkpossum>
Hi all,

I've been trying to set up an ipf/ipnat gateway machine to protect an internal network of two machines: a webserver and a MySQL server. I've been having some problems.

My gateway machine has two NICs, an external and an internal NIC. The internal NIC is hooked up to a switch. The switch is hooked up to client machines on the internal network.

/etc/rc.conf on the gateway
-------
ifconfig_lo0="inet 127.0.0.1"
ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
network_interfaces="xl0 xl1 lo0"
#aliasing herald's ip to the outside nic of gateway box
ifconfig_xl0_alias0="inet 129.x.x.6 netmask 255.255.255.255"
#inside nic of gateway box
ifconfig_xl1="inet 192.168.1.1 netmask 255.255.255.0"
ipfilter_enable="YES"
ipfilter_flags=""
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Dsvn"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
icmp_drop_redirects="YES"
gateway_enable="YES"
-------

kernel on gateway compiled with
-------
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
-------

/etc/ipf.rules on gateway
-------
#################################################################
# Outside Interface
#################################################################
#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#
# If you wanted to do egress filtering...here's where you'd do it.
# You'd change the lines below so that rather than allowing out any
# arbitrary TCP connection, it would only allow out mail, pop3, and http
# connections (for example).  So, the first line, below, would be
# replaced with:
# pass out quick on xl0 proto tcp from any to any port = 25 keep state
# pass out quick on xl0 proto tcp from any to any port = 110 keep state
# pass out quick on xl0 proto tcp from any to any port = 80 keep state
# ...and then do the same for the remaining lines so that you allow
# only specified protocols/ports 'out' of your network
#----------------------------------------------------------------
pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
block out quick on xl0 all
#-----------------------------------------------------------------------
# Block all inbound traffic from non-routable or reserved address spaces
#-----------------------------------------------------------------------
block in log quick on xl0 from 192.168.0.0/16 to any     #RFC 1918 private IP
block in log quick on xl0 from 172.16.0.0/12 to any      #RFC 1918 private IP
block in log quick on xl0 from 10.0.0.0/8 to any         #RFC 1918 private IP
block in log quick on xl0 from 127.0.0.0/8 to any        #loopback
block in log quick on xl0 from 0.0.0.0/8 to any          #loopback
block in log quick on xl0 from 169.254.0.0/16 to any     #DHCP auto-config
block in log quick on xl0 from 192.0.2.0/24 to any       #reserved for doc's
block in log quick on xl0 from 204.152.64.0/23 to any    #Sun cluster interconnect
block in quick on xl0 from 224.0.0.0/3 to any            #Class D & E multicast
#----------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only.
#----------------------------------------------------------------
pass in quick on xl0 proto udp from 129.105.49.1/32 to any port = 53 keep state
pass in quick on xl0 proto udp from 129.105.49.10/32 to any port = 68 keep state
#----------------------------------------------------------------
# If you wanted to set up a web server or mail server on your box
# (which is outside the scope of this howto), or allow another system
# on the Internet to externally SSH into your firewall, you'd want to
# uncomment the following lines and modify as appropriate.  If you
# have other services running that you need to allow external access
# to, just add more lines using these as examples.
#
# If the services are on a box on your internal network (rather than
# the firewall itself), you'll have to add both the filter listed below,
# plus a redirect rule in your /etc/ipnat.rules file.
#----------------------------------------------------------------
#the following allows httpd traffic, smtp, sendmail, ftp and webmin traffic
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port = 80 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 25 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port = 21 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 443 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 3306 flags S keep state
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port = 10000 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port > 1023 flags S keep state
pass in quick on xl0 proto tcp from 129.x.x.32/24 to any keep state
pass in quick on xl0 proto udp from 129.x.x.32/24 to any keep state
#----------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
#   - Block TCP with a RST (to make it appear as if the service
#     isn't listening)
#   - Block UDP with an ICMP Port Unreachable (to make it appear
#     as if the service isn't listening)
#   - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in log quick on xl0 all
#################################################################
# Inside Interface
#################################################################
#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on xl1 proto tcp from any to any keep state
pass out quick on xl1 proto udp from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state
block out quick on xl1 all
#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on xl1 proto tcp from any to any keep state
pass in quick on xl1 proto udp from any to any keep state
pass in quick on xl1 proto icmp from any to any keep state
block in quick on xl1 all
#################################################################
# Loopback Interface
#################################################################
#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
-------

/etc/ipnat.rules on gateway
-------
#--------------------------------------------------------------------
# Do 'normal' IP address translation.  This line will take all packets
# going out on your external NIC (xl0) that have a source address coming
# from your internal network (192.168.1.0), and translate it to whatever
# IP address your external NIC happens to have at that time
#--------------------------------------------------------------------
map xl0 192.168.1.0/24 -> 0/32
map xl0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
#--------------------------------------------------------------------
# If you have a system on your internal network that needs to be
# 'reachable' by external systems on the internet, you'll need a rule
# similar to the one below.  This one takes all inbound http traffic
# (TCP port 80) that hits the firewall's external interface (xl0) and
# redirects it to port 80 on the 192.168.1.50 system on the internal network.
# Simply uncomment the rule, change the IP address and port number so that
# it does what you need.  Remember that you have to enable the corresponding
# inbound filter in your /etc/ipf.rules file, too.
#--------------------------------------------------------------------
rdr xl0 0.0.0.0/0 port 21 -> 192.168.1.50 port 21 tcp
rdr xl0 0.0.0.0/0 port 22 -> any port 22 tcp
rdr xl0 0.0.0.0/0 port 25 -> any port 25 tcp
rdr xl0 0.0.0.0/0 port 80 -> 192.168.1.50 port 80 tcp
rdr xl0 0.0.0.0/0 port 10000 -> 192.168.1.50 port 10000 tcp
rdr xl0 0.0.0.0/0 port > 1023 -> 192.168.1.50 port > 1023 tcp
rdr xl0 0.0.0.0/0 port 3306 -> any port 3306 tcp
rdr xl0 129.x.x.32/24 -> any tcp
rdr xl0 129.x.x.32/24 -> any udp
-------

/etc/sysctl.conf on gateway
-------
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
-------

I've managed to get it NAT'ing one machine so far, the webserver. The public IP of the webserver is aliased to the external NIC on the gateway machine. httpd and ftp work OK behind the gateway box.

I have many questions, however. The first being: why, despite the firewall rules I have in place on the gateway, when I nmap the public IP of the webserver does it show me all sorts of ports being open? I can't make out from my gateway configuration where this is happening.

Any advice would be appreciated.

Thanks,
Redmond

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+SEJgFNjun16SvHYRAmJaAKCCcrLqWW91RBotZB6JiJ5YMz9TJQCgnUlR
E+RrlbKLFrEuVoeoIlK08UY=
=AsND
-----END PGP SIGNATURE-----
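The question asked above, which rules let a port scan of the public address see "all sorts of ports", can be checked against the posted rule sets mechanically rather than by eye. The script below is an added example for this thread; it is not code from the original post or from ipfilter. It embeds the TCP `pass in` and `rdr` rules copied from the post (the `129.x.x.32/24` rules are left out because their addresses are masked in the archive) and flags three patterns that admit more than the surrounding comments describe: an address written with host bits under its mask, such as `192.168.1.50/24`, which ipf treats as the whole /24 network rather than the one host; a `port > 1023` match, which covers every unprivileged TCP port in one rule; and a `pass in` destination or `rdr` target of `any`, which is not a single host. The regular expressions and the finding names are this example's own.

```python
"""Lint ipf pass rules and ipnat rdr rules for matches broader than intended.

Added example for the mailing-list thread above; not part of the original
post or of ipfilter.  The rule text is copied from the post; the checks and
finding names are this example's own.
"""
import ipaddress
import re

# Constructed sample: the TCP "pass in" rules from the posted /etc/ipf.rules.
IPF_RULES = """\
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port = 80 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 25 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port = 21 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 443 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 3306 flags S keep state
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port = 10000 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port > 1023 flags S keep state
block return-rst in log quick on xl0 proto tcp from any to any
"""

# Constructed sample: the rdr rules from the posted /etc/ipnat.rules.
IPNAT_RULES = """\
rdr xl0 0.0.0.0/0 port 21 -> 192.168.1.50 port 21 tcp
rdr xl0 0.0.0.0/0 port 22 -> any port 22 tcp
rdr xl0 0.0.0.0/0 port 25 -> any port 25 tcp
rdr xl0 0.0.0.0/0 port 80 -> 192.168.1.50 port 80 tcp
rdr xl0 0.0.0.0/0 port 10000 -> 192.168.1.50 port 10000 tcp
rdr xl0 0.0.0.0/0 port > 1023 -> 192.168.1.50 port > 1023 tcp
rdr xl0 0.0.0.0/0 port 3306 -> any port 3306 tcp
"""

# Only the leading fields are parsed; trailing options (flags, keep state) are ignored.
PASS_RE = re.compile(
    r"^pass\s+in\s+quick\s+on\s+(?P<iface>\S+)\s+proto\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s+(?P<op>[=<>])\s+(?P<port>\d+))?")
RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+(?P<ext>\S+)\s+port\s+(?P<op>[<>])?\s*(?P<port>\d+)"
    r"\s+->\s+(?P<target>\S+)\s+port\s+[<>]?\s*\d+\s+(?P<proto>\w+)")


def host_bits_set(cidr):
    """True when an address/mask pair such as 192.168.1.50/24 has bits set
    below the mask: ipf applies the mask, so the rule matches the subnet."""
    if "/" not in cidr:
        return False
    try:
        ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return True
    return False


def lint_ipf(text):
    """Return (finding, rule) pairs for over-broad 'pass in' rules."""
    findings = []
    for line in text.splitlines():
        m = PASS_RE.match(line)
        if not m:
            continue
        dst, op, port = m.group("dst"), m.group("op"), m.group("port")
        if op == ">":  # one rule admits every port above the number
            findings.append(("wide-port-range", line))
        if dst == "any" and port is not None:  # service rule not tied to a host
            findings.append(("dst-any", line))
        if host_bits_set(dst):  # /24 on a host address means the whole subnet
            findings.append(("host-bits-set", line))
    return findings


def lint_ipnat(text):
    """Return (finding, rule) pairs for rdr rules that forward too much."""
    findings = []
    for line in text.splitlines():
        m = RDR_RE.match(line)
        if not m:
            continue
        if m.group("op") is not None:  # 'port > N' forwards a whole range
            findings.append(("wide-port-range", line))
        try:
            ipaddress.ip_address(m.group("target"))
        except ValueError:  # target is not one internal host address
            findings.append(("target-not-host", line))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'dst-any': 4, ...}."""
    counts = {}
    for kind, _rule in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for name, found in (("ipf", lint_ipf(IPF_RULES)), ("ipnat", lint_ipnat(IPNAT_RULES))):
        print(f"{name}: {summarize(found)}")
        for kind, rule in found:
            print(f"  [{kind}] {rule}")
```

Run against the embedded rules, the ipf side reports four `host-bits-set` rules, four `dst-any` rules and one `wide-port-range` rule, and the ipnat side reports one `wide-port-range` redirect plus three `target-not-host` redirects. Tightening those lines to a single host (`192.168.1.50/32`) and explicit ports, and removing the `port > 1023` pair, is what narrows the exposed surface; the linter is only there to make the broad matches visible.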
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030211002256.GA824>
