From: "J. Seth Henry" <jshamlet@comcast.net>
To: freebsd-questions@freebsd.org
Date: Fri, 30 Jan 2004 14:48:51 -0500
Subject: IPFILTER/NAT problem

Guys/gals,

I've got a curious networking problem with ipfilter/ipnat (or possibly ssh).

The firewall where I work allows only 4 ports to go through unmolested (i.e., no proxy servers/authentication). These are 21 (FTP), 22 (SSH), 23 (TELNET), and 110 (POP3). I have three hosts at the house I would like to be able to ssh into, and window X apps back. So, I thought I would use each of these ports to point to a host on the LAN at home, plus FTP access to the file server host.

The local network is very simple. I have a FreeBSD router sitting between the CM and the local LAN. The two other hosts are connected to the router via switched ethernet, and all have LAN addresses in the 192.168.1.x range.

So, I allow these four ports to pass through my firewall, and use nat to redirect, a la:

    # External Interface
    block out on xl0 all
    block in log on xl0 all
    pass in quick on xl0 proto tcp from any to any port = 21 flags S keep frags keep state
    pass in quick on xl0 proto tcp from any to any port = 22 flags S keep frags keep state
    pass in quick on xl0 proto tcp from any to any port = 23 flags S keep frags keep state
    pass in quick on xl0 proto tcp from any to any port = 110 flags S keep frags keep state
    pass in quick on xl0 proto udp from any to any port = 68 keep state
    pass out quick on xl0 proto tcp from any to any flags S keep frags keep state
    pass out quick on xl0 proto udp from any to any keep state keep frags
    pass out quick on xl0 proto icmp from any to any keep state

    # Internal Interface
    pass in quick on vr0 all
    pass out quick on vr0 all
    pass in quick on xl1 all
    pass out quick on xl1 all

    # Loopback Interface
    pass in quick on lo0 all
    pass out quick on lo0 all

I checked the firewall log, and used tcpdump to verify that these ports were getting passed through. (Well, they aren't being blocked, at least.)

And then redirect the ports to the appropriate hosts:

    map xl0 192.168.1.254/24 -> 0/32 proxy port ftp ftp/tcp
    rdr xl0 0.0.0.0/0 port 21 -> 192.168.1.1 port 21 tcp
    rdr xl0 0.0.0.0/0 port 22 -> 192.168.1.1 port 22 tcp
    rdr x10 0.0.0.0/0 port 23 -> 192.168.1.249 port 23 tcp
    map xl0 192.168.1.254/24 -> 0/32 portmap tcp/udp auto
    map xl0 192.168.1.254/24 -> 0/32

The router (which is also one of the hosts) is listening on port 110 at the moment, but it will work on any of the ports. Port 22 will work to either of the remote hosts. BUT if I try to run sshd on an _internal_ host on port 23, the connection doesn't go through. I know ssh is listening on the ports, because I can use ssh -p 23 from the router or other host and get a login. I can also toggle the local IP addresses for port 22 and 23 in the ipnat.rules file, and log in on 22 to either host.

The router is a FreeBSD 4.8-REL system, and, although simply switching the IP addresses allows login to either host, the other hosts are a FreeBSD 4.9-REL file server and a RedHat Linux 9 test box. Ipfilter is set to block all by default, so only the four ports mentioned are allowed in.

My work machine is a Win2k box, and I'm using the F-Secure client, version 5.2 build 33. (I've also tried PuTTY 0.53b.)

I have verified that the sshd daemons on all of the machines are responding on both 22 and 23 by logging in from the other host (iow, I can ssh to 192.168.1.249 at port 23 by typing 'ssh hades -p 23' from one of the other hosts, and it works).

The reason I suspect an ipnat problem is that I don't see any traffic on port 23 on the local interface. (iow, typing tcpdump -i xl1 | grep telnet produces nothing.) I also don't see anything on the local network from any of the other hosts, so it doesn't appear that the router is passing packets on port 23 to the local interface. Programs on the remote network all report timeouts.

Did I miss something?

Thanks,
Seth Henry
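Editor's note, not part of Seth's post: in the ipnat rules as quoted, the port-23 rdr line names the interface `x10` (ex, one, zero) while every other rule uses `xl0` (ex, ell, zero). ipnat applies map/rdr rules by interface name, so a rule bound to an interface that does not exist never matches; if the file really reads that way, port-23 connections are never redirected to 192.168.1.249, which is consistent with tcpdump on xl1 seeing nothing on port 23 while the port-22 rdr works. That is worth ruling out before suspecting sshd or the clients. The script below is an added example (my code, not from the post or from the ipfilter project) that checks an ipnat rules file for map/rdr rules whose interface is not in the router's interface list. The interface list (xl0, xl1, vr0, lo0) and the sample rules are taken from the post; the file name and function names are my own.

```sh
#!/bin/sh
# lint_ipnat.sh: flag map/rdr rules in an ipnat.rules file whose interface
# name is not one of the interfaces actually present on the router.
# Added example; the sample rules are copied from the post into a temp file
# so the script runs stand-alone. Plain /bin/sh plus awk, nothing else.

# Interfaces the router really has. Hard-coded from the post (xl0 external,
# xl1 and vr0 internal, lo0 loopback); on a live FreeBSD box you would
# instead use the output of "ifconfig -l".
known_ifaces() {
    echo "xl0 xl1 vr0 lo0"
}

# Print "lineno: rule" for every map/rdr line in file $1 whose second field
# (the interface) is not in the space-separated list $2.
bad_iface_rules() {
    awk -v list="$2" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        ($1 == "map" || $1 == "rdr") && !($2 in ok) { print NR ": " $0 }
    ' "$1"
}

# Same check, reduced to the number of offending rules.
bad_iface_count() {
    bad_iface_rules "$1" "$2" | wc -l | tr -d ' '
}

# Constructed input: the ipnat.rules from the post, verbatim (including the
# "x10" on the port-23 line).
write_sample_rules() {
    cat > "$1" <<'EOF'
map xl0 192.168.1.254/24 -> 0/32 proxy port ftp ftp/tcp
rdr xl0 0.0.0.0/0 port 21 -> 192.168.1.1 port 21 tcp
rdr xl0 0.0.0.0/0 port 22 -> 192.168.1.1 port 22 tcp
rdr x10 0.0.0.0/0 port 23 -> 192.168.1.249 port 23 tcp
map xl0 192.168.1.254/24 -> 0/32 portmap tcp/udp auto
map xl0 192.168.1.254/24 -> 0/32
EOF
}

# Run it against the sample: the only line reported is the port-23 rdr.
RULES="${TMPDIR:-/tmp}/ipnat.rules.$$"
write_sample_rules "$RULES"
bad_iface_rules "$RULES" "$(known_ifaces)"
```

On the router itself, `ipnat -l` lists the rules ipnat has actually loaded, so comparing that output with the file is the quickest way to confirm whether the port-23 rule is bound to the interface you think it is. The same lint is worth running on any ipnat file that is edited by hand, since a rule on a misspelled interface loads without complaint and simply never fires.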