Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 26 Jun 2005 10:29:46 -0400
From:      Andy Sutcliffe <andy.sutcliffe@gmail.com>
To:        john@day-light.com
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPNAT / IPF / rdr issue
Message-ID:  <9d124e1c0506260729360b1cf6@mail.gmail.com>
In-Reply-To: <NHBBKEEMKJDINKDJBJHGEEFDJHAD.john@day-light.com>
References:  <9d124e1c0506251800635f8cf7@mail.gmail.com> <NHBBKEEMKJDINKDJBJHGEEFDJHAD.john@day-light.com>

next in thread | previous in thread | raw e-mail | index | archive | help
Thank you for the suggestion re: split horizon and tinydns.  This will
probably be the easiest work around.

On 6/25/05, John Brooks <john@day-light.com> wrote:
> Implement a 'split-horizon' dns setup. Clients on the internal network
> are served the internal address for the resource and never need to
> traverse the gateway. External hosts are served from the authoritative
> nameservers as is currently happening.
>=20
> I set up such a system a couple weeks ago with tinydns, took about 30
> minutes, and was fairly easy.
>=20
> Alternately you could use each internal computer's "hosts" file with
> a setting of the internal address for the resource. Can get complicated
> keeping everything in sync. Tinydns works much better. Bind also has a
> split-horizon capability, but then bind is not permitted to exist in any
> of my networks or systems (personal choice, but let's not go there ;-) ).
>=20
> google for tinydns and split-horizon for howto's.
>=20
> --
> John Brooks
> john@day-light.com
>=20
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Andy Sutcliffe
> > Sent: Saturday, June 25, 2005 8:01 PM
> > To: freebsd-questions@freebsd.org
> > Subject: IPNAT / IPF / rdr issue
> >
> >
> > I am having problems accessing internal resources (such as a web
> > server) from other internal clients when going from internal client ->
> > public address -> internal resource.  For example, when I attempt to
> > reach 'mydomain.com' from client machine X, the connection is refused
> > (I am of course, able to reach the web server through the internal
> > IP), however, I am able to access the web server via that URL from an
> > external network.  I have 'mydomain.com' pointed towards the external
> > IP of my gateway which in turn relays it to the internal web server.
> > I have included the pertinent contents of /etc/ipnat.rules as well as
> > my /etc/ipf.conf file.  I am at a loss at this point...can anyone
> > point me in the right direction ?
> >
> > Thanks in advance,
> >   - andy ( andy dot sutcliffe at gmail dot com)
> >
> > Gateway:
> >   OS:FreeBSD 5.4
> >   Firewall: IPFilter
> >   Port Forwarding: IPNAT
> >   External eth: dc0
> >   Internal eth: ed0 (10.0.0.0)
> >
> > Web Server
> >   OS: FreeBSD 5.4
> >  WWW: Apache 2.0
> >
> > Client Machine(s)
> >   OS: Windows XP, FreeBSD, Linux
> >
> > I have the following in /etc/ipnat.rules:
> >
> > # innernet
> > map dc0 10.0.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 40000:65000
> > map dc0 10.0.0.0/16 -> 0.0.0.0/32
> >
> > # www
> > rdr dc0 0.0.0.0/0 port 80 -> 10.0.0.3 port 80
> >
> > I have the following in /etc/ipf.conf:
> > #################################################################
> > # No restrictions on Inside LAN Interface for private network
> > # Not needed unless you have LAN
> > #################################################################
> >
> > pass out quick on ed0 all
> > pass in quick on ed0 all
> >
> > #################################################################
> > # No restrictions on Loopback Interface
> > #################################################################
> > pass in quick on lo0 all
> > pass out quick on lo0 all
> >
> > #################################################################
> > # Interface facing Public Internet (Outbound Section)
> > # Interrogate session start requests originating from behind the
> > # firewall on the private network
> > # or from this gateway server destine for the public Internet.
> > #################################################################
> >
> > # Allow out access to my ISP's Domain name server.
> > # xxx must be the IP address of your ISP's DNS.
> > # Dup these lines if your ISP has more than one DNS server
> > # Get the IP addresses from /etc/resolv.conf file
> > pass out quick on dc0 proto tcp from any to 67.43.192.6 port =3D 53
> > flags S keep state
> > pass out quick on dc0 proto udp from any to 67.43.192.6 port =3D 53
> > keep state
> > pass out quick on dc0 proto tcp from any to 137.118.1.33 port =3D 53
> > flags S keep state
> > pass out quick on dc0 proto udp from any to 137.118.1.33 port =3D
> > 53 keep state
> >
> > # Allow out access to my ISP's DHCP server for cable or DSL networks.
> > # This rule is not needed for 'user ppp' type connection to the
> > # public Internet, so you can delete this whole group.
> > # Use the following rule and check log for IP address.
> > # Then put IP address in commented out rule & delete first rule
> > pass out quick on dc0 proto udp from any to 67.43.192.6 port =3D 67
> > keep state
> >
> >
> > # Allow out non-secure standard www function
> > pass out quick on dc0 proto tcp from any to any port =3D 80 flags S
> > keep state
> > pass out quick on dc0 proto tcp from any to any port =3D 81 flags S
> > keep state
> >
> > # Allow out secure www function https over TLS SSL
> > pass out quick on dc0 proto tcp from any to any port =3D 443 flags
> > S keep state
> >
> > # Allow out send & get email function
> > pass out quick on dc0 proto tcp from any to any port =3D 110 flags
> > S keep state
> > pass out quick on dc0 proto tcp from any to any port =3D 25 flags S
> > keep state
> >
> > # Allow out Time
> > pass out quick on dc0 proto tcp from any to any port =3D 37 flags S
> > keep state
> >
> > # Allow out nntp news
> > pass out quick on dc0 proto tcp from any to any port =3D 119 flags
> > S keep state
> >
> > # Allow out gateway & LAN users non-secure FTP ( both passive &
> > active modes)
> > # This function uses the IPNAT built in FTP proxy function coded in
> > # the nat rules file to make this single rule function correctly.
> > # If you want to use the pkg_add command to install application package=
s
> > # on your gateway system you need this rule.
> > pass out quick on dc0 proto tcp from any to any port =3D 21 flags S
> > keep state
> >
> > # Allow out secure FTP, Telnet, and SCP
> > # This function is using SSH (secure shell)
> > pass out quick on dc0 proto tcp from any to any port =3D 22 flags S
> > keep state
> >
> > # Allow out non-secure Telnet
> > pass out quick on dc0 proto tcp from any to any port =3D 23 flags S
> > keep state
> >
> > # Allow out FBSD CVSUP function
> > pass out quick on dc0 proto tcp from any to any port =3D 5999 flags
> > S keep state
> >
> > # Allow out ping to public Internet
> > pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state
> >
> > # Allow out whois for LAN PC to public Internet
> > pass out quick on dc0 proto tcp from any to any port =3D 43 flags S
> > keep state
> >
> > # Block and log only the first occurrence of everything
> > # else that's trying to get out.
> > # This rule enforces the block all by default logic.
> > block out log first quick on dc0 all
> >
> > #################################################################
> > # Interface facing Public Internet (Inbound Section)
> > # Interrogate packets originating from the public Internet
> > # destine for this gateway server or the private network.
> > #################################################################
> >
> > # Block all inbound traffic from non-routable or reserved address space=
s
> > block in quick on dc0 from 192.168.0.0/16 to any    #RFC 1918 private I=
P
> > block in quick on dc0 from 172.16.0.0/12 to any     #RFC 1918 private I=
P
> > # block in quick on dc0 from 10.0.0.0/8 to any        #RFC 1918 private=
 IP
> > block in quick on dc0 from 127.0.0.0/8 to any       #loopback
> > block in quick on dc0 from 0.0.0.0/8 to any         #loopback
> > block in quick on dc0 from 169.254.0.0/16 to any    #DHCP auto-config
> > block in quick on dc0 from 192.0.2.0/24 to any      #reserved for docs
> > block in quick on dc0 from 204.152.64.0/23 to any   #Sun cluster
> > interconnect
> > block in quick on dc0 from 224.0.0.0/3 to any       #Class D & E multic=
ast
> >
> > ##### Block a bunch of different nasty things. ############
> > # That I do not want to see in the log
> >
> > # Block frags
> > block in quick on dc0 all with frags
> >
> > # Block short tcp packets
> > block in quick on dc0 proto tcp all with short
> >
> > # block source routed packets
> > block in quick on dc0 all with opt lsrr
> > block in quick on dc0 all with opt ssrr
> >
> > # Block nmap OS fingerprint attempts
> > # Log first occurrence of these so I can get their IP address
> > block in log first quick on dc0 proto tcp from any to any flags FUP
> >
> > # Block anything with special options
> > block in quick on dc0 all with ipopts
> >
> > # Block public pings
> > block in quick on dc0 proto icmp all icmp-type 8
> >
> > # Block ident
> > block in quick on dc0 proto tcp from any to any port =3D 113
> >
> > # Block all Netbios service. 137=3Dname, 138=3Ddatagram, 139=3Dsession
> > # Netbios is MS/Windows sharing services.
> > # Block MS/Windows hosts2 name server requests 81
> > block in log first quick on dc0 proto tcp/udp from any to any port =3D =
137
> > block in log first quick on dc0 proto tcp/udp from any to any port =3D =
138
> > block in log first quick on dc0 proto tcp/udp from any to any port =3D =
139
> > block in log first quick on dc0 proto tcp/udp from any to any port =3D =
81
> >
> > # Allow traffic in from ISP's DHCP server. This rule must contain
> > # the IP address of your ISP's DHCP server as it's the only
> > # authorized source to send this packet type. Only necessary for
> > # cable or DSL configurations. This rule is not needed for
> > # 'user ppp' type connection to the public Internet.
> > # This is the same IP address you captured and
> > # used in the outbound section.
> > pass in quick on dc0 proto udp from 67.43.192.6 to any port =3D 68
> > keep state
> >
> > # Allow in standard www function because I have apache server
> > pass in quick on dc0 proto tcp from any to any port =3D 80 flags S
> > keep state
> > pass in quick on dc0 proto tcp from any to any port =3D 81 flags S
> > keep state
> >
> > # Allow in secure FTP, Telnet, and SCP from public Internet
> > # This function is using SSH (secure shell)
> > pass in quick on dc0 proto tcp from any to any port =3D 22 flags S
> > keep state
> >
> > # Allow in non-scure FTP access to file server (bombadil)
> > pass in quick on dc0 proto ftp from any to 10.0.0.2 port =3D 21
> > flags S keep state
> > pass in quick on dc0 proto ftp from any to 10.0.0.2 port =3D 20
> > flags S keep state
> > pass out quick on dc0 proto ftp from 10.0.0.2 to any port =3D 20 flags =
S
> > keep state
> >
> > # Block and log only first occurrence of all remaining traffic
> > # coming into the firewall. The logging of only the first
> > # occurrence stops a .denial of service. attack targeted
> > # at filling up your log file space.
> > # This rule enforces the block all by default logic.
> > block in log first quick on dc0 all
> > ################### End of rules file
> > #####################################
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe@freebsd.org"
> >
>=20
>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9d124e1c0506260729360b1cf6>