From: Andy Sutcliffe
To: john@day-light.com
Cc: freebsd-questions@freebsd.org
Date: Sun, 26 Jun 2005 10:29:46 -0400
Subject: Re: IPNAT / IPF / rdr issue

Thank you for the suggestion re: split horizon and tinydns.
This will probably be the easiest workaround.

On 6/25/05, John Brooks wrote:
> Implement a 'split-horizon' dns setup. Clients on the internal network
> are served the internal address for the resource and never need to
> traverse the gateway. External hosts are served from the authoritative
> nameservers as is currently happening.
>
> I set up such a system a couple weeks ago with tinydns, took about 30
> minutes, and was fairly easy.
>
> Alternately you could use each internal computer's "hosts" file with
> a setting of the internal address for the resource. Can get complicated
> keeping everything in sync. Tinydns works much better. Bind also has a
> split-horizon capability, but then bind is not permitted to exist in any
> of my networks or systems (personal choice, but let's not go there ;-) ).
>
> google for tinydns and split-horizon for howto's.
>
> --
> John Brooks
> john@day-light.com
>
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Andy Sutcliffe
> > Sent: Saturday, June 25, 2005 8:01 PM
> > To: freebsd-questions@freebsd.org
> > Subject: IPNAT / IPF / rdr issue
> >
> > I am having problems accessing internal resources (such as a web
> > server) from other internal clients when going from internal client ->
> > public address -> internal resource. For example, when I attempt to
> > reach 'mydomain.com' from client machine X, the connection is refused
> > (I am of course, able to reach the web server through the internal
> > IP), however, I am able to access the web server via that URL from an
> > external network. I have 'mydomain.com' pointed towards the external
> > IP of my gateway which in turn relays it to the internal web server.
> > I have included the pertinent contents of /etc/ipnat.rules as well as
> > my /etc/ipf.conf file. I am at a loss at this point...can anyone
> > point me in the right direction ?
> >
> > Thanks in advance,
> > - andy ( andy dot sutcliffe at gmail dot com)
> >
> > Gateway:
> > OS: FreeBSD 5.4
> > Firewall: IPFilter
> > Port Forwarding: IPNAT
> > External eth: dc0
> > Internal eth: ed0 (10.0.0.0)
> >
> > Web Server
> > OS: FreeBSD 5.4
> > WWW: Apache 2.0
> >
> > Client Machine(s)
> > OS: Windows XP, FreeBSD, Linux
> >
> > I have the following in /etc/ipnat.rules:
> >
> > # innernet
> > map dc0 10.0.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 40000:65000
> > map dc0 10.0.0.0/16 -> 0.0.0.0/32
> >
> > # www
> > rdr dc0 0.0.0.0/0 port 80 -> 10.0.0.3 port 80
> >
> > I have the following in /etc/ipf.conf:
> > #################################################################
> > # No restrictions on Inside LAN Interface for private network
> > # Not needed unless you have LAN
> > #################################################################
> >
> > pass out quick on ed0 all
> > pass in quick on ed0 all
> >
> > #################################################################
> > # No restrictions on Loopback Interface
> > #################################################################
> > pass in quick on lo0 all
> > pass out quick on lo0 all
> >
> > #################################################################
> > # Interface facing Public Internet (Outbound Section)
> > # Interrogate session start requests originating from behind the
> > # firewall on the private network
> > # or from this gateway server destined for the public Internet.
> > #################################################################
> >
> > # Allow out access to my ISP's Domain name server.
> > # xxx must be the IP address of your ISP's DNS.
> > # Dup these lines if your ISP has more than one DNS server
> > # Get the IP addresses from /etc/resolv.conf file
> > pass out quick on dc0 proto tcp from any to 67.43.192.6 port = 53 flags S keep state
> > pass out quick on dc0 proto udp from any to 67.43.192.6 port = 53 keep state
> > pass out quick on dc0 proto tcp from any to 137.118.1.33 port = 53 flags S keep state
> > pass out quick on dc0 proto udp from any to 137.118.1.33 port = 53 keep state
> >
> > # Allow out access to my ISP's DHCP server for cable or DSL networks.
> > # This rule is not needed for 'user ppp' type connection to the
> > # public Internet, so you can delete this whole group.
> > # Use the following rule and check log for IP address.
> > # Then put IP address in commented out rule & delete first rule
> > pass out quick on dc0 proto udp from any to 67.43.192.6 port = 67 keep state
> >
> > # Allow out non-secure standard www function
> > pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state
> > pass out quick on dc0 proto tcp from any to any port = 81 flags S keep state
> >
> > # Allow out secure www function https over TLS SSL
> > pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state
> >
> > # Allow out send & get email function
> > pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
> > pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state
> >
> > # Allow out Time
> > pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state
> >
> > # Allow out nntp news
> > pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state
> >
> > # Allow out gateway & LAN users non-secure FTP ( both passive & active modes)
> > # This function uses the IPNAT built in FTP proxy function coded in
> > # the nat rules file to make this single rule function correctly.
> > # If you want to use the pkg_add command to install application packages
> > # on your gateway system you need this rule.
> > pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state
> >
> > # Allow out secure FTP, Telnet, and SCP
> > # This function is using SSH (secure shell)
> > pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state
> >
> > # Allow out non-secure Telnet
> > pass out quick on dc0 proto tcp from any to any port = 23 flags S keep state
> >
> > # Allow out FBSD CVSUP function
> > pass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state
> >
> > # Allow out ping to public Internet
> > pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state
> >
> > # Allow out whois for LAN PC to public Internet
> > pass out quick on dc0 proto tcp from any to any port = 43 flags S keep state
> >
> > # Block and log only the first occurrence of everything
> > # else that's trying to get out.
> > # This rule enforces the block all by default logic.
> > block out log first quick on dc0 all
> >
> > #################################################################
> > # Interface facing Public Internet (Inbound Section)
> > # Interrogate packets originating from the public Internet
> > # destined for this gateway server or the private network.
> > #################################################################
> >
> > # Block all inbound traffic from non-routable or reserved address spaces
> > block in quick on dc0 from 192.168.0.0/16 to any #RFC 1918 private IP
> > block in quick on dc0 from 172.16.0.0/12 to any #RFC 1918 private IP
> > # block in quick on dc0 from 10.0.0.0/8 to any #RFC 1918 private IP
> > block in quick on dc0 from 127.0.0.0/8 to any #loopback
> > block in quick on dc0 from 0.0.0.0/8 to any #loopback
> > block in quick on dc0 from 169.254.0.0/16 to any #DHCP auto-config
> > block in quick on dc0 from 192.0.2.0/24 to any #reserved for docs
> > block in quick on dc0 from 204.152.64.0/23 to any #Sun cluster interconnect
> > block in quick on dc0 from 224.0.0.0/3 to any #Class D & E multicast
> >
> > ##### Block a bunch of different nasty things. ############
> > # That I do not want to see in the log
> >
> > # Block frags
> > block in quick on dc0 all with frags
> >
> > # Block short tcp packets
> > block in quick on dc0 proto tcp all with short
> >
> > # block source routed packets
> > block in quick on dc0 all with opt lsrr
> > block in quick on dc0 all with opt ssrr
> >
> > # Block nmap OS fingerprint attempts
> > # Log first occurrence of these so I can get their IP address
> > block in log first quick on dc0 proto tcp from any to any flags FUP
> >
> > # Block anything with special options
> > block in quick on dc0 all with ipopts
> >
> > # Block public pings
> > block in quick on dc0 proto icmp all icmp-type 8
> >
> > # Block ident
> > block in quick on dc0 proto tcp from any to any port = 113
> >
> > # Block all Netbios service. 137=name, 138=datagram, 139=session
> > # Netbios is MS/Windows sharing services.
> > # Block MS/Windows hosts2 name server requests 81
> > block in log first quick on dc0 proto tcp/udp from any to any port = 137
> > block in log first quick on dc0 proto tcp/udp from any to any port = 138
> > block in log first quick on dc0 proto tcp/udp from any to any port = 139
> > block in log first quick on dc0 proto tcp/udp from any to any port = 81
> >
> > # Allow traffic in from ISP's DHCP server. This rule must contain
> > # the IP address of your ISP's DHCP server as it's the only
> > # authorized source to send this packet type. Only necessary for
> > # cable or DSL configurations. This rule is not needed for
> > # 'user ppp' type connection to the public Internet.
> > # This is the same IP address you captured and
> > # used in the outbound section.
> > pass in quick on dc0 proto udp from 67.43.192.6 to any port = 68 keep state
> >
> > # Allow in standard www function because I have apache server
> > pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state
> > pass in quick on dc0 proto tcp from any to any port = 81 flags S keep state
> >
> > # Allow in secure FTP, Telnet, and SCP from public Internet
> > # This function is using SSH (secure shell)
> > pass in quick on dc0 proto tcp from any to any port = 22 flags S keep state
> >
> > # Allow in non-secure FTP access to file server (bombadil)
> > pass in quick on dc0 proto ftp from any to 10.0.0.2 port = 21 flags S keep state
> > pass in quick on dc0 proto ftp from any to 10.0.0.2 port = 20 flags S keep state
> > pass out quick on dc0 proto ftp from 10.0.0.2 to any port = 20 flags S keep state
> >
> > # Block and log only first occurrence of all remaining traffic
> > # coming into the firewall. The logging of only the first
> > # occurrence stops a "denial of service" attack targeted
> > # at filling up your log file space.
> > # This rule enforces the block all by default logic.
> > block in log first quick on dc0 all
> > ################### End of rules file
> > #####################################
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe@freebsd.org"
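The split-horizon setup John describes, written out as an added tinydns `data` file (constructed for this thread, not John's or Andy's own configuration): clients whose source address starts with the `10.0` prefix of the LAN in the ipnat rules get the web server's internal address `10.0.0.3`, and everyone else gets the gateway's public address. `203.0.113.10` is a placeholder for the real public IP, which the thread never gives, and `mydomain.com` is the placeholder name the original post uses.

```text
# Client locations: "%lo:ipprefix". tinydns chooses the longest matching
# prefix for each querying address; an empty prefix matches every client.
%in:10.0
%ex:

# Delegation record, same for both views (nameserver name is assumed)
.mydomain.com:203.0.113.10:a:86400

# One name, two answers. Field layout: +fqdn:ip:ttl:timestamp:lo
# Internal clients -> LAN address of the web server, no gateway traversal
+mydomain.com:10.0.0.3:86400::in
+www.mydomain.com:10.0.0.3:86400::in
# Everyone else -> public address, which the rdr rule forwards to 10.0.0.3
+mydomain.com:203.0.113.10:86400::ex
+www.mydomain.com:203.0.113.10:86400::ex
```

Compile it with `tinydns-data` in the service's root directory and point the internal clients' resolvers at this server; external queries keep reaching the authoritative nameservers exactly as before.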