Date: Thu, 26 Apr 2001 23:09:46 -0500 (CDT)
From: Nick Rogness <nick@rogness.net>
To: Chris Hardie <chris@summersault.com>
Cc: questions@FreeBSD.ORG
Subject: Re: Confusion about router/firewall traffic from router itself
Message-ID: <Pine.BSF.4.21.0104262235340.52943-100000@cody.jharris.com>
In-Reply-To: <Pine.BSF.4.33.0104261819100.620-100000@nollie.summersault.com>
On Thu, 26 Apr 2001, Chris Hardie wrote:

> We have a FreeBSD 4.2 box acting as a router and firewall (ipfw) for
> our internal network. We have a range of (real) IP addresses that we
> use for all of the machines on our network, as most all of them
> require direct addressing from the outside world.

For what purpose? I can think of only a couple reasons that this might
be needed which natd can not handle properly.

> The router has two NICs, one going to the ISP (xl1) and one going to
> the internal network (xl0):
>
> /etc/rc.conf
> ifconfig_xl1="inet 192.168.21.9 netmask 255.255.255.0"
> ifconfig_xl0="inet 208.196.32.193 netmask 255.255.255.192"
> defaultrouter="192.168.21.1"
> gateway_enable="YES"
> firewall_enable="YES"
>
> All of our internal machines point to 208.196.32.193 as their gateway.
>
> I believe that 192.168.21.9 is the (RFC1918) IP address of the interface
> on our ISP's router that our connection goes to.

Your ISP connects to you with non-routeable IPs?????

> We're not running natd.
>
> So, things work fine. I can write firewall rules that work, all of
> the internal hosts can reach the outside world and vice versa.
>
> What doesn't work is traffic originating from the firewall box itself
> into the outside world. My understanding is that this is happening
> because it's standard for routers to deny traffic coming from
> 192.168.0.0/16 (in this case) and going to the outside world. As a
> result, ping yahoo.com returns "permission denied." If I alter the
> source address (using ping -S) to be the real IP of the firewall box,
> then this kind of traffic can get through.

Sure, as you go outbound to the internet your source address is
192.168.21.9. Even if the IP is not getting filtered (not likely) going
to the destination, the destination machine does not know how to get
back to the 192.168 network because it is not being carried in any
backbone BGP tables.

> So the question is, how do I configure things so that other kinds of
> traffic on the firewall box (like DNS queries, NTP queries, etc) can get
> to the outside world, even though they're coming from a source address of
> 192.168.1.29?
>
> Is this a matter of different firewall rules that permit traffic with that
> source address (but still prevent RFC1918 spoofing), or is it a matter of
> finding some way to make the traffic come from the real IP address? Or am
> I not understanding some basic concepts here?

Run natd with an alias address of 208.196.32.193. Be careful of this as
it may break your existing 192.168 stuff from your ISP. So an ipfw
ruleset like the following should work alright:

# Allow packets from your ISP to your machine without nat
ipfw allow ip from 192.168.21.0/24 to 192.168.21.9 in via xl1

# Allow packets from your machine to your ISP without nat
ipfw allow ip from 192.168.21.9 to 192.168.21.0/24 out via xl1

# Nat just this machine to the rest of the world
ipfw divert natd ip from 192.168.21.9 to any out via xl1
ipfw divert natd ip from any to 208.196.32.193 in via xl1

*Note* I left out the add and number of the above ruleset to keep the
lines so they wouldn't wrap, but the sequence is VERY important and must
go into your firewall in the above listed order or things won't work.

Then run natd like so:

/sbin/natd -a 208.196.32.193

You can also change things around a bit and run private ranges on your
internal network and run natd for them as well. Like I said earlier, it
is not a good idea to be running public IPs on your internal net unless
you absolutely have to... but it is up to you... I'm sure you probably
have some good reasons why.

Hope this helps.

Nick Rogness <nick@rogness.net>
 - Keep on Routing in a Free World...
   "FreeBSD: The Power to Serve!"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
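Added example (not Nick's code and not the FreeBSD project's own): the ruleset Nick outlines, written as a script with the `add <number>` he left out restored, followed by the anti-spoofing rules Chris asked about so that packets bearing RFC1918 or internal-block source addresses are dropped at the ISP interface. The interface names and addresses come from the thread; the rule numbers, the internal block 208.196.32.192/26 (derived from the xl0 netmask), the RFC1918 list and the use of `deny log` are this example's own choices. `deny log` only produces log lines when the kernel was built with IPFIREWALL_VERBOSE; without it the rules still deny.

```shell
#!/bin/sh
# Example ipfw/natd setup for the router in the thread. Run with "apply" to
# install the rules and start natd; with no argument it only prints the rules.
# Values below are taken from the thread except where marked as assumed.

EXT_IF="xl1"                  # link to the ISP
INT_IF="xl0"                  # internal network
ISP_NET="192.168.21.0/24"     # ISP transfer network (RFC1918)
EXT_IP="192.168.21.9"         # this host's address on the ISP link
ALIAS_IP="208.196.32.193"     # public address natd substitutes for EXT_IP
INT_NET="208.196.32.192/26"   # assumed: the public /26 behind xl0
IPFW="${IPFW:-/sbin/ipfw}"    # override to "echo" for a dry run

# Emit the rules one per line, in the order they must be installed.
# 100/110: the ISP transfer network talks to us untranslated.
# 200/210: only this host's own traffic is diverted to natd.
# 300-340: anti-spoofing. These must come after the divert rules, because a
#   packet re-injected by natd re-enters the ruleset at the next number with
#   its translated (public) source address.
# Rule 330 also drops packets from the ISP's 192.168.21.x hop addressed to
# internal hosts (ICMP errors, traceroute); allow those before it if needed.
# Any existing rules continue at higher numbers.
ruleset() {
    cat <<EOF
add 100 allow ip from $ISP_NET to $EXT_IP in via $EXT_IF
add 110 allow ip from $EXT_IP to $ISP_NET out via $EXT_IF
add 200 divert natd ip from $EXT_IP to any out via $EXT_IF
add 210 divert natd ip from any to $ALIAS_IP in via $EXT_IF
add 300 deny log ip from $INT_NET to any in via $EXT_IF
add 310 deny log ip from 10.0.0.0/8 to any in via $EXT_IF
add 320 deny log ip from 172.16.0.0/12 to any in via $EXT_IF
add 330 deny log ip from 192.168.0.0/16 to any in via $EXT_IF
add 340 deny log ip from 192.168.0.0/16 to any out via $EXT_IF
EOF
}

# Rule number of the first rule whose text contains "$1".
rule_number() {
    ruleset | grep -F -- "$1" | head -n 1 | awk '{print $2}'
}

# Self-check of the ordering Nick insists on: ISP-link exemptions before the
# divert rules, and the divert rules before the anti-spoofing denies.
order_ok() {
    exempt=$(rule_number "$EXT_IP to $ISP_NET out")
    divert=$(rule_number "divert natd")
    deny=$(rule_number "deny log")
    [ "$exempt" -lt "$divert" ] && [ "$divert" -lt "$deny" ]
}

# Install the rules in order; stop at the first one ipfw rejects.
apply_ruleset() {
    order_ok || { echo "ruleset ordering is wrong, refusing to apply" >&2; return 1; }
    ruleset | while IFS= read -r rule; do
        # word-splitting of $rule into ipfw arguments is intended
        $IPFW $rule || { echo "failed: $IPFW $rule" >&2; exit 1; }
    done
}

# -a: the address natd writes as source into diverted outbound packets.
start_natd() {
    /sbin/natd -a "$ALIAS_IP"
}

case "${1:-print}" in
    apply) apply_ruleset && start_natd ;;
    *)     ruleset ;;
esac
```

With `IPFW=echo ./script.sh apply` the script prints the exact ipfw commands it would run without touching the live ruleset, which is a cheap way to review the order before installing it on the box.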