From: Andrea Bacchet
To: "FreeBSD Questions List (E-mail)" (freebsd-questions@freebsd.org)
Subject: IPFW/NATd Jail config (almost there!)
Date: Thu, 13 Jun 2002 17:21:38 -0400

Greetings,

Things are progressing very well! For those of you who already know of my IPFW/NATd and jail problem, please skip the intro and go right down to the question!

================== intro ===========================================

OK, so I set up IPFW and NATd on my FreeBSD 4.5-RELEASE box, where I configured a jail environment. Here are some details for first-time readers:

I have a host computer called dagobah, which runs a virtual system in a jailed environment, called darkside. This system is running FreeBSD 4.5-RELEASE.

host (dagobah)    xl0 IP 143.XX.XX.238
jail (darkside)   IP alias to xl0 (192.168.200.13)

What had happened is that once I set up IPFW, I could no longer connect (a DNS lookup failure was causing a huge delay on connect) to my jail (darkside).
My other problem was making it possible to connect to these services from the outside world:

host (dagobah)
    allow ftp (port 21)
    allow www (port 80)
    allow ssh (port 777)

jail (darkside)
    allow ssh (port 22), with natd forwarding all requests dagobah receives on port 22 to the jail's sshd.

Everything else should be blocked.

=========== question =====================================

My DNS lookup problem with IPFW running is now solved; internally I can connect to my jail without any problem. However, I can't connect from the outside world to my host (dagobah). I have tried to view the web page, as well as telnet, and neither connects, although I do see in the ipfw show output that some stuff seems to be reaching my port 80.

I would really appreciate it if someone could look at my configs and point out my mistake. I have pretty much just learned how to do this stuff, and I may have missed something obvious!

--------------
# rc.conf
#
hostname="dagobah.somewhere.ca"
ifconfig_xl0="inet 142.XX.XX.238 netmask 255.255.255.0"
defaultrouter="142.XX.XX.254"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="YES"
nfs_reserved_port_only="YES"
sendmail_enable="NO"
sshd_enable="YES"
usbd_enable="YES"
quota_enable="YES"
check_quotas="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="/etc/ipfw.rules"
gateway_enable="YES"
natd_enable="YES"
natd_interface="xl0"
natd_flags="-config /etc/natd_rules"
inetd_flags="-wW -a 142.XX.XX.238"
portmap_enable="NO"
syslogd_flags="-ss"

--------------
#
# natd config (/etc/natd_config)
# (note: rc.conf above starts natd with "-config /etc/natd_rules",
#  so make sure this is the file natd actually reads)
#
redirect_port tcp 192.168.200.13:22 22

--------------
#
# my ipfw.rules (additional to rc.firewall defaults)
#
# make sure natd gets a hold of the packets prior to FIREWALL
add 00320 divert natd all from any to any via xl0
#
#
# from man 8 ipfw: allow only outbound TCP connections I've created
add 00350 check-state
add 00351 deny tcp from any to any in established
add 00352 allow tcp from any to any out setup keep-state
#
#
# allow DNS
add 00400 allow udp from 142.XX.XX.1 to any in recv xl0
add 00401 allow udp from 142.XX.XX.2 to any in recv xl0
add 00402 allow udp from 142.XX.XX.3 to any in recv xl0
add 00403 allow udp from any to any out
#
# allow some ICMP types (codes not supported)
## allow path-mtu in both directions
add 00600 allow icmp from any to any icmptypes 3
## allow source quench in and out
add 00601 allow icmp from any to any icmptypes 4
## allow me to ping out and receive response back
add 00602 allow icmp from any to any icmptypes 8 out
add 00603 allow icmp from any to any icmptypes 0 in
## allow me to traceroute
#
# when I traceroute, I send out UDP packets (rule 00403)
#
add 00604 allow icmp from any to any icmptypes 11 in
#
#
# enable www server on dagobah (142.XX.XX.238)
add 00700 allow tcp from any to any 80 in via xl0
add 00701 allow tcp from any to any 80 out via xl0
#
#
# enable ssh server on dagobah (142.XX.XX.238)
add 00702 allow tcp from any to any 777 in via xl0
add 00703 allow tcp from any to any 777 out via xl0
#
#
# enable ssh server on darkside (142.XX.XX.238)
add 00704 allow tcp from any to any 22 in via xl0
add 00705 allow tcp from any to any 22 out via xl0

--------------
OUTPUT OF THE ipfw show COMMAND

00100    0      0 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
00320  171  34652 divert 8668 ip from any to any via xl0
00350    0      0 check-state
00351    0      0 deny tcp from any to any in established
00352   78   8668 allow tcp from any to any keep-state out setup
00400    2    482 allow udp from 142.XX.XX.1 to any in recv xl0
00401    0      0 allow udp from 142.XX.XX.2 to any in recv xl0
00402    0      0 allow udp from 142.XX.XX.3 to any in recv xl0
00403    2    120 allow udp from any to any out
00600    0      0 allow icmp from any to any icmptype 3
00601    0      0 allow icmp from any to any icmptype 4
00602    0      0 allow icmp from any to any out icmptype 8
00603    0      0 allow icmp from any to any in icmptype 0
00604    0      0 allow icmp from any to any in icmptype 11
00700    3    144 allow tcp from any to any 80 in recv xl0
00701    0      0 allow tcp from any to any 80 out xmit xl0
00702    0      0 allow tcp from any to any 777 in recv xl0
00703    0      0 allow tcp from any to any 777 out xmit xl0
00704    0      0 allow tcp from any to any 22 in recv xl0
00705    0      0 allow tcp from any to any 22 out xmit xl0
65535   86  25238 deny ip from any to any

__
Andrea Bacchet
Technical Instructor, Software Systems Technology
Engineering Technical Training Department
e-mail: baccheta@cae.com
phone: (514) 341-6780 X-2083
s-mail: CAE Inc, 8585 Cote de Liesse, St-Laurent, Canada, H4T 1G6
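A corrected /etc/ipfw.rules for the layout in the message, added here as a worked example; it is not the original poster's file nor a reply from the list. It keeps the addresses and ports given above (142.XX.XX.238 for the host, 192.168.200.13 for the jail, both masked as on the page) and assumes only the rc.conf and natd settings shown; the two changes that matter are explained in the comments.

```conf
# /etc/ipfw.rules, corrected (added example, not the original poster's file)
# Host address 142.XX.XX.238 and jail alias 192.168.200.13 are as given
# (and masked) in the message above.
#
# natd sees every packet on xl0 first. Packets it reinjects continue at the
# rule after this one, so by then inbound ssh for the jail already carries
# dst 192.168.200.13:22 and the jail's replies already carry src 142.XX.XX.238.
add 00320 divert natd all from any to any via xl0
#
# Published services, stateless, placed BEFORE the stateful block so the
# original rule 00351 no longer sees them. Two defects in the original layout:
#  1. 00351 "deny tcp from any to any in established" dropped every inbound
#     TCP packet with ACK or RST set, so only the client's first SYN reached
#     the 007xx rules; the rest of the handshake never got in.
#  2. the 007xx "out" rules matched DESTINATION port 80/777/22, but a server's
#     replies carry that number as the SOURCE port, so the SYN-ACK fell through
#     to the default deny. In the "ipfw show" output, 00700 counting a few
#     SYNs while 65535 keeps climbing is exactly that symptom.
#
# www on the host
add 00330 allow tcp from any to 142.XX.XX.238 80 in via xl0
add 00331 allow tcp from 142.XX.XX.238 80 to any out via xl0
# sshd on the host (port 777)
add 00332 allow tcp from any to 142.XX.XX.238 777 in via xl0
add 00333 allow tcp from 142.XX.XX.238 777 to any out via xl0
# sshd in the jail, reached through natd's redirect_port. Kept stateless on
# purpose: a keep-state entry records the addresses the rule saw, and natd
# rewrites them on the return trip, so the reply would not match the entry.
add 00334 allow tcp from any to 192.168.200.13 22 in via xl0
add 00335 allow tcp from 142.XX.XX.238 22 to any out via xl0
# ftp (port 21) was listed as a goal but has no rule; FTP also needs its
# data connections handled, the control port alone is not enough.
#
# Connections the host opens itself (unchanged from the original)
add 00350 check-state
add 00351 deny tcp from any to any in established
add 00352 allow tcp from any to any out setup keep-state
#
# Rules 00400-00403 (DNS, outbound UDP) and 00600-00604 (ICMP) stay as they
# are in the original file; everything else still falls to the default deny.
```

After reloading, a browser connection from outside should move the 00330/00331 counters in ipfw show instead of the 65535 one.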