Date:      Thu, 13 Jun 2002 17:21:38 -0400
From:      Andrea Bacchet <baccheta@cae.com>
To:        "FreeBSD Questions List (E-mail)" <questions@freebsd.org>
Subject:   IPFW/NATd Jail config (almost there!)
Message-ID:  <8A6A2A139700D5118EB6009027B0FF3A0D91D7B6@caemsx02.cae.ca>

Greetings,

	Things are progressing very well! For those
of you who already know of my IPFW/NATd and jail problem,
please skip the intro and go right down to the question!

================== intro ===========================================
	Ok, so I setup IPFW and NATd on my FreeBSD 4.5-RELEASE box,
where I configured a jail environment. Here are some details for
first time readers:

I have a host computer called dagobah, which
runs a virtual system in a jailed environment, called
darkside. This system is running FreeBSD 4.5-RELEASE.

host (dagobah) xl0 IP 143.XX.XX.238
     jail (darkside) IP alias to xl0 (192.168.200.13)

What had happened is that once I setup IPFW, I could no
longer connect (DNS lookup failure was causing huge delay
on connect) to my jail (darkside).

My other problem was making it possible to connect to
these services from the outside world:

host (dagobah)
    allow ftp (port 21)
    allow www (port 80)
    allow ssh (port 777)

jail (darkside)
    allow ssh (port 22)

    with natd forwarding all requests dagobah received on port 22
    to the jail's sshd.

    Everything else should be blocked.

===========  question    =====================================

My DNS lookup problem with IPFW running is now solved, internally
I can connect to my jail without any problem.

However, I can't connect from the outside world to my host (dagobah).
I have tried to view the web page, as well as telnet, and both
don't connect. Although I do see in the IPFW SHOW output that
some stuff seems to be reaching my port 80.

I would really appreciate it if someone could look at my configs
and point out my mistake. I have pretty much just learned how to
do this stuff, and I may have missed something obvious!

--------------

# rc.conf
#
hostname="dagobah.somewhere.ca"
ifconfig_xl0="inet 142.XX.XX.238 netmask 255.255.255.0"
defaultrouter="142.XX.XX.254"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="YES"
nfs_reserved_port_only="YES"
sendmail_enable="NO"
sshd_enable="YES"
usbd_enable="YES"
quota_enable="YES"
check_quotas="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="/etc/ipfw.rules"
gateway_enable="YES"
natd_enable="YES"
natd_interface="xl0"
natd_flags="-config /etc/natd_rules"
inetd_flags="-wW -a 142.XX.XX.238"
portmap_enable="NO"
syslogd_flags="-ss"


--------------

#
# natd config (/etc/natd_config)
#
redirect_port tcp 192.168.200.13:22 22


--------------

#
# my ipfw.rules (additional to rc.firewall defaults)
# 
#make sure natd gets a hold of the packets prior to FIREWALL
add 00320 divert natd all from any to any via xl0
#
#
# from man 8 ipfw: allow only outbound TCP connections I've created
add 00350 check-state
add 00351 deny tcp from any to any in established
add 00352 allow tcp from any to any out setup keep-state
#
#
#allow DNS
add 00400 allow udp from 142.XX.XX.1 to any in recv xl0
add 00401 allow udp from 142.XX.XX.2 to any in recv xl0
add 00402 allow udp from 142.XX.XX.3 to any in recv xl0
add 00403 allow udp from any to any out
#
#allow some ICMP types (codes not supported)
## allow path-mtu in both directions
add 00600 allow icmp from any to any icmptypes 3
## allow source quench in and out
add 00601 allow icmp from any to any icmptypes 4
## allow me to ping out and receive response back
add 00602 allow icmp from any to any icmptypes 8 out
add 00603 allow icmp from any to any icmptypes 0 in
## allow me to traceroute
#
# when I traceroute, I send out UDP packets (rule 00403)
# 
add 00604 allow icmp from any to any icmptypes 11 in
#
#
# enable www server on dagobah (142.XX.XX.238)
add 00700 allow tcp from any to any 80 in via xl0
add 00701 allow tcp from any to any 80 out via xl0
#
#
# enable ssh server on dagobah (142.XX.XX.238)
add 00702 allow tcp from any to any 777 in via xl0
add 00703 allow tcp from any to any 777 out via xl0
#
#
# enable ssh server on darkside (142.XX.XX.238)
add 00704 allow tcp from any to any 22 in via xl0
add 00705 allow tcp from any to any 22 out via xl0


--------------

OUTPUT OF THE IPFW SHOW command

00100   0     0 allow ip from any to any via lo0
00200   0     0 deny ip from any to 127.0.0.0/8
00300   0     0 deny ip from 127.0.0.0/8 to any
00320 171 34652 divert 8668 ip from any to any via xl0
00350   0     0 check-state
00351   0     0 deny tcp from any to any in established
00352  78  8668 allow tcp from any to any keep-state out setup
00400   2   482 allow udp from 142.XX.XX.1 to any in recv xl0
00401   0     0 allow udp from 142.XX.XX.2 to any in recv xl0
00402   0     0 allow udp from 142.XX.XX.3 to any in recv xl0
00403   2   120 allow udp from any to any out
00600   0     0 allow icmp from any to any icmptype 3
00601   0     0 allow icmp from any to any icmptype 4
00602   0     0 allow icmp from any to any out icmptype 8
00603   0     0 allow icmp from any to any in icmptype 0
00604   0     0 allow icmp from any to any in icmptype 11
00700   3   144 allow tcp from any to any 80 in recv xl0
00701   0     0 allow tcp from any to any 80 out xmit xl0
00702   0     0 allow tcp from any to any 777 in recv xl0
00703   0     0 allow tcp from any to any 777 out xmit xl0
00704   0     0 allow tcp from any to any 22 in recv xl0
00705   0     0 allow tcp from any to any 22 out xmit xl0
65535  86 25238 deny ip from any to any

__
Andrea Bacchet 
Technical Instructor, Software Systems Technology Engineering 
Technical Training Department 
e-mail: baccheta@cae.com phone: (514) 341-6780 X-2083 
s-mail: CAE Inc, 8585 Cote de Liesse, St-Laurent, Canada, H4T 1G6 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
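An added example (editor's code, not part of the post above): a minimal model of the TCP rules from the posted ruleset that reports which rule each of the first two packets of an inbound web connection hits, with a hypothetical keep-state variant placed beside the rules as posted for comparison. It assumes ipfw's documented semantics that `to any 80` tests only the destination port and that `setup` matches a SYN without ACK, so the SYN-ACK that dagobah sends back from port 80 is tested against 00701 (destination port 80) and 00352 (bare SYN) and matches neither.

```python
from collections import namedtuple
# sport/dport are TCP ports, direction is "in" or "out", syn/ack are flag bits.
Pkt = namedtuple("Pkt", "sport dport direction syn ack")

# (number, action, dst-port filter, direction filter, tcp-flag filter, keep-state)
# Only the TCP rules from the post; the divert/natd, UDP and ICMP rules are omitted.
RULES_AS_POSTED = [
    (350, "check-state", None, None, None, False),
    (351, "deny", None, "in", "established", False),
    (352, "allow", None, "out", "setup", True),
    (700, "allow", 80, "in", None, False),
    (701, "allow", 80, "out", None, False),
    (702, "allow", 777, "in", None, False),
    (703, "allow", 777, "out", None, False),
    (704, "allow", 22, "in", None, False),
    (705, "allow", 22, "out", None, False),
    (65535, "deny", None, None, None, False),
]
# Hypothetical variant for comparison only: the inbound server rules also keep state.
RULES_STATEFUL = [(n, a, p, d, f, n in (700, 702, 704) or k)
                  for n, a, p, d, f, k in RULES_AS_POSTED]

def first_match(pkt, rules, dyn):
    """Return (rule number, action) of the first rule pkt hits. dyn holds the
    flows created by keep-state, keyed on the port pair so both directions match."""
    for num, action, dport, direction, flags, keep in rules:
        if action == "check-state":
            if frozenset((pkt.sport, pkt.dport)) in dyn:
                return num, "allow"
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if direction is not None and pkt.direction != direction:
            continue
        if flags == "setup" and not (pkt.syn and not pkt.ack):  # SYN without ACK
            continue
        if flags == "established" and not pkt.ack:              # ACK (or RST) set
            continue
        if keep:
            dyn.add(frozenset((pkt.sport, pkt.dport)))
        return num, action
    raise RuntimeError("rule 65535 matches everything")

def trace_http_from_outside(rules):
    """Outside client's SYN to dagobah:80, then dagobah's SYN-ACK reply."""
    dyn = set()
    syn_in = Pkt(sport=40000, dport=80, direction="in", syn=True, ack=False)
    synack_out = Pkt(sport=80, dport=40000, direction="out", syn=True, ack=True)
    return first_match(syn_in, rules, dyn), first_match(synack_out, rules, dyn)
```

With the rules as posted the trace returns rule 00700 for the inbound SYN and 65535 for the reply, which matches the nonzero counters on 00700 and 65535 and the zero counter on 00701 in the ipfw show output; a connection dagobah opens itself passes through 00352 and then check-state in both variants.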