From owner-freebsd-isp Sun Oct 28 04:15:01 2001
Date: Sun, 28 Oct 2001 14:14:36 +0200
From: Johann Botha
To: freebsd-isp@freebsd.org
Subject: Re: punch_fw
Message-ID: <20011028141436.A549@blue.frogfoot.net>
References: <20011028011245.A7860@blue.frogfoot.net> <20011028171031.A76033@ns.morning.ru>
In-Reply-To: <20011028171031.A76033@ns.morning.ru>
User-Agent: Mutt/1.3.22i
Organization: Frogfoot Networks

Hi

> > could anybody please point me to some docs on using punch_fw to get active
> > ftp working using natd.
>
> Sorry, I'm coming with no ideas about `punch_fw' (what is it at all? :-) but
> ipnat (ipfilter's sister) does it okay.

man natd
------------< snip <------< snip <------< snip <------------
-punch_fw basenumber:count
        This option directs natd to `punch holes' in an ipfirewall(4)
        based firewall for FTP/IRC DCC connections.  This is done
        dynamically by installing temporary firewall rules which allow
        a particular connection (and only that connection) to go
        through the firewall.  The rules are removed once the
        corresponding connection terminates.  A maximum of count rules
        starting from the rule number basenumber will be used for
        punching firewall holes.  The range will be cleared for all
        rules on startup.
------------< snip <------< snip <------< snip <------------

I've used ipfilter's nat for active ftp; it worked well, but I would really
like to keep this box an ipfw box.

Some more info on what I would like to do (hoping somebody out there has a
working punch_fw setup):

I'm running FreeBSD 4.3 release, all the kernel configs are fine; the box has
been doing transparent proxy, logging etc. for some time now with no problems.

I would like to enable active ftp (allow ftp-data connections to get routed
back to my internal network), but I don't want to do this:

------------< snip <------< snip <------< snip <------------
#pass tcp from 66.8.28.48/29 1025-65535 to any 20,21 out xmit ed0
#pass tcp from any 20,21 to 66.8.28.48/29 1025-65535 in recv ed0
------------< snip <------< snip <------< snip <------------

This opens my network up to attacks coming from port 20, like:

nmap -g 20 -p 389 -sS 66.8.28.50

                 ____________
                |            |
  outside ----|ed0        ed1|----- [66.8.28.48/29] --- (66.8.28.50)
                |____________|

  ed0: 66.8.28.22
  ed1: 66.8.28.54

I would like my firewall to divert an ftp connection initiated by 66.8.28.50
to natd:

/etc/ipfw.rules
------------< snip <------< snip <------< snip <------------
divert 8668 tcp from any to any 20,21 via ed0
------------< snip <------< snip <------< snip <------------

Then it should alias this connection and send the traffic to the outside ftp
server as if it were initiated by 66.8.28.22:

root@pris:/# natd -punch_fw 0:16 -a 66.8.28.22 -v
------------< snip <------< snip <------< snip <------------
Out [TCP] [TCP] 66.8.28.50:4125 -> 66.8.28.1:21 aliased to
[TCP] 66.8.28.22:4125 -> 66.8.28.1:21
------------< snip <------< snip <------< snip <------------

Then the remote ftp server should respond to 66.8.28.22; this gets diverted to
natd, and natd passes the response to 66.8.28.50.

natd should now add a dynamic rule to allow ftp-data traffic to 66.8.28.22
(I think so anyway). I don't see these rules added? Should I be able to see
them with an "ipfw list"?

My ipfw setup also contains:

pass tcp from 66.8.28.22/32 to any 20,21 out xmit ed0

to allow nat'd traffic to get out, and:

pass tcp from any 20,21 to 66.8.28.22/32 in recv ed0

to allow traffic back to natd. In what order should these rules be?

------------< snip <------< snip <------< snip <------------
# FTP
divert 8668 tcp from any to any 20,21 via ed0
pass tcp from 66.8.28.22/32 to any 20,21 out xmit ed0
pass tcp from any 20,21 to 66.8.28.22/32 in recv ed0
------------< snip <------< snip <------< snip <------------

Using tcpdump I can see that outgoing requests reach the remote ftp server
translated so they look as if they come from 66.8.28.22, and traffic comes
back in to 66.8.28.22, but the traffic never goes to 66.8.28.50. I allow all
traffic via ed1, so I think natd is broken? It does not create the dynamic
punch rules and it does not route traffic back to the box initiating a
connection.

I've been looking at my ipfw logs; I don't see any deny/drops relating to what
natd should be doing.

Some example configs using natd/punch_fw with the ipfw rules to go with it
would be great!

Thanks.

--
Regards
Johann

"They mostly come at night, mostly" - Newt
______________________________________________________
Johann L. Botha           Debian GNU Jedi: joe@debian.org
+27.82.5626.167           PO Box 3472
joe@frogfoot.net          Matieland
workpage: http://www.frogfoot.net    Stellenbosch
homepage: http://blue.frogfoot.net   7602
ham: ZR1JOE                          South Africa
Copyright (c) 2001. The Sovereigns of Frogfoot. All rights reserved.
Disclaimer available upon request.
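The setup asked about above, as an added example that is not part of the original post and not the FreeBSD project's own documentation: an ipfw ruleset for the poster's topology together with the natd invocation it is built for. The interface names, addresses and divert port are taken from the post; the divert rule number (1000), the punch_fw range (2000:16) and the surrounding rule numbers are my choices. Two points the ruleset is arranged around: a divert rule that matches only destination ports 20,21 never sees the active-FTP data connection, which the server opens from port 20 to a high port on the alias address, so the divert here covers all traffic on ed0; and a packet that natd has translated is re-injected after the divert rule with its new addresses, so post-divert inbound rules match the inside network rather than the alias address, and the punch range is numbered after the divert rule.

```shell
#!/bin/sh
# Added example (not the poster's nor FreeBSD's own config).
# From the post: ed0 outside with 66.8.28.22, inside /29 behind ed1, natd on
# divert port 8668. My choices: divert rule 1000, punch_fw range 2000:16.

EXT_IF=ed0
EXT_IP=66.8.28.22
INT_IF=ed1
INT_NET=66.8.28.48/29
NATD_PORT=8668
DIVERT_RULE=1000
PUNCH_BASE=2000
PUNCH_COUNT=16

# The natd command line this ruleset expects to be running.
natd_cmdline() {
    echo "natd -punch_fw $PUNCH_BASE:$PUNCH_COUNT -a $EXT_IP -p $NATD_PORT"
}

# Print the rules in the form accepted by "ipfw <file>": one command per
# line, "#" comments. Nothing is applied here; see apply_rules.
emit_rules() {
    cat <<EOF
# The inside interface is trusted, as in the post.
add 100 allow ip from any to any via $INT_IF
# Everything crossing $EXT_IF goes to natd first, in both directions.
# "divert ... from any to any 20,21" would not cover active FTP: the server
# opens the data connection FROM port 20 TO a high port on $EXT_IP.
add $DIVERT_RULE divert $NATD_PORT ip from any to any via $EXT_IF
# Outbound, natd has already rewritten the source to $EXT_IP.
add 1100 allow tcp from $EXT_IP to any 20,21 out xmit $EXT_IF
# Inbound, natd has already rewritten the destination back to the inside
# host, so post-divert rules must match $INT_NET, not $EXT_IP.
# Control-channel replies only: "established" excludes a bare SYN.
add 1110 allow tcp from any 21 to $INT_NET in recv $EXT_IF established
# Rules $PUNCH_BASE-$((PUNCH_BASE + PUNCH_COUNT - 1)) are left empty for natd.
# natd adds a temporary allow rule pair here for one data connection at a
# time and deletes it when that connection closes. An inbound SYN from
# port 20 reaches this range only after de-aliasing, so a hole matches
# exactly the expected data connection and nothing else.
# Everything else from port 20 is refused and logged: the "nmap -g 20"
# case from the post ends up here.
add 3000 deny log tcp from any 20 to $INT_NET in recv $EXT_IF
add 65000 deny log ip from any to any
EOF
}

# Sanity check: the divert rule must precede the punch range, otherwise the
# holes are consulted before natd has translated the packet.
punch_range_after_divert() {
    n=$(emit_rules | awk '$1 == "add" && $3 == "divert" { print $2 }')
    [ -n "$n" ] && [ "$n" -lt "$PUNCH_BASE" ]
}

# Flush and load the ruleset. Needs root and an IPFIREWALL kernel; it is
# only defined here, not run.
apply_rules() {
    punch_range_after_divert || return 1
    tmp=$(mktemp /tmp/ipfw.XXXXXX) || return 1
    emit_rules | grep -v '^#' | grep -v '^$' > "$tmp"
    ipfw -q flush && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Start natd with the command natd_cmdline prints before loading the rules with apply_rules, so the divert socket is already listening. The holes natd punches are ordinary ipfw rules, so while a data transfer is in progress "ipfw list" shows the pair it added in the 2000-2015 range, and they are gone once the transfer ends; a SYN from port 20 that does not belong to such a transfer shows up in the log from rule 3000 instead.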