Date: Fri, 12 Apr 2002 22:55:00 +0300 (EEST)
From: Citt Pjaskh <citt@hot.ee>
To: security@freebsd.org
Subject: IPFW+nat.problem+advice?
Message-ID: <200204121955.WAA23236@sun1.hot.ee>
hello all,
I'm new to FreeBSD (4.4) and unfortunately ipfw's syntax remains a mystery for me for now and probably for quite a long time :). I do realize it's a bit outside security and more like a nat&ipfw howto question, but maybe there's someone out there with the appropriate knowledge to just run over the text without going deep into howtos and tutorials like me (without significant luck), and I can't experiment on that box either, so here goes:
I'm kind of trying to redirect (tcp, service ftp) an internet port (123.45.67.89:6666) to an internal lan port (192.168.1.111:6666) through freebsd ipfw with nat, but:
!Apr 12 17:20:52 server natd[185]: failed to write packet back (Permission denied)
current static rules for ipfw:
00100 614046 237558606 allow ip from any to any via lo0
00110 0 0 deny ip from any to 127.0.0.0/8
00120 0 0 deny ip from 127.0.0.0/8 to any
00211 0 0 allow tcp from 000.000.000.000 to any 22 in
00212 0 0 allow tcp from any 22 to 000.000.000.000 out
00221 13722891 11976856801 allow ip from 192.168.1.0/24 to 192.168.1.0/24 via fxp0
00226 19175 2647319 allow ip from 10.10.10.0/24 to 10.10.10.0/24 via fxp1
00230 5003575 668421565 allow tcp from 192.168.1.0/24 1024-65535 to any via fxp0
00250 2009728 217605591 allow tcp from 10.10.10.0/24 1024-65535 to any via fxp1
00501 62407 5744884 deny ip from any to 10.0.0.0/8 via wi0
00502 30 1440 deny ip from any to 172.16.0.0/12 via wi0
00601 0 0 deny ip from any to 0.0.0.0/8 via wi0
00602 293 35384 deny ip from any to 169.254.0.0/16 via wi0
00603 0 0 deny ip from any to 192.0.2.0/24 via wi0
00604 491059 28724175 deny ip from any to 224.0.0.0/4 via wi0
00605 798321 116391193 deny ip from any to 240.0.0.0/4 via wi0
01001 585 28763 allow tcp from any to 123.45.67.89 20-23,53
01002 71542 27302862 allow tcp from any to 123.45.67.89 25,113
01003 263148 26163248 allow tcp from any to 123.45.67.89 80
01004 3 164 allow tcp from any to 123.45.67.89 110,143
01005 125 6796 allow tcp from any to 123.45.67.89 6666
01010 84591 7147847 allow tcp from any to any 20-25,53,80,110,113 in
02001 5336012 409089310 divert 8668 ip from 192.168.1.0/24 to any via 123.45.67.89
02002 8615895 9126246102 divert 8668 ip from any to 123.45.67.89 via 123.45.67.89
02011 2245061 232307377 divert 8888 ip from 10.10.10.0/24 to any via wi0
02012 16073819 7952662742 divert 8888 ip from any to 234.56.78.90 via wi0
02150 0 0 allow tcp from 123.45.67.89 6666 to 192.168.1.111 6666
02151 0 0 allow tcp from 192.168.1.111 6666 to 123.45.67.89 6666
02200 120487 5980772 allow tcp from 123.45.67.89 to any setup
02201 3308220 197451028 allow tcp from 234.56.78.90 to any setup
02300 52560397 29315365992 allow tcp from any to any established
02400 0 0 allow ip from any to any frag
03502 0 0 allow tcp from any 20 to 192.168.0.0/24 setup
03990 4664 238680 deny log logamount 100 tcp from any to any in recv wi0 setup
04001 72286 7514697 allow udp from any 1024-65535,53 to any 53
04002 98 7448 allow udp from any 1024-65535 to any 123
04004 4546511 587215773 allow udp from any 1024-65535 to any 1024-65535 keep-state
04101 21045 3220087 allow udp from any 53 to any 1024-65535,53
04102 92 6992 allow udp from any 123 to any 1024-65535
05001 24872 1606653 allow icmp from any to any icmptype 0,3,4,8,11,12
65000 218113 27926926 deny log logamount 100 ip from any to any
65535 3 180 allow ip from any to any
@/etc/rc.conf:
firewall_enable="YES"
firewall_quiet="NO"
firewall_type="SIMPLE"
gateway_enable="YES"
natd_enable="YES"
natd_program="/etc/natstart"
natd_flags="-f /etc/natd.conf" # isn't this repeating what's in natstart?
natd_interface="123.45.67.89"
@/etc/natstart:
/sbin/natd -f /etc/natd.conf -a 123.45.67.89
/sbin/natd -f /etc/natd.aip.conf -p 8888 -a 234.56.78.90
@/etc/natd.conf
unregistered_only yes
same_ports yes
redirect_port tcp 192.168.1.111:6666 123.45.67.89:6666
#punch_fw 10000:999 (I'm about to add this here as well; is it right, or do these "FTP/IRC DCC punched holes" need additional configuration not covered in ipfw .. any experience/security related comments welcome?)
@/etc/natd.aip.conf
unregistered_only yes
same_ports yes
so I was wondering if someone could correct this setup for me .. sounds kind of lame, I know :(.
So this is it: I'm really stuck with this one (for weeks now), so I could use ANY help ...
thank you.
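To make the first-match ordering of the listing above concrete, here is a small added example (not code from the original post, nor from FreeBSD): a toy evaluator over an excerpt of the poster's rules that traces an Internet client's SYN as ipfw first sees it, and again as it would look after natd's redirect_port had rewritten it and written it back to the divert rule. The client address, its port and the interface name `ext0` are constructed assumptions.

```python
# Added illustration, not code from the original post: a toy first-match evaluator for a subset of
# ipfw(8) 'show' output. Only inbound, unfragmented packets are modelled; 'in' is therefore ignored.
import ipaddress

# Excerpt of the poster's rule set: the lines that decide the two traces below.
RULES_TEXT = """\
01005 125 6796 allow tcp from any to 123.45.67.89 6666
02002 8615895 9126246102 divert 8668 ip from any to 123.45.67.89 via 123.45.67.89
02150 0 0 allow tcp from 123.45.67.89 6666 to 192.168.1.111 6666
02200 120487 5980772 allow tcp from 123.45.67.89 to any setup
02300 52560397 29315365992 allow tcp from any to any established
02400 0 0 allow ip from any to any frag
03990 4664 238680 deny log logamount 100 tcp from any to any in recv wi0 setup
65000 218113 27926926 deny log logamount 100 ip from any to any"""

def parse_rule(line):
    """NUM PKTS BYTES ACTION [args] PROTO from SRC [SPORTS] to DST [DPORTS] [options]"""
    t = line.split()
    f = t.index("from")
    r = {"num": int(t[0]), "action": t[3], "proto": t[f - 1], "src": t[f + 1], "sports": None, "dports": None}
    i = f + 2
    if t[i] != "to":                      # optional source port list
        r["sports"], i = t[i], i + 1
    r["dst"], i = t[i + 1], i + 2
    if i < len(t) and t[i][0].isdigit():  # optional destination port list
        r["dports"], i = t[i], i + 1
    r["opts"] = t[i:]
    return r
def _addr(spec, a):
    return spec == "any" or ipaddress.ip_address(a) in ipaddress.ip_network(spec, strict=False)
def _ports(spec, p):  # spec is None, "6666", "20-23,53", "1024-65535,53", ...
    return spec is None or any(int(lo) <= p <= int(hi or lo) for lo, _, hi in (x.partition("-") for x in spec.split(",")))
def matches(r, pkt):
    o = r["opts"]
    ok = r["proto"] in ("ip", pkt["proto"]) and _addr(r["src"], pkt["src"]) and _addr(r["dst"], pkt["dst"])
    ok = ok and _ports(r["sports"], pkt["sport"]) and _ports(r["dports"], pkt["dport"])
    for kw in ("via", "recv"):  # an interface may be named or given by its address
        ok = ok and (kw not in o or o[o.index(kw) + 1] in pkt["iface"])
    return ok and "frag" not in o and ("setup" not in o or pkt["setup"]) and ("established" not in o or not pkt["setup"])
def first_match(rules, pkt, after=0):
    """First matching rule numbered above 'after'; after=N mimics a packet natd wrote back to divert rule N."""
    return next(((r["num"], r["action"]) for r in rules if r["num"] > after and matches(r, pkt)), None)

RULES = [parse_rule(l) for l in RULES_TEXT.splitlines()]
SYN = {"proto": "tcp", "src": "198.51.100.7", "sport": 40000, "dst": "123.45.67.89", "dport": 6666,
       "setup": True, "iface": ("ext0", "123.45.67.89")}  # constructed client SYN; 'ext0' is an assumed interface name
def trace_as_received():    # rule 01005 accepts the SYN before rule 02002 can divert it to natd
    return first_match(RULES, SYN)
def trace_after_redirect(): # the SYN as natd's redirect_port would write it back: rule 02150 does not match it
    return first_match(RULES, dict(SYN, dst="192.168.1.111"), after=2002)
```

The first trace stops at rule 01005, so the divert rule never hands the connection to natd; the second shows that, once diverted and translated, the packet would fall through to the final deny, which is the condition under which natd logs "failed to write packet back (Permission denied)".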