Date: Fri, 12 Apr 2002 22:55:00 +0300 (EEST)
From: Citt Pjaskh <citt@hot.ee>
To: security@freebsd.org
Subject: IPFW+nat.problem+advice?
Message-ID: <200204121955.WAA23236@sun1.hot.ee>
hello all,

I'm new to FreeBSD (4.4) and unfortunately ipfw's syntax remains a mystery for me for now and probably for quite a long time :).

I do realize it's a bit out of security and more like a nat&ipfw howto question, but maybe there's someone out there with appropriate knowledge to just run over the text without going deep into howtos and tutorials like me (without significant luck), and I can't experiment on that box either, so here goes:

I'm kind of trying to redirect (tcp, service ftp) internet port (123.45.67.89:6666) to internal lan port (192.168.1.111:6666) through freebsd ipfw with nat but:

!Apr 12 17:20:52 server natd[185]: failed to write packet back (Permission denied)

current static rules for ipfw:

00100 614046 237558606 allow ip from any to any via lo0
00110 0 0 deny ip from any to 127.0.0.0/8
00120 0 0 deny ip from 127.0.0.0/8 to any
00211 0 0 allow tcp from 000.000.000.000 to any 22 in
00212 0 0 allow tcp from any 22 to 000.000.000.000 out
00221 13722891 11976856801 allow ip from 192.168.1.0/24 to 192.168.1.0/24 via fxp0
00226 19175 2647319 allow ip from 10.10.10.0/24 to 10.10.10.0/24 via fxp1
00230 5003575 668421565 allow tcp from 192.168.1.0/24 1024-65535 to any via fxp0
00250 2009728 217605591 allow tcp from 10.10.10.0/24 1024-65535 to any via fxp1
00501 62407 5744884 deny ip from any to 10.0.0.0/8 via wi0
00502 30 1440 deny ip from any to 172.16.0.0/12 via wi0
00601 0 0 deny ip from any to 0.0.0.0/8 via wi0
00602 293 35384 deny ip from any to 169.254.0.0/16 via wi0
00603 0 0 deny ip from any to 192.0.2.0/24 via wi0
00604 491059 28724175 deny ip from any to 224.0.0.0/4 via wi0
00605 798321 116391193 deny ip from any to 240.0.0.0/4 via wi0
01001 585 28763 allow tcp from any to 123.45.67.89 20-23,53
01002 71542 27302862 allow tcp from any to 123.45.67.89 25,113
01003 263148 26163248 allow tcp from any to 123.45.67.89 80
01004 3 164 allow tcp from any to 123.45.67.89 110,143
01005 125 6796 allow tcp from any to 123.45.67.89 6666
01010 84591 7147847 allow tcp from any to any 20-25,53,80,110,113 in
02001 5336012 409089310 divert 8668 ip from 192.168.1.0/24 to any via 123.45.67.89
02002 8615895 9126246102 divert 8668 ip from any to 123.45.67.89 via 123.45.67.89
02011 2245061 232307377 divert 8888 ip from 10.10.10.0/24 to any via wi0
02012 16073819 7952662742 divert 8888 ip from any to 234.56.78.90 via wi0
02150 0 0 allow tcp from 123.45.67.89 6666 to 192.168.1.111 6666
02151 0 0 allow tcp from 192.168.1.111 6666 to 123.45.67.89 6666
02200 120487 5980772 allow tcp from 123.45.67.89 to any setup
02201 3308220 197451028 allow tcp from 234.56.78.90 to any setup
02300 52560397 29315365992 allow tcp from any to any established
02400 0 0 allow ip from any to any frag
03502 0 0 allow tcp from any 20 to 192.168.0.0/24 setup
03990 4664 238680 deny log logamount 100 tcp from any to any in recv wi0 setup
04001 72286 7514697 allow udp from any 1024-65535,53 to any 53
04002 98 7448 allow udp from any 1024-65535 to any 123
04004 4546511 587215773 allow udp from any 1024-65535 to any 1024-65535 keep-state
04101 21045 3220087 allow udp from any 53 to any 1024-65535,53
04102 92 6992 allow udp from any 123 to any 1024-65535
05001 24872 1606653 allow icmp from any to any icmptype 0,3,4,8,11,12
65000 218113 27926926 deny log logamount 100 ip from any to any
65535 3 180 allow ip from any to any

@/etc/rc.conf:

firewall_enable="YES"
firewall_quiet="NO"
firewall_type="SIMPLE"
gateway_enable="YES"
natd_enable="YES"
natd_program="/etc/natstart"
natd_flags="-f /etc/natd.conf"    #isn't this repeating what's in natstart ?
natd_interface="123.45.67.89"

@/etc/natstart:

/sbin/natd -f /etc/natd.conf -a 123.45.67.89
/sbin/natd -f /etc/natd.aip.conf -p 8888 -a 234.56.78.90

@/etc/natd.conf

unregistered_only yes
same_ports yes
redirect_port tcp 192.168.1.111:6666 123.45.67.89:6666
#punch_fw 10000:999

(I'm about to add this here as well, is it right, or does this "FTP/IRC DCC punched holes" need additional configurations not covered in ipfw .. any experience/security related comments welcome ?)

@/etc/natd.aip.conf

unregistered_only yes
same_ports yes

so I was wondering if someone could correct this setup for me .. sounds kind of lame, I know :(.

So this is it: I'm really stuck with this one (for weeks now), so I could use ANY help ... thank you.

-----------------------------------------
Search for private persons' and companies' contact details - the information you need, quickly and immediately available!
http://www.hot.ee
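The rule order in the mail explains the symptom: rule 01005 accepts a packet addressed to 123.45.67.89:6666 before divert rule 02002 can hand it to natd, and rules 02150/02151 match a source of 123.45.67.89 port 6666, which a client's SYN never carries, so a packet natd does rewrite to 192.168.1.111:6666 falls through to the 65000 deny. The kernel then refuses natd's write of the rewritten packet with EACCES, which natd prints as "failed to write packet back (Permission denied)". The following is an added example, written for this page and not the poster's configuration nor FreeBSD's rc.firewall, of a minimal rc.firewall-style ruleset in which the divert runs first and the allow names the translated inside address. It assumes "ext0" for the interface that carries 123.45.67.89 (the mail never names it), fxp0 for the 192.168.1.0/24 side as in the mail, and sets fwcmd to a dry run so it prints the ipfw commands instead of loading them.

```shell
#!/bin/sh
# Added example: not the original poster's rules and not FreeBSD's rc.firewall.
# Assumptions: "ext0" stands for whichever interface carries 123.45.67.89 (the
# mail never names it); fxp0 is the 192.168.1.0/24 side, as in the mail.
# fwcmd is a dry run so the script prints the rules it would load; on the
# gateway it would be fwcmd="/sbin/ipfw".
fwcmd="echo /sbin/ipfw"
ext_if="ext0"              # assumption, see above
ext_ip="123.45.67.89"
int_if="fxp0"
int_net="192.168.1.0/24"
ftp_host="192.168.1.111"
ftp_port="6666"
natd_port="8668"

# Emit the rules in evaluation order. natd is started as in the mail:
#   /sbin/natd -f /etc/natd.conf -a 123.45.67.89
# with "redirect_port tcp 192.168.1.111:6666 123.45.67.89:6666" in natd.conf.
nat_redirect_rules() {
    # 1. Hand every packet crossing the external interface to natd before any
    #    allow/deny rule can match it. For a SYN to 123.45.67.89:6666 natd
    #    rewrites the destination to 192.168.1.111:6666 and the kernel resumes
    #    the ruleset at the next rule with the rewritten packet.
    ${fwcmd} add 2000 divert ${natd_port} ip from any to any via ${ext_if}

    # 2. The rewritten SYN now reads "from <client> to 192.168.1.111 6666", so
    #    this is the rule it must hit. Without a direction it matches both the
    #    inbound pass on ext_if and the outbound pass on fxp0. If no rule
    #    matches, the final deny drops it and natd reports the write as
    #    "Permission denied" (EACCES).
    ${fwcmd} add 2150 allow tcp from any to ${ftp_host} ${ftp_port} setup

    # 3. Everything after the handshake, in both directions, including the
    #    server's replies once natd has mapped their source back to ext_ip.
    ${fwcmd} add 2300 allow tcp from any to any established

    # 4. Inside hosts opening connections outward: the SYN is seen first on
    #    fxp0 with its private source, then on ext_if after natd has rewritten
    #    the source to ext_ip, so each pass needs its own rule.
    ${fwcmd} add 2400 allow tcp from ${int_net} to any setup in via ${int_if}
    ${fwcmd} add 2401 allow tcp from ${ext_ip} to any setup out via ${ext_if}

    # 5. Any other inbound connection attempt on the external side is logged
    #    and dropped, and the catch-all deny closes the set.
    ${fwcmd} add 3990 deny log tcp from any to any in via ${ext_if} setup
    ${fwcmd} add 65000 deny log ip from any to any
}

# Number of rules the function would load (used for a self-check).
rule_count() {
    nat_redirect_rules | grep -c '^/sbin/ipfw add'
}

nat_redirect_rules
```

Run as-is it only prints the seven ipfw commands; with fwcmd="/sbin/ipfw" and ext0 replaced by the real interface it loads them. The same ordering constraint applies to the punch_fw line the poster is considering: natd adds the punched rules at the numbers given, so 10000:999 would land between rule 05001 and the 65000 deny, which is where a punched rule has to sit to be reached before the final deny.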