Date:      Sun, 16 Jun 2002 22:44:40 -0400
From:      grimm <grimm@planetquake.com>
To:        "Nielsen" <nielsen@memberwebs.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: ipfw-ntad-jail
Message-ID:  <20020616224440.46dcdfaa.grimm@planetquake.com>
In-Reply-To: <200206170035.g5H0Zr3g029046@mail2.gamespy.com>
References:  <20020616134201.529b01aa.grimm@planetquake.com> <200206170035.g5H0Zr3g029046@mail2.gamespy.com>

Greetings Nielsen,

On Sun, 16 Jun 2002 17:35:53 -0700
"Nielsen" <nielsen@memberwebs.com> wrote:

> Hmmm, first of all (and maybe you've done this) you need to alias the
> jail's ip on your network card. 

	Yes, I have aliased the ip to the network card
	with ifconfig.

>Secondly make sure that
> "net.inet.ip.fw.one_pass" is set to 1 (the default). Otherwise
> diverted packets will continue down the fire wall after the divert
> rule.

	It's on my list of things to do. That could definitely be
a huge problem, if the diverted packets were then being chewed up
by a firewall rule.

 
> Lastly, I would check that the packets are in fact getting NAT'd in.
> It may be the out that's the problem. 

	How do I check that?

>I think in addition to the
> redirect_tcp you also have to do a proper NAT thing. In my
> understanding, redirections open holes to let stuff in, but for the
> packets to get back out proper Natting is required. OTOH, most of my
> experience is with ipnat, so I'm not sure here.

	I am not sure if there is a proper nat thing required, because
from within the machine, I can ssh and telnet to the jail no problem.
Do you think, given that it works from within, that it could still be
a problem?

	I am trying right now, just to figure out why my web server,
and ssh on the host (dagobah) aren't responding. It seems like there
is something fundamentally wrong with my firewall rules.

	No one has been able to pinpoint an exact major problem that
could cause this. I think once I fix that, I could then concentrate
on the jail issue. But right now, the simplest thing isn't working!

	cheers,

	__
	Andrew

> ----- Original Message -----
> From: "grimm" <grimm@planetquake.com>
> To: <freebsd-security@freebsd.org>
> Sent: Sunday, June 16, 2002 11:42
> Subject: ipfw-ntad-jail
> 
> 
> > Greetings,
> >
> > Ok, so I setup IPFW and NATd on my freeBSD 4.5-RELEASE box,
> > where I configured a jail environment. Here are some details for
> > first time readers:
> >
> > I have a host computer called dagobah, which
> > runs a virtual system in a jailed environment, called
> > darkside. This system is running FreeBSD 4.5-RELEASE.
> >
> > host (dagobah) xl0 IP 143.XX.XX.238
> >      jail (darkside) IP alias to xl0 (192.168.200.13)
> >
> > What had happened is that once I setup IPFW, I could no
> > longer connect (DNS lookup failure was causing huge delay
> > on connect) to my jail (darkside).
> >
> > My other problem was making it possible to connect to
> > these services from the outside world:
> >
> > host (dagobah)
> >     allow ftp (port 21)
> >     allow www (port 80)
> >     allow ssh (port 777)
> >
> > jail (darkside)
> >     allow ssh (port 22)
> >
> >     with natd forwarding all requests dagobah received on port 22
> >     to the jail's sshd.
> >
> >     Everything else should be blocked.
> >
> > ===========  question    =====================================
> >
> > My DNS lookup problem with IPFW running is now solved, internally
> > I can connect to my jail without any problem.
> >
> > However, I can't connect from the outside world to my host
> > (dagobah). I have tried to view the web page, as well as telnet and
> > both don't connect. Although I do see in the IPFW SHOW output that
> > some stuff seems to be reaching my port 80.
> >
> > I would really appreciate it if someone could look at my configs
> > and point out my mistake. I have pretty much just learned how to
> > do this stuff, and I may have missed something obvious!
> >
> > --------------
> >
> > # rc.conf
> > #
> > hostname="dagobah.somewhere.ca"
> > ifconfig_xl0="inet 142.XX.XX.238 netmask 255.255.255.0"
> > defaultrouter="142.XX.XX.254"
> > inetd_enable="YES"
> > kern_securelevel_enable="NO"
> > linux_enable="YES"
> > moused_enable="YES"
> > nfs_reserved_port_only="YES"
> > sendmail_enable="NO"
> > sshd_enable="YES"
> > usbd_enable="YES"
> > quota_enable="YES"
> > check_quotas="YES"
> > firewall_enable="YES"
> > firewall_script="/etc/rc.firewall"
> > firewall_type="/etc/ipfw.rules"
> > gateway_enable="YES"
> > natd_enable="YES"
> > natd_interface="xl0"
> > natd_flags="-config /etc/natd_rules"
> > inetd_flags="-wW -a 142.XX.XX.238"
> > portmap_enable="NO"
> > syslogd_flags="-ss"
> >
> >
> > --------------
> >
> > #
> > # natd config (/etc/natd_config)
> > #
> > redirect_port tcp 192.168.200.13:22 22
> >
> >
> > --------------
> >
> > #
> > # my ipfw.rules (additional to rc.firewall defaults)
> > #
> > #make sure natd gets a hold of the packets prior to FIREWALL
> > add 00320 divert natd all from any to any via xl0
> > #
> > #
> > # from man 8 ipfw: allow only outbound TCP connections I've created
> > add 00350 check-state
> > add 00351 deny tcp from any to any in established
> > add 00352 allow tcp from any to any out setup keep-state
> > #
> > #
> > #allow DNS
> > add 00400 allow udp from 142.XX.XX.1 to any in recv xl0
> > add 00401 allow udp from 142.XX.XX.2 to any in recv xl0
> > add 00402 allow udp from 142.XX.XX.3 to any in recv xl0
> > add 00403 allow udp from any to any out
> > #
> > #allow some ICMP types (codes not supported)
> > ## allow path-mtu in both directions
> > add 00600 allow icmp from any to any icmptypes 3
> > ## allow source quench in and out
> > add 00601 allow icmp from any to any icmptypes 4
> > ## allow me to ping out and receive response back
> > add 00602 allow icmp from any to any icmptypes 8 out
> > add 00603 allow icmp from any to any icmptypes 0 in
> > ## allow me to traceroute
> > #
> > # when I traceroute, I send out UDP packets (rule 00403)
> > #
> > add 00604 allow icmp from any to any icmptypes 11 in
> > #
> > #
> > # enable www server on dagobah (142.XX.XX.238)
> > add 00700 allow tcp from any to any 80 in via xl0
> > add 00701 allow tcp from any to any 80 out via xl0
> > #
> > #
> > # enable ssh server on dagobah (142.XX.XX.238)
> > add 00702 allow tcp from any to any 777 in via xl0
> > add 00703 allow tcp from any to any 777 out via xl0
> > #
> > #
> > # enable ssh server on darkside (142.XX.XX.238)
> > add 00704 allow tcp from any to any 22 in via xl0
> > add 00705 allow tcp from any to any 22 out via xl0
> >
> >
> > --------------
> >
> > OUTPUT OF THE IPFW SHOW command
> >
> > 00100   0     0 allow ip from any to any via lo0
> > 00200   0     0 deny ip from any to 127.0.0.0/8
> > 00300   0     0 deny ip from 127.0.0.0/8 to any
> > 00320 171 34652 divert 8668 ip from any to any via xl0
> > 00350   0     0 check-state
> > 00351   0     0 deny tcp from any to any in established
> > 00352  78  8668 allow tcp from any to any keep-state out setup
> > 00400   2   482 allow udp from 142.XX.XX.1 to any in recv xl0
> > 00401   0     0 allow udp from 142.XX.XX.2 to any in recv xl0
> > 00402   0     0 allow udp from 142.XX.XX.3 to any in recv xl0
> > 00403   2   120 allow udp from any to any out
> > 00600   0     0 allow icmp from any to any icmptype 3
> > 00601   0     0 allow icmp from any to any icmptype 4
> > 00602   0     0 allow icmp from any to any out icmptype 8
> > 00603   0     0 allow icmp from any to any in icmptype 0
> > 00604   0     0 allow icmp from any to any in icmptype 11
> > 00700   3   144 allow tcp from any to any 80 in recv xl0
> > 00701   0     0 allow tcp from any to any 80 out xmit xl0
> > 00702   0     0 allow tcp from any to any 777 in recv xl0
> > 00703   0     0 allow tcp from any to any 777 out xmit xl0
> > 00704   0     0 allow tcp from any to any 22 in recv xl0
> > 00705   0     0 allow tcp from any to any 22 out xmit xl0
> > 65535  86 25238 deny ip from any to any
> >
> > __
> > grimm
> >
> >
> 

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
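The counters in the show output above are enough to trace what ipfw does with a connection to the web server, so here is an added example (mine, not code from the thread or from FreeBSD) that models ipfw's first-match evaluation for the subset of syntax the posted ruleset uses: in/out, setup, established, check-state/keep-state and port matching. It assumes a single interface (so via/recv/xmit xl0 always match), that natd hands a packet with no applicable redirect back unchanged and the search resumes at the rule after the divert, and that 65535 is the default deny; the client address is constructed. Run over the posted TCP rules, the client's SYN is allowed by 700, the server's SYN/ACK matches neither 352 (it carries ACK, so it is not a setup packet) nor 701 (that rule matches destination port 80, but the reply's destination port is the client's), and falls to 65535, and the client's ACK is then dropped by 351 as an inbound established packet. That is consistent with the 3 packets on 700, none on 701 and the large count on 65535. The FIXED ruleset shows one correction: make 700 a setup keep-state rule so the dynamic rule carries the rest of the connection.

```python
"""Toy first-match evaluator for the ipfw(8) subset in the posted ruleset.
Added example for this page, not FreeBSD code and not from the thread. Modelled:
in/out, 'setup' (SYN, no ACK), 'established' (ACK or RST), check-state and
keep-state dynamic rules, ports, 'any' and 'me'. Assumed: a single interface, so
via/recv/xmit xl0 always match; natd returns the diverted packet unchanged (no
redirect covers port 80) and the search resumes at the next rule; 65535 is deny."""
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

HOST = "142.XX.XX.238"   # dagobah, as masked in the thread
CLIENT = "203.0.113.5"   # constructed client address (RFC 5737 documentation range)

# flags: letters from "SAR" (SYN, ACK, RST); direction: "in" or "out"
Pkt = namedtuple("Pkt", "proto src sport dst dport direction flags")


@dataclass
class Rule:
    num: int
    action: str                        # allow | deny | divert | check-state
    proto: str = "ip"
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None
    setup: bool = False
    established: bool = False
    keep_state: bool = False


def parse(line: str) -> Rule:
    """Parse 'add NUM ACTION [PORT] PROTO from SRC [PORT] to DST [PORT] OPTIONS'."""
    t = line.split()
    r = Rule(num=int(t[1]), action=t[2])
    if r.action == "check-state":
        return r
    i = 4 if r.action == "divert" else 3   # divert names its socket port first
    r.proto, i = t[i], i + 2               # then skip 'from'
    r.src, i = t[i], i + 1
    if t[i].isdigit():
        r.sport, i = int(t[i]), i + 1
    i += 1                                 # skip 'to'
    r.dst, i = t[i], i + 1
    if i < len(t) and t[i].isdigit():
        r.dport, i = int(t[i]), i + 1
    for opt in t[i:]:                      # via/recv/xmit and interface names are ignored
        if opt in ("in", "out"):
            r.direction = opt
        elif opt in ("setup", "established"):
            setattr(r, opt, True)
        elif opt == "keep-state":
            r.keep_state = True
    return r


def _addr(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr or (spec == "me" and addr == HOST)


def matches(r: Rule, p: Pkt) -> bool:
    """Static match of one rule against one packet; rule order is the caller's job."""
    return (r.proto in ("ip", "all", p.proto)
            and (r.direction is None or r.direction == p.direction)
            and _addr(r.src, p.src) and _addr(r.dst, p.dst)
            and (r.sport is None or r.sport == p.sport)
            and (r.dport is None or r.dport == p.dport)
            and (not r.setup or ("S" in p.flags and "A" not in p.flags))
            and (not r.established or "A" in p.flags or "R" in p.flags))


def _flow(p: Pkt) -> FrozenSet[Tuple[str, int]]:
    """Direction-agnostic key for the dynamic (keep-state) table."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class Firewall:
    def __init__(self, lines: List[str]) -> None:
        self.rules = sorted((parse(l) for l in lines), key=lambda r: r.num)
        self.dynamic: Dict[FrozenSet[Tuple[str, int]], int] = {}   # flow -> parent rule

    def evaluate(self, p: Pkt) -> Tuple[str, int]:
        """Return (action, rule number) that decided the packet."""
        for r in self.rules:
            # The dynamic table is consulted at the first check-state or keep-state rule.
            if (r.action == "check-state" or r.keep_state) and _flow(p) in self.dynamic:
                return ("allow", self.dynamic[_flow(p)])
            if r.action == "check-state" or not matches(r, p):
                continue
            if r.action == "divert":
                continue                   # natd reinjects; search resumes at the next rule
            if r.keep_state:
                self.dynamic[_flow(p)] = r.num
            return (r.action, r.num)
        return ("deny", 65535)


def handshake(lines: List[str]) -> List[Tuple[str, int]]:
    """Client SYN, server SYN/ACK, client ACK for a connection to dagobah:80."""
    fw = Firewall(lines)
    return [fw.evaluate(p) for p in (
        Pkt("tcp", CLIENT, 40000, HOST, 80, "in", "S"),
        Pkt("tcp", HOST, 80, CLIENT, 40000, "out", "SA"),
        Pkt("tcp", CLIENT, 40000, HOST, 80, "in", "A"))]


# The TCP-relevant rules exactly as posted in the thread.
POSTED = [
    "add 00320 divert natd all from any to any via xl0",
    "add 00350 check-state",
    "add 00351 deny tcp from any to any in established",
    "add 00352 allow tcp from any to any out setup keep-state",
    "add 00700 allow tcp from any to any 80 in via xl0",
    "add 00701 allow tcp from any to any 80 out via xl0",
]

# One fix (mine, not from the thread): let the inbound SYN to the web server
# create a dynamic rule, so the SYN/ACK and later ACKs match at check-state
# instead of falling through to 351 and 65535.
FIXED = POSTED[:4] + ["add 00700 allow tcp from any to me 80 in via xl0 setup keep-state"]
```

handshake(POSTED) returns allow at 700, deny at 65535, deny at 351; handshake(FIXED) returns allow at 700 for all three packets. The same reasoning applies to the 777 and 22 rules, since 703 and 705 also match the destination port of the reply rather than its source port; the redirect_port rewrite for the jail is not modelled here.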



