Date: Sat, 4 Nov 2000 17:24:56 -0500
From: "John Telford" <j.telford@sympatico.ca>
To: <security@freebsd.org>
Subject: Natd redirect address not working in 4.1.1 Help Please ??
Message-ID: <001b01c046ae$0f8608b0$0100000a@johnny5>
This is a bit long but I've been working on it for a day now so I have lots of
info:
What I want: 1 server inside the firewall to have a public IP address. My BSD
guru (he's away right now) set it up on a 3.4 box and it works fine, now I'm
trying to do it on a 4.1.1 box and followed his example. It doesn't work, after
much troubleshooting I can tell you this.
If I ping from the private box (Private1) to a remote public box (R1) I can see the
packets (using tcpdump) leave the firewall with the redirected address, they
arrive at R1 and R1 responds to the redirected address (RA). The packets NEVER
return to the firewall.
If I traceroute from R1 to RA it stops at the firewall ISP's (Nexxia) routers.
If I traceroute from Private1 to R1 I hit the inside NIC of the firewall and no more.
Here are my rules, .conf files, even the part I added to GENERIC and recompiled.
(IP numbers have been changed to protect the innocent):
TEMfw3# ipfw show
00050 11 1344 divert 8668 ip from any to any via fxp0
00100 10 988 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
65000 165 11960 allow ip from any to any
65535 0 0 allow ip from any to any
TEMfw3#
TEMfw3# more rc.conf
# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.
# Enable network daemons for user convenience.
# -- sysinstall generated deltas -- #
sendmail_enable="NO"
gateway_enable="YES"
sshd_enable="YES"
inetd_enable="YES"
##############################################################
### Network configuration sub-section ######################
##############################################################
### Basic network and firewall/security options: ###
hostname="TEMfw3" # Set this!
firewall_enable="YES" # Set to YES to enable firewall functionality
firewall_type="OPEN" # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO" # Set to YES to suppress rule display
firewall_logging="YES"
natd_enable="YES" # Enable natd (if firewall_enable == YES).
natd_interface="fxp0" # Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf"
network_interfaces="auto" # List of network interfaces (or "auto").
ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
ifconfig_fxp0="inet 216.208.171.XXX netmask 255.255.255.224"
ifconfig_fxp1="inet 10.150.0.241 netmask 255.255.255.0"
#
named_enable="YES" # Run named, the DNS server (or NO).
defaultrouter="216.208.171.XXX"
TEMfw3#
TEMfw3# more natd.conf
redirect_address 10.150.0.143 216.208.171.XXX
TEMfw3#
For my kernel I just pull the section out of LINT and go.
#
# IPFIREWALL enables support for IP firewall construction, in
# conjunction with the `ipfw` program. IPFIREWALL_VERBOSE sends
# logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT
# limits the number of times a matching entry can be logged.
#
# WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any"
# and if you do not add other rules during startup to allow access,
# YOU WILL LOCK YOURSELF OUT. It is suggested that you set firewall_type=open
# in /etc/rc.conf when first enabling this feature, then refining the
# firewall rules in /etc/rc.firewall after you've tested that the new kernel
# feature works properly.
#
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
# allow everything. Use with care, if a cracker can crash your
# firewall machine, they can get to your protected machines. However,
# if you are using it as an as-needed filter for specific problems as
# they arise, then this may be for you. Changing the default to `allow`
# means that you won't get stuck if the kernel and /sbin/ipfw binary get
# out of sync.
#
# IPDIVERT enables the divert IP sockets, used by ``ipfw divert``
#
# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the ttl). This can be useful to hide firewalls
# from traceroute and similar tools.
#
# TCPDEBUG is undocumented.
#
options TCP_COMPAT_42 #emulate 4.2BSD TCP bugs
options MROUTING # Multicast routing
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #print information about
# dropped packets
options IPFIREWALL_FORWARD #enable transparent proxy support
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPDIVERT #divert sockets
options IPFILTER #ipfilter support
options IPFILTER_LOG #ipfilter logging
options IPSTEALTH #support for stealth forwarding
options TCPDEBUG
# The following options add sysctl variables for controlling how certain
# TCP packets are handled.
#
# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
# for RFC1644 extensions and is not recommended for web servers.
#
# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
# or any system which one does not want to be easily portscannable.
#
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
options TCP_RESTRICT_RST #restrict emission of TCP RST
# ICMP_BANDLIM enables icmp error response bandwidth limiting. You
# typically want this option as it will help protect the machine from
# D.O.S. packet attacks.
#
options "ICMP_BANDLIM"
# DUMMYNET enables the "dummynet" bandwidth limiter. You need
# IPFIREWALL as well. See the dummynet(4) manpage for more info.
# BRIDGE enables bridging between ethernet cards -- see bridge(4).
# You can use IPFIREWALL and dummynet together with bridging.
options DUMMYNET
options BRIDGE
TEMfw3#
This is how it looks on the 3.4 box too. Could it be that the DSL ISP is
blocking something ?? My 3.4 box is on a different ISP.
John...
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?001b01c046ae$0f8608b0$0100000a>
