From owner-freebsd-security Sat Nov 4 14:29: 3 2000 Delivered-To: freebsd-security@freebsd.org Received: from tomts6-srv.bellnexxia.net (smtp.bellnexxia.net [209.226.175.26]) by hub.freebsd.org (Postfix) with ESMTP id A21C137B479 for ; Sat, 4 Nov 2000 14:28:52 -0800 (PST) Received: from johnny5 ([64.229.47.182]) by tomts6-srv.bellnexxia.net (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20001104222849.PDFS10530.tomts6-srv.bellnexxia.net@johnny5> for ; Sat, 4 Nov 2000 17:28:49 -0500 Message-ID: <001b01c046ae$0f8608b0$0100000a@johnny5> Reply-To: "John Telford" From: "John Telford" To: Subject: Natd redirect address not working in 4.1.1 Help Please ?? Date: Sat, 4 Nov 2000 17:24:56 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0018_01C04684.2689B400" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_0018_01C04684.2689B400 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable This is a bit long but I`ve been working on it for a day now so I have = lots of=20 info: What I want: 1 server inside the firewall to have a public IP address. = My BSD=20 guru (he`s away right now) set it up on a 3.4 box and it works fine, now = I`m=20 trying to do it on a 4.1.1 box and followed his example. It doesn`t = work, after=20 much trouble shooting I can tell you this. =20 If I ping from the private box (Private1) to a remote public box (R1) I = can see the=20 packets (using tcpdump) leave the firewall with the redirected address, = they=20 arrive at R1 and R1 responds to the redirected address (RA). The packets = NEVER=20 return to the firewall. If I traceroute from R1 to RA it stops at the firewall ISP`s (Nexxia) = routers.=20 If I traceroute from Private1 to R1 I hit the inside NIC of the firewall = and no more. Here are my rules, .conf files, even the part I added to GENERIC and = recompiled. (IP numbers have been changed to protect the innocent): TEMfw3# ipfw show 00050 11 1344 divert 8668 ip from any to any via fxp0 00100 10 988 allow ip from any to any via lo0 00200 0 0 deny ip from any to 127.0.0.0/8 65000 165 11960 allow ip from any to any 65535 0 0 allow ip from any to any TEMfw3# TEMfw3# more rc.conf # This file now contains just the overrides from /etc/defaults/rc.conf # please make all changes to this file. # Enable network daemons for user convenience. # -- sysinstall generated deltas -- # sendmail_enable=3D"NO" gateway_enable=3D"YES" sshd_enable=3D"YES" inetd_enable=3D"YES" ############################################################## ### Network configuration sub-section ###################### ############################################################## ### Basic network and firewall/security options: ### hostname=3D"TEMfw3" # Set this! firewall_enable=3D"YES" # Set to YES to enable firewall = functionality firewall_type=3D"OPEN" # Firewall type (see /etc/rc.firewall) firewall_quiet=3D"NO" # Set to YES to suppress rule display firewall_logging=3D"YES" natd_enable=3D"YES" # Enable natd (if firewall_enable = =3D=3D YES). natd_interface=3D"fxp0" # Public interface or IPaddress to = use. natd_flags=3D"-f /etc/natd.conf" network_interfaces=3D"auto" # List of network interfaces (or = "auto"). ifconfig_lo0=3D"inet 127.0.0.1" # default loopback device = configuration. ifconfig_fxp0=3D"inet 216.208.171.XXX netmask 255.255.255.224" ifconfig_fxp1=3D"inet 10.150.0.241 netmask 255.255.255.0" # named_enable=3D"YES" # Run named, the DNS server (or NO). defaultrouter=3D"216.208.171.XXX" TEMfw3# TEMfw3# more natd.conf redirect_address 10.150.0.143 216.208.171.XXX TEMfw3# From my kernal I just pull the section out of LINT and go.=20 # # IPFIREWALL enables support for IP firewall construction, in # conjunction with the `ipfw` program. IPFIREWALL_VERBOSE sends # logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT # limits the number of times a matching entry can be logged. # # WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any" # and if you do not add other rules during startup to allow access, # YOU WILL LOCK YOURSELF OUT. It is suggested that you set = firewall_type=3Dopen # in /etc/rc.conf when first enabling this feature, then refining the # firewall rules in /etc/rc.firewall after you`ve tested that the new = kernel # feature works properly. # # IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to # allow everything. Use with care, if a cracker can crash your # firewall machine, they can get to your protected machines. However, # if you are using it as an as-needed filter for specific problems as # they arise, then this may be for you. Changing the default to `allow` # means that you won`t get stuck if the kernel and /sbin/ipfw binary get # out of sync. # # IPDIVERT enables the divert IP sockets, used by ``ipfw divert`` # # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding # packets without touching the ttl). This can be useful to hide = firewalls # from traceroute and similar tools. # # TCPDEBUG is undocumented. # options TCP_COMPAT_42 #emulate 4.2BSD TCP bugs options MROUTING # Multicast routing options IPFIREWALL #firewall options IPFIREWALL_VERBOSE #print information about # dropped packets options IPFIREWALL_FORWARD #enable transparent proxy = support options IPFIREWALL_VERBOSE_LIMIT=3D100 #limit verbosity options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by = default options IPDIVERT #divert sockets options IPFILTER #ipfilter support options IPFILTER_LOG #ipfilter logging options IPSTEALTH #support for stealth forwarding options TCPDEBUG # The following options add sysctl variables for controlling how certain # TCP packets are handled. # # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. = This # prevents nmap et al. from identifying the TCP/IP stack, but breaks = support # for RFC1644 extensions and is not recommended for web servers. # # TCP_RESTRICT_RST adds support for blocking the emission of TCP RST = packets. # This is useful on systems which are exposed to SYN floods (e.g. IRC = servers) # or any system which one does not want to be easily portscannable. # options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN options TCP_RESTRICT_RST #restrict emission of TCP RST # ICMP_BANDLIM enables icmp error response bandwidth limiting. You # typically want this option as it will help protect the machine from # D.O.S. packet attacks. # options "ICMP_BANDLIM" # DUMMYNET enables the "dummynet" bandwidth limiter. You need # IPFIREWALL as well. See the dummynet(4) manpage for more info. # BRIDGE enables bridging between ethernet cards -- see bridge(4). # You can use IPFIREWALL and dummynet together with bridging. options DUMMYNET options BRIDGE TEMfw3# This is how it looks on the 3.4 box too. Could it be that the DSL ISP is = blocking something ?? My 3.4 box is on a different ISP. John... ------=_NextPart_000_0018_01C04684.2689B400 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

 This is a bit long but I`ve been working = on it for a=20 day now so I have lots of
info:
What I want: 1 server inside the = firewall=20 to have a public IP address. My BSD
guru (he`s away right now) set = it up on=20 a 3.4 box and it works fine, now I`m
trying to do it on a 4.1.1 box = and=20 followed his example. It doesn`t work, after
much trouble shooting I = can=20 tell you this.

If I ping from the private box (Private1) to a = remote=20 public box (R1) I can see the
packets (using tcpdump) leave the = firewall=20 with the redirected address, they
arrive at R1 and R1 responds to = the=20 redirected address (RA). The packets NEVER
return to the = firewall.
If I=20 traceroute from R1 to RA it stops at the firewall ISP`s (Nexxia) = routers.
If=20 I traceroute from Private1 to R1 I hit the inside NIC of the firewall = and no=20 more.
Here are my rules, .conf files, even the part I added to = GENERIC and=20 recompiled.
(IP numbers have been changed to protect the=20 innocent):

TEMfw3# ipfw show
00050  11  1344 divert = 8668 ip=20 from any to any via fxp0
00100  10   988 allow ip from = any to=20 any via lo0
00200   0     0 deny ip = from any to=20 127.0.0.0/8
65000 165 11960 allow ip from any to = any
65535  =20 0     0 allow ip from any to = any
TEMfw3#

TEMfw3#=20 more rc.conf
# This file now contains just the overrides from=20 /etc/defaults/rc.conf
# please make all changes to this = file.

# Enable=20 network daemons for user convenience.
# -- sysinstall generated = deltas --=20 #
sendmail_enable=3D"NO"
gateway_enable=3D"YES"
sshd_enable=3D"Y= ES"
inetd_enable=3D"YES"
##########################################= ####################
### =20 Network configuration sub-section =20 ######################
###############################################= ###############

###=20 Basic network and firewall/security options:=20 ###
hostname=3D"TEMfw3"        = ;            =   =20 # Set=20 this!
firewall_enable=3D"YES"       = ;   =20 # Set to YES to enable firewall=20 functionality
firewall_type=3D"OPEN"     &nbs= p;     =20 # Firewall type (see=20 /etc/rc.firewall)
firewall_quiet=3D"NO"     &= nbsp;      =20 # Set to YES to suppress rule=20 display
firewall_logging=3D"YES"
natd_enable=3D"YES"  &nb= sp;           &nbs= p;=20 # Enable natd (if firewall_enable =3D=3D=20 YES).
natd_interface=3D"fxp0"       = ;   =20 # Public interface or IPaddress to use.
natd_flags=3D"-f=20 /etc/natd.conf"
network_interfaces=3D"auto"    &nb= sp; =20 # List of network interfaces (or "auto").
ifconfig_lo0=3D"inet=20 127.0.0.1"   # default loopback device=20 configuration.
ifconfig_fxp0=3D"inet 216.208.171.XXX netmask=20 255.255.255.224"
ifconfig_fxp1=3D"inet 10.150.0.241 netmask=20 255.255.255.0"
#
named_enable=3D"YES"     =         =20 # Run named, the DNS server (or=20 NO).
defaultrouter=3D"216.208.171.XXX"
TEMfw3#
TEMfw3# more=20 natd.conf
redirect_address 10.150.0.143 = 216.208.171.XXX
TEMfw3#

From my kernal I just pull the section out of = LINT and go.=20

#
# IPFIREWALL enables support for IP firewall construction, = in
#=20 conjunction with the `ipfw` program.  IPFIREWALL_VERBOSE sends
# = logged=20 packets to the system logger.  IPFIREWALL_VERBOSE_LIMIT
# limits = the=20 number of times a matching entry can be logged.
#
# WARNING:  = IPFIREWALL defaults to a policy of "deny ip from any to any"
# and if = you do=20 not add other rules during startup to allow access,
# YOU WILL LOCK = YOURSELF=20 OUT.  It is suggested that you set firewall_type=3Dopen
# in = /etc/rc.conf=20 when first enabling this feature, then refining the
# firewall rules = in=20 /etc/rc.firewall after you`ve tested that the new kernel
# feature = works=20 properly.
#
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule = (at=20 boot) to
# allow everything.  Use with care, if a cracker can = crash=20 your
# firewall machine, they can get to your protected = machines. =20 However,
# if you are using it as an as-needed filter for specific = problems=20 as
# they arise, then this may be for you.  Changing the default = to=20 `allow`
# means that you won`t get stuck if the kernel and /sbin/ipfw = binary=20 get
# out of sync.
#
# IPDIVERT enables the divert IP sockets, = used by=20 ``ipfw divert``
#
# IPSTEALTH enables code to support stealth = forwarding=20 (i.e., forwarding
# packets without touching the ttl).  This can = be=20 useful to hide firewalls
# from traceroute and similar = tools.
#
#=20 TCPDEBUG is=20 undocumented.
#
options       &n= bsp;=20 TCP_COMPAT_42          = =20 #emulate 4.2BSD TCP=20 bugs
options        =20 MROUTING           = ;    =20 # Multicast = routing
options        =20 IPFIREWALL          &nb= sp;  =20 #firewall
options        =20 IPFIREWALL_VERBOSE      #print information=20 about
          &nbs= p;            = ;            =     =20 # dropped = packets
options        =20 IPFIREWALL_FORWARD      #enable transparent = proxy=20 support
options        =20 IPFIREWALL_VERBOSE_LIMIT=3D100    #limit=20 verbosity
options        =20 IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by=20 default
options        =20 IPDIVERT           = ;    =20 #divert = sockets
options        =20 IPFILTER           = ;    =20 #ipfilter = support
options        =20 IPFILTER_LOG          &= nbsp;=20 #ipfilter = logging
options        =20 IPSTEALTH          &nbs= p;   =20 #support for stealth=20 forwarding
options        =20 TCPDEBUG


# The following options add sysctl variables for = controlling=20 how certain
# TCP packets are handled.
#
# TCP_DROP_SYNFIN adds = support=20 for ignoring TCP packets with SYN+FIN. This
# prevents nmap et al. = from=20 identifying the TCP/IP stack, but breaks support
# for RFC1644 = extensions and=20 is not recommended for web servers.
#
# TCP_RESTRICT_RST adds = support for=20 blocking the emission of TCP RST packets.
# This is useful on systems = which=20 are exposed to SYN floods (e.g. IRC servers)
# or any system which = one does=20 not want to be easily=20 portscannable.
#
options       &= nbsp;=20 TCP_DROP_SYNFIN         #drop = TCP=20 packets with = SYN+FIN
options        =20 TCP_RESTRICT_RST        #restrict = emission of=20 TCP RST

# ICMP_BANDLIM enables icmp error response bandwidth=20 limiting.   You
# typically want this option as it will = help=20 protect the machine from
# D.O.S. packet=20 attacks.
#
options         = "ICMP_BANDLIM"

# DUMMYNET enables the "dummynet" bandwidth = limiter. You=20 need
# IPFIREWALL as well. See the dummynet(4) manpage for more = info.
#=20 BRIDGE enables bridging between ethernet cards -- see bridge(4).
# = You can=20 use IPFIREWALL and dummynet together with=20 bridging.
options        =20 DUMMYNET
options        =20 BRIDGE

TEMfw3#

This is how it looks on the 3.4 box too. = Could it=20 be that the DSL ISP is
blocking something ?? My 3.4 box is on a = different=20 ISP.
John...

------=_NextPart_000_0018_01C04684.2689B400-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message