Date: Sat, 4 Nov 2000 17:24:56 -0500
From: "John Telford" <j.telford@sympatico.ca>
To: <security@freebsd.org>
Subject: Natd redirect address not working in 4.1.1 Help Please ??
Message-ID: <001b01c046ae$0f8608b0$0100000a@johnny5>
This is a bit long but I've been working on it for a day now so I have lots of
info:

What I want: 1 server inside the firewall to have a public IP address. My BSD
guru (he's away right now) set it up on a 3.4 box and it works fine, now I'm
trying to do it on a 4.1.1 box and followed his example. It doesn't work; after
much troubleshooting I can tell you this.

If I ping from the private box (Private1) to a remote public box (R1) I can see
the packets (using tcpdump) leave the firewall with the redirected address, they
arrive at R1 and R1 responds to the redirected address (RA). The packets NEVER
return to the firewall.
If I traceroute from R1 to RA it stops at the firewall ISP's (Nexxia) routers.
If I traceroute from Private1 to R1 I hit the inside NIC of the firewall and no
more.

Here are my rules, .conf files, even the part I added to GENERIC and
recompiled. (IP numbers have been changed to protect the innocent):

TEMfw3# ipfw show
00050    11  1344 divert 8668 ip from any to any via fxp0
00100    10   988 allow ip from any to any via lo0
00200     0     0 deny ip from any to 127.0.0.0/8
65000   165 11960 allow ip from any to any
65535     0     0 allow ip from any to any
TEMfw3#

TEMfw3# more rc.conf
# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.

# Enable network daemons for user convenience.
# -- sysinstall generated deltas -- #
sendmail_enable="NO"
gateway_enable="YES"
sshd_enable="YES"
inetd_enable="YES"
##############################################################
###  Network configuration sub-section  ######################
##############################################################

### Basic network and firewall/security options: ###
hostname="TEMfw3"                 # Set this!
firewall_enable="YES"             # Set to YES to enable firewall functionality
firewall_type="OPEN"              # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"               # Set to YES to suppress rule display
firewall_logging="YES"
natd_enable="YES"                 # Enable natd (if firewall_enable == YES).
natd_interface="fxp0"             # Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf"
network_interfaces="auto"         # List of network interfaces (or "auto").
ifconfig_lo0="inet 127.0.0.1"     # default loopback device configuration.
ifconfig_fxp0="inet 216.208.171.XXX netmask 255.255.255.224"
ifconfig_fxp1="inet 10.150.0.241 netmask 255.255.255.0"
#
named_enable="YES"                # Run named, the DNS server (or NO).
defaultrouter="216.208.171.XXX"
TEMfw3#

TEMfw3# more natd.conf
redirect_address 10.150.0.143 216.208.171.XXX
TEMfw3#

From my kernel I just pull the section out of LINT and go.

#
# IPFIREWALL enables support for IP firewall construction, in
# conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE sends
# logged packets to the system logger.  IPFIREWALL_VERBOSE_LIMIT
# limits the number of times a matching entry can be logged.
#
# WARNING:  IPFIREWALL defaults to a policy of "deny ip from any to any"
# and if you do not add other rules during startup to allow access,
# YOU WILL LOCK YOURSELF OUT.  It is suggested that you set firewall_type=open
# in /etc/rc.conf when first enabling this feature, then refining the
# firewall rules in /etc/rc.firewall after you've tested that the new kernel
# feature works properly.
#
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
# allow everything.  Use with care, if a cracker can crash your
# firewall machine, they can get to your protected machines.  However,
# if you are using it as an as-needed filter for specific problems as
# they arise, then this may be for you.  Changing the default to `allow'
# means that you won't get stuck if the kernel and /sbin/ipfw binary get
# out of sync.
#
# IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
#
# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the ttl).  This can be useful to hide firewalls
# from traceroute and similar tools.
#
# TCPDEBUG is undocumented.
#
options         TCP_COMPAT_42                   #emulate 4.2BSD TCP bugs
options         MROUTING                        # Multicast routing
options         IPFIREWALL                      #firewall
options         IPFIREWALL_VERBOSE              #print information about
                                                # dropped packets
options         IPFIREWALL_FORWARD              #enable transparent proxy support
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
options         IPDIVERT                        #divert sockets
options         IPFILTER                        #ipfilter support
options         IPFILTER_LOG                    #ipfilter logging
options         IPSTEALTH                       #support for stealth forwarding
options         TCPDEBUG

# The following options add sysctl variables for controlling how certain
# TCP packets are handled.
#
# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN.  This
# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
# for RFC1644 extensions and is not recommended for web servers.
#
# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
# or any system which one does not want to be easily portscannable.
#
options         TCP_DROP_SYNFIN                 #drop TCP packets with SYN+FIN
options         TCP_RESTRICT_RST                #restrict emission of TCP RST

# ICMP_BANDLIM enables icmp error response bandwidth limiting.  You
# typically want this option as it will help protect the machine from
# D.O.S. packet attacks.
#
options         "ICMP_BANDLIM"

# DUMMYNET enables the "dummynet" bandwidth limiter.  You need
# IPFIREWALL as well.  See the dummynet(4) manpage for more info.
# BRIDGE enables bridging between ethernet cards -- see bridge(4).
# You can use IPFIREWALL and dummynet together with bridging.
options         DUMMYNET
options         BRIDGE

TEMfw3#

This is how it looks on the 3.4 box too. Could it be that the DSL ISP is
blocking something? My 3.4 box is on a different ISP.

John...
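Editor's added example, not part of John's message and not FreeBSD's own rc or natd code. natd only rewrites packets that actually reach the firewall, so for redirect_address (static NAT) to work the upstream router has to deliver traffic for the redirected public address to fxp0; on a shared /27 like the one in the post that means the firewall must answer ARP for it, which in FreeBSD 4.x rc.conf is done by adding the address as an alias of fxp0 (or the ISP has to route it to the firewall's primary address). Replies from R1 dying at the ISP's router is the symptom you get when no host on the segment claims the address; the thread does not confirm that this was the cause, it is the first thing to check. The script below encodes those checks in POSIX sh, prints the alias line, and prints a restrictive ipfw ruleset to replace firewall_type="OPEN", which together with IPFIREWALL_DEFAULT_TO_ACCEPT passes every packet to the inside host once the alias works. Assumptions: 216.208.171.200 as fxp0's address and 216.208.171.201 as the redirected public address (the post masks both as .XXX), and port 80 as the service the inside host offers (the post does not say). 10.150.0.143, the /27 mask and the divert port 8668 are from the post.

```shell
#!/bin/sh
# Added example (editor's, not from the original post): sanity checks and
# suggested config for a natd redirect_address setup on a FreeBSD 4.x
# ipfw/natd gateway. Pure POSIX sh; the checks run offline.

EXT_IF=fxp0
EXT_IP=216.208.171.200           # assumed: the post masks fxp0's address as .XXX
EXT_MASK=255.255.255.224         # from the post (/27)
REDIRECT_PUBLIC=216.208.171.201  # assumed: public address handed to the inside host
REDIRECT_LOCAL=10.150.0.143      # from the post's natd.conf
SERVICE_PORT=80                  # assumed: the post does not name the service

# ip_to_int A.B.C.D -> unsigned 32-bit value, for mask arithmetic.
ip_to_int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# same_subnet IP1 IP2 MASK: true when both addresses share the network MASK selects.
same_subnet() {
    [ $(( $(ip_to_int "$1") & $(ip_to_int "$3") )) -eq \
      $(( $(ip_to_int "$2") & $(ip_to_int "$3") )) ]
}

# is_net_or_bcast IP MASK: true when IP is the network or broadcast address.
is_net_or_bcast() {
    ip=$(ip_to_int "$1"); m=$(ip_to_int "$2")
    net=$(( ip & m )); bcast=$(( net | (4294967295 - m) ))
    [ "$ip" -eq "$net" ] || [ "$ip" -eq "$bcast" ]
}

# check_redirect: 0 when the redirected public address can be claimed on EXT_IF,
# non-zero (with the reason on stderr) otherwise.
check_redirect() {
    if [ "$REDIRECT_PUBLIC" = "$EXT_IP" ]; then
        echo "redirect_address to $EXT_IF's own address: use redirect_port instead" >&2
        return 1
    fi
    if ! same_subnet "$EXT_IP" "$REDIRECT_PUBLIC" "$EXT_MASK"; then
        echo "$REDIRECT_PUBLIC is outside $EXT_IF's subnet: the ISP must route it to $EXT_IP" >&2
        return 2
    fi
    if is_net_or_bcast "$REDIRECT_PUBLIC" "$EXT_MASK"; then
        echo "$REDIRECT_PUBLIC is the network or broadcast address of the subnet" >&2
        return 3
    fi
    return 0
}

# rc_conf_alias_line: the rc.conf line that makes the firewall own, and answer
# ARP for, the redirected address. A /32 netmask is what FreeBSD expects for an
# alias that lies in the same subnet as the interface's primary address.
rc_conf_alias_line() {
    echo "ifconfig_${EXT_IF}_alias0=\"inet $REDIRECT_PUBLIC netmask 255.255.255.255\""
}

# suggested_ipfw_rules: a replacement for firewall_type="OPEN". Packets diverted
# at 00050 re-enter at the next rule with the translated address, so inbound
# rules match on the private destination. Add rules for services the firewall
# itself offers (e.g. sshd) as needed.
suggested_ipfw_rules() {
    cat <<EOF
add 00050 divert 8668 ip from any to any via $EXT_IF
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 allow ip from any to any via fxp1
add 00400 allow ip from any to any out via $EXT_IF
add 00500 allow tcp from any to any established in via $EXT_IF
add 00600 allow tcp from any to $REDIRECT_LOCAL $SERVICE_PORT setup in via $EXT_IF
add 00700 allow icmp from any to any icmptypes 0,3,8,11 in via $EXT_IF
add 65000 deny log ip from any to any
EOF
}

if check_redirect; then
    echo "# $REDIRECT_LOCAL <-> $REDIRECT_PUBLIC is claimable on $EXT_IF. Add to /etc/rc.conf:"
    rc_conf_alias_line
    echo "# and replace firewall_type=\"OPEN\" with a ruleset like:"
    suggested_ipfw_rules
fi
# Live checks on the box (not run here): once 'ifconfig fxp0' shows the alias,
#   tcpdump -n -i fxp0 arp     should show the firewall answering who-has for it, and
#   arp -an on another host in the /27 should list the firewall's MAC for that address.
```

The subnet check matters because the 3.4 box that works is on a different ISP: an ISP that routes a separate block to the firewall's primary address needs no alias at all, whereas one that puts the block on the shared segment (as the /27 on fxp0 suggests) needs the firewall to claim each redirected address.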