Date:      Sat, 4 Nov 2000 17:24:56 -0500
From:      "John Telford" <j.telford@sympatico.ca>
To:        <security@freebsd.org>
Subject:   Natd redirect address not working in 4.1.1 Help Please ??
Message-ID:  <001b01c046ae$0f8608b0$0100000a@johnny5>

This is a bit long but I've been working on it for a day now so I have lots of
info:
What I want: 1 server inside the firewall to have a public IP address. My BSD
guru (he's away right now) set it up on a 3.4 box and it works fine, now I'm
trying to do it on a 4.1.1 box and followed his example. It doesn't work, after
much troubleshooting I can tell you this.

If I ping from the private box (Private1) to a remote public box (R1) I can see the
packets (using tcpdump) leave the firewall with the redirected address, they
arrive at R1 and R1 responds to the redirected address (RA). The packets NEVER
return to the firewall.
If I traceroute from R1 to RA it stops at the firewall ISP's (Nexxia) routers.
If I traceroute from Private1 to R1 I hit the inside NIC of the firewall and no more.
Here are my rules, .conf files, even the part I added to GENERIC and recompiled.
(IP numbers have been changed to protect the innocent):

TEMfw3# ipfw show
00050  11  1344 divert 8668 ip from any to any via fxp0
00100  10   988 allow ip from any to any via lo0
00200   0     0 deny ip from any to 127.0.0.0/8
65000 165 11960 allow ip from any to any
65535   0     0 allow ip from any to any
TEMfw3#

TEMfw3# more rc.conf
# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.

# Enable network daemons for user convenience.
# -- sysinstall generated deltas -- #
sendmail_enable="NO"
gateway_enable="YES"
sshd_enable="YES"
inetd_enable="YES"
##############################################################
###  Network configuration sub-section  ######################
##############################################################

### Basic network and firewall/security options: ###
hostname="TEMfw3"                       # Set this!
firewall_enable="YES"           # Set to YES to enable firewall functionality
firewall_type="OPEN"            # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"             # Set to YES to suppress rule display
firewall_logging="YES"
natd_enable="YES"                # Enable natd (if firewall_enable == YES).
natd_interface="fxp0"           # Public interface or IPaddress to use.
natd_flags="-f /etc/natd.conf"
network_interfaces="auto"       # List of network interfaces (or "auto").
ifconfig_lo0="inet 127.0.0.1"   # default loopback device configuration.
ifconfig_fxp0="inet 216.208.171.XXX netmask 255.255.255.224"
ifconfig_fxp1="inet 10.150.0.241 netmask 255.255.255.0"
#
named_enable="YES"              # Run named, the DNS server (or NO).
defaultrouter="216.208.171.XXX"
TEMfw3#
TEMfw3# more natd.conf
redirect_address 10.150.0.143 216.208.171.XXX
TEMfw3#

From my kernel I just pull the section out of LINT and go.

#
# IPFIREWALL enables support for IP firewall construction, in
# conjunction with the `ipfw` program.  IPFIREWALL_VERBOSE sends
# logged packets to the system logger.  IPFIREWALL_VERBOSE_LIMIT
# limits the number of times a matching entry can be logged.
#
# WARNING:  IPFIREWALL defaults to a policy of "deny ip from any to any"
# and if you do not add other rules during startup to allow access,
# YOU WILL LOCK YOURSELF OUT.  It is suggested that you set firewall_type=open
# in /etc/rc.conf when first enabling this feature, then refining the
# firewall rules in /etc/rc.firewall after you've tested that the new kernel
# feature works properly.
#
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
# allow everything.  Use with care, if a cracker can crash your
# firewall machine, they can get to your protected machines.  However,
# if you are using it as an as-needed filter for specific problems as
# they arise, then this may be for you.  Changing the default to `allow`
# means that you won't get stuck if the kernel and /sbin/ipfw binary get
# out of sync.
#
# IPDIVERT enables the divert IP sockets, used by ``ipfw divert``
#
# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the ttl).  This can be useful to hide firewalls
# from traceroute and similar tools.
#
# TCPDEBUG is undocumented.
#
options         TCP_COMPAT_42           #emulate 4.2BSD TCP bugs
options         MROUTING                # Multicast routing
options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #print information about
                                        # dropped packets
options         IPFIREWALL_FORWARD      #enable transparent proxy support
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
options         IPDIVERT                #divert sockets
options         IPFILTER                #ipfilter support
options         IPFILTER_LOG            #ipfilter logging
options         IPSTEALTH               #support for stealth forwarding
options         TCPDEBUG


# The following options add sysctl variables for controlling how certain
# TCP packets are handled.
#
# TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
# prevents nmap et al. from identifying the TCP/IP stack, but breaks support
# for RFC1644 extensions and is not recommended for web servers.
#
# TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
# This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
# or any system which one does not want to be easily portscannable.
#
options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
options         TCP_RESTRICT_RST        #restrict emission of TCP RST

# ICMP_BANDLIM enables icmp error response bandwidth limiting.   You
# typically want this option as it will help protect the machine from
# D.O.S. packet attacks.
#
options         "ICMP_BANDLIM"

# DUMMYNET enables the "dummynet" bandwidth limiter. You need
# IPFIREWALL as well. See the dummynet(4) manpage for more info.
# BRIDGE enables bridging between ethernet cards -- see bridge(4).
# You can use IPFIREWALL and dummynet together with bridging.
options         DUMMYNET
options         BRIDGE

TEMfw3#

This is how it looks on the 3.4 box too. Could it be that the DSL ISP is
blocking something ?? My 3.4 box is on a different ISP.
John...
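The following script is an added example (not code from the post, and not part of FreeBSD) that runs the checks a reviewer would make on a natd redirect_address setup like the one above before concluding that the ISP is blocking traffic: that the divert rule precedes any blanket allow rule on the NAT interface, that the redirected local address sits on an inside interface, and that the public address in redirect_address is either owned by the firewall (so it answers ARP for it on the fxp0 subnet) or is off-link and therefore has to be routed to the firewall by the ISP. The inputs are constructed copies of the poster's `ipfw show` output, rc.conf and natd.conf; the XXX octets are replaced with made-up values (216.208.171.200 for fxp0, 216.208.171.201 for the redirect, 216.208.171.193 for the default router), and the `ifconfig_<if>_aliasN` variable is the standard rc.conf form for an interface alias.

```python
"""Sanity-check a natd redirect_address configuration (added example).

Parses constructed copies of an `ipfw show` listing, rc.conf and natd.conf
and returns findings:
  1. a blanket allow rule before the divert rule means natd never sees the
     packets in either direction;
  2. the redirect's local address must be on an inside interface;
  3. the redirect's public address must be owned by the firewall (an
     ifconfig_<if>_aliasN entry, so it answers ARP for it) when it lies on
     the public subnet, or be routed to the firewall by the ISP otherwise.
"""
import ipaddress
import re

# Constructed inputs modelled on the post; XXX octets replaced with made-up values.
IPFW_SHOW = """\
00050  11  1344 divert 8668 ip from any to any via fxp0
00100  10   988 allow ip from any to any via lo0
00200   0     0 deny ip from any to 127.0.0.0/8
65000 165 11960 allow ip from any to any
65535   0     0 allow ip from any to any
"""

RC_CONF = """\
gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="fxp0"            # public interface
natd_flags="-f /etc/natd.conf"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_fxp0="inet 216.208.171.200 netmask 255.255.255.224"
ifconfig_fxp1="inet 10.150.0.241 netmask 255.255.255.0"
defaultrouter="216.208.171.193"
"""

NATD_CONF = "redirect_address 10.150.0.143 216.208.171.201\n"


def parse_rc_conf(text):
    """Map var -> value for lines of the form var="value"; comments are ignored."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z0-9_]+)="([^"]*)"', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def interface_addrs(conf, ifname):
    """Primary address plus ifconfig_<if>_aliasN entries as IPv4Interface objects."""
    addrs = []
    for var, value in conf.items():
        if var == f"ifconfig_{ifname}" or var.startswith(f"ifconfig_{ifname}_alias"):
            m = re.search(r"inet (\S+) netmask (\S+)", value)
            if not m:
                continue
            mask = m.group(2)
            if mask.startswith("0x"):  # aliases are often written with a hex mask
                mask = str(ipaddress.IPv4Address(int(mask, 16)))
            addrs.append(ipaddress.IPv4Interface(f"{m.group(1)}/{mask}"))
    return addrs


def parse_ipfw(text):
    """Return [(rule_number, rule_body)] from `ipfw show` output."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+\d+\s+\d+\s+(.*\S)", line)
        if m:
            rules.append((int(m.group(1)), m.group(2)))
    return rules


def audit(ipfw_text, rc_text, natd_text):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    conf = parse_rc_conf(rc_text)
    nat_if = conf.get("natd_interface", "")
    rules = parse_ipfw(ipfw_text)

    # Check 1: rule order relative to the divert rule on the NAT interface.
    divert = [n for n, body in rules if body.startswith("divert") and f"via {nat_if}" in body]
    allow_all = [n for n, body in rules if body == "allow ip from any to any"]
    if not divert:
        findings.append(f"no divert rule on {nat_if}")
    elif allow_all and min(allow_all) < min(divert):
        findings.append(f"rule {min(allow_all)} allows everything before divert rule {min(divert)}")

    # Addresses the firewall owns on the public side and on the inside interfaces.
    public = interface_addrs(conf, nat_if)
    owned = {a.ip for a in public}
    inside = []
    for var in conf:
        m = re.fullmatch(r"ifconfig_([a-z]+\d+)", var)
        if m and m.group(1) not in (nat_if, "lo0"):
            inside.extend(interface_addrs(conf, m.group(1)))

    for line in natd_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "redirect_address":
            continue
        local_ip, public_ip = ipaddress.IPv4Address(parts[1]), ipaddress.IPv4Address(parts[2])
        # Check 2: the target host must be reachable through an inside interface.
        if not any(local_ip in a.network for a in inside):
            findings.append(f"{local_ip} is not on any inside interface")
        if public_ip in owned:
            continue
        # Check 3: on-link but unowned means nobody answers ARP for the address.
        if any(public_ip in a.network for a in public):
            findings.append(f"{public_ip} is on the {nat_if} subnet but is not an alias; "
                            f"the firewall will not answer ARP for it (add ifconfig_{nat_if}_alias0)")
        else:
            findings.append(f"{public_ip} is off-link; the ISP must route it to the firewall")
    return findings


if __name__ == "__main__":
    for finding in audit(IPFW_SHOW, RC_CONF, NATD_CONF) or ["no findings"]:
        print(finding)
```

Against the constructed inputs the script reports only the third check, because 216.208.171.201 falls inside the fxp0 /27 but no interface owns it; adding an `ifconfig_fxp0_alias0` line with a /32 mask makes the audit come back clean. The same parser flags a blanket allow rule numbered below the divert rule, which is the other common way a natd setup silently stops translating.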











Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?001b01c046ae$0f8608b0$0100000a>