Date: Fri, 21 Nov 2003 14:26:51 CET
From: julien.biard@netcourrier.com
To: freebsd-config@freebsd.org
Subject: IPFW+IPNAT cannot attack firewall external interface behind
Message-ID: <mnet4.1069421211.13427.julien.biard@netcourrier.com>
Hi,

I have a firewall configured with IPNAT and IPFW, and I can't access the external interface behind the firewall. However, it's possible to ping it... Do you have an idea?

my /etc/rc.conf:

firewall_enable="YES"
firewall_script="/etc/fwrules.sh"
ipnat_enable="YES"
syslogd_flags="-ss"
accounting_enable="NO"
gateway_enable="YES"
hostname="irie.zion.org"
ifconfig_ep0="inet x.x.x.x netmask 255.255.255.0"
inetd_enable="NO"
kern_securelevel_enable="NO"
keymap="fr.iso.acc"
keyrate="fast"
nfs_reserved_port_only="NO"
sendmail_enable="NONE"
sshd_enable="YES"
usbd_enable="YES"

my ipnat.conf: the redirections of ssh and smtp work (tested from outside), but not for the ftp...

# mapping
map tun0 MyLan/24 -> 0/32 portmap tcp 10000:20000
map tun0 MyLan/24 -> 0/32

# redirections
# ftp
rdr tun0 0.0.0.0/0 port 1521 -> jahkub port 21
#rdr tun0 0.0.0.0/0 port 1522 -> vibes port 21
# smtp
rdr tun0 0.0.0.0/0 port 25 -> jahkub port 25
# ssh
rdr tun0 0.0.0.0/0 port 1522 -> vibes port 22
rdr tun0 0.0.0.0/0 port 1523 -> jahkub port 22
# BitTorrent...
rdr tun0 0.0.0.0/0 port 6881 -> vibes port 6881
rdr tun0 0.0.0.0/0 port 6882 -> vibes port 6882
rdr tun0 0.0.0.0/0 port 6883 -> vibes port 6883
rdr tun0 0.0.0.0/0 port 6884 -> vibes port 6884
rdr tun0 0.0.0.0/0 port 6885 -> vibes port 6885
rdr tun0 0.0.0.0/0 port 6886 -> vibes port 6886
rdr tun0 0.0.0.0/0 port 6887 -> vibes port 6887
rdr tun0 0.0.0.0/0 port 6888 -> vibes port 6888
# mldonkey
rdr tun0 0.0.0.0/0 port 4662 -> vibes port 4662 tcp
rdr tun0 0.0.0.0/0 port 4666 -> vibes port 4666 udp
# soulseek
rdr tun0 0.0.0.0/0 port 2234 -> stick port 2234
rdr tun0 0.0.0.0/0 port 5534 -> stick port 5534
# UT
rdr tun0 0.0.0.0/0 port 7777 -> vibes port 7777 udp
rdr tun0 0.0.0.0/0 port 7778 -> vibes port 7778 udp

my /etc/fwrules:

...
# Basic initial shaping
# No need for net.inet.ip.fw.one_pass = 0, we only match incoming packets.
$cmd pipe 1 config mask src-ip 0x000000ff bw 3Kbit/s queue 50
$cmd add 100 pipe 1 tcp from any ssh,1523 to any in via $oif
# UT
#$cmd pipe 2 config mask src-ip 0x000000ff bw 10KBit/s
#$cmd add 200 pipe 2 udp from any 7777 to any out via $oif

#Firewalling
#Anti spoof
#$cmd add 400 reject log ip from 213.91.4.128/28 to any in via $oif
$cmd add 410 reject log ip from $interne to any in via $oif
# $cmd add 420 reject log ip from $interne2 to any in via $oif
$cmd add 430 reject log ip from 127.0.0.1/8 to any in via $oif
#$cmd add 435 allow tcp from any to 192.168.1.42/32 established in via $oif
#$cmd add 436 allow icmp from any to 192.168.1.42/32 in via $oif
#$cmd add 440 reject log ip from any to not 213.91.4.0/24 in via $oif

# no problem for the internal side
$cmd add 500 allow ip from any to any via $iif
# no problem for going out
$cmd add 510 allow ip from any to any out via $oif
# no problem for established TCP sessions
$cmd add 600 allow tcp from any to any in via $oif established

#UDP...
# Maybe let ipf handle UDP... Or keep-state? On UDP?
$cmd add 700 allow udp from any to any in via $oif
#DNS
$cmd add 710 allow udp from any to $odns1 domain in via $oif
$cmd add 711 allow udp from any to $odns2 domain in via $oif

#ICMP
#$cmd add 800 allow icmp from any to any in via $oif
$cmd add 801 allow icmp from any to $interne in icmptypes 0,3,11,12,13,14
$cmd add 802 allow icmp from $interne to any out icmptypes 1,8,11
#$cmd add 803 allow udp from $interne to any in 33400-33500
$cmd add 804 deny log icmp from any to any

# Now we block, and allow the services (TCP)
$cmd add 900 allow tcp from any to any http,https,ftp,ftp\-data setup in via $oif
#$cmd add 901 allow tcp from any to any ssh,auth setup in via $oif
# OR
# UT ?
#$cmd add 901 allow tcp from any to any ssh,auth,7777,7778,4662,4666 setup in via $oif
$cmd add 901 allow tcp from any to any ssh,auth,4662,1521 setup in via $oif
$cmd add 902 allow tcp from any to any smtp,pop3,imap setup in via $oif
$cmd add 903 allow tcp from any to any domain,6667,2234,5534 setup in via $oif
$cmd add 904 allow tcp from any to any 8888 in via $oif
$cmd add 905 allow udp from any to any 7777,7778 in via $oif
# ftpd
$cmd add 906 allow tcp from any to any 49152-65535 in via $oif
# deny TCP SYN by default
$cmd add 1000 reject log tcp from any to any setup in via $oif

regards,
julien
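A consistency check between the ipnat rdr list and the ipfw inbound allow rules, added here as an example (it is not the poster's code and not part of the thread): it parses both in the syntax quoted in the post and reports every redirected external port that no "allow tcp|udp from any to any ... in via $oif" rule admits, which is the first thing to audit when a redirection works for some services and not others. It assumes ipfw matches the pre-translation (external) destination port, that the service names resolve to the usual /etc/services numbers, and that $cmd/$oif are the post's own variables; the two sample rule sets are constructed from the post.

```python
import re

# Service names used in the posted ipfw rules (assumed /etc/services values).
SERVICES = {"ssh": 22, "auth": 113, "smtp": 25, "pop3": 110, "imap": 143,
            "domain": 53, "http": 80, "https": 443, "ftp": 21, "ftp-data": 20}
RDR_RE = re.compile(r"^rdr\s+\S+\s+\S+\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+\d+(?:\s+(tcp|udp))?")
ALLOW_RE = re.compile(r"^\$cmd\s+add\s+\d+\s+allow\s+(tcp|udp)\s+from\s+any\s+to\s+any"
                      r"(?:\s+(?!in\b|out\b|via\b|setup\b|established\b)(\S+))?")

def parse_rdr(text):
    """(proto, external_port, target) per rdr line; ipnat defaults to tcp when no proto is given."""
    return [(m.group(3) or "tcp", int(m.group(1)), m.group(2))
            for m in map(RDR_RE.match, text.splitlines()) if m]

def parse_allow(text):
    """Yield (proto, ports) for 'allow tcp|udp from any to any ... in via $oif' rules; ports is
    None when the rule names no port. 'established' rules are skipped: they admit no new SYN."""
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m or "in via $oif" not in line or "established" in line:
            continue
        spec = (m.group(2) or "").replace("\\", "")   # ipfw escapes the '-' in ftp\-data
        ports = set() if spec else None
        for item in (spec.split(",") if spec else []):
            if item in SERVICES:
                ports.add(SERVICES[item])
                continue
            lo, _, hi = item.partition("-")            # single port or lo-hi range
            ports.update(range(int(lo), int(hi or lo) + 1))
        yield (m.group(1), ports)

def unprotected(rdr_text, ipfw_text):
    """rdr entries no inbound allow rule admits. Assumption: ipfw matches the pre-translation
    (external) destination port; the post does not say in which order ipnat and ipfw run."""
    allowed = list(parse_allow(ipfw_text))
    return [(proto, port, tgt) for proto, port, tgt in parse_rdr(rdr_text)
            if not any(p == proto and (ps is None or port in ps) for p, ps in allowed)]

# Constructed samples, trimmed from the rules quoted in the post.
IPNAT_SAMPLE = """rdr tun0 0.0.0.0/0 port 1521 -> jahkub port 21
rdr tun0 0.0.0.0/0 port 1522 -> vibes port 22
rdr tun0 0.0.0.0/0 port 6881 -> vibes port 6881
rdr tun0 0.0.0.0/0 port 4666 -> vibes port 4666 udp"""
IPFW_SAMPLE = r"""$cmd add 600 allow tcp from any to any in via $oif established
$cmd add 700 allow udp from any to any in via $oif
$cmd add 900 allow tcp from any to any http,https,ftp,ftp\-data setup in via $oif
$cmd add 901 allow tcp from any to any ssh,auth,4662,1521 setup in via $oif
$cmd add 906 allow tcp from any to any 49152-65535 in via $oif"""
```

Running unprotected(IPNAT_SAMPLE, IPFW_SAMPLE) flags tcp/1522 and tcp/6881: both are redirected by ipnat but no rule between 900 and 906 admits their external port, while udp/4666 is covered by the blanket rule 700.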
