From: julien.biard@netcourrier.com
To: freebsd-config@freebsd.org
Date: Fri, 21 Nov 2003 14:26:51 CET
Subject: IPFW+IPNAT cannot attack firewall external interface behind

Hi,

I have a firewall configured with IPNAT and IPFW, and I can't access the external interface behind the firewall. However, it's possible to ping it... Do you have an idea?
My /etc/rc.conf:

firewall_enable="YES"
firewall_script="/etc/fwrules.sh"
ipnat_enable="YES"
syslogd_flags="-ss"
accounting_enable="NO"
gateway_enable="YES"
hostname="irie.zion.org"
ifconfig_ep0="inet x.x.x.x netmask 255.255.255.0"
inetd_enable="NO"
kern_securelevel_enable="NO"
keymap="fr.iso.acc"
keyrate="fast"
nfs_reserved_port_only="NO"
sendmail_enable="NONE"
sshd_enable="YES"
usbd_enable="YES"

My ipnat.conf: the redirections of ssh and smtp work (tested from outside), but not the one for ftp...

# mapping
map tun0 MyLan/24 -> 0/32 portmap tcp 10000:20000
map tun0 MyLan/24 -> 0/32

# redirections
# ftp
rdr tun0 0.0.0.0/0 port 1521 -> jahkub port 21
#rdr tun0 0.0.0.0/0 port 1522 -> vibes port 21
# smtp
rdr tun0 0.0.0.0/0 port 25 -> jahkub port 25

# ssh
rdr tun0 0.0.0.0/0 port 1522 -> vibes port 22
rdr tun0 0.0.0.0/0 port 1523 -> jahkub port 22

# BitTorrent...
rdr tun0 0.0.0.0/0 port 6881 -> vibes port 6881
rdr tun0 0.0.0.0/0 port 6882 -> vibes port 6882
rdr tun0 0.0.0.0/0 port 6883 -> vibes port 6883
rdr tun0 0.0.0.0/0 port 6884 -> vibes port 6884
rdr tun0 0.0.0.0/0 port 6885 -> vibes port 6885
rdr tun0 0.0.0.0/0 port 6886 -> vibes port 6886
rdr tun0 0.0.0.0/0 port 6887 -> vibes port 6887
rdr tun0 0.0.0.0/0 port 6888 -> vibes port 6888
# mldonkey
rdr tun0 0.0.0.0/0 port 4662 -> vibes port 4662 tcp
rdr tun0 0.0.0.0/0 port 4666 -> vibes port 4666 udp
# soulseek
rdr tun0 0.0.0.0/0 port 2234 -> stick port 2234
rdr tun0 0.0.0.0/0 port 5534 -> stick port 5534
# UT
rdr tun0 0.0.0.0/0 port 7777 -> vibes port 7777 udp
rdr tun0 0.0.0.0/0 port 7778 -> vibes port 7778 udp

My /etc/fwrules:

...
# Basic initial shaping
# No need for net.inet.ip.fw.one_pass = 0, we only match incoming packets.
$cmd pipe 1 config mask src-ip 0x000000ff bw 3Kbit/s queue 50
$cmd add 100 pipe 1 tcp from any ssh,1523 to any in via $oif
# UT
#$cmd pipe 2 config mask src-ip 0x000000ff bw 10KBit/s
#$cmd add 200 pipe 2 udp from any 7777 to any out via $oif

# Firewalling
# Anti-spoofing
#$cmd add 400 reject log ip from 213.91.4.128/28 to any in via $oif
$cmd add 410 reject log ip from $interne to any in via $oif
# $cmd add 420 reject log ip from $interne2 to any in via $oif
$cmd add 430 reject log ip from 127.0.0.1/8 to any in via $oif
#$cmd add 435 allow tcp from any to 192.168.1.42/32 established in via $oif
#$cmd add 436 allow icmp from any to 192.168.1.42/32 in via $oif
#$cmd add 440 reject log ip from any to not 213.91.4.0/24 in via $oif

# No restrictions on the internal interface
$cmd add 500 allow ip from any to any via $iif
# No restrictions on outgoing traffic
$cmd add 510 allow ip from any to any out via $oif
# No restrictions on established TCP sessions
$cmd add 600 allow tcp from any to any in via $oif established

# UDP...
# Maybe let ipf handle UDP... Or keep-state? On UDP?
$cmd add 700 allow udp from any to any in via $oif
# DNS
$cmd add 710 allow udp from any to $odns1 domain in via $oif
$cmd add 711 allow udp from any to $odns2 domain in via $oif

# ICMP
#$cmd add 800 allow icmp from any to any in via $oif
$cmd add 801 allow icmp from any to $interne in icmptypes 0,3,11,12,13,14
$cmd add 802 allow icmp from $interne to any out icmptypes 1,8,11
#$cmd add 803 allow udp from $interne to any in 33400-33500
$cmd add 804 deny log icmp from any to any

# Now block, and authorise the (TCP) services
$cmd add 900 allow tcp from any to any http,https,ftp,ftp\-data setup in via $oif
#$cmd add 901 allow tcp from any to any ssh,auth setup in via $oif
# OR
# UT ?
#$cmd add 901 allow tcp from any to any ssh,auth,7777,7778,4662,4666 setup in via $oif
$cmd add 901 allow tcp from any to any ssh,auth,4662,1521 setup in via $oif
$cmd add 902 allow tcp from any to any smtp,pop3,imap setup in via $oif
$cmd add 903 allow tcp from any to any domain,6667,2234,5534 setup in via $oif
$cmd add 904 allow tcp from any to any 8888 in via $oif
$cmd add 905 allow udp from any to any 7777,7778 in via $oif
# ftpd
$cmd add 906 allow tcp from any to any 49152-65535 in via $oif
# Deny TCP SYN by default
$cmd add 1000 reject log tcp from any to any setup in via $oif

Regards,
julien
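When a rule set like the one in this post does not behave as expected, the quickest way to see which rule decides a given packet is to walk the rules in order the way ipfw does. The script below is an added example for this thread, not code from Julien's post, from the list or from FreeBSD. It embeds the post's active (uncommented, non-pipe) ipfw rules as sample input and simulates first-match evaluation for allow/deny/reject rules. Everything the post leaves undefined is an assumption here: $oif is taken as tun0, $iif as ep0, $interne as 192.168.1.0/24, $odns1/$odns2 as 192.0.2.53/54, the addresses of jahkub and of the external interface are made-up documentation addresses, pipe rules are ignored, and the kernel's catch-all rule 65535 is assumed to deny.

```python
"""Rule-walk simulator for the ipfw subset in the rule set posted above.
Added example, not code from the list or from FreeBSD: it applies ipfw's
first-match semantics to allow/deny/reject rules (proto, from/to, dest
ports, in/out, via, setup, established, icmptypes).  Pipe rules are left
out; $oif/$iif/$interne/$odns* values and the default rule are assumed."""
import ipaddress
import re
from dataclasses import dataclass

VARS = {"cmd": "ipfw", "oif": "tun0", "iif": "ep0", "interne": "192.168.1.0/24",
        "odns1": "192.0.2.53", "odns2": "192.0.2.54"}   # assumed, not in the post
SERVICES = {"ssh": 22, "auth": 113, "http": 80, "https": 443, "ftp": 21,
            "ftp-data": 20, "smtp": 25, "pop3": 110, "imap": 143, "domain": 53}
OPTIONS = {"in", "out", "via", "setup", "established", "icmptypes"}
# The post's active (uncommented, non-pipe) rules, used as the sample input.
RULESET = r"""
$cmd add 410 reject log ip from $interne to any in via $oif
$cmd add 430 reject log ip from 127.0.0.1/8 to any in via $oif
$cmd add 500 allow ip from any to any via $iif
$cmd add 510 allow ip from any to any out via $oif
$cmd add 600 allow tcp from any to any in via $oif established
$cmd add 700 allow udp from any to any in via $oif
$cmd add 710 allow udp from any to $odns1 domain in via $oif
$cmd add 711 allow udp from any to $odns2 domain in via $oif
$cmd add 801 allow icmp from any to $interne in icmptypes 0,3,11,12,13,14
$cmd add 802 allow icmp from $interne to any out icmptypes 1,8,11
$cmd add 804 deny log icmp from any to any
$cmd add 900 allow tcp from any to any http,https,ftp,ftp\-data setup in via $oif
$cmd add 901 allow tcp from any to any ssh,auth,4662,1521 setup in via $oif
$cmd add 902 allow tcp from any to any smtp,pop3,imap setup in via $oif
$cmd add 903 allow tcp from any to any domain,6667,2234,5534 setup in via $oif
$cmd add 904 allow tcp from any to any 8888 in via $oif
$cmd add 905 allow udp from any to any 7777,7778 in via $oif
$cmd add 906 allow tcp from any to any 49152-65535 in via $oif
$cmd add 1000 reject log tcp from any to any setup in via $oif
"""

@dataclass
class Packet:
    proto: str; src: str; dst: str; direction: str; iface: str
    sport: int = 0; dport: int = 0
    setup: bool = False; established: bool = False  # TCP SYN-only / ACK set
    icmptype: int = -1                              # -1 when not ICMP

def _ports(tok):
    """Expand '22,http,49152-65535' (ipfw spells ftp-data as ftp\\-data)."""
    out = set()
    for part in tok.replace("\\-", "-").split(","):
        if part in SERVICES:
            out.add(SERVICES[part])
        elif "-" in part:
            lo, hi = map(int, part.split("-")); out.update(range(lo, hi + 1))
        else:
            out.add(int(part))
    return out

def _addr(t):
    """Pop one address spec ('any', 'a.b.c.d/n', 'not a.b.c.d/n') -> (negated, net)."""
    neg = t[0] == "not" and t.pop(0) == "not"       # consume the 'not' keyword
    spec = t.pop(0)
    return neg, None if spec == "any" else ipaddress.ip_network(spec, strict=False)

def parse_rule(line):
    """Parse one '$cmd add N action ...' line into a rule dict."""
    t = re.sub(r"\$(\w+)", lambda m: VARS[m.group(1)], line).split()
    rule = dict(num=int(t[2]), action=t[3], dports=None, dir=None, via=None,
                setup=False, established=False, icmptypes=None)
    t = [x for x in t[4:] if x != "log"]            # 'log' does not affect matching
    rule["proto"], _ = t.pop(0), t.pop(0)           # protocol, then the 'from' keyword
    rule["src"] = _addr(t)
    t.pop(0)                                        # 'to'
    rule["dst"] = _addr(t)
    if t and t[0] not in OPTIONS:
        rule["dports"] = _ports(t.pop(0))
    while t:                                        # trailing qualifiers
        opt = t.pop(0)
        if opt in ("in", "out"):
            rule["dir"] = opt
        elif opt in ("via", "icmptypes"):
            val = t.pop(0)
            rule[opt] = val if opt == "via" else {int(x) for x in val.split(",")}
        else:
            rule[opt] = True                        # setup / established
    return rule

def matches(r, p):
    """True when packet p satisfies every qualifier of rule r."""
    ok = lambda spec, ip: (spec[1] is None or ipaddress.ip_address(ip) in spec[1]) != spec[0]
    return (r["proto"] in ("ip", p.proto) and ok(r["src"], p.src) and ok(r["dst"], p.dst)
            and (r["dports"] is None or p.dport in r["dports"])
            and r["dir"] in (None, p.direction) and r["via"] in (None, p.iface)
            and (p.setup or not r["setup"]) and (p.established or not r["established"])
            and (r["icmptypes"] is None or p.icmptype in r["icmptypes"]))

RULES = [parse_rule(line) for line in RULESET.strip().splitlines()]

def walk(p, rules=RULES):
    """First-match walk: (rule number, action) that decides packet p."""
    return next(((r["num"], r["action"]) for r in rules if matches(r, p)),
                (65535, "deny"))                    # assumed kernel default rule
```

Under these assumptions, walk() shows a few things the rule listing alone does not make obvious: an inbound TCP SYN arriving on tun0 for port 21 (what ipfw sees if the ipnat rdr has already rewritten 1521 to 21 and the destination to jahkub) is accepted by rule 900, while a SYN still addressed to port 1521 is accepted by 901, so the FTP control connection is permitted either way and the FTP problem has to be looked for on the ipnat side or in the data channel, not in these rules; rule 700 accepts every inbound UDP datagram on tun0, so rules 710, 711 and 905 can never fire and the DNS and UT restrictions they express are not enforced; and a ping from a LAN host to the external address enters via ep0 and is passed by rule 500, which is why the hairpin ping works even though an echo request arriving from outside on tun0 falls through to rule 804 and is denied.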