Date:      Thu, 26 Apr 2001 16:21:51 -0700 (PDT)
From:      Matt Dillon <dillon@earth.backplane.com>
To:        Jesús Arnáiz <jesus@pasapues.com>
Cc:        <questions@FreeBSD.ORG>, <hackers@FreeBSD.ORG>
Subject:   Re: NAT and IPFiltering
Message-ID:  <200104262321.f3QNLpx61257@earth.backplane.com>
References:   <EPEJLCLAKFDENCGMPJJDAECPDFAA.jesus@pasapues.com>


:Hi!
:
:I'm configuring a server able to do NAT and IP FILTERING (IPF).
:
:What are the required options that I should set to the kernel?
:
:I have this:
:...
:Jesús Arnáiz

    I think all you need is:

	options         IPFIREWALL
	options         IPDIVERT

    I usually also have (because it is useful):

	options         IPFILTER
	options         IPFIREWALL_FORWARD

    --

    For my firewall configuration

	firewall_enable="YES"
	firewall_type="/etc/ipfw.conf"
	ip_portrange_first=4000
	ip_portrange_last=5000

    My /etc/ipfw.conf file contains:

	# do not allow an outside entity to spoof our internal network
	# IPs
	add 00300 deny all from 10.0.0.0/8 in via fxp0

	# NATD diversions
	#
	add 00400 divert 8668 ip from 10.0.0.0/8 to not 10.0.0.0/8
	add 00400 divert 8668 ip from not 10.0.0.0/8 to 208.161.114.67

	# allow data related to already-established TCP connections
	# (near the top of the ruleset to packet switch efficiently)
	#
	add 01000 allow tcp from any to any established

	# allow all outgoing packets
	#
	add 01001 allow all from any to any out via fxp0
	add 01001 allow all from any to any out via fxp1

	# allow all strictly internal network traffic
	add 01010 allow all from 10.0.0.0/8 to 10.0.0.0/8

	# allow temporary ports and specific UDP services 
	#
	add 02000 allow udp from any to any 4000-65535,domain,ntalk,ntp
	add 02500 allow udp from any to any frag

	# allow temporary ports and specific TCP services.  Note that
	# TCP packet fragments are not allowed.
	#
	add 03000 allow tcp from any to any http,https
	add 03000 allow tcp from any to any 4000-65535,ssh,smtp,domain,ntalk
	add 03000 allow tcp from any to any auth,pop3,ftp,ftp-data

	# allow certain icmp types through for ping, routing errors, and
	# tcp mtu path negotiation.
	#
	add 04000 allow icmp from any to any icmptypes 0,3,5,8,11,12,13,14

	# log any remaining fragments that get through and deny the rest
	#
	add 05000 deny log ip from any to any frag
	add 65000 deny ip from any to any

    The rc.conf setup for my ethernet port is roughly:

	# Exposed network
	#
	ifconfig_fxp0="inet 208.161.114.65 netmask 255.255.255.192"

	# Exposed for NAT
	#
	ifconfig_fxp0_alias1="inet 208.161.114.67 netmask 255.255.255.192"

	# Internal network
	#
	ifconfig_fxp1="inet 10.0.0.2 netmask 255.255.255.0"

    And I run natd from /etc/rc.local using:

	natd -s -u -a 208.161.114.67

    *ALL* exposed services run from this machine are tied to the machine's
    exposed IP address, in my case 208.161.114.65.  It requires some work
    in named, sendmail.cf, and so forth to get the services bound to the
    correct IP address (you don't want to bind services to your NAT address).

    The .67 address in my case is only used for NAT traffic.

    The 4000-65535 junk is only really necessary for programs which use
    UDP (like DNS) and expect replies via UDP.  I don't run any internal
    TCP or UDP services on higher numbered ports but I like having
    the flexibility.  With some care and hardwiring of UDP ports for the
    services that need them, you can rip out the 4000-65535 stuff
    entirely.  I use it because it's reasonably secure and a 'file and forget'
    type of setup.

    If you are using NAT, your internal network should be in the 10.x.x.x
    space, and your external network should of course be in your
    internet-visible space.

						-Matt
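As an added illustration (not from Matt's mail or from FreeBSD itself), a small Python model of the ipfw.conf ruleset above using ipfw's first-match semantics, showing which rule a few constructed sample packets hit. Rule numbers, addresses and interface names come from the ruleset; service names are assumed to be their standard port numbers, and natd's address rewriting after a divert is not modelled.

```python
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")        # internal network used in the ruleset
NAT_ADDR = ip_address("208.161.114.67")    # the .67 alias natd listens on

def _in(addr, net): return ip_address(addr) in net

def _ports(p, allowed):
    # ipfw cannot match ports on a fragment, so port rules never hit "frag" packets
    return not p["frag"] and (4000 <= p["dport"] <= 65535 or p["dport"] in allowed)

# (rule number, action, predicate) in ruleset order; service names -> standard port numbers
RULES = [
    (300, "deny", lambda p: _in(p["src"], INTERNAL) and p["dir"] == "in" and p["iface"] == "fxp0"),
    (400, "divert", lambda p: _in(p["src"], INTERNAL) and not _in(p["dst"], INTERNAL)),
    (400, "divert", lambda p: not _in(p["src"], INTERNAL) and ip_address(p["dst"]) == NAT_ADDR),
    (1000, "allow", lambda p: p["proto"] == "tcp" and p["established"]),  # ACK or RST set
    (1001, "allow", lambda p: p["dir"] == "out" and p["iface"] in ("fxp0", "fxp1")),
    (1010, "allow", lambda p: _in(p["src"], INTERNAL) and _in(p["dst"], INTERNAL)),
    (2000, "allow", lambda p: p["proto"] == "udp" and _ports(p, {53, 518, 123})),
    (2500, "allow", lambda p: p["proto"] == "udp" and p["frag"]),
    (3000, "allow", lambda p: p["proto"] == "tcp" and _ports(p, {80, 443, 22, 25, 53, 518, 113, 110, 21, 20})),
    (4000, "allow", lambda p: p["proto"] == "icmp" and p["icmptype"] in {0, 3, 5, 8, 11, 12, 13, 14}),
    (5000, "deny", lambda p: p["frag"]),
    (65000, "deny", lambda p: True),
]

def packet(proto, src, dst, dport=0, direction="in", iface="fxp0",
           established=False, frag=False, icmptype=None):
    return dict(proto=proto, src=src, dst=dst, dport=dport, dir=direction,
                iface=iface, established=established, frag=frag, icmptype=icmptype)

def evaluate(p):
    """First-match walk of RULES. Returns (action, rule number, rules hit).
    A divert rule hands the packet to natd and evaluation resumes at the next
    rule; the address rewrite natd would perform is not modelled."""
    hits = []
    for num, action, match in RULES:
        if match(p):
            hits.append(num)
            if action != "divert":
                return action, num, hits
    return "deny", 65000, hits  # not reached: rule 65000 matches everything

if __name__ == "__main__":
    for p in (packet("tcp", "10.1.2.3", "208.161.114.65", 80),             # spoofed 10/8 source
              packet("tcp", "1.2.3.4", "208.161.114.65", 23),              # inbound telnet SYN
              packet("tcp", "10.0.0.5", "1.2.3.4", 443, direction="out"),  # internal host via NAT
              packet("tcp", "1.2.3.4", "208.161.114.65", 80, frag=True)):  # inbound TCP fragment
        print(p["proto"], p["src"], "->", p["dst"], p["dport"], evaluate(p))
```

The walk makes the ordering visible: the anti-spoof rule at 300 fires before the divert rules, and an inbound fragment is logged and dropped at 5000 because no port rule can match it.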

