Date: Thu, 26 Apr 2001 16:21:51 -0700 (PDT)
From: Matt Dillon <dillon@earth.backplane.com>
To: Jesús Arnáiz <jesus@pasapues.com>
Cc: <questions@FreeBSD.ORG>, <hackers@FreeBSD.ORG>
Subject: Re: NAT and IPFiltering
Message-ID: <200104262321.f3QNLpx61257@earth.backplane.com>
References: <EPEJLCLAKFDENCGMPJJDAECPDFAA.jesus@pasapues.com>
:Hi!
:
:I'm configuring a server able to do NAT and IP FILTERING (IPF).
:
:What are the required options that I should set to the kernel?
:
:I have this:
:...
:Jesús Arnáiz
I think all you need is:
options IPFIREWALL
options IPDIVERT
I usually also have (because it is useful):
options IPFILTER
options IPFIREWALL_FORWARD
--
For my firewall configuration
firewall_enable="YES"
firewall_type="/etc/ipfw.conf"
ip_portrange_first=4000
ip_portrange_last=5000
My /etc/ipfw.conf file contains:
# do not allow an outside entity to spoof our internal network
# IPs
add 00300 deny all from 10.0.0.0/8 to any in via fxp0
# NATD diversions
#
add 00400 divert 8668 ip from 10.0.0.0/8 to not 10.0.0.0/8
add 00400 divert 8668 ip from not 10.0.0.0/8 to 208.161.114.67
# allow data related to already-established TCP connections
# (near the top of the ruleset to packet switch efficiently)
#
add 01000 allow tcp from any to any established
# allow all outgoing packets
#
add 01001 allow all from any to any out via fxp0
add 01001 allow all from any to any out via fxp1
# allow all strictly internal network traffic
add 01010 allow all from 10.0.0.0/8 to 10.0.0.0/8
# allow temporary ports and specific UDP services
#
add 02000 allow udp from any to any 4000-65535,domain,ntalk,ntp
add 02500 allow udp from any to any frag
# allow temporary ports and specific TCP services. Note that
# TCP packet fragments are not allowed.
#
add 03000 allow tcp from any to any http,https
add 03000 allow tcp from any to any 4000-65535,ssh,smtp,domain,ntalk
add 03000 allow tcp from any to any auth,pop3,ftp,ftp-data
# allow certain icmp types through for ping, routing errors, and
# tcp mtu path negotiation.
#
add 04000 allow icmp from any to any icmptypes 0,3,5,8,11,12,13,14
# log any remaining fragments that get through and deny the rest
#
add 05000 deny log ip from any to any frag
add 65000 deny ip from any to any
The rc.conf setup for my ethernet port is roughly:
# Exposed network
#
ifconfig_fxp0="inet 208.161.114.65 netmask 255.255.255.192"
# Exposed for NAT
#
ifconfig_fxp0_alias1="inet 208.161.114.67 netmask 255.255.255.192"
# Internal network
#
ifconfig_fxp1="inet 10.0.0.2 netmask 255.255.255.0"
And I run natd from /etc/rc.local using:
natd -s -u -a 208.161.114.67
*ALL* exposed services run from this machine are tied to the machine's
exposed IP address, in my case 208.161.114.65. It requires some work
in named, sendmail.cf, and so forth to get the services bound to the
correct IP address (you don't want to bind services to your NAT address).
The .67 address in my case is only used for NAT traffic.
The 4000-65535 junk is only really necessary for programs which use
UDP (like DNS) and expect replies via UDP. I don't run any internal
TCP or UDP services on higher numbered ports but I like having
the flexibility. With some care and hardwiring of UDP ports for the
services that need them, you can rip out the 4000-65535 stuff
entirely. I use it because it's reasonably secure and a 'fire and forget'
type of setup.
If you are using NAT, your internal network should be in the 10.x.x.x
space, and your external network should of course be in your
internet-visible space.
-Matt
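As an added example that is not part of Matt's mail: a small Python simulator for the ipfw(8) rule subset used in the ruleset above. It parses the rules as posted (rule 300 is given the "to any" clause that ipfw's grammar requires), evaluates constructed packets first-match in rule-number order, and records divert hits without modelling natd's address rewriting. The packet addresses (198.51.100.7), the service-name-to-port table (taken from /etc/services) and the helper names are assumptions for illustration. Running it makes two properties of the ruleset visible: `established` in rule 1000 is a check for the ACK or RST flag, not for connection state, so an unsolicited inbound segment with ACK set is allowed to a port such as 3306 that no later rule opens, while the same packet as a SYN falls to rule 65000; and a non-first TCP fragment passes every port-qualified rule and lands on the logging deny at 5000.

```python
"""Added example (not from the mail): a first-match simulator for the ipfw(8) syntax subset
used in the posted /etc/ipfw.conf.  Divert hits are recorded, natd rewriting is not modeled."""
import ipaddress
SERVICES = {"domain": 53, "ntalk": 518, "ntp": 123, "http": 80, "https": 443, "ssh": 22,
            "smtp": 25, "auth": 113, "pop3": 110, "ftp": 21, "ftp-data": 20}
KEYWORDS = {"to", "in", "out", "via", "established", "frag", "icmptypes"}
RULESET = """\
add 00300 deny all from 10.0.0.0/8 to any in via fxp0
add 00400 divert 8668 ip from 10.0.0.0/8 to not 10.0.0.0/8
add 00400 divert 8668 ip from not 10.0.0.0/8 to 208.161.114.67
add 01000 allow tcp from any to any established
add 01001 allow all from any to any out via fxp0
add 01001 allow all from any to any out via fxp1
add 01010 allow all from 10.0.0.0/8 to 10.0.0.0/8
add 02000 allow udp from any to any 4000-65535,domain,ntalk,ntp
add 02500 allow udp from any to any frag
add 03000 allow tcp from any to any http,https
add 03000 allow tcp from any to any 4000-65535,ssh,smtp,domain,ntalk
add 03000 allow tcp from any to any auth,pop3,ftp,ftp-data
add 04000 allow icmp from any to any icmptypes 0,3,5,8,11,12,13,14
add 05000 deny log ip from any to any frag
add 65000 deny ip from any to any
"""

def packet(proto, src, dst, direction, iface, dport=0, flags=(), frag_off=0, icmp_type=-1):
    """A constructed packet; frag_off > 0 marks a non-first IP fragment (no L4 header)."""
    return dict(proto=proto, src=src, dst=dst, direction=direction, iface=iface, dport=dport,
                flags=set(flags), frag_off=frag_off, icmp_type=icmp_type)

def parse_ports(spec):
    """'4000-65535,domain,ftp-data' -> [(4000, 65535), (53, 53), (20, 20)]"""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = str(SERVICES.get(item, item)).partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def parse_addr(toks, i):
    """'any' or '[not] addr[/len]' -> ((negate, network or None), next token index)"""
    negate = toks[i] == "not"
    i += negate
    net = None if toks[i] == "any" else ipaddress.ip_network(toks[i], strict=False)
    return (negate, net), i + 1

def parse_rule(line):
    """add NUM ACTION [divert-port] [log] PROTO from SRC to DST [ports] [options...]"""
    toks = line.split()
    r = {"num": int(toks[1]), "action": toks[2], "dports": [], "dir": None, "via": None,
         "established": False, "frag": False, "icmptypes": None}
    i = 3 + (toks[2] == "divert")           # skip the divert port, then an optional "log"
    i += toks[i] == "log"
    r["proto"] = toks[i]                     # toks[i + 1] is "from"
    r["src"], i = parse_addr(toks, i + 2)    # toks[i] is now "to"
    r["dst"], i = parse_addr(toks, i + 1)
    if i < len(toks) and toks[i] not in KEYWORDS:
        r["dports"], i = parse_ports(toks[i]), i + 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            r["dir"] = t
        elif t in ("established", "frag"):
            r[t] = True
        elif t in ("via", "icmptypes"):
            i += 1
            r[t] = toks[i] if t == "via" else {int(x) for x in toks[i].split(",")}
        else:
            raise ValueError(f"unsupported token {t!r}: {line}")
        i += 1
    return r

def addr_match(spec, ip):                    # spec is (negate, network or None)
    return spec[1] is None or (ipaddress.ip_address(ip) in spec[1]) != spec[0]

def rule_matches(r, p):
    if (r["proto"] not in ("all", "ip", p["proto"]) or not addr_match(r["src"], p["src"])
            or not addr_match(r["dst"], p["dst"])):
        return False
    if (r["dir"] and r["dir"] != p["direction"]) or (r["via"] and r["via"] != p["iface"]):
        return False
    needs_l4 = r["dports"] or r["established"] or r["icmptypes"] is not None
    if (needs_l4 and p["frag_off"] > 0) or (r["frag"] and p["frag_off"] == 0):
        return False                         # a non-first fragment has no ports or flags
    if r["dports"] and not any(lo <= p["dport"] <= hi for lo, hi in r["dports"]):
        return False
    if r["established"] and not (p["flags"] & {"ACK", "RST"}):
        return False                         # "established" is a flag check, not state
    return r["icmptypes"] is None or p["icmp_type"] in r["icmptypes"]

def evaluate(rules, p):
    """(rule number, action, divert rules hit); first allow/deny match decides, divert continues."""
    diverts = []
    for r in sorted(rules, key=lambda k: k["num"]):   # stable: equal numbers keep file order
        if not rule_matches(r, p):
            continue
        if r["action"] == "divert":
            diverts.append(r["num"])
            continue
        return r["num"], r["action"], diverts
    return 65535, "deny", diverts            # ipfw's default rule when nothing else matches
RULES = [parse_rule(line) for line in RULESET.splitlines()]
```

`evaluate(RULES, packet("tcp", "198.51.100.7", "208.161.114.65", "in", "fxp0", 3306, {"ACK"}))` returns `(1000, "allow", [])`, and the same packet with `{"SYN"}` returns `(65000, "deny", [])`; an internal host's SYN to port 80 leaving via fxp1 returns `(3000, "allow", [400])`, showing the divert it passed through first.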
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200104262321.f3QNLpx61257>
