Date: Mon, 3 Jul 2006 12:57:35 -0400 (CDT)
From: efrenba@dhl.gcc.cu
To: freebsd-questions@freebsd.org
Subject: Re: firewalls' behavior help
Message-ID: <2810.7.96.160.15.1151945855.squirrel@dhlgw.dhl.gcc.cu>
In-Reply-To: <20060629130724.GZ1554@sanctum.terrorpin.net>
References: <1052.7.96.160.22.1151545386.squirrel@dhlgw.dhl.gcc.cu> <20060629130724.GZ1554@sanctum.terrorpin.net>
Box: FreeBSD 6.0, ipf: IP Filter: v4.1.8 (416), Kernel: IP Filter: v4.1.8

Network layout:
---------------

  other building [ PCs - 192.168.80.0/24 ]
        |
  g1 (ipf - vr0:192.168.80.2 <-> sis0:10.10.10.13)
        |
  My Lan ( 10.10.10.0/24 )
     [ PCs (DefaultGw = g2) ]
     [ MailSrv (10.10.10.12) (pop3/smtp/ssh) (DefaultGw = g2) ]
     [ WebSrv (10.10.10.11) (http) (DefaultGw = g1) ]
        |
       g2
        |
    Internet

ipnat.rules
-----------
map vr0 10.10.10.0/24 -> 192.168.80.2/32 proxy port 21 ftp/tcp
map vr0 10.10.10.0/24 -> 192.168.80.2/32
rdr vr0 192.168.80.2/32 port 80 -> 10.10.10.11 port 80 tcp
rdr vr0 192.168.80.2/32 port 22 -> 10.10.10.12 port 22 tcp
rdr vr0 192.168.80.2/32 port 25 -> 10.10.10.12 port 25 tcp
rdr vr0 192.168.80.2/32 port 110 -> 10.10.10.12 port 110 tcp

ipf.rules
---------
### No restrictions inside LAN Interface ###
pass out quick on sis0 all
pass in quick on sis0 all

### No restrictions on Loopback Interface ###
pass out quick on lo0 all
pass in quick on lo0 all

### Allow out DNS queries ###
pass out quick on vr0 proto tcp from any to 192.168.10.5 port = 53 flags S keep state
pass out quick on vr0 proto udp from any to 192.168.10.5 port = 53 keep state

### Allow IE out ###
pass out quick on vr0 proto tcp from any to any port = 80 flags S keep state

### Allow Squid Access out ###
pass out quick on vr0 proto tcp from any to any port = 3128 flags S keep state
pass out quick on vr0 proto tcp from any to any port = 3130 flags S keep state

### Allow FTP out ###
pass out quick on vr0 proto tcp from any to any port = 21 flags S keep state

### Allow Remote Desktop to WinXP external PCs ###
pass out quick on vr0 proto tcp from any to any port = 3389 flags S keep state

### Allow MailServer to Deliver mails ###
pass out quick on vr0 proto tcp from any to any port = 25 flags S keep state

### Block and Log only first occurrence of everything ###
block out log first quick on vr0 all

### Block all inbound traffic from non-routable or reserved address spaces ...

### Allow in ssh session from other building ###
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state

### Allow in HTTP session from public to Internal MailServer ###
pass in quick on vr0 proto tcp from any to any port = 80 flags S keep state

### Allow in SMTP access to Internal Mail Server ###
pass in quick on vr0 proto tcp from any to any port = 25 flags S keep state

### Allow in POP3 access to Internal Mail Server ###
pass in quick on vr0 proto tcp from any to any port = 110 flags S keep state

### Block and log only first occurrence of all remaining traffic ###
block in log first quick on vr0 all

The situation:
--------------
...if the server (MailSrv) is redirected to G1, the users are able to connect
to the services. To be sure about it, I redirected the server (WebSrv) with
apache, which before was pointing to G1, to G2 (internet), and the access was
broken for the other building...

Why does this happen?

> If I understand your description, it could be mapped like this:
>
> net1 is the other building's network
> net1pc1 .. net1pcN
>
> net2 is your network
> net2pc1 .. net2pcN
> net2server1 .. net2server3
>
> g1 == net1,net2
> g2 == net2,Internet
>
> Assumptions:
> net1 and net2 are private
> the default gateway for g1 is g2
> g1 is using a map rule to nat net1 hosts to net2
> the default gateway for g2 is on the Internet
> g2 is using a map rule to nat net2 hosts to the Internet
>
> If a net1 PC connects through g1, it would be mapped as coming from g1.
> Since g1 is on net2, and g2 can route to net2, the servers using g2 as
> the default route should have no problem. My assumptions may be false.
> Would you post the g1 and g2 ipf.conf and ipnat.conf, and specify the
> net1 and net2 CIDRs?
>
> Thank you,
>
> Ben
>
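The following is an added example, not code from the thread or from either of its authors. It models the layout posted above with Python's ipaddress module to show the path a connection from the other building takes: g1's ipnat "rdr" rule rewrites only the destination of the inbound packet, so the internal server sees the other building's real client address and sends its reply along its own routing table. If that table points the reply at g2 instead of g1, g1 never sees the return traffic and cannot undo the translation. Assumptions not in the thread: g2's LAN address is taken to be 10.10.10.1, the client in the other building is a constructed 192.168.80.50, and the extra route in MAILSRV_FIXED is one possible remedy, not something the poster described.

```python
"""Model of why a rdr target whose default route bypasses g1 never answers.

Added example, not part of the original thread. g1 is 10.10.10.13 on sis0
and 192.168.80.2 on vr0, as in the poster's layout. The rdr table below is
copied from the poster's ipnat.rules.
"""
import ipaddress
from dataclasses import dataclass, replace

G1_LAN = "10.10.10.13"
G1_NET1 = "192.168.80.2"
G2_LAN = "10.10.10.1"      # assumed; the thread never gives g2's LAN address
CLIENT = "192.168.80.50"   # constructed client in the other building

# rdr rules from the poster's ipnat.rules: public port -> (internal host, port)
RDR = {80: ("10.10.10.11", 80), 22: ("10.10.10.12", 22),
       25: ("10.10.10.12", 25), 110: ("10.10.10.12", 110)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def next_hop(routes, dst):
    """Longest-prefix match over a list of (prefix, gateway) entries."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def g1_inbound(pkt, state):
    """g1 applies the rdr rule on vr0: only the destination is rewritten."""
    if pkt.dst != G1_NET1 or pkt.dport not in RDR:
        return None  # would fall through to 'block in log first quick on vr0 all'
    host, port = RDR[pkt.dport]
    state[(host, port, pkt.src, pkt.sport)] = pkt
    return replace(pkt, dst=host, dport=port)


def g1_return(pkt, state):
    """Reverse the translation for a reply that actually reaches g1."""
    orig = state.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
    if orig is None:
        return None
    return replace(pkt, src=orig.dst, sport=orig.dport)


def client_connect(dport, server_routes):
    """True if the client gets back a SYN/ACK it can match to its SYN.

    server_routes is the rdr target's routing table as (prefix, gateway).
    """
    state = {}
    syn = Packet(CLIENT, 40000, G1_NET1, dport)
    inside = g1_inbound(syn, state)
    if inside is None:
        return False
    # The server replies straight to the untranslated client address.
    synack = Packet(inside.dst, inside.dport, inside.src, inside.sport)
    if next_hop(server_routes, synack.dst) != G1_LAN:
        return False  # reply goes to g2 and out to the Internet; g1 never sees it
    back = g1_return(synack, state)
    return back is not None and back.src == G1_NET1 and back.sport == dport


LAN = ("10.10.10.0/24", "direct")
WEBSRV_ROUTES = [LAN, ("0.0.0.0/0", G1_LAN)]    # DefaultGw = g1, as posted
MAILSRV_ROUTES = [LAN, ("0.0.0.0/0", G2_LAN)]   # DefaultGw = g2, as posted
# Assumed remedy: keep g2 as default but send the other building via g1.
MAILSRV_FIXED = MAILSRV_ROUTES + [("192.168.80.0/24", G1_LAN)]

if __name__ == "__main__":
    print("WebSrv  :80 via g1 default  ->", client_connect(80, WEBSRV_ROUTES))
    print("MailSrv :25 via g2 default  ->", client_connect(25, MAILSRV_ROUTES))
    print("MailSrv :25 with g1 route   ->", client_connect(25, MAILSRV_FIXED))
```

Running it reproduces the poster's two observations: a server whose default gateway is g1 answers the other building, and the same server pointed at g2 does not. The extra 192.168.80.0/24 route is only one way to close the gap and is an assumption of this example; the thread itself proposes no fix.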
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2810.7.96.160.15.1151945855.squirrel>