From: efrenba@dhl.gcc.cu
To: freebsd-questions@freebsd.org
Date: Mon, 3 Jul 2006 12:57:35 -0400 (CDT)
Subject: Re: firewalls' behavior help
Message-ID: <2810.7.96.160.15.1151945855.squirrel@dhlgw.dhl.gcc.cu>
In-Reply-To: <20060629130724.GZ1554@sanctum.terrorpin.net>

Box: FreeBSD 6.0, ipf: IP Filter: v4.1.8 (416), Kernel: IP Filter: v4.1.8

Network layout:
---------------

                 other building
           [ PCs - 192.168.80.0/24 ]
                       |
    g1 (ipf - vr0:192.168.80.2 <-> sis0:10.10.10.13)
                       |
              My Lan ( 10.10.10.0/24 )
    [ PCs (DefaultGw = g2) ]
    [ MailSrv (10.10.10.12) (pop3/smtp/ssh) (DefaultGw = g2) ]
    [ WebSrv  (10.10.10.11) (http)          (DefaultGw = g1) ]
                       |
                       g2
                       |
                    Internet

ipnat.rules
-----------

map vr0 10.10.10.0/24 -> 192.168.80.2/32 proxy port 21 ftp/tcp
map vr0 10.10.10.0/24 -> 192.168.80.2/32
rdr vr0 192.168.80.2/32 port 80 -> 10.10.10.11 port 80 tcp
rdr vr0 192.168.80.2/32 port 22 -> 10.10.10.12 port 22 tcp
rdr vr0 192.168.80.2/32 port 25 -> 10.10.10.12 port 25 tcp
rdr vr0 192.168.80.2/32 port 110 -> 10.10.10.12 port 110 tcp

ipf.rules
---------

### No restrictions inside LAN Interface ###
pass out quick on sis0 all
pass in quick on sis0 all

### No restrictions on Loopback Interface ###
pass out quick on lo0 all
pass in quick on lo0 all

### Allow out DNS queries ###
pass out quick on vr0 proto tcp from any to 192.168.10.5 port = 53 flags S keep state
pass out quick on vr0 proto udp from any to 192.168.10.5 port = 53 keep state

### Allow IE out ###
pass out quick on vr0 proto tcp from any to any port = 80 flags S keep state

### Allow Squid Access out ###
pass out quick on vr0 proto tcp from any to any port = 3128 flags S keep state
pass out quick on vr0 proto tcp from any to any port = 3130 flags S keep state

### Allow FTP out ###
pass out quick on vr0 proto tcp from any to any port = 21 flags S keep state

### Allow Remote Desktop to WinXP external PCs ###
pass out quick on vr0 proto tcp from any to any port = 3389 flags S keep state

### Allow MailServer to Deliver mails ###
pass out quick on vr0 proto tcp from any to any port = 25 flags S keep state

### Block and Log only first occurrence of everything ###
block out log first quick on vr0 all

### Block all inbound traffic from non-routable or reserved address spaces
...

### Allow in ssh session from other building ###
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state

### Allow in HTTP session from public to Internal MailServer ###
pass in quick on vr0 proto tcp from any to any port = 80 flags S keep state

### Allow in SMTP access to Internal Mail Server ###
pass in quick on vr0 proto tcp from any to any port = 25 flags S keep state

### Allow in POP3 access to Internal Mail Server ###
pass in quick on vr0 proto tcp from any to any port = 110 flags S keep state

### Block and log only first occurrence of all remaining traffic ###
block in log first quick on vr0 all

The situation:
--------------

...if the server (MailSrv) is redirected to G1, the users are able to connect to the services. To be sure about it, I redirected the server (WebSrv) running Apache, which before was pointing to G1, to G2 (Internet), and access was broken for the other building...

Why does this happen?

> If I understand your description, it could be mapped like this:
>
> net1 is the other building's network
>   net1pc1 .. net1pcN
>
> net2 is your network
>   net2pc1 .. net2pcN
>   net2server1 .. net2server3
>
> g1 == net1,net2
> g2 == net2,Internet
>
> Assumptions:
>   net1 and net2 are private
>   the default gateway for g1 is g2
>   g1 is using a map rule to nat net1 hosts to net2
>   the default gateway for g2 is on the Internet
>   g2 is using a map rule to nat net2 hosts to the Internet
>
> If a net1 PC connects through g1, it would be mapped as coming from g1.
> Since g1 is on net2, and g2 can route to net2, the servers using g2 as
> the default route should have no problem. My assumptions may be false.
> Would you post the g1 and g2 ipf.conf and ipnat.conf, and specify what
> the net1 and net2 CIDRs are?
>
> Thank you,
>
> Ben
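The following is an added model of the topology in this thread, not code from either poster: it traces one connection from the other building through g1's rdr rules and then asks which gateway the LAN host uses for its reply, since a stateful rdr on g1 only works if that reply passes back through g1. The gateway labels "g1"/"g2", the client address and the optional per-host static-route table are constructed for the example.

```python
"""Constructed model: a client in the other building connects to g1's external
address, g1's rdr rule forwards the SYN to a LAN host, and the host's own
routing decides where the reply goes.  g1 holds the NAT state, so a reply
that leaves through g2 is never rewritten back to 192.168.80.2."""

G1_EXT = "192.168.80.2"            # g1 vr0, facing the other building
OTHER_BUILDING = "192.168.80.0/24"
LAN = "10.10.10.0/24"

# rdr rules from the posted ipnat.rules: external port -> (LAN host, port)
RDR = {80: ("10.10.10.11", 80), 22: ("10.10.10.12", 22),
       25: ("10.10.10.12", 25), 110: ("10.10.10.12", 110)}

# Default gateway of each LAN host, as drawn in the network layout.
DEFAULT_GW = {"10.10.10.11": "g1", "10.10.10.12": "g2"}


def ip_int(addr):
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def in_subnet(addr, cidr):
    net, bits = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return ip_int(addr) & mask == ip_int(net) & mask


def next_hop(host, dst, static_routes=None):
    """Gateway a LAN host uses for dst: on-link, a matching static route
    (constructed table: host -> {cidr: gateway}), else its default gateway."""
    if in_subnet(dst, LAN):
        return "direct"
    for cidr, gw in (static_routes or {}).get(host, {}).items():
        if in_subnet(dst, cidr):
            return gw
    return DEFAULT_GW[host]


def connection_works(client, port, static_routes=None):
    """Trace one TCP connect from `client` to G1_EXT:port. Returns (ok, why)."""
    if port not in RDR:
        return False, "no rdr rule: dropped by 'block in log first quick on vr0 all'"
    host, hport = RDR[port]
    # g1 now holds state: client <-> G1_EXT:port, rewritten to host:hport.
    gw = next_hop(host, client, static_routes)
    if gw != "g1":
        # The SYN-ACK leaves via g2 with source host:hport.  g1 never sees it,
        # so it is never rewritten to G1_EXT:port; even if it reached the
        # client it would not match the connection the client opened.
        return False, f"{host} replies via {gw}, bypassing g1's NAT state"
    return True, f"{host} replies through g1; state matches, source becomes {G1_EXT}"
```

Passing a static route for 192.168.80.0/24 via g1 on 10.10.10.12 makes the traced connection succeed in the model, which is the asymmetric-routing check to make when a rdr target does not use the NAT box as its default gateway.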