Date: Mon, 3 Jul 2006 14:19:44 -0400 (CDT)
From: efrenba@dhl.gcc.cu
To: freebsd-questions@freebsd.org
Subject: Re: firewalls' behavior help
Message-ID: <2942.7.96.160.15.1151950784.squirrel@dhlgw.dhl.gcc.cu>
In-Reply-To: <2810.7.96.160.15.1151945855.squirrel@dhlgw.dhl.gcc.cu>
References: <1052.7.96.160.22.1151545386.squirrel@dhlgw.dhl.gcc.cu> <20060629130724.GZ1554@sanctum.terrorpin.net> <2810.7.96.160.15.1151945855.squirrel@dhlgw.dhl.gcc.cu>
Sorry, this mail was for the ipfilter's list...

> Box: FreeBSD 6.0, ipf: IP Filter: v4.1.8 (416), Kernel: IP Filter: v4.1.8
>
> Network layout:
> ---------------
> other building [ PCs - 192.168.80.0/24 ]
>        |
>   g1 (ipf - vr0:192.168.80.2 <-> sis0:10.10.10.13)
>        |
> My Lan ( 10.10.10.0/24 )
>
>   [ PCs (DefaultGw = g2) ]
>
>   [ MailSrv (10.10.10.12) (pop3/smtp/ssh) (DefaultGw = g2) ]
>
>   [ WebSrv (10.10.10.11) (http) (DefaultGw = g1) ]
>        |
>       g2
>        |
>    Internet
>
>
> ipnat.rules
> -----------
> map vr0 10.10.10.0/24 -> 192.168.80.2/32 proxy port 21 ftp/tcp
> map vr0 10.10.10.0/24 -> 192.168.80.2/32
>
> rdr vr0 192.168.80.2/32 port 80 -> 10.10.10.11 port 80 tcp
> rdr vr0 192.168.80.2/32 port 22 -> 10.10.10.12 port 22 tcp
> rdr vr0 192.168.80.2/32 port 25 -> 10.10.10.12 port 25 tcp
> rdr vr0 192.168.80.2/32 port 110 -> 10.10.10.12 port 110 tcp
>
>
> ipf.rules
> ---------
> ### No restrictions inside LAN Interface ###
> pass out quick on sis0 all
> pass in quick on sis0 all
>
> ### No restrictions on Loopback Interface ###
> pass out quick on lo0 all
> pass in quick on lo0 all
>
> ### Allow out DNS queries ###
> pass out quick on vr0 proto tcp from any to 192.168.10.5 port = 53 flags S keep state
> pass out quick on vr0 proto udp from any to 192.168.10.5 port = 53 keep state
>
> ### Allow IE out ###
> pass out quick on vr0 proto tcp from any to any port = 80 flags S keep state
>
> ### Allow Squid Access out ###
> pass out quick on vr0 proto tcp from any to any port = 3128 flags S keep state
> pass out quick on vr0 proto tcp from any to any port = 3130 flags S keep state
>
> ### Allow FTP out ###
> pass out quick on vr0 proto tcp from any to any port = 21 flags S keep state
>
> ### Allow Remote Desktop to WinXP external PCs ###
> pass out quick on vr0 proto tcp from any to any port = 3389 flags S keep state
>
> ### Allow MailServer to Deliver mails ###
> pass out quick on vr0 proto tcp from any to any port = 25 flags S keep state
>
> ### Block and Log only first occurrence of everything ###
> block out log first quick on vr0 all
>
> ### Block all inbound traffic from non-routable or reserved address spaces
> ...
>
> ### Allow in ssh session from other building ###
> pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
>
> ### Allow in HTTP session from public to Internal MailServer ###
> pass in quick on vr0 proto tcp from any to any port = 80 flags S keep state
>
> ### Allow in SMTP access to Internal Mail Server ###
> pass in quick on vr0 proto tcp from any to any port = 25 flags S keep state
>
> ### Allow in POP3 access to Internal Mail Server ###
> pass in quick on vr0 proto tcp from any to any port = 110 flags S keep state
>
> ### Block and log only first occurrence of all remaining traffic ###
> block in log first quick on vr0 all
>
>
> The situation:
> --------------
> ...if the server (MailSrv) is redirected to G1, the users are able to
> connect to the services. To be sure about it, I redirected the
> server (WebSrv) with apache, which before was pointing to G1, to G2 (internet)
> and the access was broken for the other building...
>
> Why does this happen?
>
>
>> If I understand your description, it could be mapped like this:
>>
>> net1 is the other building's network
>>   net1pc1 .. net1pcN
>>
>> net2 is your network
>>   net2pc1 .. net2pcN
>>   net2server1 .. net2server3
>>
>> g1 == net1,net2
>> g2 == net2,Internet
>>
>> Assumptions:
>>   net1 and net2 are private
>>   the default gateway for g1 is g2
>>   g1 is using a map rule to nat net1 hosts to net2
>>   the default gateway for g2 is on the Internet
>>   g2 is using a map rule to nat net2 hosts to the Internet
>>
>> If a net1 PC connects through g1, it would be mapped as coming from g1.
>> Since g1 is on net2, and g2 can route to net2, the servers using g2 as
>> the default route should have no problem. My assumptions may be false.
>> Would you post the g1 and g2 ipf.conf and ipnat.conf, and specify what
>> the net1 and net2 CIDR?
>>
>> Thank you,
>>
>> Ben
>>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"

-- 
Efren Bravo
Sistemas DHL-Cuba
Telf-Pizarra: (537)-2041578 Ext 123
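Added illustration, not part of the thread: a toy Python model of g1 built from the rules posted above. It assumes (the mail does not say so) that an ipnat rdr rewrites only the destination address, that ipf consults its state table before the rule list, and that MailSrv sends its replies through its own default gateway; the client address 192.168.80.50 and all names are constructed.

```python
import re
from collections import namedtuple
# Constructed toy model of g1: a small subset of ipf rule syntax with a state
# table, plus the port-110 rdr entry from the posted ipnat.rules.
RULE = re.compile(r"(pass|block) (in|out)(?: log first)? quick on (\w+) "
                  r"(?:all|(?:proto (\w+) )?from (\S+) to (\S+)"
                  r"(?: port = (\d+))?( flags S)?( keep state)?)")
Pkt = namedtuple("Pkt", "iface dir proto src sport dst dport syn")

class Ipf:
    def __init__(self, rules_text):
        self.rules = [RULE.fullmatch(ln.strip()).groups()
                      for ln in rules_text.strip().splitlines()]
        self.state = set()

    def filter(self, p):
        key = (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))
        if key in self.state:          # state entries are consulted before the rule list
            return "pass"
        for act, d, ifc, proto, src, dst, port, flags, keep in self.rules:
            if (d, ifc) != (p.dir, p.iface) or (proto and proto != p.proto):
                continue
            if src not in (None, "any", p.src) or dst not in (None, "any", p.dst):
                continue
            if (port and int(port) != p.dport) or (flags and not p.syn):
                continue
            if keep:
                self.state.add(key)
            return act                 # every rule in the thread is 'quick'
        return "pass"                  # ipf default when no rule matches

G1_RULES = """
pass out quick on sis0 all
pass in quick on sis0 all
pass out quick on vr0 proto tcp from any to any port = 25 flags S keep state
block out log first quick on vr0 all
pass in quick on vr0 proto tcp from any to any port = 110 flags S keep state
block in log first quick on vr0 all
"""
RDR = {("192.168.80.2", 110): "10.10.10.12"}   # rdr rewrites the destination only

def pop3_session(server_default_gw):
    """Client in the other building -> g1 -> MailSrv. True if the SYN/ACK gets back."""
    g1 = Ipf(G1_RULES)
    syn = Pkt("vr0", "in", "tcp", "192.168.80.50", 40000, "192.168.80.2", 110, True)
    syn = syn._replace(dst=RDR[(syn.dst, syn.dport)])   # ipnat runs before the in filter
    if g1.filter(syn) != "pass":
        return False
    # MailSrv answers 192.168.80.50 via its own default gateway; the source was never
    # rewritten, so a reply sent through g2 bypasses g1 and the state entry held there.
    if server_default_gw != "g1":
        return False
    synack = Pkt("vr0", "out", "tcp", "10.10.10.12", 110, "192.168.80.50", 40000, False)
    return g1.filter(synack) == "pass"   # no 'port = 110' out rule; the state carries it
```

Switching the server's default gateway in the model reproduces the two outcomes described in the thread.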