From: efrenba@dhl.gcc.cu
To: freebsd-questions@freebsd.org
Date: Mon, 3 Jul 2006 14:19:44 -0400 (CDT)
Subject: Re: firewalls' behavior help
Message-ID: <2942.7.96.160.15.1151950784.squirrel@dhlgw.dhl.gcc.cu>
In-Reply-To: <2810.7.96.160.15.1151945855.squirrel@dhlgw.dhl.gcc.cu>

Sorry, this mail was for the ipfilter's list...

> Box: FreeBSD 6.0, ipf: IP Filter: v4.1.8 (416), Kernel: IP Filter: v4.1.8
>
> Network layout:
> ---------------
> other building [ PCs - 192.168.80.0/24 ]
>      |
>      g1 (ipf - vr0:192.168.80.2 <-> sis0:10.10.10.13)
>      |
> My Lan ( 10.10.10.0/24 )
>
>   [ PCs (DefaultGw = g2) ]
>
>   [ MailSrv (10.10.10.12) (pop3/smtp/ssh) (DefaultGw = g2) ]
>
>   [ WebSrv (10.10.10.11) (http) (DefaultGw = g1) ]
>      |
>      g2
>      |
> Internet
>
>
> ipnat.rules
> -----------
> map vr0 10.10.10.0/24 -> 192.168.80.2/32 proxy port 21 ftp/tcp
> map vr0 10.10.10.0/24 -> 192.168.80.2/32
>
> rdr vr0 192.168.80.2/32 port 80 -> 10.10.10.11 port 80 tcp
> rdr vr0 192.168.80.2/32 port 22 -> 10.10.10.12 port 22 tcp
> rdr vr0 192.168.80.2/32 port 25 -> 10.10.10.12 port 25 tcp
> rdr vr0 192.168.80.2/32 port 110 -> 10.10.10.12 port 110 tcp
>
>
> ipf.rules
> ---------
> ### No restrictions inside LAN Interface ###
> pass out quick on sis0 all
> pass in quick on sis0 all
>
> ### No restrictions on Loopback Interface ###
> pass out quick on lo0 all
> pass in quick on lo0 all
>
> ### Allow out DNS queries ###
> pass out quick on vr0 proto tcp from any to 192.168.10.5 port = 53 flags S keep state
> pass out quick on vr0 proto udp from any to 192.168.10.5 port = 53 keep state
>
>
> ### Allow IE out ###
> pass out quick on vr0 proto tcp from any to any port = 80 flags S keep state
>
> ### Allow Squid Access out ###
> pass out quick on vr0 proto tcp from any to any port = 3128 flags S keep state
> pass out quick on vr0 proto tcp from any to any port = 3130 flags S keep state
>
> ### Allow FTP out ###
> pass out quick on vr0 proto tcp from any to any port = 21 flags S keep state
>
> ### Allow Remote Desktop to WinXP external PCs ###
> pass out quick on vr0 proto tcp from any to any port = 3389 flags S keep state
>
> ### Allow MailServer to Deliver mails ###
> pass out quick on vr0 proto tcp from any to any port = 25 flags S keep state
>
>
> ### Block and Log only first occurrence of everything ###
> block out log first quick on vr0 all
>
>
> ### Block all inbound traffic from non-routable or reserved address spaces
> ...
>
>
>
> ### Allow in ssh session from other building ###
> pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
>
> ### Allow in HTTP session from public to Internal MailServer ###
> pass in quick on vr0 proto tcp from any to any port = 80 flags S keep state
>
> ### Allow in SMTP access to Internal Mail Server ###
> pass in quick on vr0 proto tcp from any to any port = 25 flags S keep state
>
> ### Allow in POP3 access to Internal Mail Server ###
> pass in quick on vr0 proto tcp from any to any port = 110 flags S keep state
>
>
> ### Block and log only first occurrence of all remaining traffic ###
> block in log first quick on vr0 all
>
>
> The situation:
> --------------
> ...if the server (MailSrv) is redirected to G1, the users are able to
> connect to the services. To be sure about it I redirected the
> server (WebSrv) with apache that before was pointing to G1 to G2 (internet)
> and the access was broken for the other building...
>
> Why does this happen?
>
>
>
>
>> If I understand your description, it could be mapped like this:
>>
>> net1 is the other building's network
>>   net1pc1 .. net1pcN
>>
>> net2 is your network
>>   net2pc1 .. net2pcN
>>   net2server1 .. net2server3
>>
>> g1 == net1,net2
>> g2 == net2,Internet
>>
>> Assumptions:
>>   net1 and net2 are private
>>   the default gateway for g1 is g2
>>   g1 is using a map rule to nat net1 hosts to net2
>>   the default gateway for g2 is on the Internet
>>   g2 is using a map rule to nat net2 hosts to the Internet
>>
>> If a net1 PC connects through g1, it would be mapped as coming from g1.
>> Since g1 is on net2, and g2 can route to net2, the servers using g2 as
>> the default route should have no problem. My assumptions may be false.
>> Would you post the g1 and g2 ipf.conf and ipnat.conf, and specify what
>> the net1 and net2 CIDRs are?
>>
>> Thank you,
>>
>> Ben
>>

--
Efren Bravo
Sistemas DHL-Cuba
Telf-Pizarra: (537)-2041578 Ext 123
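The reply-path question raised in the thread, modelled as an added example (not code from the thread, from Ben, or from ipfilter): g1's rdr rules rewrite only the destination, so the server's reply to a 192.168.80.x client follows the server's own routing table. The client address 192.168.80.50, the route lists and the static-route remedy on MailSrv are constructed assumptions for illustration; g2's address is not given in the thread.

```python
import ipaddress

OTHER_BUILDING = ipaddress.ip_network("192.168.80.0/24")
LAN = ipaddress.ip_network("10.10.10.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
G1_SIS0 = "10.10.10.13"   # g1's LAN side, where redirected packets enter the LAN
G2 = "g2"                 # internet gateway; address not stated in the thread

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs, like a host routing table."""
    dst = ipaddress.ip_address(dst)
    match = max((r for r in routes if dst in r[0]),
                key=lambda r: r[0].prefixlen, default=None)
    return match[1] if match else None

def rdr(client_ip, dst_ip, dport):
    """g1's 'rdr vr0 192.168.80.2/32 port N -> 10.10.10.x port N tcp' rules:
    only the destination changes; the source keeps the other building's address."""
    table = {80: "10.10.10.11", 22: "10.10.10.12", 25: "10.10.10.12", 110: "10.10.10.12"}
    if dst_ip == "192.168.80.2" and dport in table:
        return (client_ip, table[dport], dport)
    return None

def reply_returns_via_g1(server_routes, client_ip, dport):
    """True when the server's reply to a redirected flow goes back through g1,
    where ipf/ipnat hold the state for it; False means the return path is
    asymmetric and never reaches that state table."""
    flow = rdr(client_ip, "192.168.80.2", dport)
    if flow is None:
        return False
    src, _, _ = flow
    return next_hop(server_routes, src) == G1_SIS0

# Routing tables constructed from the layout in the thread.
WEBSRV_ROUTES = [(LAN, "direct"), (DEFAULT, G1_SIS0)]   # DefaultGw = g1
MAILSRV_ROUTES = [(LAN, "direct"), (DEFAULT, G2)]       # DefaultGw = g2
# Assumed remedy (not from the thread): a static route for the other building via g1.
MAILSRV_ROUTES_FIXED = MAILSRV_ROUTES + [(OTHER_BUILDING, G1_SIS0)]

if __name__ == "__main__":
    client = "192.168.80.50"   # constructed client in the other building
    print("WebSrv :80  reply via g1:", reply_returns_via_g1(WEBSRV_ROUTES, client, 80))
    print("MailSrv :25 reply via g1:", reply_returns_via_g1(MAILSRV_ROUTES, client, 25))
    print("MailSrv :25 with route  :", reply_returns_via_g1(MAILSRV_ROUTES_FIXED, client, 25))
```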