Date: Mon, 26 Oct 1998 15:58:04 -0800
From: Chad Thunberg <chadth@atvideo.com>
To: "'Damon Hopkins'" <dhopkins@rtci.com>
Cc: "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG>, "'freebsd-questions@freebsd.org'" <freebsd-questions@FreeBSD.ORG>
Subject: RE: firewall + internal mail server
Message-ID: <01BE00F9.6AD9FC00@chadth.atvideo.com>
Here are all my settings. I went over everything again and even have rc.firewall set to open so no firewalling rules would get in the way. I know natd is working properly because everything is getting out; only the firewall's IP is showing up on servers. I also made sure everything was being diverted to natd in rc.firewall.

I have this in my rc.conf, where vx0 is 204.118.35.21:

natd_enable="YES"                     # Enable natd if firewall_enable.
natd_interface="vx0"                  # Public interface to use with natd if natd_enable.
natd_flags="-l -m -f /etc/natd.conf"  # Additional flags for natd.

My natd.conf looks like:

#smtp
redirect_port tcp 204.118.35.14:25 204.118.35.21:25
redirect_port udp 204.118.35.14:25 204.118.35.21:25
#pop3
redirect_port tcp 204.118.35.14:110 204.118.35.21:110
redirect_port udp 204.118.35.14:110 204.118.35.21:110

Where 204.118.35.14 is my mail server and 204.118.35.21 is my firewall. Both are accessible from the inet now; I would like to make this work before I put the mail server behind the firewall.

Thanks,
-Chad

-----Original Message-----
From: Damon Hopkins [SMTP:dhopkins@rtci.com]
Sent: Monday, October 26, 1998 3:39 PM
To: Chad Thunberg
Subject: Re: firewall + internal mail server

are you using a file to do this and starting natd with the -f option?
I use natd -f /etc/natd.conf

also you need to specify it like this

redirect_port tcp inner.machine.ip:port outer.machine.ip:port
redirect_port udp inner.machine.ip:port outer.machine.ip:port

make sure the firewall rules state that everything needs to go through natd, like this in the rc.firewall:

$fwcmd add divert natd all from any to any via ${oif}

here is MY rc.firewall

fwcmd="/sbin/ipfw"
homeip="216.27.37.67"
oif="ed0"
onet="216.27.37.0"
omask="255.255.255.128"
oip="216.27.37.251"   # posted as 216.27.237.251, which is outside onet/omask; the natd.conf below uses 216.27.37.251
iif="ed1"
inet="10.0.0.0"
imask="255.255.255.0"
iip="10.0.0.1"

# Flush rules
$fwcmd -f flush

# Block stupid rwho from going out wrong port and causing log messages
$fwcmd add deny udp from not ${oip} who to any who out

# in case I fry natd at home, allow my one machine through to telnet :)
$fwcmd add pass tcp from ${homeip} to ${oip} 23 via ${oif}

# Run everything through natd
$fwcmd add divert natd all from any to any via ${oif}

# Stop spoofing and LOG it
$fwcmd add deny log all from 192.168.0.0:255.255.0.0 to any via ${oif}
$fwcmd add deny log all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny log all from 10.0.0.0:255.0.0.0 to any via ${oif}
$fwcmd add deny log all from ${onet}:${imask} to any via ${iif} in

# Stop LAND and LOG it
$fwcmd add deny log all from ${oip} to ${oip} via ${oif}
$fwcmd add deny log all from ${iip} to ${iip} via ${iif}

# allow everything else
$fwcmd add pass all from any to any

-----------------------------------------------------
And here is my natd.conf file, kinda long
-----------------------------------------------------
interface ed0
unregistered_only yes
same_ports yes

#All ssh to inside box
redirect_port tcp 10.0.0.2:22 216.27.37.251:22
redirect_port udp 10.0.0.2:22 216.27.37.251:22
redirect_port tcp 10.0.0.2:22 216.27.37.252:22
redirect_port udp 10.0.0.2:22 216.27.37.252:22

#All smtp to inside box
redirect_port tcp 10.0.0.2:25 216.27.37.251:25
redirect_port udp 10.0.0.2:25 216.27.37.251:25
redirect_port tcp 10.0.0.2:25 216.27.37.252:25
redirect_port udp 10.0.0.2:25 216.27.37.252:25

#ALL pop3 to inside box
redirect_port tcp 10.0.0.2:110 216.27.37.251:110
redirect_port udp 10.0.0.2:110 216.27.37.251:110
redirect_port tcp 10.0.0.2:110 216.27.37.252:110
redirect_port udp 10.0.0.2:110 216.27.37.252:110

#all imap to inside box
redirect_port tcp 10.0.0.2:143 216.27.37.251:143
redirect_port udp 10.0.0.2:143 216.27.37.251:143
redirect_port tcp 10.0.0.2:143 216.27.37.252:143
redirect_port udp 10.0.0.2:143 216.27.37.252:143

#redirect telnet for oxygen.rtci.com to totally.schizo.com
redirect_port tcp 10.0.0.2:23 216.27.37.252:23
redirect_port udp 10.0.0.2:23 216.27.37.252:23

#ftp for inside freebsd machine
redirect_port tcp 10.0.0.2:21 216.27.37.252:21
redirect_port udp 10.0.0.2:21 216.27.37.252:21

#ftp for windows box inside nat
redirect_port tcp 10.0.0.3:21 216.27.37.251:2121
redirect_port udp 10.0.0.3:21 216.27.37.251:2121

#http for totally.schizo.com (2 ip's)
redirect_port tcp 10.0.0.2:80 216.27.37.251:80
redirect_port udp 10.0.0.2:80 216.27.37.251:80
redirect_port tcp 10.0.0.5:80 216.27.37.252:80
redirect_port udp 10.0.0.5:80 216.27.37.252:80

#ident for totally.schizo.com
redirect_port tcp 10.0.0.2:113 216.27.37.252:113
redirect_port udp 10.0.0.2:113 216.27.37.252:113
--------------------------------------------------------

Hope this helps

Damon Hopkins

Chad Thunberg wrote:
>
> Damon,
> Thank you for your response but I am unable to make this work. Do I need to
> set something so natd listens to port 25 and 110? I have sendmail turned off
> on the firewalling server so that natd can bind to that port. I tried just
> adding redirect_port port mail.server.ip 25 as well as your example below but
> still can't connect to the specified port at all.
>
> Thanks,
>
> -Chad
>
> -----Original Message-----
> From: Damon Hopkins [SMTP:dhopkins@rtci.com]
> Sent: Thursday, October 22, 1998 12:58 PM
> To: Chad Thunberg
> Cc: freebsd-security@FreeBSD.ORG; freebsd-questions@FreeBSD.ORG
> Subject: Re: firewall + internal mail server
>
> I do it this way.. I don't think that the udp stuff is necessary but I
> put it in there because I'm too lazy to find out
>
> my natd.conf file
> #smtp
> redirect_port tcp 10.0.0.2:25 216.27.37.251:25
> redirect_port udp 10.0.0.2:25 216.27.37.251:25
>
> #pop3
> redirect_port tcp 10.0.0.2:110 216.27.37.251:110
> redirect_port udp 10.0.0.2:110 216.27.37.251:110
>
> #imap
> redirect_port tcp 10.0.0.2:143 216.27.37.251:143
> redirect_port udp 10.0.0.2:143 216.27.37.251:143
>
> Chad Thunberg wrote:
> >
> > I am setting up a firewall and enabled natd but have an internal mail
> > server. Is there a way to still be able to access the internal mail server
> > from the outside for sending and receiving email? I thought about giving
> > the firewall a vhost of mail.host.com and diverting packets that came in
> > from 110 and 25 to the internal mail server but from the man pages, divert
> > seems to be used for diverting packets from one port to another on the same
> > machine instead of diverting them to a new or internal ip. Any help on the
> > subject would be great. I would rather not put the mail server outside of
> > the firewall.
> >
> > Thanks,
> > -Chad
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
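An added example, not part of the thread above, that captures the two checks a practitioner would run on a natd/ipfw setup like the ones posted: (1) every redirect_port target must be on the inside network, because natd only rewrites packets it sees on the diverted interface, so a "target" that sits on the public segment answers the client directly and the reply is never translated back; and (2) the outer address of each redirect must be an address the gateway actually holds on that interface. natd attaches to a divert socket and never binds TCP port 25 or 110 itself, so whether sendmail runs on the gateway has no bearing on the redirect. The script also emits an ipfw ruleset that admits only the redirected services from the outside, instead of the "pass all from any to any" used in the posted rc.firewall; since natd rewrites the destination before the packet re-enters the ruleset, those pass rules match the inside address. The sample configs are constructed from the addresses in the thread; the 192.168.1.0/24 inside network for the second sample is an assumption, not something the thread states. SMTP, POP3 and IMAP are TCP only, so the udp lines are unnecessary (they are kept in the second sample only because the checker should handle them).

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check natd.conf redirect_port
# entries and emit the matching ipfw rules for an ipfw+natd gateway.
# Assumptions: one inside network (given as CIDR) behind one public
# interface; the public address(es) in natd.conf are aliases on that
# interface. The two sample configs below are constructed from the thread.

ip4_to_int() {            # "10.0.0.2" -> 167772162
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

prefix_to_mask() {        # 24 -> 4294967040 (0xFFFFFF00)
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

in_subnet() {             # in_subnet 10.0.0.2 10.0.0.0/24 ; exit 0 if inside
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    mask=$(prefix_to_mask "${2#*/}")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Report each redirect_port line on stderr and echo the number of bad ones.
# The target must be on the inside network; the outer address must be one of
# the gateway's public addresses (space-separated list in $3).
# usage: count_bad_redirects "<natd.conf text>" <inside CIDR> "<public ips>"
count_bad_redirects() {
    conf=$1; inside=$2; public=$3; bad=0
    while read -r kw proto inner outer rest; do
        [ "$kw" = redirect_port ] || continue      # skip comments/blank lines
        if ! in_subnet "${inner%:*}" "$inside"; then
            echo "BAD $proto $inner -> $outer: target not on $inside" >&2
            bad=$((bad + 1))
        else
            case " $public " in
                *" ${outer%:*} "*) echo "OK  $proto $inner -> $outer" >&2 ;;
                *) echo "BAD $proto $inner -> $outer: outer not a gateway address" >&2
                   bad=$((bad + 1)) ;;
            esac
        fi
    done <<EOF
$conf
EOF
    echo "$bad"
}

# Emit an ipfw ruleset that admits only the redirected services from outside.
# natd has already rewritten the destination when the packet re-enters the
# ruleset, so the inbound pass rules name the INSIDE host and port.
# usage: emit_ipfw_rules "<natd.conf text>" <outside if> <inside if>
emit_ipfw_rules() {
    conf=$1; oif=$2; iif=$3
    echo "ipfw -f flush"
    echo "ipfw add divert natd all from any to any via $oif"
    echo "ipfw add pass all from any to any via $iif"
    echo "ipfw add pass all from any to any out via $oif"
    echo "ipfw add pass tcp from any to any in via $oif established"
    printf '%s\n' "$conf" | while read -r kw proto inner outer rest; do
        [ "$kw" = redirect_port ] || continue
        host=${inner%:*}; port=${inner##*:}
        if [ "$proto" = tcp ]; then
            echo "ipfw add pass tcp from any to $host $port in via $oif setup"
        else
            echo "ipfw add pass $proto from any to $host $port in via $oif"
        fi
    done
    echo "ipfw add deny log all from any to any in via $oif"
}

# Constructed sample 1: the working layout from the thread (inside 10.0.0.0/24,
# aliases .251/.252 on ed0), TCP only since SMTP/POP3/IMAP never use UDP.
GOOD_CONF='#smtp
redirect_port tcp 10.0.0.2:25 216.27.37.251:25
#pop3
redirect_port tcp 10.0.0.2:110 216.27.37.251:110
#imap
redirect_port tcp 10.0.0.2:143 216.27.37.252:143'

# Constructed sample 2: redirects whose "inner" host is on the public segment.
# 192.168.1.0/24 is an assumed inside network, not one given in the thread.
BAD_CONF='#smtp
redirect_port tcp 204.118.35.14:25 204.118.35.21:25
redirect_port udp 204.118.35.14:25 204.118.35.21:25
#pop3
redirect_port tcp 204.118.35.14:110 204.118.35.21:110
redirect_port udp 204.118.35.14:110 204.118.35.21:110'

echo "good config: $(count_bad_redirects "$GOOD_CONF" 10.0.0.0/24 '216.27.37.251 216.27.37.252') bad line(s)"
echo "bad config:  $(count_bad_redirects "$BAD_CONF" 192.168.1.0/24 204.118.35.21) bad line(s)"
emit_ipfw_rules "$GOOD_CONF" ed0 ed1
```

The emitted ruleset denies everything else arriving on the outside interface, including connections to services on the gateway itself; add explicit pass rules for those (such as the homeip telnet rule in the posted rc.firewall) ahead of the final deny if they are wanted.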