Date:      Wed, 21 Apr 1999 00:30:51 -0400 (EDT)
From:      "Bruno Gallant" <bgallant@ConnecTalk.com>
To:        Phil Gilley <pgilley@metronet.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: SV: Sample Ipfw scripts?
Message-ID:  <Pine.BSF.4.05.9904202352150.25868-100000@atlantis.connectalk.com>
In-Reply-To: <Pine.HPP.3.95.990420163957.14052A-100000@fohnix.metronet.com>


We had a client a couple of months ago that wanted to be connected to the
internet.  They had an IBM F50 as their financial server.  They wanted to
also have Lotus Domino installed on it, to control email, among other
things.  They also have salesmen in the US and Canada, logging from their
own providers to access their Lotus databases.  And they wanted security,
obviously.

We installed FreeBSD 2.2.8 on an IBM Netfinity as the gateway, and used
the ipfw to block every port, except 22, 25, 1352, which stand, as you
know, for ssh, smtp and lotusnote.

The F50 is obviously behind the gateway, so we used natd to redirect the
ports 25 and 1352 to the internal machine.  In effect, if you would telnet
<gateway's IP> 1352, the F50 would answer, not the gateway.

We also restricted ssh connections to those coming from our company's
subnet, since our client does not have IT personnel on site; we maintain
their network.

So here's what I did (dummy addresses):

the F50 is 192.168.1.2;
the gateway is 789.456.123.111;
our corporate subnet is: 123.456.789.0/24;
xl0 is the external interface;
fxp0 is the internal interface.

In the rc.firewall, in the "simple" section I added:

$fwcmd add 155 allow tcp from any to 192.168.1.2 25 via xl0
$fwcmd add 157 allow tcp from any to 192.168.1.2 1352 via xl0
$fwcmd add 155 allow ip from any to any via fxp0
$fwcmd add 175 allow tcp from 123.456.789.0/24 to 789.456.123.111 22

In the rc.conf, and that's where the magic is, we edited the following
line:

natd_flags="-redirect_port tcp 192.168.1.2:25 25 -redirect_port tcp 192.168.1.2:1352 1352"   # Additional flags for natd.


So what basically happens is that if a packet arrives for the port 1352 on
the gateway, it hits the divert rule, where natd recognizes that it has to
change the destination address to the F50's while keeping the same port, and
puts the packet back in the rule stack, and so it hits rule 157, and goes
through.  natd remembers where the packet comes from in its internal
database, so there is no problem for the replies going back to the
originator.

It's more of a natd issue, true enough, but since natd cannot work without
ipfw...

From this example, you can create quite crazy configurations, where
accessing port 25 on one machine could end up in port 100 in another.

Don't know if it's a good example or not, but it solved our problem
neatly.


On Tue, 20 Apr 1999, Phil Gilley wrote:

> Date: Tue, 20 Apr 1999 16:43:01 -0500 (CDT)
> From: Phil Gilley <pgilley@metronet.com>
> To: Thomas Uhrfelt <thomas.uhrfelt@plymovent.se>
> Cc: freebsd-security@freebsd.org
> Subject: Re: SV: Sample Ipfw scripts?
> 
> On Tue, 20 Apr 1999, Thomas Uhrfelt wrote:
> 
> > You might want to take a look at the FreeBSD IPFW Config page below, but I 
> > don't think the scripts are very good,
> 
> Then send me some better ones to add to the page.  :-)
> 
> I make very limited use of ipfw.  I created the ipfw page because
> of frequent posts like the one earlier and because when I first
> started using ipfw the only examples I could find were in
> /etc/rc.firewall.  I was hoping to gather some more complex examples
> for people to learn from.  Does anyone care to show off what they're
> doing with ipfw?
> 
> Phil Gilley
> pgilley@metronet.com
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 


------------------+-----------------------------------------------------------
Bruno Gallant     | All wars are civil wars, because all men are brothers ...
System Integrator | Each one owes infinitely more to the human race than to
ConnecTalk        | the particular country in which he was born.
(514)856-3060     |                                        -- Francois Fenelon
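The divert/natd round trip Bruno describes, as an added example that is not part of the original post or of FreeBSD: a small Python model of how the divert rule hands a packet to natd, natd rewrites the destination from its -redirect_port table, and evaluation resumes at the next ipfw rule, so the redirected packet lands on rule 157 while the reply gets the gateway's address put back. Rules 155/157/175 and the two redirects are the post's; the divert rule (number 50) and the outbound allow (number 200) are assumed stand-ins for what the stock rc.firewall "simple" section supplies, the fxp0 rule is renumbered 165 only so the list is strictly ordered, and the addresses are RFC 5737 stand-ins for the post's dummy values.

```python
"""Constructed model of the ipfw + natd flow from the post (not FreeBSD code)."""
import ipaddress
from dataclasses import dataclass, replace

GATEWAY_EXT = ipaddress.ip_address("203.0.113.111")  # stand-in for 789.456.123.111
F50 = ipaddress.ip_address("192.168.1.2")            # the internal financial server
CORP_NET = ipaddress.ip_network("198.51.100.0/24")   # stand-in for 123.456.789.0/24
ANY = ipaddress.ip_network("0.0.0.0/0")

def host(addr):
    """A /32 network for a single host, so 'in' works uniformly for src/dst checks."""
    return ipaddress.ip_network(f"{addr}/32")

@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    direction: str   # "in" or "out"
    iface: str       # "xl0" (external) or "fxp0" (internal)

# natd -redirect_port table from the post's rc.conf line:
# -redirect_port tcp 192.168.1.2:25 25 -redirect_port tcp 192.168.1.2:1352 1352
REDIRECTS = {("tcp", 25): (F50, 25), ("tcp", 1352): (F50, 1352)}
# natd's dynamic state: (internal host, port, remote host, port) -> public port,
# which is what lets replies from the F50 be rewritten back to the gateway.
NAT_STATE = {}

def natd(pkt):
    """Rewrite one packet the way natd would after the divert rule hands it over."""
    if pkt.direction == "in" and pkt.dst == GATEWAY_EXT:
        target = REDIRECTS.get((pkt.proto, pkt.dport))
        if target is None:
            return pkt                     # no redirect: the gateway keeps the packet
        NAT_STATE[(target[0], target[1], pkt.src, pkt.sport)] = pkt.dport
        return replace(pkt, dst=target[0], dport=target[1])
    if pkt.direction == "out":
        public = NAT_STATE.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if public is not None:
            return replace(pkt, src=GATEWAY_EXT, sport=public)
    return pkt

# (number, action, proto, src net, dst net, dst port|None, direction|None, via|None)
RULES = [
    (50,    "divert", "ip",  ANY,      ANY,               None, None,  "xl0"),   # assumed
    (155,   "allow",  "tcp", ANY,      host(F50),         25,   None,  "xl0"),
    (157,   "allow",  "tcp", ANY,      host(F50),         1352, None,  "xl0"),
    (165,   "allow",  "ip",  ANY,      ANY,               None, None,  "fxp0"),  # post: 155
    (175,   "allow",  "tcp", CORP_NET, host(GATEWAY_EXT), 22,   None,  None),
    (200,   "allow",  "ip",  ANY,      ANY,               None, "out", "xl0"),   # assumed
    (65535, "deny",   "ip",  ANY,      ANY,               None, None,  None),
]

def matches(rule, pkt):
    _, _, proto, src, dst, dport, direction, via = rule
    return ((proto == "ip" or proto == pkt.proto)
            and pkt.src in src and pkt.dst in dst
            and (dport is None or pkt.dport == dport)
            and (direction is None or pkt.direction == direction)
            and (via is None or pkt.iface == via))

def filter_packet(pkt, resume_after=0):
    """Walk the rules in number order; a divert passes the packet to natd and resumes below it."""
    for rule in sorted(RULES, key=lambda r: r[0]):
        if rule[0] <= resume_after or not matches(rule, pkt):
            continue
        if rule[1] == "divert":
            return filter_packet(natd(pkt), resume_after=rule[0])
        return rule[0], rule[1], pkt
    return 65535, "deny", pkt

def demo():
    client = ipaddress.ip_address("198.18.0.5")   # constructed remote salesman's address
    # 1. Notes traffic to the gateway's public address: divert -> natd -> rule 157.
    num, verdict, p = filter_packet(Packet("tcp", client, 40000, GATEWAY_EXT, 1352, "in", "xl0"))
    # 2. The F50's reply leaving xl0: natd restores the gateway's address as source.
    _, rverdict, r = filter_packet(Packet("tcp", F50, 1352, client, 40000, "out", "xl0"))
    # 3. ssh is allowed only from the corporate subnet (rule 175); others hit the final deny.
    corp = filter_packet(Packet("tcp", ipaddress.ip_address("198.51.100.7"), 5000, GATEWAY_EXT, 22, "in", "xl0"))
    other = filter_packet(Packet("tcp", client, 5000, GATEWAY_EXT, 22, "in", "xl0"))
    return {"notes": (num, verdict, str(p.dst), p.dport),
            "reply": (rverdict, str(r.src), r.sport),
            "ssh_corp": corp[1], "ssh_other": other[1]}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The model makes the ordering point visible: rules 155 and 157 can only match after natd has already changed the destination to 192.168.1.2, so they must sit below the divert rule, and the reply is recognised only because natd recorded the original remote endpoint when it redirected the first packet.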
