Date: Thu, 2 Aug 2001 00:41:54 +0200
From: "Dennis Berger" <HypnotiZer@gmx.net>
To: <freebsd-ipfw@freebsd.org>
Subject: ipfw dynamic-rules
Message-ID: <000801c11adb$29da7ff0$650110ac@nachpolierer>
Hi,

following devices are attached.

tun0: dynamic-IP
rl0: 10.0.0.148 <-- is connected to the adsl-modem
xl0: 172.16.1.1

Ok, now here is my problem. I have IPFW set up with the following ruleset:
------------------------------------------------------------------
fwcmd="/sbin/ipfw"

$fwcmd -f flush
$fwcmd add 20 pass all from any to any via lo0
$fwcmd add 30 pass all from any to any via rl0
$fwcmd add 40 pass all from any to any via xl0

$fwcmd add 50 deny log all from 192.168.0.0/16 to any in via tun0
$fwcmd add 60 deny log all from 172.16.0.0/12 to any in via tun0
$fwcmd add 70 deny log all from 10.0.0.0/8 to any in via tun0
$fwcmd add 80 deny log all from 127.0.0.0/8 to any in via tun0
$fwcmd add 90 deny log all from 0.0.0.0/8 to any in via tun0
$fwcmd add 100 deny log all from 169.254.0.0/16 to any in via tun0
$fwcmd add 110 deny log all from 192.0.2.0/24 to any in via tun0
$fwcmd add 120 deny log all from 204.152.64.0/23 to any in via tun0
$fwcmd add 130 deny log all from 224.0.0.0/3 to any in via tun0

$fwcmd add 131 count tcp from any to any via tun0
$fwcmd add 132 count udp from any to any 27000-28000 out via tun0
$fwcmd add 133 count tcp from any 1024-65535 to any 21 in via tun0
$fwcmd add 134 count tcp from any 20 to any 1024-65535 out via tun0
$fwcmd add 135 count tcp from any 49153-65535 to any 1024-65535 out via tun0
$fwcmd add 136 count tcp from any to any 80 in via tun0
$fwcmd add 136 count tcp from any to any 80 out via tun0

$fwcmd add 140 pipe 1 tcp from any to any 22,1494 via tun0
$fwcmd add 141 pipe 2 udp from any to any 27000-28000 out via tun0
$fwcmd add 142 pipe 3 tcp from any to any in via tun0
$fwcmd add 143 pipe 4 tcp from any to any out via tun0
$fwcmd pipe 1 config bandwidth 0 queue 10Kbyte
$fwcmd pipe 2 config bandwidth 0 queue 20Kbyte
$fwcmd pipe 3 config bandwidth 728Kbit/s queue 50Kbyte
$fwcmd pipe 4 config bandwidth 96Kbit/s queue 10Kbyte

$fwcmd add 149 divert natd ip from any to any via tun0
$fwcmd add 160 check-state

$fwcmd add 200 pass icmp from any to any in via tun0 icmptypes 0,11
$fwcmd add 210 pass tcp from any to any 22 in via tun0 keep-state tcpflags syn
$fwcmd add 220 pass tcp from any to any 80 in via tun0 keep-state tcpflags syn
$fwcmd add 230 pass tcp from any to any 443 in via tun0 keep-state tcpflags syn
$fwcmd add 240 pass tcp from any to any 21 in via tun0 keep-state tcpflags syn
$fwcmd add 250 pass tcp from any 1024-65535 to any 49153-65535 in via tun0 keep-state tcpflags syn
$fwcmd add 260 deny udp from any to 192.246.40.56 out via tun0
$fwcmd add 270 deny log tcp from any to any 6666-6669 out via tun0
$fwcmd add 280 pass tcp from any to any out via tun0 setup keep-state
$fwcmd add 290 pass udp from any to any out via tun0 keep-state
$fwcmd add 300 pass icmp from any to any out via tun0 keep-state
$fwcmd add 65530 deny log all from any to any
-------------------------------------------------------------------

and the following natd.cf
--------------------------------------
redirect_port udp 127.0.0.1:27952 192.246.40.56:27952
use_sockets yes
unregistered_only no
interface tun0
dynamic yes
same_ports yes
punch_fw 500:100
--------------------------------------

Ok, when a packet tries to go out it passes the divert rule and gets rewritten; now, rewritten with my external IP, it passes the keep-state rule. This rule adds a dynamic rule like this:

00280 2 96 (T 6, # 49) ty 0 tcp, 213.23.32.173 4264 <-> 216.239.35.100 80

That's ok. Now the packet from the external host comes back with source IP 216.239.35.100 and destination IP 213.32.23.173, which is my EXTERNAL IP. It passes the ruleset and gets rewritten by the divert rule to source IP 216.239.35.100 and destination IP 172.16.1.101 (this is my client on the LAN). But let us remember which dynamic rule was created by the keep-state one. So the packet rewritten by the divert rule CAN'T pass the dynamic rule created by the keep-state rule.

Aug 2 00:31:38 Nipsi /kernel: ipfw: 65530 Deny TCP 216.136.35.100:80 172.16.1.101:4262 in via tun0

How could I fix this, or which is the clean implementation of keep-state rules in combination with divert rules?

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000801c11adb$29da7ff0$650110ac>
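Added illustration (editor's code, not from the mail, from ipfw or from natd): a small Python model of the two mechanisms the question is about, natd address rewriting on a divert rule and ipfw's dynamic-rule table, showing why the ordering in the mail fails and why the common alternative of un-NATting incoming packets before check-state and NATting outgoing packets after keep-state succeeds. The addresses and ports are taken from the mail as sample values; the Natd class models only source rewriting outbound and the reverse lookup inbound, not natd's full behaviour, and the session flow is a hand-written sequence of stages rather than a rule interpreter.

```python
from dataclasses import dataclass

# Sample values from the mail: tun0 address seen in the dynamic rule and the LAN client from the log line.
EXTERNAL_IP = "213.23.32.173"
LAN_CLIENT = "172.16.1.101"
REMOTE_HOST, REMOTE_PORT = "216.239.35.100", 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" (LAN -> tun0) or "in" (tun0 -> LAN)


class Natd:
    """Minimal model of natd: rewrite the source outbound, reverse it on the reply inbound."""

    def __init__(self, external_ip: str):
        self.external_ip = external_ip
        # (external sport, remote host, remote port) -> (internal src, internal sport)
        self.table: dict[tuple[int, str, int], tuple[str, int]] = {}

    def translate(self, pkt: Packet) -> Packet:
        if pkt.direction == "out":
            # same_ports: keep the source port (collisions are not modelled here)
            self.table[(pkt.sport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            return Packet(self.external_ip, pkt.sport, pkt.dst, pkt.dport, "out")
        key = (pkt.dport, pkt.src, pkt.sport)
        if pkt.dst == self.external_ip and key in self.table:
            int_src, int_sport = self.table[key]
            return Packet(pkt.src, pkt.sport, int_src, int_sport, "in")
        return pkt  # no mapping: packet is passed through unchanged


class DynamicRules:
    """ipfw dynamic rules: keyed on the endpoints exactly as seen when keep-state fired,
    and matched in both directions by check-state."""

    def __init__(self):
        self.rules: set[frozenset] = set()

    @staticmethod
    def _key(pkt: Packet) -> frozenset:
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def keep_state(self, pkt: Packet) -> None:
        self.rules.add(self._key(pkt))

    def check_state(self, pkt: Packet) -> bool:
        return self._key(pkt) in self.rules


def ordering_from_the_mail() -> bool:
    """Rule 149 (divert) sits before both rule 160 (check-state) and rule 280 (keep-state)."""
    natd, dyn = Natd(EXTERNAL_IP), DynamicRules()
    out = Packet(LAN_CLIENT, 4264, REMOTE_HOST, REMOTE_PORT, "out")
    out = natd.translate(out)   # divert first: source becomes the external IP
    dyn.keep_state(out)         # dynamic rule is keyed on the external IP
    reply = Packet(REMOTE_HOST, REMOTE_PORT, EXTERNAL_IP, 4264, "in")
    reply = natd.translate(reply)  # divert first: destination becomes the LAN client
    return dyn.check_state(reply)  # lookup uses the LAN address: no match, falls to 65530 deny


def nat_outside_state() -> bool:
    """Incoming divert placed before check-state, outgoing divert placed after keep-state,
    so the dynamic rule and the lookup both see the internal (LAN) address."""
    natd, dyn = Natd(EXTERNAL_IP), DynamicRules()
    out = Packet(LAN_CLIENT, 4264, REMOTE_HOST, REMOTE_PORT, "out")
    dyn.keep_state(out)         # keep-state on the pre-NAT packet (LAN address)
    out = natd.translate(out)   # divert ... out via tun0 comes afterwards
    reply = Packet(REMOTE_HOST, REMOTE_PORT, EXTERNAL_IP, 4264, "in")
    reply = natd.translate(reply)  # divert ... in via tun0 comes first
    return dyn.check_state(reply)  # lookup uses the LAN address: match


if __name__ == "__main__":
    print("mail ordering, reply passes check-state:", ordering_from_the_mail())
    print("NAT outside state, reply passes check-state:", nat_outside_state())
```

The point the model makes is that a dynamic rule is just a 5-tuple stored at the moment keep-state fires, so both directions of a flow must reach the state rules with addresses on the same side of the translation. With a single `divert natd ... via tun0` ahead of everything, outgoing packets are recorded post-NAT and incoming replies are looked up post-un-NAT, which can never agree; splitting the divert into an `in` rule before check-state and an `out` rule after the keep-state rules (or, equivalently, keeping both on the external side) removes the mismatch.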