Date: Thu, 2 Aug 2001 00:41:54 +0200
From: "Dennis Berger" <HypnotiZer@gmx.net>
To: <freebsd-ipfw@freebsd.org>
Subject: ipfw dynamic-rules
Message-ID: <000801c11adb$29da7ff0$650110ac@nachpolierer>
Hi,
the following devices are attached.

tun0: dynamic IP
rl0: 10.0.0.148 <-- is connected to the ADSL modem
xl0: 172.16.1.1

OK, now here is my problem. I have IPFW set up with the following ruleset:
------------------------------------------------------------------
fwcmd="/sbin/ipfw"

$fwcmd -f flush
$fwcmd add 20 pass all from any to any via lo0
$fwcmd add 30 pass all from any to any via rl0
$fwcmd add 40 pass all from any to any via xl0

$fwcmd add 50 deny log all from 192.168.0.0/16 to any in via tun0
$fwcmd add 60 deny log all from 172.16.0.0/12 to any in via tun0
$fwcmd add 70 deny log all from 10.0.0.0/8 to any in via tun0
$fwcmd add 80 deny log all from 127.0.0.0/8 to any in via tun0
$fwcmd add 90 deny log all from 0.0.0.0/8 to any in via tun0
$fwcmd add 100 deny log all from 169.254.0.0/16 to any in via tun0
$fwcmd add 110 deny log all from 192.0.2.0/24 to any in via tun0
$fwcmd add 120 deny log all from 204.152.64.0/23 to any in via tun0
$fwcmd add 130 deny log all from 224.0.0.0/3 to any in via tun0

$fwcmd add 131 count tcp from any to any via tun0
$fwcmd add 132 count udp from any to any 27000-28000 out via tun0
$fwcmd add 133 count tcp from any 1024-65535 to any 21 in via tun0
$fwcmd add 134 count tcp from any 20 to any 1024-65535 out via tun0
$fwcmd add 135 count tcp from any 49153-65535 to any 1024-65535 out via tun0
$fwcmd add 136 count tcp from any to any 80 in via tun0
$fwcmd add 136 count tcp from any to any 80 out via tun0

$fwcmd add 140 pipe 1 tcp from any to any 22,1494 via tun0
$fwcmd add 141 pipe 2 udp from any to any 27000-28000 out via tun0
$fwcmd add 142 pipe 3 tcp from any to any in via tun0
$fwcmd add 143 pipe 4 tcp from any to any out via tun0
$fwcmd pipe 1 config bandwidth 0 queue 10Kbyte
$fwcmd pipe 2 config bandwidth 0 queue 20Kbyte
$fwcmd pipe 3 config bandwidth 728Kbit/s queue 50Kbyte
$fwcmd pipe 4 config bandwidth 96Kbit/s queue 10Kbyte

$fwcmd add 149 divert natd ip from any to any via tun0
$fwcmd add 160 check-state

$fwcmd add 200 pass icmp from any to any in via tun0 icmptypes 0,11
$fwcmd add 210 pass tcp from any to any 22 in via tun0 keep-state tcpflags syn
$fwcmd add 220 pass tcp from any to any 80 in via tun0 keep-state tcpflags syn
$fwcmd add 230 pass tcp from any to any 443 in via tun0 keep-state tcpflags syn
$fwcmd add 240 pass tcp from any to any 21 in via tun0 keep-state tcpflags syn
$fwcmd add 250 pass tcp from any 1024-65535 to any 49153-65535 in via tun0 keep-state tcpflags syn
$fwcmd add 260 deny udp from any to 192.246.40.56 out via tun0
$fwcmd add 270 deny log tcp from any to any 6666-6669 out via tun0
$fwcmd add 280 pass tcp from any to any out via tun0 setup keep-state
$fwcmd add 290 pass udp from any to any out via tun0 keep-state
$fwcmd add 300 pass icmp from any to any out via tun0 keep-state
$fwcmd add 65530 deny log all from any to any
-------------------------------------------------------------------

and the following natd.cf:
--------------------------------------
redirect_port udp 127.0.0.1:27952 192.246.40.56:27952
use_sockets yes
unregistered_only no
interface tun0
dynamic yes
same_ports yes
punch_fw 500:100
--------------------------------------

OK, when a packet tries to go out, it passes the divert rule and gets rewritten; now, rewritten with my external IP, it passes the keep-state rule. This rule adds a dynamic rule like this:

00280 2 96 (T 6, # 49) ty 0 tcp, 213.23.32.173 4264 <-> 216.239.35.100 80

That's OK. Now the packet from the external host comes back with source IP 216.239.35.100 and destination IP 213.32.23.173, which is my EXTERNAL IP. It passes the ruleset and gets rewritten by the divert rule to source IP 216.239.35.100 and destination IP 172.16.1.101 (this is my client on the LAN). But let us remember what the dynamic rule created by the keep-state one was. So the packet rewritten by the divert rule CAN'T pass the dynamic rule created by the keep-state rule.

Aug 2 00:31:38 Nipsi /kernel: ipfw: 65530 Deny TCP 216.136.35.100:80 172.16.1.101:4262 in via tun0

How could I fix this, or what is the clean implementation of keep-state rules in combination with divert rules?
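The mismatch described above, as an added Python model that is not part of the post and not ipfw code: it walks the relevant rules (149, 160, 280, 65530) for the outbound SYN and its reply using the addresses from the message, and then walks a reordered layout that de-NATs inbound traffic before check-state and NATs outbound traffic only after keep-state has recorded the LAN address (the keep-state/skipto/divert arrangement from the FreeBSD handbook, an assumed fix rather than one the post states). The model assumes natd reinjects a diverted packet at the rule after the divert rule and that a dynamic rule matches on the endpoint pair as seen when it was created.

```python
# Added model (not ipfw code) of ipfw walking a ruleset with natd + keep-state.
EXT, LAN_CLIENT, REMOTE = "213.23.32.173", "172.16.1.101", "216.239.35.100"
def key(pkt):
    """Direction-agnostic endpoint pair, which is what a dynamic rule matches on."""
    return frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
def natd(pkt, table):
    """natd with same_ports: outbound src becomes EXT, inbound dst is mapped back."""
    if pkt["dir"] == "out":
        table[(EXT, pkt["sport"])] = pkt["src"]
        pkt["src"] = EXT
    elif (pkt["dst"], pkt["dport"]) in table:
        pkt["dst"] = table[(pkt["dst"], pkt["dport"])]
def run(rules, pkt, state, table):
    """Walk one packet through rules of (number, action, direction, arg)."""
    i = 0
    while i < len(rules):
        num, action, direction, arg = rules[i]
        i += 1
        if direction not in ("any", pkt["dir"]):
            continue
        if action == "divert":            # natd hands the packet back at the next rule
            natd(pkt, table)
            continue
        if action in ("deny", "pass"):
            return num, action
        if action == "check-state":
            if key(pkt) not in state:
                continue
            arg = state[key(pkt)]         # the parent rule's action applies
        elif action == "keep-state":
            state[key(pkt)] = arg         # endpoints as seen at THIS rule
        if arg == "pass":
            return num, "pass"
        i = next((j for j, r in enumerate(rules) if r[0] >= arg[1]), len(rules))
    return 65535, "deny"
def simulate(rules):
    """Outbound SYN from the LAN client, then the server's reply; returns both verdicts."""
    state, table = {}, {}
    out = {"dir": "out", "src": LAN_CLIENT, "sport": 4264, "dst": REMOTE, "dport": 80}
    back = {"dir": "in", "src": REMOTE, "sport": 80, "dst": EXT, "dport": 4264}
    return [run(rules, out, state, table), run(rules, back, state, table)]

# Rules 149/160/280/65530 as posted: divert sits before keep-state in both directions.
POSTED = [(149, "divert", "any", None), (160, "check-state", "any", None),
          (280, "keep-state", "out", "pass"), (65530, "deny", "any", None)]
# Reordered (assumed fix): NAT inbound before check-state, NAT outbound via skipto 800.
REORDERED = [(149, "divert", "in", None), (160, "check-state", "any", None),
             (280, "keep-state", "out", ("skipto", 800)), (800, "divert", "out", None),
             (801, "pass", "any", None), (65530, "deny", "any", None)]
```

With the posted order the reply is denied at 65530 exactly as in the kernel log line, because the dynamic entry was keyed on the external address while the de-NATed reply carries the LAN address; with the reordered layout both packets pass at 801.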