From: Dennis Olvany
To: Andrew Fremantle
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Date: Tue, 10 Jan 2006 10:53:24 -0600
Subject: Re: Advanced IPFW2 Forward rule problem / bug / misunderstanding
Message-ID: <43C3E684.5040204@gmail.com>
In-Reply-To: <43C3896A.7090704@skyhawk.ca>
List-Id: User questions (freebsd-questions@freebsd.org)

This should get you most of the way there or at least give you a good
idea of what's required.

> options IPFIREWALL_FORWARD_EXTENDED

I'm pretty sure this will be required.
> defaultrouter="24.85.92.1"
> ifconfig_rl0="192.168.1.1"
> ifconfig_vr0="142.179.109.xxx netmask 255.255.248.0"
> ifconfig_vr1="216.232.85.xxx netmask 255.255.254.0"
> ifconfig_rue0="24.85.9x.xxx netmask 255.255.252.0"
> ifconfig_rue0_alias0="24.85.9x.xxx netmask 255.255.255.255"
>
> Telus
> ext1_ip="142.179.109.xxx" # IP Address
> ext1_gw="142.179.104.254" # IP Gateway
> ext2_ip="216.232.85.xxx" # IP Address
> ext2_gw="216.232.84.254" # IP Gateway
>
> Shaw Cable
> shaw_ip="24.85.93.xxx" # IP Address
> shaw_gw="24.85.92.1" # IP Gateway
> srv2_ext="24.85.93.xxx" # External IP of server
>
> INTERNAL
> int_ip="192.168.1.1" # IP Address
>
> # And run our new NATd
> /sbin/natd -log_ipfw_denied -i ${nat_in} -o ${nat_out} -s -m -u -n
> ${shaw} -punch_fw 36000:100 -redirect_port tcp ${ext1_srv}:22
> ${ext1_ip}:xxxx -redirect_port tcp ${ext1_srv}:53 ${ext1_ip}:53
> -redirect_port tcp ${ext1_srv}:80 ${ext1_ip}:80 -redirect_port tcp
> ${ext1_srv}:443 ${ext1_ip}:443 -redirect_port udp ${ext1_srv}:53
> ${ext1_ip}:53 -redirect_port tcp ${ext2_srv}:80 ${ext2_ip}:80
> -redirect_port tcp ${ext2_srv}:443 ${ext2_ip}:443 -redirect_port tcp
> ${srv1_int}:22 ${shaw_ip}:xxxx -redirect_port tcp ${srv1_int}:53
> ${shaw_ip}:53 -redirect_port udp ${srv1_int}:53 ${shaw_ip}:53
> -redirect_port tcp ${srv1_int}:80 ${shaw_ip}:80 -redirect_port tcp
> ${srv1_int}:443 ${shaw_ip}:443 -redirect_port tcp ${srv2_int}:80
> ${srv2_ext}:80 -redirect_port tcp ${srv2_int}:443 ${srv2_ext}:443

That's a hefty nat command. Let's simplify by putting it in a file. I
leave the port forwarding to you.

/etc/rc.conf

natd_enable="yes"
natd_flags="-f /etc/natd.conf"

/etc/natd.conf

instance default
interface vr0
port 8668

instance telus2
interface vr1
port 8669

instance shaw1
alias_address 24.85.93.xxx
port 8670

instance shaw2
alias_address 24.85.93.xxx
port 8671

globalport 8672

I see that your firewall is based on rc.firewall. Forget rc.firewall, it
is junk. Base your firewall on this structure.

1. Public Interface NAT Diversion
2. check-state
3. Public Interface Leak Prevention
   3.1 deny egress from internal hosts
   3.2 deny ingress to internal hosts
4. Antispoof
   4.1 allow via loopback interface
   4.2 deny ingress from router
   4.3 deny ingress from internal hosts via public interface
5. Router
   5.1 allow egress
   5.2 deny egress
   5.3 allow ingress
   5.4 deny ingress
6. Internal Hosts
   6.1 allow egress
   6.2 deny egress
   6.3 allow ingress
   6.4 deny ingress
7. Default Deny

/etc/rc.conf

firewall_enable="yes"
firewall_type="/etc/ipfw.rules"

/etc/ipfw.rules

-f flush
# 1. Public Interface NAT Diversion
add divert 8668 ip from any to any in via vr0
add divert 8669 ip from any to any in via vr1
add divert 8670 ip from any to 24.85.93.xxx in via rue0
add divert 8671 ip from any to 24.85.93.xxx in via rue0
#have never known the globalport to work on inbound
add divert 8672 ip from any to any out via { vr0 or vr1 or rue0 }
#not sure if that 'or' will work... may need to split it up
# 2. check-state (must be an "add" command in a rules file)
add check-state
# 3. Public Interface Leak Prevention
add deny ip from 192.168.1.1/24 to any via { vr0 or vr1 or rue0 }
# 4. Antispoof
add allow ip from me to me via lo0 keep-state
add deny ip from me to any in
# 5. Router
add allow ip from me to { me or 192.168.1.1/24 or 142.179.109.xxx/21 or 216.232.85.xxx/23 or 24.85.9x.xxx/22 } keep-state
add forward 142.179.104.254 ip from 142.179.109.xxx to any keep-state
add forward 216.232.84.254 ip from 216.232.85.xxx to any keep-state
add forward 24.85.92.1 ip from 24.85.9x.xxx to any keep-state
add forward 24.85.92.1 ip from 24.85.9x.xxx to any keep-state
add allow ip from me to any keep-state
add deny ip from me to any
add allow icmp from any to me icmptypes 3,4,8,11 keep-state
add deny ip from any to me
# 6. Internal Hosts
add allow ip from 192.168.1.1/24 to any keep-state
add deny ip from 192.168.1.1/24 to any
add allow icmp from any to 192.168.1.1/24 icmptypes 3,4,11 keep-state
add deny ip from any to 192.168.1.1/24