Date: Sun, 23 Feb 2014 16:11:37 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44037 - head/en_US.ISO8859-1/books/handbook/firewalls Message-ID: <201402231611.s1NGBbd5012487@svn.freebsd.org>
Author: dru Date: Sun Feb 23 16:11:36 2014 New Revision: 44037 URL: http://svnweb.freebsd.org/changeset/doc/44037 Log: Initial shuffle to improve flow of IPF NAT section. Next commit will review actual content. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Sun Feb 23 12:37:32 2014 (r44036) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Sun Feb 23 16:11:36 2014 (r44037) 
@@ -226,6 +226,40 @@ advanced matching abilities capable of defending against the flood of different attack methods employed by attackers.</para> + <para><acronym>NAT</acronym> stands for <emphasis>Network + Address Translation</emphasis>. + <acronym>NAT</acronym> function enables the private LAN behind + the firewall to share a single ISP-assigned IP address, even + if that address is dynamically assigned. NAT allows each + computer in the LAN to have Internet access, without + having to pay the ISP for multiple Internet accounts or IP + addresses.</para> + + <para><acronym>NAT</acronym> will automatically translate the + private LAN IP address for each system on the LAN to the + single public IP address as packets exit the firewall bound + for the public Internet. It also performs the reverse + translation for returning packets.</para> + + <para>According to RFC 1918, the following IP address ranges are + reserved for private networks which will never be routed + directly to the public Internet, and therefore are available + for use with NAT:</para> + + <itemizedlist> + <listitem> + <para><literal>10.0.0.0/8</literal>.</para> + </listitem> + + <listitem> + <para><literal>172.16.0.0/12</literal>.</para> + </listitem> + + <listitem> + <para><literal>192.168.0.0/16</literal>.</para> + </listitem> + </itemizedlist> + <warning> <para>When working with the firewall rules, be <emphasis>very careful</emphasis>. Some configurations <emphasis>can 
@@ -2158,117 +2192,6 @@ pass in quick on dc0 proto tcp from any block in log first quick on dc0 all</programlisting> </sect2> - <sect2 xml:id="firewalls-ipf-rules-script"> - <title>Building the Rule Script with Symbolic - Substitution</title> - - <para>Some experienced IPF users create a file containing the - rules and code them in a manner compatible with running them - as a script with symbolic substitution. The major benefit - of doing this is that only the value associated with the - symbolic name needs to be changed, and when the script is - run all the rules containing the symbolic name will have the - value substituted in the rules. Being a script, symbolic - substitution can be used to code frequently used values and - substitute them in multiple rules. This can be seen in the - following example.</para> - - <para>The script syntax used here is compatible with the - &man.sh.1;, &man.csh.1;, and &man.tcsh.1; shells.</para> - - <para>Symbolic substitution fields are prefixed with a - <literal>$</literal>.</para> - - <para>Symbolic fields do not have the $ prefix.</para> - - <para>The value to populate the symbolic field must be enclosed - between double quotes (<literal>"</literal>).</para> - - <para>Start the rule file with something like this:</para> - - <programlisting>############# Start of IPF rules script ######################## - -oif="dc0" # name of the outbound interface -odns="192.0.2.11" # ISP's DNS server IP address -myip="192.0.2.7" # my static IP address from ISP -ks="keep state" -fks="flags S keep state" - -# You can choose between building /etc/ipf.rules file -# from this script or running this script "as is". -# -# Uncomment only one line and comment out another. -# -# 1) This can be used for building /etc/ipf.rules: -#cat > /etc/ipf.rules << EOF -# -# 2) This can be used to run script "as is": -/sbin/ipf -Fa -f - << EOF - -# Allow out access to my ISP's Domain name server. 
-pass out quick on $oif proto tcp from any to $odns port = 53 $fks -pass out quick on $oif proto udp from any to $odns port = 53 $ks - -# Allow out non-secure standard www function -pass out quick on $oif proto tcp from $myip to any port = 80 $fks - -# Allow out secure www function https over TLS SSL -pass out quick on $oif proto tcp from $myip to any port = 443 $fks -EOF -################## End of IPF rules script ########################</programlisting> - - <para>The rules are not important in this example as it instead - focuses on how the symbolic substitution fields are populated. - If this example was in a file named - <filename>/etc/ipf.rules.script</filename>, these rules could - be reloaded by running:</para> - - <screen>&prompt.root; <userinput>sh /etc/ipf.rules.script</userinput></screen> - - <para>There is one problem with using a rules file with embedded - symbolics: IPF does not understand symbolic substitution, and - cannot read such scripts directly.</para> - - <para>This script can be used in one of two ways:</para> - - <itemizedlist> - <listitem> - <para>Uncomment the line that begins with - <literal>cat</literal>, and comment out the line that - begins with <literal>/sbin/ipf</literal>. Place - <literal>ipfilter_enable="YES"</literal> into - <filename>/etc/rc.conf</filename>, and run the script - once after each modification to create or update - <filename>/etc/ipf.rules</filename>.</para> - </listitem> - - <listitem> - <para>Disable <application>IPFILTER</application> in the - system startup scripts by adding - <literal>ipfilter_enable="NO"</literal>to - <filename>/etc/rc.conf</filename>.</para> - - <para>Then, add a script like the following to - <filename>/usr/local/etc/rc.d/</filename>. 
The script - should have an obvious name like - <filename>ipf.loadrules.sh</filename>, where the - <filename>.sh</filename> extension is mandatory.</para> - - <programlisting>#!/bin/sh -sh /etc/ipf.rules.script</programlisting> - - <para>The permissions on this script file must be read, - write, execute for owner - <systemitem class="username">root</systemitem>:</para> - - <screen>&prompt.root; <userinput>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</userinput></screen> - </listitem> - </itemizedlist> - - <para>Now, when the system boots, the IPF rules will be - loaded.</para> - </sect2> - <sect2> <title>Configuring <acronym>NAT</acronym></title> 
@@ -2286,144 +2209,57 @@ sh /etc/ipf.rules.script</programlisting <see>NAT</see> </indexterm> - <para><acronym>NAT</acronym> stands for <emphasis>Network - Address Translation</emphasis>. The IPF - <acronym>NAT</acronym> function enables the private LAN behind - the firewall to share a single ISP-assigned IP address, even - if that address is dynamically assigned. NAT allows each - computer in the LAN to have Internet access, without - having to pay the ISP for multiple Internet accounts or IP - addresses.</para> - - <para>In IPF, when a packet arrives at the firewall from the LAN - with a public destination, it passes through the outbound - filter rules. <acronym>NAT</acronym> gets its turn at the - packet and applies its rules top down, where the first - matching rule wins. <acronym>NAT</acronym> tests each of its - rules against the packet's interface name and source IP - address. When a packet's interface name matches a - <acronym>NAT</acronym> rule, the packet's source IP address in - the private LAN is checked to see if it falls within the IP - address range specified to the left of the arrow symbol on the - <acronym>NAT</acronym> rule. On a match, the packet has its - source IP address rewritten with the public IP address - obtained by the <literal>0/32</literal> keyword. - <acronym>NAT</acronym> posts an entry in its internal - <acronym>NAT</acronym> table so when the packet returns from - the public Internet it can be mapped back to its original - private IP address and then passed to the filter rules for - processing.</para> - - <para><acronym>NAT</acronym> will automatically translate the - private LAN IP address for each system on the LAN to the - single public IP address as packets exit the firewall bound - for the public Internet. 
It also performs the reverse - translation for returning packets.</para> - - <para>According to RFC 1918, the following IP address ranges are - reserved for private networks which will never be routed - directly to the public Internet, and therefore are available - for use with NAT:</para> - - <itemizedlist> - <listitem> - <para><literal>10.0.0.0/8</literal>.</para> - </listitem> - - <listitem> - <para><literal>172.16.0.0/12</literal>.</para> - </listitem> - - <listitem> - <para><literal>192.168.0.0/16</literal>.</para> - </listitem> - </itemizedlist> - <indexterm><primary><command>ipnat</command></primary></indexterm> - <para>To enable IP<acronym>NAT</acronym>, add these statements - to <filename>/etc/rc.conf</filename>.</para> - - <para>To enable the machine to route traffic between - interfaces:</para> - - <programlisting>gateway_enable="YES"</programlisting> - - <para>To start IP<acronym>NAT</acronym> automatically each - time:</para> - - <programlisting>ipnat_enable="YES"</programlisting> - - <para>To specify where to load the IP<acronym>NAT</acronym> - rules from:</para> - - <programlisting>ipnat_rules="/etc/ipnat.rules"</programlisting> - - <para><acronym>NAT</acronym> rules are loaded using - <command>ipnat</command>. Typically, the - <acronym>NAT</acronym> rules are stored in - <filename>/etc/ipnat.rules</filename>. 
See &man.ipnat.8; for - details.</para> - - <para>When the file containing the <acronym>NAT</acronym> rules - is edited after <acronym>NAT</acronym> has been started, run - <command>ipnat</command> with <option>-CF</option> to delete - the internal in use <acronym>NAT</acronym> rules and flush the - contents of the translation table of all active - entries.</para> - - <para>To reload the <acronym>NAT</acronym> rules, issue a - command like this:</para> - - <screen>&prompt.root; <userinput>ipnat -CF -f - /etc/ipnat.rules</userinput></screen> - - <para>To display some <acronym>NAT</acronym> statistics, use - this command:</para> - - <screen>&prompt.root; <userinput>ipnat -s</userinput></screen> - - <para>To list the <acronym>NAT</acronym> table's current - mappings, use this command:</para> - - <screen>&prompt.root; <userinput>ipnat -l</userinput></screen> - - <para>To turn verbose mode on and display information relating - to rule processing and active rules/table entries:</para> - - <screen>&prompt.root; <userinput>ipnat -v</userinput></screen> + <para>To enable <acronym>NAT</acronym>, add these statements + to <filename>/etc/rc.conf</filename> and specify the name of + the file containing the <acronym>NAT</acronym> rules:</para> + + <programlisting>gateway_enable="YES" +ipnat_enable="YES" +ipnat_rules="/etc/ipnat.rules"</programlisting> <para><acronym>NAT</acronym> rules are flexible and can accomplish many different things to fit the needs of - commercial and home users.</para> - - <para>The rule syntax presented here has been simplified to - what is most commonly used in a non-commercial environment. + commercial and home users. The rule syntax presented here has been simplified to + demonstrate common usage. 
For a complete rule syntax description, refer to &man.ipnat.5;.</para> <para>The syntax for a <acronym>NAT</acronym> rule looks like - this:</para> + this, where <literal>map</literal> starts the rule and + <replaceable>IF</replaceable> should be replaced with the + name of the external + interface:</para> <programlisting>map <replaceable>IF</replaceable> <replaceable>LAN_IP_RANGE</replaceable> -> <replaceable>PUBLIC_ADDRESS</replaceable></programlisting> - <para>The keyword <literal>map</literal> starts the rule.</para> - - <para>Replace <replaceable>IF</replaceable> with the external - interface.</para> - <para>The <replaceable>LAN_IP_RANGE</replaceable> is used by the internal clients use for IP Addressing. Usually, this is something like <systemitem - class="ipaddress">192.168.1.0/24</systemitem>.</para> - - <para>The <replaceable>PUBLIC_ADDRESS</replaceable> can either + class="ipaddress">192.168.1.0/24</systemitem>. The <replaceable>PUBLIC_ADDRESS</replaceable> can either be the static external IP address or the special keyword <literal>0/32</literal> which uses the IP address assigned to <replaceable>IF</replaceable>.</para> - <sect3> - <title><acronym>NAT</acronym> for a Large LAN</title> + <para>In IPF, when a packet arrives at the firewall from the LAN + with a public destination, it passes through the outbound + filter rules. <acronym>NAT</acronym> gets its turn at the + packet and applies its rules top down, where the first + matching rule wins. <acronym>NAT</acronym> tests each of its + rules against the packet's interface name and source IP + address. When a packet's interface name matches a + <acronym>NAT</acronym> rule, the packet's source IP address in + the private LAN is checked to see if it falls within the IP + address range specified to the left of the arrow symbol on the + <acronym>NAT</acronym> rule. On a match, the packet has its + source IP address rewritten with the public IP address + obtained by the <literal>0/32</literal> keyword. 
+ <acronym>NAT</acronym> posts an entry in its internal + <acronym>NAT</acronym> table so when the packet returns from + the public Internet it can be mapped back to its original + private IP address and then passed to the filter rules for + processing.</para> <para>For networks that have large numbers of systems on the LAN or networks with more than a single LAN, the process of @@ -2476,16 +2312,12 @@ sh /etc/ipf.rules.script</programlisting <para>or using CIDR notation:</para> <programlisting>map dc0 192.168.1.0/24 -> 204.134.75.0/24</programlisting> - </sect3> - - <sect3> - <title>Port Redirection</title> <para>A common practice is to have a web server, email server, database server, and DNS server each segregated to a different system on the LAN. In this case, the traffic from these servers still has to undergo <acronym>NAT</acronym>, - but there has to be some way to direct the inbound traffic + but port redirection is also needed to direct the inbound traffic to the correct server. For example, a web server operating on LAN address <systemitem class="ipaddress">10.0.10.25</systemitem> and using a @@ -2504,10 +2336,6 @@ sh /etc/ipf.rules.script</programlisting needs to receive public DNS requests:</para> <programlisting>rdr dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udp</programlisting> - </sect3> - - <sect3> - <title>FTP and <acronym>NAT</acronym></title> <para>FTP has two modes: active mode and passive mode. The difference is in how the data channel is acquired. Passive 
@@ -2564,7 +2392,145 @@ pass out quick on rl0 proto tcp from any # Active mode let data channel in from FTP server pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</programlisting> - </sect3> + + <para>When the file containing the <acronym>NAT</acronym> rules + is edited after <acronym>NAT</acronym> has been started, run + <command>ipnat</command> with <option>-CF</option> to delete + the internal in use <acronym>NAT</acronym> rules and flush the + contents of the translation table of all active + entries.</para> + + <para>To reload the <acronym>NAT</acronym> rules, issue a + command like this:</para> + + <screen>&prompt.root; <userinput>ipnat -CF -f + /etc/ipnat.rules</userinput></screen> + + <para>To display some <acronym>NAT</acronym> statistics, use + this command:</para> + + <screen>&prompt.root; <userinput>ipnat -s</userinput></screen> + + <para>To list the <acronym>NAT</acronym> table's current + mappings, use this command:</para> + + <screen>&prompt.root; <userinput>ipnat -l</userinput></screen> + + <para>To turn verbose mode on and display information relating + to rule processing and active rules/table entries:</para> + + <screen>&prompt.root; <userinput>ipnat -v</userinput></screen> + </sect2> + + <sect2 xml:id="firewalls-ipf-rules-script"> + <title>Building the Rule Script with Symbolic + Substitution</title> + + <para>Some experienced IPF users create a file containing the + rules and code them in a manner compatible with running them + as a script with symbolic substitution. The major benefit + of doing this is that only the value associated with the + symbolic name needs to be changed, and when the script is + run all the rules containing the symbolic name will have the + value substituted in the rules. Being a script, symbolic + substitution can be used to code frequently used values and + substitute them in multiple rules. 
This can be seen in the + following example.</para> + + <para>The script syntax used here is compatible with the + &man.sh.1;, &man.csh.1;, and &man.tcsh.1; shells.</para> + + <para>Symbolic substitution fields are prefixed with a + <literal>$</literal>.</para> + + <para>Symbolic fields do not have the $ prefix.</para> + + <para>The value to populate the symbolic field must be enclosed + between double quotes (<literal>"</literal>).</para> + + <para>Start the rule file with something like this:</para> + + <programlisting>############# Start of IPF rules script ######################## + +oif="dc0" # name of the outbound interface +odns="192.0.2.11" # ISP's DNS server IP address +myip="192.0.2.7" # my static IP address from ISP +ks="keep state" +fks="flags S keep state" + +# You can choose between building /etc/ipf.rules file +# from this script or running this script "as is". +# +# Uncomment only one line and comment out another. +# +# 1) This can be used for building /etc/ipf.rules: +#cat > /etc/ipf.rules << EOF +# +# 2) This can be used to run script "as is": +/sbin/ipf -Fa -f - << EOF + +# Allow out access to my ISP's Domain name server. +pass out quick on $oif proto tcp from any to $odns port = 53 $fks +pass out quick on $oif proto udp from any to $odns port = 53 $ks + +# Allow out non-secure standard www function +pass out quick on $oif proto tcp from $myip to any port = 80 $fks + +# Allow out secure www function https over TLS SSL +pass out quick on $oif proto tcp from $myip to any port = 443 $fks +EOF +################## End of IPF rules script ########################</programlisting> + + <para>The rules are not important in this example as it instead + focuses on how the symbolic substitution fields are populated. 
+ If this example was in a file named + <filename>/etc/ipf.rules.script</filename>, these rules could + be reloaded by running:</para> + + <screen>&prompt.root; <userinput>sh /etc/ipf.rules.script</userinput></screen> + + <para>There is one problem with using a rules file with embedded + symbolics: IPF does not understand symbolic substitution, and + cannot read such scripts directly.</para> + + <para>This script can be used in one of two ways:</para> + + <itemizedlist> + <listitem> + <para>Uncomment the line that begins with + <literal>cat</literal>, and comment out the line that + begins with <literal>/sbin/ipf</literal>. Place + <literal>ipfilter_enable="YES"</literal> into + <filename>/etc/rc.conf</filename>, and run the script + once after each modification to create or update + <filename>/etc/ipf.rules</filename>.</para> + </listitem> + + <listitem> + <para>Disable <application>IPFILTER</application> in the + system startup scripts by adding + <literal>ipfilter_enable="NO"</literal>to + <filename>/etc/rc.conf</filename>.</para> + + <para>Then, add a script like the following to + <filename>/usr/local/etc/rc.d/</filename>. The script + should have an obvious name like + <filename>ipf.loadrules.sh</filename>, where the + <filename>.sh</filename> extension is mandatory.</para> + + <programlisting>#!/bin/sh +sh /etc/ipf.rules.script</programlisting> + + <para>The permissions on this script file must be read, + write, execute for owner + <systemitem class="username">root</systemitem>:</para> + + <screen>&prompt.root; <userinput>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</userinput></screen> + </listitem> + </itemizedlist> + + <para>Now, when the system boots, the IPF rules will be + loaded.</para> </sect2> <sect2>
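Review bot: for the hunk at @@ -226,6 +226,40 @@, the sentence "<acronym>NAT</acronym> function enables the private LAN" lost its subject when "The IPF" was dropped from the original text; it should read "The NAT function enables the private LAN behind the firewall..." (or simply "NAT enables..."). The RFC 1918 paragraph also overstates: "will never be routed directly to the public Internet" describes a convention, not a guarantee. Packets carrying an RFC 1918 source address can and do arrive on an external interface through misconfiguration or spoofing, so consider wording it "are not routed on the public Internet" and adding one sentence that such addresses should still be blocked inbound on the external interface by the filter rules.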
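Review bot: for the hunk at @@ -2158,117 +2192,6 @@, the removal is a pure move with no text changes, but it deletes the xml:id "firewalls-ipf-rules-script" anchor; it is only consistent if the final hunk that re-adds the same sect2 with the same id is committed together with it, otherwise any xref to that id breaks the build.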
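Review bot: for the hunk at @@ -2286,144 +2209,57 @@, the context line "The LAN_IP_RANGE is used by the internal clients use for IP Addressing", which this hunk merges into a single paragraph, has a doubled verb; since the sentence is being reflowed anyway, make it "The LAN_IP_RANGE is the address range used by the internal clients, usually something like 192.168.1.0/24." The new rc.conf block with gateway_enable="YES" turns on IP forwarding between all interfaces, which is a larger change than enabling NAT; one sentence noting that forwarded traffic is then constrained only by the filter rules, not by the NAT rules, would stop readers from assuming NAT itself restricts what passes through the gateway.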
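Review bot: for the hunk at @@ -2476,16 +2312,12 @@, dropping the "Port Redirection" title means the rdr keyword now appears in the examples without ever being named in prose; the rewritten sentence "but port redirection is also needed to direct the inbound traffic" would be clearer as "but port redirection (the rdr keyword) is also needed to direct the inbound traffic". Separately, the context example "map dc0 192.168.1.0/24 -> 204.134.75.0/24" maps onto live address space; the rules script elsewhere in this chapter already uses 192.0.2.x, so switching this example to an RFC 5737 documentation range (192.0.2.0/24, 198.51.100.0/24 or 203.0.113.0/24) would be consistent and avoids a copy-pasted rule that aims traffic at somebody else's network.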
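Review bot: for the hunk at @@ -2504,10 +2336,6 @@, the DNS example it leaves without a heading, "rdr dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udp", redirects UDP only; DNS also uses TCP port 53 (responses too large for UDP and zone transfers), so a public DNS server behind this single rule would be partly unreachable. Suggest adding the matching "rdr dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 tcp" line beside it, and replacing 20.20.20.5, which is not documentation address space, with an RFC 5737 address.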
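Review bot: for the hunk at @@ -2564,7 +2392,145 @@, the re-added script section claims the syntax "is compatible with the sh, csh, and tcsh shells", but assignments such as oif="dc0" and the unquoted here-document are sh syntax (csh and tcsh would need set oif="dc0"), and the section itself runs the file with "sh /etc/ipf.rules.script"; since the next commit reviews content, drop the csh/tcsh claim. The line "Symbolic fields do not have the $ prefix" is also confusing right after "Symbolic substitution fields are prefixed with a $"; it presumably means the assignment side (oif=...) carries no $ while references ($oif) do, and should say so. Two smaller points: the new paragraph on ipnat -CF should warn that flushing the translation table drops every active NAT session, so reloading rules on a busy gateway interrupts established connections; and "ipfilter_enable="NO"</literal>to" is missing the space before "to".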