Date: Thu, 21 Jan 1999 10:08:44 -0500
From: Mark Thomas <thomas@pmpro.com>
To: freebsd-security@FreeBSD.ORG
Subject: ipfw/natd configuration
Message-ID: <3.0.6.32.19990121100844.007c8ba0@pmpro.com>
Hello,

I'm in the process of setting up a firewall using ipfw and natd. My intention is to use a FreeBSD (soon to be 3.0-stable) machine with three interfaces. IP addresses altered.

  fxp0 - Interface to private network (192.168.1.1/16).
  fxp1 - Interface to the world (555.12.12.230/29).
  fxp2 - Interface to visible machines (555.12.12.233/29).

The public machine is: 555.12.12.234/29

I'm a bit confused about setting up natd/ipfw. Here's where I am right now:

Custom kernel with IPFIREWALL and IPDIVERT enabled.

In rc.conf:

  gateway_enable="YES"
  firewall_enable="YES"
  firewall_type="/etc/firewall.rules"      # My own rule set will be applied
  firewall_quiet="NO"
  natd_enable="YES"
  natd_interface="fxp1"
  natd_flags="-f /etc/natd.rules"
  network_interfaces="fxp0 fxp1 fxp2 lo0"  # Does order matter?
  gateway_enable="YES"

In /etc/services:

  natd 8668/divert

The above combination should also add the ipfw rule to divert packets to natd correctly via rc.firewall, right?

First problem is setting up the actual natd rules. To allow the public machine to be seen, it would appear I need this to pass its address unchanged:

  redirect_address 555.12.12.234 555.12.12.234

Since all other internal addresses are unregistered, it would then appear that this would do the trick:

  unregistered_only yes

This leaves the firewall's own public address visible, reveals the public machine behind the wall, and remaps all private network addresses to that of the firewall, right?

Now for ipfw. My fundamental confusion is ipfw's idea of exactly where 'it' is, and of in vs. out. How does the natd interface specification affect this, or does it?
Do the following seem like reasonable example rules (obviously a subset of actual rules)?

Allow http connections from the world to 555.12.12.234 port 80:

  add 500 allow tcp from any to 555.12.12.234 80 in via fxp1
  add 501 allow tcp from 555.12.12.234 80 to any out via fxp1 established

Allow http connections from the private network to the world:

  add 525 allow tcp from 555.12.12.230 to any 80 out via fxp1
  add 526 allow tcp from any 80 to any in via fxp1 established

Allow http connections from the private network to the public machine:

  add 550 allow tcp from any to 555.12.12.234 80 in via fxp0
  add 551 allow tcp from 555.12.12.234 80 to any out via fxp0 established

Any pointers or comments appreciated.

Thanks,

-----
Mark

Mark Thomas -- pmpro, inc. -- thomas@pmpro.com
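The "where is ipfw, and what do in and out mean once natd is involved" question in the message above can be traced with a small model. The Python script below is an added illustration written for this page; it is not code from the message, from rc.firewall, or from FreeBSD. It models one pass of a packet through a ruleset, with a divert rule placed in front of the six filter rules quoted above (rule number 50 and that position are assumptions, as is rule 65535 as the default deny), and a static stand-in for natd behaving as the quoted "unregistered_only yes" and "redirect_address" lines describe. Addresses are the altered ones from the message; the hosts 192.168.1.50 and 1.2.3.4 and the port numbers are constructed sample traffic. The model's simplifications are labelled in the comments.

```python
# Added illustration, not FreeBSD code: a toy model of ipfw evaluating the
# rules quoted above with a natd divert rule on fxp1. Assumed simplifications:
# natd is a static rewrite keyed on source port; only 'any' and exact hosts
# match (no masks); 'established' is a packet flag, not TCP flag inspection.
from collections import namedtuple

FW_PUBLIC = "555.12.12.230"    # firewall's outside address (from the message)
PUBLIC_HOST = "555.12.12.234"  # redirect_address 234 234: passed unchanged

Packet = namedtuple("Packet", "src sport dst dport proto established",
                    defaults=("tcp", False))
Rule = namedtuple("Rule", "num action proto src sport dst dport direction via established")


def parse_rule(line):
    """Parse the subset of 'ipfw add' syntax used in the message."""
    t = line.split()
    num, action = int(t[1]), t[2]
    i = 4 if action == "divert" else 3         # 'divert natd' names a port
    proto, src = t[i], t[i + 2]                # t[i + 1] is 'from'
    i += 3
    sport = None
    if t[i] != "to":
        sport, i = int(t[i]), i + 1
    dst, i = t[i + 1], i + 2                   # t[i] is 'to'
    dport = None
    if i < len(t) and t[i].isdigit():
        dport, i = int(t[i]), i + 1
    direction = via = None
    for j in range(i, len(t)):
        if t[j] in ("in", "out"):
            direction = t[j]
        elif t[j] == "via":
            via = t[j + 1]
    return Rule(num, action, proto, src, sport, dst, dport, direction, via,
                "established" in t[i:])


def matches(rule, pkt, direction, iface):
    """Match test for one rule on one pass; direction is 'in' or 'out'."""
    return (rule.proto in ("all", "ip", pkt.proto)
            and rule.src in ("any", pkt.src) and rule.sport in (None, pkt.sport)
            and rule.dst in ("any", pkt.dst) and rule.dport in (None, pkt.dport)
            and rule.direction in (None, direction) and rule.via in (None, iface)
            and (pkt.established or not rule.established))


def is_unregistered(addr):
    """RFC 1918 test behind natd's unregistered_only."""
    a = [int(x) for x in addr.split(".")]
    return a[0] == 10 or (a[0] == 172 and 16 <= a[1] <= 31) or a[:2] == [192, 168]


class Natd:
    """Stand-in for natd with 'unregistered_only yes' and the quoted redirect_address."""
    def __init__(self):
        self.table = {}  # public-side port -> (private addr, private port)

    def translate(self, pkt, direction):
        if direction == "out" and is_unregistered(pkt.src):
            self.table[pkt.sport] = (pkt.src, pkt.sport)   # port kept: assumption
            return pkt._replace(src=FW_PUBLIC)
        if direction == "in" and pkt.dst == FW_PUBLIC and pkt.dport in self.table:
            addr, port = self.table[pkt.dport]
            return pkt._replace(dst=addr, dport=port)
        return pkt  # PUBLIC_HOST and other registered addresses pass unchanged


def ipfw_pass(rules, pkt, direction, iface, natd):
    """One pass through the ruleset: returns (action, rule number, packet as last seen).
    A matching divert hands the packet to natd, which re-injects it at the next rule."""
    for rule in rules:
        if not matches(rule, pkt, direction, iface):
            continue
        if rule.action == "divert":
            pkt = natd.translate(pkt, direction)
            continue
        return rule.action, rule.num, pkt
    raise RuntimeError("no terminal rule")


RULESET = [parse_rule(r) for r in [
    "add 50 divert natd all from any to any via fxp1",  # number/position assumed
    # the six rules quoted in the message
    "add 500 allow tcp from any to 555.12.12.234 80 in via fxp1",
    "add 501 allow tcp from 555.12.12.234 80 to any out via fxp1 established",
    "add 525 allow tcp from 555.12.12.230 to any 80 out via fxp1",
    "add 526 allow tcp from any 80 to any in via fxp1 established",
    "add 550 allow tcp from any to 555.12.12.234 80 in via fxp0",
    "add 551 allow tcp from 555.12.12.234 80 to any out via fxp0 established",
    "add 65535 deny all from any to any",               # ipfw's default rule
]]

if __name__ == "__main__":
    natd = Natd()
    # constructed sample traffic; a forwarded packet is checked on the inbound
    # pass on its receiving interface and again on the outbound pass
    web = Packet("1.2.3.4", 4000, PUBLIC_HOST, 80)
    for label, pkt, direction, iface in [
        ("private -> world, out via fxp1", Packet("192.168.1.50", 1234, "1.2.3.4", 80), "out", "fxp1"),
        ("reply, in via fxp1", Packet("1.2.3.4", 80, FW_PUBLIC, 1234, established=True), "in", "fxp1"),
        ("world -> public host, in via fxp1", web, "in", "fxp1"),
        ("same packet, out via fxp2", web, "out", "fxp2"),
    ]:
        action, num, seen = ipfw_pass(RULESET, pkt, direction, iface, natd)
        print(f"{label}: rule {num} {action}; seen as {seen.src} -> {seen.dst}:{seen.dport}")
```

What the traces show: the divert rule only fires on packets passing via fxp1, so a filter rule placed after it sees the firewall's public address on the outbound pass (rule 525 matches on 555.12.12.230, not on the private source) and the private address again on the inbound pass for the reply, while traffic between fxp0 and fxp2 never reaches natd at all. The model also applies the check a forwarded packet gets on its sending interface; with only the six quoted rules loaded, the out-via-fxp2 and out-via-fxp0 legs fall through to the default deny, which is where the rest of the full rule set would have to cover them.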