Date:      Sun, 28 Oct 2001 14:14:36 +0200
From:      Johann Botha <joe@frogfoot.net>
To:        freebsd-isp@freebsd.org
Subject:   Re: punch_fw
Message-ID:  <20011028141436.A549@blue.frogfoot.net>
In-Reply-To: <20011028171031.A76033@ns.morning.ru>
References:  <20011028011245.A7860@blue.frogfoot.net> <20011028171031.A76033@ns.morning.ru>

Hi

> > could anybody please point me to some docs on using punch_fw to get active
> > ftp working using natd.
> 
> Sorry, I'm coming with no ideas about `punch_fw' (what is it at all? :-) but
> ipnat (ipfilter's sister) does it okay.

man natd
------------< snip <------< snip <------< snip <------------
     -punch_fw basenumber:count
                 This option directs natd to `punch holes'' in an
                 ipfirewall(4) based firewall for FTP/IRC DCC connections.
                 This is done dynamically by installing temporary firewall
                 rules which allow a particular connection (and only that con-
                 nection) to go through the firewall.  The rules are removed
                 once the corresponding connection terminates.

                 A maximum of count rules starting from the rule number
                 basenumber will be used for punching firewall holes.  The
                 range will be cleared for all rules on startup.
------------< snip <------< snip <------< snip <------------

i've used ipfilter's nat for active ftp.. worked well, but i would really
like to keep this box an ipfw box.

some more info on what i would like to do (hoping somebody out there has a
working punch_fw setup)

i'm running FreeBSD 4.3 release,
all the kernel configs are fine.. the box has been doing transparent proxy,
logging etc. for some time now with no problems.

i would like to enable active ftp (allow ftp-data connections to get routed
back to my internal network).. but i don't want to do this:
------------< snip <------< snip <------< snip <------------
     #pass tcp from 66.8.28.48/29 1025-65535 to any 20,21 out xmit ed0
     #pass tcp from any 20,21 to 66.8.28.48/29 1025-65535 in recv ed0     
------------< snip <------< snip <------< snip <------------
this opens my network up to attacks coming from port 20,
like: nmap -g 20 -p 389 -sS 66.8.28.50

          ____________
          |           |
outside --|ed0     ed1|----- [66.8.28.48/29] --- (66.8.28.50)
          |___________|

ed0: 66.8.28.22
ed1: 66.8.28.54

i would like my firewall to divert an ftp connection initiated by 66.8.28.50
to natd:

/etc/ipfw.rules
------------< snip <------< snip <------< snip <------------
divert 8668 tcp from any to any 20,21 via ed0
------------< snip <------< snip <------< snip <------------

then it should alias this connection and send the traffic to the outside ftp
server as if it were initiated by 66.8.28.22:

root@pris:/# natd -punch_fw 0:16 -a 66.8.28.22 -v
------------< snip <------< snip <------< snip <------------
Out [TCP]  [TCP] 66.8.28.50:4125 -> 66.8.28.1:21 aliased to
           [TCP] 66.8.28.22:4125 -> 66.8.28.1:21
------------< snip <------< snip <------< snip <------------

then, the remote ftp server should respond to 66.8.28.22; this gets diverted
to natd, and natd passes the response to 66.8.28.50. natd should now add a
dynamic rule to allow ftp-data traffic to 66.8.28.22 (i think so anyway).

i don't see these rules added? should i be able to see them with an "ipfw
list"?

my ipfw setup also contains:
pass tcp from 66.8.28.22/32 to any 20,21 out xmit ed0
to allow nat'd traffic to get out and:
pass tcp from any 20,21 to 66.8.28.22/32 in recv ed0
to allow traffic back to natd

in what order should these rules be?
------------< snip <------< snip <------< snip <------------
   # FTP
     divert 8668 tcp from any to any 20,21 via ed0
     pass tcp from 66.8.28.22/32 to any 20,21 out xmit ed0
     pass tcp from any 20,21 to 66.8.28.22/32 in recv ed0     
------------< snip <------< snip <------< snip <------------

using tcpdump i can see that outgoing requests reach the remote ftp server
translated so they look as if they come from 66.8.28.22.. and traffic comes
back in to 66.8.28.22.. but the traffic never goes to 66.8.28.50..
i allow all traffic via ed1.

so i think natd is broken.. ?
it does not create the dynamic punch rules and it does not route traffic
back to the box initiating a connection

i've been looking at my ipfw logs, i don't see any deny/drops relating to
what natd should be doing.

some example configs using natd/punch_fw with the ipfw rules to go with it
would be great! thanks.

-- 
Regards
Johann

  "They mostly come at night, mostly" - Newt
______________________________________________________
 Johann L. Botha       Debian GNU Jedi: joe@debian.org
 +27.82.5626.167                          PO Box 3472 
 joe@frogfoot.net                         Matieland
 workpage: http://www.frogfoot.net        Stellenbosch
 homepage: http://blue.frogfoot.net       7602
      ham: ZR1JOE                         South Africa

Copyright (c) 2001. The Sovereigns of Frogfoot. All rights reserved.
Disclaimer available upon request.
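The mail asks in what order the divert and pass rules should sit relative to the punch_fw range. Below is an added example (not from the original mail or from FreeBSD's natd) that parses an "ipfw list"-style ruleset and flags the three ordering mistakes that would make such a setup fail; it assumes ipfw evaluates rules in ascending number order and stops at the first matching terminal rule, that natd places its punched rules at basenumber..basenumber+count-1 as the quoted man page says, and it matches rule bodies with a plain text heuristic rather than a full ipfw parser. SAMPLE_RULES is a constructed ruleset modelled on the /etc/ipfw.rules snippet in the mail plus a default deny.

```python
"""Order checks for an ipfw ruleset used with natd -punch_fw (added
example).  Assumes ipfw evaluates rules in ascending number order and stops
at the first matching terminal rule (divert, pass, deny), and that natd
installs punched rules at basenumber .. basenumber+count-1.  Rule bodies
are matched with a text heuristic, not a real ipfw parser."""
import re
from typing import List, Tuple

RULE_RE = re.compile(r"^\s*(\d{1,5})\s+(\S+)\s+(.*)$")

def parse_rules(text: str) -> List[Tuple[int, str, str]]:
    """Parse 'ipfw list'-style lines into sorted (number, action, body)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return sorted(rules)

def check_ruleset(text: str, basenumber: int, count: int) -> List[str]:
    """Return the ordering problems found; an empty list means none."""
    rules = parse_rules(text)
    holes = range(basenumber, basenumber + count)
    problems = []
    # 1. natd clears the punch range on startup, so static rules inside it vanish.
    clobbered = [n for n, _, _ in rules if n in holes]
    if clobbered:
        problems.append(f"rules {clobbered} sit inside punch_fw range "
                        f"{basenumber}:{count} and will be cleared by natd")
    # 2. FTP control traffic must hit the divert rule before a pass rule,
    #    otherwise it leaves untranslated and natd never sees it.
    diverts = [n for n, a, b in rules if a == "divert" and "20,21" in b]
    passes = [n for n, a, b in rules if a in ("pass", "allow") and "20,21" in b]
    if diverts and passes and min(passes) < min(diverts):
        problems.append(f"pass rule {min(passes)} precedes divert rule "
                        f"{min(diverts)}: FTP traffic bypasses natd")
    # 3. Punched holes are useless if a catch-all or port-20 deny is reached first.
    blocking = [n for n, a, b in rules
                if a == "deny" and ("from any to any" in b or "from any 20" in b)]
    if blocking and holes and holes[-1] >= min(blocking):
        problems.append(f"punch_fw range ends at {holes[-1]} but deny rule "
                        f"{min(blocking)} is evaluated first")
    return problems

# Constructed ruleset modelled on the mail's /etc/ipfw.rules plus a default deny.
SAMPLE_RULES = """\
00100 divert 8668 tcp from any to any 20,21 via ed0
00200 pass tcp from 66.8.28.22/32 to any 20,21 out xmit ed0
00300 pass tcp from any 20,21 to 66.8.28.22/32 in recv ed0
65535 deny ip from any to any
"""

if __name__ == "__main__":
    for base, cnt in ((1000, 16), (100, 16)):
        print(f"punch_fw {base}:{cnt} ->", check_ruleset(SAMPLE_RULES, base, cnt) or "ok")
```

Run against a live box by feeding it the output of "ipfw list" and the basenumber:count you pass to natd; a non-empty result names the rule numbers to move.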
