Date: Sun, 28 Oct 2001 14:14:36 +0200 From: Johann Botha <joe@frogfoot.net> To: freebsd-isp@freebsd.org Subject: Re: punch_fw Message-ID: <20011028141436.A549@blue.frogfoot.net> In-Reply-To: <20011028171031.A76033@ns.morning.ru> References: <20011028011245.A7860@blue.frogfoot.net> <20011028171031.A76033@ns.morning.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi
> > could anybody please point me to some docs on using punch_fw to get active
> > ftp working using natd.
>
> Sorry, I coming with no ideas about `punch_fw' (what it is at all? :-) but
> ipnat (ipfilter's sister) does it okay.
man natd
------------< snip <------< snip <------< snip <------------
-punch_fw basenumber:count
This option directs natd to `punch holes'' in an
ipfirewall(4) based firewall for FTP/IRC DCC connections.
This is done dynamically by installing temporary firewall
rules which allow a particular connection (and only that con-
nection) to go through the firewall. The rules are removed
once the corresponding connection terminates.
A maximum of count rules starting from the rule number
basenumber will be used for punching firewall holes. The
range will be cleared for all rules on startup.
------------< snip <------< snip <------< snip <------------
i've used ipfilter's nat for active ftp.. worked well, but i would really
like to keep this box a ipfw box.
some more info on what i would like to do (hoping somebody out there has a
working punch_fw setup)
i'm running FreeBSD 4.3 release,
all the kernel configs are fine.. the box has been doing transparent proxy,
logging etc. for some time now with no problems.
i would like to enable active ftp (allow ftp-data connections to get routed
back to my internal network).. but i dont want to do this:
------------< snip <------< snip <------< snip <------------
#pass tcp from 66.8.28.48/29 1025-65535 to any 20,21 out xmit ed0
#pass tcp from any 20,21 to 66.8.28.48/29 1025-65535 in recv ed0
------------< snip <------< snip <------< snip <------------
this opens my network up to attacks coming from port 20,
like: nmap -g 20 -p 389 -sS 66.8.28.50
____________
| |
outside --|ed0 ed1|----- [66.8.28.48/29] --- (66.8.28.50)
|___________|
ed0: 66.8.28.22
ed1: 66.8.28.54
i would like my firewall to divert an ftp connection initiated by 66.8.28.50
to natd:
/etc/ipfw.rules
------------< snip <------< snip <------< snip <------------
divert 8668 tcp from any to any 20,21 via ed0
------------< snip <------< snip <------< snip <------------
then it should alias this connection and send the traffic to the outside ftp
server as if it where initiated by 66.8.28.22:
root@pris:/# natd -punch_fw 0:16 -a 66.8.28.22 -v
------------< snip <------< snip <------< snip <------------
Out [TCP] [TCP] 66.8.28.50:4125 -> 66.8.28.1:21 aliased to
[TCP] 66.8.28.22:4125 -> 66.8.28.1:21
------------< snip <------< snip <------< snip <------------
then, the remote ftp server should respond to 66.8.28.22,
this gets diverted to natd, natd passes the response to 66.8.28.50
natd should now add a dynamic rule to allow ftp-data traffic to 66.8.28.22,
(i think so anyway)
i dont see these rules added ? should i be able to see them with a "ipfw
list" ?
my ipfw setup also contains:
pass tcp from 66.8.28.22/32 to any 20,21 out xmit ed0
to allow nat'd traffic to get out and:
pass tcp from any 20,21 to 66.8.28.22/32 in recv ed0
to allow traffic back to natd
in what order should these rules be ?
------------< snip <------< snip <------< snip <------------
# FTP
divert 8668 tcp from any to any 20,21 via ed0
pass tcp from 66.8.28.22/32 to any 20,21 out xmit ed0
pass tcp from any 20,21 to 66.8.28.22/32 in recv ed0
------------< snip <------< snip <------< snip <------------
using tcpdump i can see that outgoing requests reach the remote ftp server
translated so they look as if they come from 66.8.28.22.. and traffic comes
back in to 66.8.28.22.. but the traffic never goes to 66.8.28.50..
i allow all traffic to via ed1
so i think natd is broken.. ?
it does not create the dynamic punch rules and it does not route traffic
back to the box initiating a connection
i've been looking at my ipfw logs, i dont see any deny/drop's relating to
what natd should be doing.
some example configs using natd/punch_fw with the ipfw rules to go with it
would be great! thanks.
--
Regards
Johann
"They mostly come at night, mostly" - Newt
______________________________________________________
Johann L. Botha Debian GNU Jedi: joe@debian.org
+27.82.5626.167 PO Box 3472
joe@frogfoot.net Matieland
workpage: http://www.frogfoot.net Stellenbosch
homepage: http://blue.frogfoot.net 7602
ham: ZR1JOE South Africa
Copyright (c) 2001. The Sovereigns of Frogfoot. All rights reserved.
Disclaimer available upon request.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011028141436.A549>