Date: Sat, 25 Jun 2005 21:00:55 -0400
From: Andy Sutcliffe <andy.sutcliffe@gmail.com>
To: freebsd-questions@freebsd.org
Subject: IPNAT / IPF / rdr issue
Message-ID: <9d124e1c0506251800635f8cf7@mail.gmail.com>
I am having problems accessing internal resources (such as a web server) from other internal clients when going from internal client -> public address -> internal resource. For example, when I attempt to reach 'mydomain.com' from client machine X, the connection is refused (I am, of course, able to reach the web server through the internal IP); however, I am able to access the web server via that URL from an external network. I have 'mydomain.com' pointed towards the external IP of my gateway, which in turn relays it to the internal web server.

I have included the pertinent contents of /etc/ipnat.rules as well as my /etc/ipf.conf file. I am at a loss at this point... can anyone point me in the right direction?

Thanks in advance,

- andy ( andy dot sutcliffe at gmail dot com)

Gateway:
  OS: FreeBSD 5.4
  Firewall: IPFilter
  Port Forwarding: IPNAT
  External eth: dc0
  Internal eth: ed0 (10.0.0.0)

Web Server:
  OS: FreeBSD 5.4
  WWW: Apache 2.0

Client Machine(s):
  OS: Windows XP, FreeBSD, Linux

I have the following in /etc/ipnat.rules:

# innernet
map dc0 10.0.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 40000:65000
map dc0 10.0.0.0/16 -> 0.0.0.0/32

# www
rdr dc0 0.0.0.0/0 port 80 -> 10.0.0.3 port 80

I have the following in /etc/ipf.conf:

#################################################################
# No restrictions on Inside LAN Interface for private network
# Not needed unless you have LAN
#################################################################
pass out quick on ed0 all
pass in quick on ed0 all

#################################################################
# No restrictions on Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all

#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public Internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# xxx must be the IP address of your ISP's DNS.
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
pass out quick on dc0 proto tcp from any to 67.43.192.6 port = 53 flags S keep state
pass out quick on dc0 proto udp from any to 67.43.192.6 port = 53 keep state
pass out quick on dc0 proto tcp from any to 137.118.1.33 port = 53 flags S keep state
pass out quick on dc0 proto udp from any to 137.118.1.33 port = 53 keep state

# Allow out access to my ISP's DHCP server for cable or DSL networks.
# This rule is not needed for 'user ppp' type connection to the
# public Internet, so you can delete this whole group.
# Use the following rule and check log for IP address.
# Then put IP address in commented out rule & delete first rule
pass out quick on dc0 proto udp from any to 67.43.192.6 port = 67 keep state

# Allow out non-secure standard www function
pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state
pass out quick on dc0 proto tcp from any to any port = 81 flags S keep state

# Allow out secure www function https over TLS SSL
pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state

# Allow out send & get email function
pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state

# Allow out Time
pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state

# Allow out nntp news
pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state

# Allow out gateway & LAN users non-secure FTP ( both passive & active modes)
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state

# Allow out non-secure Telnet
pass out quick on dc0 proto tcp from any to any port = 23 flags S keep state

# Allow out FBSD CVSUP function
pass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state

# Allow out ping to public Internet
pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state

# Allow out whois for LAN PC to public Internet
pass out quick on dc0 proto tcp from any to any port = 43 flags S keep state

# Block and log only the first occurrence of everything
# else that's trying to get out.
# This rule enforces the block all by default logic.
block out log first quick on dc0 all

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on dc0 from 192.168.0.0/16 to any    #RFC 1918 private IP
block in quick on dc0 from 172.16.0.0/12 to any     #RFC 1918 private IP
# block in quick on dc0 from 10.0.0.0/8 to any      #RFC 1918 private IP
block in quick on dc0 from 127.0.0.0/8 to any       #loopback
block in quick on dc0 from 0.0.0.0/8 to any         #loopback
block in quick on dc0 from 169.254.0.0/16 to any    #DHCP auto-config
block in quick on dc0 from 192.0.2.0/24 to any      #reserved for docs
block in quick on dc0 from 204.152.64.0/23 to any   #Sun cluster interconnect
block in quick on dc0 from 224.0.0.0/3 to any       #Class D & E multicast

##### Block a bunch of different nasty things. ############
# That I do not want to see in the log

# Block frags
block in quick on dc0 all with frags

# Block short tcp packets
block in quick on dc0 proto tcp all with short

# block source routed packets
block in quick on dc0 all with opt lsrr
block in quick on dc0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on dc0 proto tcp from any to any flags FUP

# Block anything with special options
block in quick on dc0 all with ipopts

# Block public pings
block in quick on dc0 proto icmp all icmp-type 8

# Block ident
block in quick on dc0 proto tcp from any to any port = 113

# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in log first quick on dc0 proto tcp/udp from any to any port = 137
block in log first quick on dc0 proto tcp/udp from any to any port = 138
block in log first quick on dc0 proto tcp/udp from any to any port = 139
block in log first quick on dc0 proto tcp/udp from any to any port = 81

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type. Only necessary for
# cable or DSL configurations. This rule is not needed for
# 'user ppp' type connection to the public Internet.
# This is the same IP address you captured and
# used in the outbound section.
pass in quick on dc0 proto udp from 67.43.192.6 to any port = 68 keep state

# Allow in standard www function because I have apache server
pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state
pass in quick on dc0 proto tcp from any to any port = 81 flags S keep state

# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH (secure shell)
pass in quick on dc0 proto tcp from any to any port = 22 flags S keep state

# Allow in non-secure FTP access to file server (bombadil)
pass in quick on dc0 proto ftp from any to 10.0.0.2 port = 21 flags S keep state
pass in quick on dc0 proto ftp from any to 10.0.0.2 port = 20 flags S keep state
pass out quick on dc0 proto ftp from 10.0.0.2 to any port = 20 flags S keep state

# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence stops a 'denial of service' attack targeted
# at filling up your log file space.
# This rule enforces the block all by default logic.
block in log first quick on dc0 all

################### End of rules file #####################################
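As an added illustration (example code written for this edit, not from the original post or from IPFilter itself), here is a small Python model of how IPNAT chooses an rdr rule, fed the rdr line from the ipnat.rules above. It assumes a placeholder public address of 198.51.100.1 for the gateway, and shows that a rule bound to dc0 is only consulted for packets that enter via dc0, so the same destination arriving from the LAN on ed0 is not redirected; the parser also accepts any further rdr line, such as one bound to ed0.

```python
"""Teaching model (added here, not IPFilter code) of how IPNAT picks an
rdr rule: each rule is bound to the interface a packet ARRIVES on, so a
rule written for dc0 is never consulted for a packet that enters via ed0."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed copy of the map/rdr lines from the ipnat.rules in the post.
IPNAT_RULES = """
# innernet
map dc0 10.0.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 40000:65000
map dc0 10.0.0.0/16 -> 0.0.0.0/32
# www
rdr dc0 0.0.0.0/0 port 80 -> 10.0.0.3 port 80
"""

# Placeholder for the gateway's public address (not given in the post).
GATEWAY_PUBLIC_IP = "198.51.100.1"

RDR_RE = re.compile(
    r"^rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)")

@dataclass(frozen=True)
class Rdr:
    ifname: str                      # interface the rule is bound to
    dst_net: ipaddress.IPv4Network   # original destination to match
    dst_port: int
    to_addr: str                     # rewritten destination
    to_port: int

def parse_rdr(text):
    """Return the rdr rules in file order; map rules and comments are skipped."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            rules.append(Rdr(m.group(1), ipaddress.ip_network(m.group(2)),
                             int(m.group(3)), m.group(4), int(m.group(5))))
    return rules

def redirect(rules, in_if, dst_ip, dst_port):
    """First matching rdr wins. Returns (new_ip, new_port), or None when no
    rule applies and the packet is delivered to the gateway's own stack."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.ifname == in_if and dst in r.dst_net and dst_port == r.dst_port:
            return (r.to_addr, r.to_port)
    return None
```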