Heloha!
I have set up a FreeBSD 4.2 box running ipfw/natd. I have run into two separate issues as of late, and any help on either of them would be much appreciated.
1) Static NAT issues.
I don't consider myself a NAT expert by any means, but I have some pretty fierce rules set up to prohibit traffic in ipfw, and I think it is fighting with natd.
I try to set up a static NAT for 192.168.1.4 to external IP xxx.xxx.xxx.4, so I have added the following line in /etc/natd.conf. Like so:
# Interface on which NATd operates (external net)
interface dc0
# Enable Logging for natd to /var/log/alias.log
log yes
# Log denied incoming packets to /var/log/alias.log
log_denied yes
# Only alter outgoing packets with an RFC 1918 source address (10., etc...)
unregistered_only yes
# Allows NATd to allocate a port in order to establish an ftp data connection
use_sockets yes
# Try to keep the same port number when altering outgoing packets
same_ports yes
# Detect any changes to dc0 just incase the IP ever changed
dynamic yes
#
redirect_address 192.168.1.4 xxx.xxx.xxx.4
And as soon as I restart natd with this configuration, I try to ping out/in just as before or try to go anywhere, and it doesn't budge...
And the following message appears in the logs:
"firewall natd[8586]: failed to write packet back (Host is down)"
What have I configured wrong? I know it is something I did.
2) FTP Passive mode from behind the very same firewall.
I started having these issues when I placed my machine/others behind the firewall.
FTP Passive MODE will not work.
Session for ftp.cdrom.com:
Connected to wcarchive.cdrom.com. 220 wcarchive.cdrom.com FTP server (Version DG-4.0.62 974200128) ready.
User (wcarchive.cdrom.com:(none)): 331 Guest login ok, send your email address as password.
230-Welcome to ftp.cdrom.com, a service of Digital River, Inc.
230-There are currently 585 users out of 3000 possible.
230-
230-This machine is a Xeon/500 with 4GB of memory & 1/2 terabyte of RAID 5.
230-The operating system is FreeBSD. Should you wish to get your own copy of
230-FreeBSD, please visit http://www.freebsd.org for more information.
230-
230-100Mbps colocation services provided by Applied Theory. Please visit
230-http://www.appliedtheory.com for more information.
230-
230-*************************************************************************
230-Webmasters and Web Sites may not link to files in this archive
230-(FTP.CDROM.COM) without prior written permission by Digital River, Inc.
230-If you are interested in linking to files in this archive, please send
230-an e-mail to [EMAIL PROTECTED] for details. Digital River, Inc.
230-reserves the right to seek compensation for unauthorized use.
230-*************************************************************************
230-
230-Please send mail to [EMAIL PROTECTED] if you experience any problems.
230-Please also let us know if there is something we don't have that you think
230-we should!
230 Guest login ok, access restrictions apply.
ftp> dir
ftp> 227 Entering Passive Mode (209,155,82,18,59,78)
ftp> 200 PORT command successful.
Then it hangs. This is via command prompt on NT. I try from the FIREWALL as well, via ftp console, and I get the same issue.
I know it has to do with the ruleset for ipfw. Is there a workaround for this? My ipfw rules are as follows:
00100 359381 127977316 divert 8668 ip from any to any via dc0
00200 160732 10165384 allow ip from any to any out xmit dc0
00300 0 0 allow ip from any to any via lo0
00400 224059 119508086 allow ip from any to any via dc1
00500 127094 7661911 allow ip from any to any via dc2
00600 2 80 allow tcp from any 20 to any in recv dc0 established
00700 0 0 allow udp from any 20 to any in recv dc0
00800 825 82823 allow tcp from any 21 to any in recv dc0 established
00900 0 0 allow udp from any 21 to any in recv dc0
01000 10261 752195 allow tcp from any 22 to any in recv dc0 established
01100 0 0 allow udp from any 22 to any in recv dc0
01200 0 0 allow udp from any 25 to any in recv dc0
01300 45 2999 allow tcp from any 25 to any in recv dc0 established
01400 3319 688556 allow udp from any 53 to any in recv dc0
01500 0 0 allow tcp from any 53 to any in recv dc0 established
01600 0 0 allow udp from any 80 to any in recv dc0
01700 87424 107270628 allow tcp from any 80 to any in recv dc0 established
01800 0 0 allow udp from any 110 to any in recv dc0
01900 5149 1448301 allow tcp from any 110 to any in recv dc0 established
02000 0 0 allow udp from any 119 to any in recv dc0
02100 0 0 allow tcp from any 119 to any in recv dc0 established
02200 0 0 allow udp from any 443 to any in recv dc0
02300 618 208116 allow tcp from any 443 to any in recv dc0 established
02400 0 0 allow tcp from any 81 to any in recv dc0 established
02500 0 0 allow udp from any 81 to any in recv dc0
02600 0 0 allow udp from any 88 to any in recv dc0
02700 855 836865 allow tcp from any 88 to any in recv dc0 established
02800 0 0 allow udp from any 106 to any in recv dc0
02900 0 0 allow tcp from any 106 to any in recv dc0 established
03000 0 0 allow udp from any 911 to any in recv dc0
03100 394 243547 allow tcp from any 911 to any in recv dc0 established
03200 7019 1072459 allow tcp from any 5631 to any in recv dc0
03300 5 165 allow udp from any 5632 to any in recv dc0
03400 454 37057 allow tcp from any 5190 to any in recv dc0 established
03500 0 0 allow udp from any 8134 to any in recv dc0
03600 0 0 allow tcp from any 8134 to any in recv dc0 established
03700 0 0 allow udp from any 5142 to any in recv dc0
03800 0 0 allow tcp from any 5142 to any in recv dc0 established
03900 0 0 allow udp from any 7070 to any in recv dc0
04000 0 0 allow tcp from any 7070 to any in recv dc0 established
04100 0 0 allow udp from any 554 to any in recv dc0
04200 0 0 allow tcp from any 554 to any in recv dc0 established
04210 1 76 allow udp from any 123 to any in recv dc0
04220 0 0 allow tcp from any 123 to any in recv dc0 established
04300 10123 1050091 deny udp from any 135-139 to any in recv dc0
04400 0 0 deny tcp from any 135-139 to any in recv dc0
04500 0 0 deny log logamount 10000 ip from 192.168.0.0/16 to any in recv dc0
04600 0 0 deny log logamount 10000 ip from 172.16.0.0/16 to any in recv dc0
04700 0 0 deny log logamount 10000 ip from 10.0.0.0/8 to any in recv dc0
04800 2 112 deny log logamount 10000 ip from 127.0.0.0/8 to any in recv dc0
04900 0 0 deny log logamount 10000 ip from 127.0.0.0/8 to any in recv dc1
05000 0 0 deny log logamount 10000 ip from 127.0.0.0/8 to any in recv dc2
05100 0 0 allow icmp from any to any via dc1
05200 0 0 allow icmp from any to any via dc2
05300 71678 4096080 allow icmp from any to any in recv dc0 icmptype 0
05400 0 0 allow icmp from any to any out xmit dc0 icmptype 8
05500 0 0 allow icmp from any to any in recv dc0 icmptype 3
05600 0 0 allow icmp from any to any in recv dc0 icmptype 11
65534 471 21552 deny log logamount 10000 ip from any to any in recv dc0
65535 109 12977 deny ip from any to any
Thanks for the help!
Matt Shine
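To see how the posted ruleset treats the passive-mode FTP data channel, the script below (an added example, not code from the post or from FreeBSD) walks a few packets through a simplified re-implementation of ipfw's first-match evaluation. The matcher, the constructed subset of the ruleset, the stand-in external address 203.0.113.4 and the hypothetical extra rule 01750 are all assumptions of this example; the PASV reply and the rule text come from the post. It shows that the server's reply on the control channel (source port 21) hits the port-specific "established" rule 00800, while the SYN/ACK for the data channel, which comes from the ephemeral port announced in the 227 reply, matches none of those rules and falls through to the catch-all deny 65534; with a rule accepting established TCP on dc0 regardless of source port, it is allowed instead.

```python
"""Simulate ipfw first-match evaluation for the passive-mode FTP data channel.

Added example, not code from the original post. The matcher is a simplified
re-implementation (an assumption of this example) covering only the rule
syntax the posted ruleset uses. 'divert' is treated as pass-through, since
the kernel hands the packet to natd and then resumes at the next rule.
"""
import ipaddress
import re

# Constructed subset of the poster's ruleset, packet/byte counters dropped.
RULESET = """
00100 divert 8668 ip from any to any via dc0
00200 allow ip from any to any out xmit dc0
00800 allow tcp from any 21 to any in recv dc0 established
01700 allow tcp from any 80 to any in recv dc0 established
04500 deny log logamount 10000 ip from 192.168.0.0/16 to any in recv dc0
65534 deny log logamount 10000 ip from any to any in recv dc0
65535 deny ip from any to any
"""
# Hypothetical extra rule: accept replies to any TCP connection we opened.
ESTABLISHED_RULE = "01750 allow tcp from any to any in recv dc0 established"
PASV_REPLY = "227 Entering Passive Mode (209,155,82,18,59,78)"  # from the post
CLIENT_EXT = "203.0.113.4"  # constructed stand-in for xxx.xxx.xxx.4

RULE_RE = re.compile(
    r"^(?P<num>\d+) (?P<action>allow|deny|divert)(?: \d+)?(?: log logamount \d+)? "
    r"(?P<proto>ip|tcp|udp|icmp) from (?P<src>\S+)(?: (?P<sport>\d+))? "
    r"to (?P<dst>\S+)(?: (?P<dport>\d+))?"
    r"(?: (?P<dir>in recv|out xmit|via) (?P<iface>\S+))?(?P<est> established)?$"
)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + line)
    d = m.groupdict()
    return {"num": int(d["num"]), "action": d["action"], "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
            "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
            "dir": d["dir"], "iface": d["iface"], "established": bool(d["est"])}


def parse_ruleset(text):
    # ipfw evaluates rules in ascending rule-number order.
    return sorted((parse_rule(l) for l in text.strip().splitlines()),
                  key=lambda r: r["num"])


def addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    if rule["sport"] is not None and rule["sport"] != pkt["sport"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["iface"] is not None:
        if rule["iface"] != pkt["iface"]:
            return False
        if rule["dir"] == "in recv" and pkt["dir"] != "in":
            return False
        if rule["dir"] == "out xmit" and pkt["dir"] != "out":
            return False
    # 'established' matches TCP segments with ACK (or RST) set, e.g. a SYN/ACK.
    return not rule["established"] or pkt["established"]


def first_match(rules, pkt):
    """Return (rule number, action) of the first non-divert rule that matches."""
    for rule in rules:
        if rule["action"] != "divert" and rule_matches(rule, pkt):
            return rule["num"], rule["action"]
    return None


def parse_pasv(reply):
    """Return (host, port) announced by a '227 Entering Passive Mode' reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply")
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def packet(src, sport, dst, dport, direction, established):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "iface": "dc0", "dir": direction, "established": established}


def verdicts(ruleset_text, pasv_reply=PASV_REPLY):
    """Classify the three packets that matter for a passive-mode transfer."""
    rules = parse_ruleset(ruleset_text)
    host, port = parse_pasv(pasv_reply)
    pkts = {
        "control_reply": packet(host, 21, CLIENT_EXT, 40001, "in", True),   # server -> us, port 21
        "data_syn": packet(CLIENT_EXT, 40002, host, port, "out", False),    # our SYN to PASV port
        "data_synack": packet(host, port, CLIENT_EXT, 40002, "in", True),   # server's SYN/ACK back
    }
    return {name: first_match(rules, p) for name, p in pkts.items()}


if __name__ == "__main__":
    print("posted ruleset:", verdicts(RULESET))
    print("with 01750 added:", verdicts(RULESET + ESTABLISHED_RULE))
```

Running it prints `data_synack` as `(65534, 'deny')` for the posted rules and `(1750, 'allow')` once the extra rule is in place. A blanket "established" rule is the classic stateless way to let replies back in and is broader than the per-port rules above it, since it accepts any segment with ACK set from any source port; natd(8) also documents a `punch_fw` option that opens per-connection holes for FTP data channels instead, which is the narrower choice where that version of natd supports it.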