Hi,
Not just your address will change, but sometimes your interface
may also jump to sppp1 (I had this problem with S8 and pacbell DSL).
Here is my rigged ipfboot, and also my ipnat.conf.orig and
ipf.conf.orig.
The idea is: you edit ipnat.conf.orig and ipf.conf.orig, and the
ipfboot will automatically replace the needed macros while creating
ipf.conf and ipnat.conf. Two macros are defined:
$EXTIF : interface name
$LOCALIP : my IP (on the $EXTIF)
Thanks,
Pawel.
On Sat, Sep 10, 2005 at 09:18:54PM +0200, Aleksander wrote:
>Hi Pawel,
>thanks for your help. I found the problem. The 0/32 alias doesn't work
>with rdr. It only works with map and bimap.
>Then I changed the rules to:
>rdr sppp0 x.x.x.x port 4662 -> 192.168.1.2 port 4662 tcp
>rdr sppp0 x.x.x.x port 3620 -> 192.168.1.2 port 3620 udp
>and everything works fine. But I get a new IP on every reconnection.
>Do you have an idea how to change this rule to "any ip", so that I
>don't have to update my ipnat.conf on every reconnect?
>
>Best regards,
>Aleksander
>
>
>PSV> Aleksander,
>
>PSV> these port checkers won't work all the time.
>PSV> The best way to debug this is to have a system outside,
>PSV> and just telnet to port 4662 to your ip, and check the packets flow.
>
>PSV> Set up tcpdump on both external and internal interfaces, and see
>PSV> if the incoming packets show up on both interfaces.
>
>PSV> Also I'm not familiar with '0/32' way of encoding the source/destination
>PSV> address for NAT, hopefully this means the actual interface address, or the
>PSV> way you scrambled your ip.
>
>PSV> Also, try telnetting to any outside ip, port 4662, and see if you
>PSV> can sniff those packets on internal/external interfaces.
>
>PSV> Also, since this is Solaris, make sure your routing is actually
>PSV> turned on. Sometimes I got fooled by the corresponding parameter
>PSV> being turned off :) 'ndd -get /dev/ip ip_forwarding' should reply '1'
>PSV> if it is on.
>
>PSV> Hope this helps,
>PSV> Pawel.
>
>PSV> On Wed, Sep 07, 2005 at 07:43:37PM +0200, Aleksander wrote:
>>>Hi Pawel,
>>>Strange, I have nearly the same ruleset. I changed the ports in the
>>>edonkey config file and changed the rules and added "flags S keep
>>>state keep frags" to the tcp rule but nothing changed.
>>>When I capture the traffic I see packets arriving on the specified
>>>ports, but on the connection tester
>>>http://www.preinheimer.com/cgi-bin/connectiontest/connectiontest2.cgi
>>>I always get an error.
>>>
>>>thanks for your help
>>>
>>>
>>>p.s.:
>>>actual config files:
>>>/etc/ipf/ipf.conf
>>>pass in quick on sppp0 proto tcp from any to 192.168.1.2/32 port = 4662 flags S keep state keep frags
>>>pass in quick on sppp0 proto udp from any to 192.168.1.2/32 port = 3620 keep state
>>>block in on sppp0 all
>>>pass out on sppp0 all keep state
>>>
>>>/etc/ipf/ipnat.conf
>>>map sppp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
>>>map sppp0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
>>>map sppp0 192.168.1.0/24 -> 0/32
>>>rdr sppp0 0/32 port 4662 -> 192.168.1.2 port 4662 tcp
>>>rdr sppp0 0/32 port 3620 -> 192.168.1.2 port 3620 udp
>>>
>>>
>>>
>>>PSV> Here are my [working] rules for eMule:
>>>PSV> from ipf.conf (hme1 is external iface)
>>>PSV> pass in quick on hme1 proto tcp from any to 192.168.0.3/32
>>>PSV> port = 1082 flags S keep state keep frags
>>>PSV> pass in quick on hme1 proto udp from any to 192.168.0.3/32 port = 1081 keep state
>>>PSV> from ipnat.conf (xxxx'es is external IP)
>>>PSV> # emule
>>>PSV> rdr hme1 xx.x.xxx.xxx/32 port 1081 -> 192.168.0.3 port 1081 udp
>>>PSV> rdr hme1 xx.x.xxx.xxx/32 port 1082 -> 192.168.0.3 port 1082 tcp
>>>PSV> # actual nat
>>>PSV> map hme1 192.168.0.0/24 -> xx.x.xxx.xxx/32 portmap tcp/udp 10000:50000
>>>
>>>PSV> Obviously, I use different ports than the default.
>>>
>>>PSV> I think you don't need any 'pass out' rules in your ipnat.conf, as
>>>PSV> you have 'pass out on sppp0 all' at the end anyway. Also, servers will
>>>PSV> not necessarily listen on the default 466x port, since the time when
>>>PSV> ISPs started to filter that port out in an attempt to block ed2k traffic.
>>>
>>>PSV> Thanks,
>>>PSV> Pawel.
>>>
>>>PSV> On Tue, Sep 06, 2005 at 09:17:36AM -0700, bsdboy wrote:
>>>>> --- Aleksander <[EMAIL PROTECTED]> wrote:
>>>>> From: Aleksander <[EMAIL PROTECTED]>
>>>>> Date: Tue, 6 Sep 2005 13:41:56 +0200
>>>>> To: [email protected]
>>>>> Subject: edonkey
>>>>> Hi,
>>>>> I wanted to set up edonkey to run on a client (192.168.1.2). The
>>>>> router (192.168.1.1) on a Solaris 10 box is firewalled with ipf. I can't
>>>>> figure out how to set up the rules properly. Here is what I have done:
>>>>> /etc/ipf/ipf.conf
>>>>> pass in quick on sppp0 proto tcp from any to 192.168.1.2 port = 4662 keep state
>>>>> pass in quick on sppp0 proto udp from any to 192.168.1.2 port = 3620 keep state
>>>>> pass out quick on sppp0 proto tcp from 192.168.1.2 to any port = 4661 keep state
>>>>> pass out quick on sppp0 proto tcp from 192.168.1.2 to any port = 4662 keep state
>>>>> pass out quick on sppp0 proto udp from 192.168.1.2 to any port = 4665 keep state
>>>>> block in on sppp0 all
>>>>> pass out on sppp0 all
>>>>> /etc/ipf/ipnat.conf
>>>>> map sppp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
>>>>> map sppp0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
>>>>> map sppp0 192.168.1.0/24 -> 0/32
>>>>> rdr sppp0 0/32 port 4662 -> 192.168.1.2 port 4662 tcp
>>>>> rdr sppp0 0/32 port 3620 -> 192.168.1.2 port 3620 udp
>>>>> I always get the message that the client (edonkeyclc) can't connect to
>>>>> the server. I use the default port configuration.
>>>>> Does someone have an idea what's wrong here? Or has someone a working
>>>>> configuration and can teach me how to set this up right?
>>>>> thanks for your help
>>>>> Hi Aleksander.
>>>>> Look, before I had the same question; I have emule running at
>>>>> my home but I only use with emule ports TCP 4662 and UDP 4672 on
>>>>> FreeBSD 4.11
>>>>>
>>>>> http://www.emule-project.net/home/perl/help.cgi?l=1&rm=show_topic&topic_id=122
>>>>> My case:
>>>>> http://marc.theaimsgroup.com/?l=ipfilter&m=109824738619727&w=2
>>>>> It is in the ipfilter mailing list, but I don't know why my browser shows
>>>>> me the message incorrectly; I cannot see clear text. Well, hope this helps
>>>>> you.
>>>>> Greetings.
>>>>>
>>>
>>>
>
>
>
>--
>Kind regards,
>Aleksander mailto:[EMAIL PROTECTED]
>
#!/bin/sh
#
# ipfboot, modified so that ipf.conf and ipnat.conf are generated from
# ipf.conf.orig and ipnat.conf.orig: the macros $EXTIF (external interface
# name) and $LOCALIP (its current address) are replaced with the live values
# before the rules are loaded.
PIDFILE=/etc/opt/ipf/ipmon.pid
id=`/usr/sbin/modinfo 2>&1 | awk '/ipf/ { print $1 } ' - 2>/dev/null`
if [ -f $PIDFILE ] ; then
	pid=`cat $PIDFILE 2>/dev/null`
else
	pid=`/bin/ps -e 2>&1 | awk '/ipmon/ { print $1 } ' - 2>/dev/null`
fi
PATH=${PATH}:/sbin:/opt/ipf/bin
IPFILCONF=/etc/opt/ipf/ipf.conf
IP6FILCONF=/etc/opt/ipf/ipf6.conf
IPNATCONF=/etc/opt/ipf/ipnat.conf

# When ipf was built to block by default, flushing the rules would cut off
# name resolution, so install a minimal pass rule towards each nameserver first.
block_default_workaround() {
	ipf -F a
	echo "constructing minimal name resolution rules..."
	NAMESERVERS=`cat /etc/resolv.conf 2>/dev/null| \
		nawk '/nameserver/ {printf "%s ", $2}' 2>/dev/null`
	if [ -z "$NAMESERVERS" ] ; then
		return
	fi
	for NS in $NAMESERVERS ; do
		IF_TO_NS=`/usr/sbin/route -n get $NS 2>/dev/null| \
			nawk '$1 == "interface:" { print $NF ; exit }' \
			2>/dev/null`
		if [ -z "$IF_TO_NS" ] ; then
			continue
		fi
		IP_TO_NS=`ifconfig $IF_TO_NS 2>/dev/null| \
			nawk 'NR == "2" { print $2 ; exit }' 2>/dev/null`
		if [ -z "$IP_TO_NS" ] ; then
			continue
		fi
		echo "pass out quick on $IF_TO_NS proto udp from $IP_TO_NS to $NS port = 53 keep state" | \
			ipf -f -
	done
}

# Find the PPP interface and its address, then substitute $EXTIF and $LOCALIP
# in the .orig templates. Nothing is written if either value is unknown, so a
# good configuration is never replaced by one with empty addresses.
make_configs() {
	PPPIF=`ifconfig -a |grep '^sppp' | /usr/xpg4/bin/awk -F ':' '{print $1}'`
	[ "$PPPIF" = "" ] || LOCALIP=`ifconfig $PPPIF |grep inet|awk '{print $2}'`
	if [ -z "$PPPIF" ] || [ -z "$LOCALIP" ] ; then
		echo "$0: no PPP interface or address found, configuration files not updated" >&2
		return 1
	fi
	[ -f $IPFILCONF.orig ] && cat $IPFILCONF.orig | \
		sed "s/\$LOCALIP/$LOCALIP/g;s/\$EXTIF/$PPPIF/g" > $IPFILCONF
	[ -f $IPNATCONF.orig ] && cat $IPNATCONF.orig | \
		sed "s/\$LOCALIP/$LOCALIP/g;s/\$EXTIF/$PPPIF/g" > $IPNATCONF
	echo "Configuration files updated"
}

# Load the IPv4 (and, if present, IPv6) rules into the inactive set and swap
# sets only when every load succeeded.
load_ipf_config() {
	bad=0
	if [ -r ${IPFILCONF} ]; then
		# 'ipf -V' reports "Default: pass" or "Default: block"; nawk exits 1
		# for pass, so the DNS workaround only runs on a block-by-default ipf.
		if /sbin/ipf -V | \
		    nawk '$1 == "Default:" && $2 == "pass" { exit 1 }' ; then
			block_default_workaround
		fi
		ipf -IFa -f ${IPFILCONF}
		if [ $? != 0 ]; then
			echo "$0: load of ${IPFILCONF} into alternate set failed"
			bad=1
		fi
	fi
	if [ -r ${IP6FILCONF} ]; then
		ipf -6IFa -f ${IP6FILCONF}
		if [ $? != 0 ]; then
			echo "$0: load of ${IP6FILCONF} into alternate set failed"
			bad=1
		fi
	fi
	if [ $bad -eq 0 ] ; then
		ipf -s -y
	else
		echo "Not switching config due to load error."
	fi
}

# Flush and reload the NAT rules; ipnat has no inactive set to swap.
load_ipnat_config() {
	if [ -r ${IPNATCONF} ]; then
		ipnat -CF -f ${IPNATCONF}
		if [ $? != 0 ]; then
			echo "$0: load of ${IPNATCONF} failed"
		else
			ipf -y
		fi
	fi
}

case "$1" in
start)
	if [ x"$pid" != x ] ; then
		kill -TERM $pid 2>/dev/null
	fi
	if [ x$id != x ] ; then
		sleep 2
		modunload -i $id 2>/dev/null
	fi
	modload /usr/kernel/drv/ipf
	ipf -y
	make_configs
	load_ipf_config
	load_ipnat_config
	ipmon -Ds
	;;
stop)
	if [ x"$pid" != x ] ; then
		kill -TERM $pid
	fi
	if [ x$id != x ] ; then
		sleep 2
		modunload -i $id
	fi
	;;
reconf)
	# only regenerate ipf.conf / ipnat.conf from the templates
	make_configs
	;;
reload)
	# regenerate and load both rule sets (after a PPP reconnect)
	make_configs
	load_ipf_config
	load_ipnat_config
	;;
reipf)
	load_ipf_config
	;;
reipnat)
	load_ipnat_config
	;;
*)
	echo "Usage: $0 (start|stop|reload|reipf|reipnat|reconf)" >&2
	exit 1
	;;
esac
exit 0
# ipnat.conf.orig - template for ipnat.conf; ipfboot substitutes $EXTIF and $LOCALIP
# emule
rdr $EXTIF $LOCALIP/32 port 1081 -> 192.168.0.3 port 1081 udp
rdr $EXTIF $LOCALIP/32 port 1082 -> 192.168.0.3 port 1082 tcp
rdr $EXTIF $LOCALIP/32 port 8008 -> 192.168.0.3 port 8008 tcp
# win http
# rdr $EXTIF $LOCALIP/32 port 98 -> 192.168.0.3 port 80
# win telnet
# rdr $EXTIF $LOCALIP/32 port 23 -> 192.168.0.3 port 23
# rdr $EXTIF $LOCALIP/32 port 8080 -> 192.168.0.3 port 80
# rdr $EXTIF $LOCALIP/32 port 122 -> 192.168.1.2 port 22 tcp
map $EXTIF 192.168.0.0/16 -> $LOCALIP/32 portmap tcp/udp 10000:50000
map $EXTIF 192.168.0.0/16 -> $LOCALIP/32
# map $EXTIF from OBJECT to OBJECT
# ipf.conf.orig - template for ipf.conf; ipfboot substitutes $EXTIF and $LOCALIP
########################################################################
# Now. This is really simple. And it would've really helped me, if this
# was just placed on top of every configuration file. It's really simple.
# ipf, as opposed to ipfw, doesn't stop at the first matched rule. Na-ah.
# It goes through the whole list, and the LAST rule that matches the packet
# decides. And a rule can say yay or nay. So, if a packet comes in, traverses
# through ten blocks, and gets matched by a pass rule at the end, it will pass.
# Well, I hope I've made this clear enough for myself :)
#
# Now, to make ipf stop at a given rule, and take the specified action
# immediately, use 'quick'.
########################################################################
########################################################################
# I've defined no groups here so far. If performance bothers me (dunno if
# I'll notice that), but. The idea of a group is: any rule, at any time,
# can define to place the packet it matches into a group. Use 'head'
# for that. So: "block in all head 1" will put all packets into group 1
# (which doesn't make any sense at all). Better this: "block in on xl0 head 1",
# then all packets coming through xl0 go to group 1. Then only non-grouped,
# or correctly grouped rules will be checked for this packet.
########################################################################
# let's block everything that doesn't match
block in on $EXTIF all
# but let's block TCP with return-rst. I just think it's cool that way
block return-rst in on $EXTIF proto tcp from any to any
# and return icmp unreachable for the udp, too
block return-icmp-as-dest(port-unr) in on $EXTIF proto udp from any to any
# let's disallow all special networks from coming in
# they call it spoof/smurf.
# there are not just 10, and 192.168, but other evil as well !
# that also includes multicast.
# Also, let's make sure I never, ever, get packets from myself :)
block in quick on $EXTIF from 192.168.0.0/16 to any
block in quick on $EXTIF from 127.0.0.0/8 to any
block in quick on $EXTIF from 10.0.0.0/8 to any
block in quick on $EXTIF from 0.0.0.0/8 to any
block in quick on $EXTIF from 169.254.0.0/16 to any
block in quick on $EXTIF from 192.0.2.0/24 to any
block in quick on $EXTIF from 204.152.64.0/23 to any
block in quick on $EXTIF from 224.0.0.0/3 to any
block in quick on $EXTIF from $LOCALIP/32 to any
# Now, we don't want traffic to the above list of addresses to ever
# leave our external interface. If it does, my systems are behaving
# badly, or are attempting spoofing, or something. And I don't send packets
# to myself
block out quick on $EXTIF from any to 192.168.0.0/16
block out quick on $EXTIF from any to 127.0.0.0/8
block out quick on $EXTIF from any to 10.0.0.0/8
block out quick on $EXTIF from any to 0.0.0.0/8
block out quick on $EXTIF from any to 169.254.0.0/16
block out quick on $EXTIF from any to 192.0.2.0/24
block out quick on $EXTIF from any to 204.152.64.0/23
block out quick on $EXTIF from any to 224.0.0.0/3
block out quick on $EXTIF from any to $LOCALIP/32
# ICMP
# 0 - echo reply
pass in quick on $EXTIF proto icmp from any to $LOCALIP/32 icmp-type 0
# 8 - echo request
pass in quick on $EXTIF proto icmp from any to $LOCALIP/32 icmp-type 8
# 11 - time exceeded
pass in quick on $EXTIF proto icmp from any to $LOCALIP/32 icmp-type 11
# let's allow everything to leave our premises, and we shall
# keep the state of this
pass out quick on $EXTIF proto tcp from any to any keep state
pass out quick on $EXTIF proto udp from any to any keep state
pass out quick on $EXTIF proto icmp from any to any keep state
########################################################################
# let's allow stuff we do allow here to pass in, and keep the state of it
# the big fuss with hashes is: here go the input rules!
########################################################################
# SMTP
pass in quick on $EXTIF proto tcp from any to $LOCALIP/32 port = 25 flags S
keep state keep frags
# NNTP
# pass in quick on $EXTIF proto tcp from any to $LOCALIP/32 port = 119 flags S
keep state keep frags
# IMAP[SSL]
pass in quick on $EXTIF proto tcp from any to $LOCALIP/32 port = 993 flags S
keep state keep frags
# SSH
pass in quick on $EXTIF proto tcp from any to $LOCALIP/32 port = 22 flags S
keep state keep frags
# HTTP
pass in quick on $EXTIF proto tcp from any to $LOCALIP/32 port = 80 flags S
keep state keep frags
# BitKeeper
#pass in quick on $EXTIF proto tcp from any to $LOCALIP/32 port = 7101 flags S
keep state keep frags
# eMule TCP, UDP
pass in quick on $EXTIF proto tcp from any to 192.168.0.3/32 port = 1082 flags
S keep state keep frags
pass in quick on $EXTIF proto udp from any to 192.168.0.3/32 port = 1081 keep
state
# eMule web control
pass in quick on $EXTIF proto tcp from any to 192.168.0.3/32 port = 8008 flags
S keep state keep frags
# mldonkey
pass in quick on $EXTIF proto tcp from any to $LOCALIP/32 port = 1293 flags S
keep state keep frags
# my forward
# pass in quick on $EXTIF proto tcp from any to $LOCALIP/32 port = 8080 flags S
keep state keep frags
# Jakarta
#pass in quick on $EXTIF proto tcp from 192.18.0.0/16 to $LOCALIP/32 port 8000
>< 8999 flags S keep state keep frags
pass out on $EXTIF all
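The $EXTIF/$LOCALIP substitution that Pawel's ipfboot performs in make_configs, as an added example that is not part of the mail or its attachments: a POSIX sh renderer that does the same job with the checks a reload script wants. It refuses to render when the interface or address is unknown (the situation after a PPP reconnect where the interface has moved and nothing was detected), verifies that no macro survived in the output, and only replaces the live ipf.conf and ipnat.conf when every template rendered cleanly, so a working rule set is never overwritten by a half-rendered one. The function names (render_template, check_rendered, render_configs), the sample template and the values sppp1, 203.0.113.7 and 198.51.100.9 are constructed for the demo; on the Solaris box the interface and address would come from ifconfig as in make_configs.

```shell
#!/bin/sh
# Added example (not the ipfboot from the mail): $EXTIF/$LOCALIP macro
# substitution with validation. Function names, the sample template and
# the addresses below are constructed.

# render_template TEMPLATE EXTIF LOCALIP -> rendered rules on stdout
render_template() {
	tpl=$1 extif=$2 localip=$3
	if [ -z "$extif" ] || [ -z "$localip" ]; then
		echo "render_template: interface or address unknown, not rendering $tpl" >&2
		return 1
	fi
	case "$localip" in
		*[!0-9.]*) echo "render_template: '$localip' is not an IPv4 address" >&2; return 1 ;;
	esac
	# \$ keeps the dollar sign literal in the sed pattern
	sed -e 's/\$LOCALIP/'"$localip"'/g' -e 's/\$EXTIF/'"$extif"'/g' "$tpl"
}

# check_rendered FILE -> true when no $EXTIF or $LOCALIP macro is left
check_rendered() {
	! grep -q -e '\$EXTIF' -e '\$LOCALIP' "$1"
}

# render_configs CONFDIR EXTIF LOCALIP
# Renders CONFDIR/ipf.conf.orig and CONFDIR/ipnat.conf.orig to .tmp files
# first and moves them into place only if all of them passed the checks.
render_configs() {
	dir=$1 extif=$2 localip=$3
	for f in ipf.conf ipnat.conf; do
		[ -f "$dir/$f.orig" ] || continue
		if ! render_template "$dir/$f.orig" "$extif" "$localip" > "$dir/$f.tmp" \
		   || ! check_rendered "$dir/$f.tmp"; then
			rm -f "$dir/ipf.conf.tmp" "$dir/ipnat.conf.tmp"
			return 1
		fi
	done
	for f in ipf.conf ipnat.conf; do
		if [ -f "$dir/$f.tmp" ]; then mv "$dir/$f.tmp" "$dir/$f"; fi
	done
	return 0
}

# Demo on a constructed template in a scratch directory
demo_dir=$(mktemp -d)
cat > "$demo_dir/ipnat.conf.orig" <<'EOF'
rdr $EXTIF $LOCALIP/32 port 1082 -> 192.168.0.3 port 1082 tcp
map $EXTIF 192.168.0.0/16 -> $LOCALIP/32 portmap tcp/udp 10000:50000
EOF
if render_configs "$demo_dir" sppp1 203.0.113.7; then
	cat "$demo_dir/ipnat.conf"
fi
# second run with no address: refused, and the rendered file above is kept
render_configs "$demo_dir" "" "" || echo "refused to render without an address (expected)"
rm -rf "$demo_dir"
```

Hooking render_configs into the `reconf`/`reload` targets of ipfboot in place of make_configs keeps the same behaviour on a good reconnect and simply leaves the previous rules loaded when interface detection fails, which is the safer outcome on a box that is also the NAT gateway.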
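The matching order that the comment block at the top of ipf.conf.orig describes (every rule in the list is consulted, the last matching rule decides, and 'quick' stops evaluation on the spot), as an added example that is not part of the mail or its attachments: a small sh evaluator that applies exactly those semantics to a constructed rule subset and reports the verdict for a packet. The rule syntax (`action dir [quick] proto srcnet dport`), the function names (ip2int, in_net, ipf_verdict, verdict_for), the sample ruleset and the packet addresses are constructed; it models only the ordering rules, not the state table, return-rst, groups or the rest of the real ipf grammar. The DEFAULT argument mirrors the "Default: pass/block" that `ipf -V` reports and that ipfboot checks before loading.

```shell
#!/bin/sh
# Added example (not from the mail): a toy evaluator for the ipf ordering
# semantics: all rules are consulted, the LAST match wins, 'quick' stops.
# Constructed rule subset:  action dir [quick] proto srcnet dport
# where 'any' is a wildcard and srcnet is a CIDR prefix.

# ip2int A.B.C.D -> the address as a single integer
ip2int() {
	saved_ifs=$IFS
	IFS=.
	set -- $1
	IFS=$saved_ifs
	echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NET/LEN -> true when IP lies inside the prefix
in_net() {
	ip=$(ip2int "$1")
	net=$(ip2int "${2%/*}")
	len=${2#*/}
	mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
	[ $(( ip & mask )) -eq $(( net & mask )) ]
}

# ipf_verdict DIR PROTO SRCIP DPORT DEFAULT  (rules on stdin) -> pass|block
# DEFAULT is the verdict for a packet that no rule matches at all.
ipf_verdict() {
	dir=$1 proto=$2 src=$3 dport=$4 verdict=$5
	while read -r action rdir rest; do
		case "$action" in ''|'#'*) continue ;; esac
		set -- $rest
		quick=no
		if [ "$1" = quick ]; then quick=yes; shift; fi
		rproto=$1 rsrc=$2 rport=$3
		[ "$rdir" = "$dir" ] || continue
		[ "$rproto" = any ] || [ "$rproto" = "$proto" ] || continue
		[ "$rport" = any ] || [ "$rport" = "$dport" ] || continue
		[ "$rsrc" = any ] || in_net "$src" "$rsrc" || continue
		verdict=$action          # a later match overrides an earlier one
		if [ "$quick" = yes ]; then break; fi   # 'quick': stop right here
	done
	echo "$verdict"
}

# Constructed ruleset in the spirit of the ipf.conf.orig above: a non-quick
# catch-all block, quick anti-spoof blocks, quick pass rules for services.
RULES='
block in any any any
block in quick any 192.168.0.0/16 any
block in quick any 127.0.0.0/8 any
pass in quick tcp any 25
pass in quick tcp any 22
pass in quick udp any 1081
pass out quick any any any
'

# verdict_for DIR PROTO SRCIP DPORT -> verdict under RULES, block by default
verdict_for() {
	printf '%s\n' "$RULES" | ipf_verdict "$1" "$2" "$3" "$4" block
}

# Demo: a few constructed packets
for pkt in "in tcp 203.0.113.5 25" "in tcp 203.0.113.5 443" \
           "in tcp 192.168.7.7 25" "out udp 10.1.1.1 53"; do
	echo "$pkt -> $(verdict_for $pkt)"
done
```

The two cases worth running side by side are `pass in tcp any 80` followed by `block in any any any`, which blocks port 80 because the later block is the last match, and the same two lines in the opposite order, which passes it; adding `quick` to the pass rule makes the order irrelevant, which is why every pass rule in the ipf.conf.orig above carries it.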