Re: ipfw problems using divert and fwd at the same time with 6.3-release

2009-02-18 Thread Paul Thornton

I have found the error of my ways...

For the purposes of the archives, I'm posting what actually made this 
work. It is a very simple fix and I don't quite know how I missed trying 
this out during my frustrations.


Before the ipfw fwd... line you need one or more ipfw skipto... 
lines to ensure that you don't accidentally match the more specific 
addresses on the fwd.


What's interesting is that I'd had ipfw allow... lines before the 
ipfw fwd... line doing a similar thing to skipto, and it didn't work.


So I amended the ruleset to the following (other rules stay the same):


06000   515  153945 divert 8668 ip from any to me via em0
07000    48    5472 skipto 32000 ip from 10.81.0.0/16 to 217.65.161.4 dst-port 80
07100     0       0 skipto 32000 ip from 10.81.129.0/24 to any
08000    94   10434 fwd 127.0.0.1,8000 tcp from 10.81.0.0/16 to any dst-port 80
32000   499  230890 allow ip from any to any


Paul.
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
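An added illustration, not part of either of Paul's messages: the counters in the two rulesets fit ipfw's two-pass evaluation. A client packet is checked once when it enters the gateway on the VLAN side (em1), where none of the "via em0" divert rules can match it and the interface-less fwd rule is the first match; only a packet that leaves that pass with allow is checked again when it goes out on em0, which is where the divert rules live. The skipto lets approved destinations reach rule 32000 on the inbound pass so that the outbound pass can hit 02000 or 05000. The Python below is a small first-match evaluator for the subset of ipfw syntax used in this thread (written for this page, not FreeBSD code); the gateway's VLAN address, em1 as the client-facing interface, and rules 02000/05000 staying in the fixed ruleset are assumptions.

```python
"""Toy first-match evaluator for the ipfw rules quoted in this thread.

Added example, not from the thread. Supports only what the quoted rules use:
allow/deny/divert/fwd/skipto, proto ip/tcp/udp/icmp, any/me/CIDR/host
addresses, an optional source-port range, dst-port, and via IFACE. divert
and fwd end the pass, as with the default net.inet.ip.fw.one_pass=1.
"""
import ipaddress
from collections import namedtuple

# Assumption: addresses the gateway owns. 192.91.199.5 is from the post;
# 10.81.2.1 is an invented VLAN gateway address for the example.
ME = {ipaddress.ip_address("192.91.199.5"), ipaddress.ip_address("10.81.2.1")}

# iface = interface the packet is on during this pass; sport is an arbitrary
# ephemeral client port unless given.
Packet = namedtuple("Packet", "src dst proto dport iface sport", defaults=(40000,))


def _ports(spec):
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def parse_rule(line):
    """Parse one 'ipfw list'-style line: number, action [arg], proto, body."""
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "arg": None,
         "sport": None, "dport": None, "via": None}
    i = 2
    if r["action"] in ("divert", "fwd", "skipto"):
        r["arg"], i = t[i], i + 1
    r["proto"], i = t[i], i + 1
    assert t[i] == "from", line
    r["src"], i = t[i + 1], i + 2
    if t[i] != "to":                       # optional source port range
        r["sport"], i = _ports(t[i]), i + 1
    assert t[i] == "to", line
    r["dst"], i = t[i + 1], i + 2
    while i < len(t):
        if t[i] == "dst-port":
            r["dport"], i = _ports(t[i + 1]), i + 2
        elif t[i] == "via":
            r["via"], i = t[i + 1], i + 2
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in: {line}")
    return r


def _addr_match(spec, addr):
    a = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "me":
        return a in ME
    return a in ipaddress.ip_network(spec, strict=False)


def _port_match(rng, port):
    return rng is None or rng[0] <= port <= rng[1]


def matches(r, p):
    return (r["proto"] in ("ip", p.proto)
            and _addr_match(r["src"], p.src) and _addr_match(r["dst"], p.dst)
            and _port_match(r["sport"], p.sport) and _port_match(r["dport"], p.dport)
            and (r["via"] is None or r["via"] == p.iface))


def run_pass(ruleset, pkt):
    """Walk the ruleset once for pkt; return (rule number, action) that ends it."""
    rules = sorted((parse_rule(line) for line in ruleset), key=lambda r: r["num"])
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
            continue
        if r["action"] == "skipto":        # resume at first rule >= target
            target = int(r["arg"])
            i = next((k for k, x in enumerate(rules) if x["num"] >= target), len(rules))
            continue
        return r["num"], r["action"]
    return 65535, "deny"                   # implicit default rule


def trace_client_flow(ruleset, src, dst, dport=80):
    """Inbound pass on em1 (assumed client side); if allowed, outbound pass on em0."""
    inbound = run_pass(ruleset, Packet(src, dst, "tcp", dport, "em1"))
    if inbound[1] != "allow":
        return inbound, None
    return inbound, run_pass(ruleset, Packet(src, dst, "tcp", dport, "em0"))


# Rules as quoted (counters dropped). DHCP/DNS/ICMP rules that cannot match
# TCP/80 are omitted except 00052, kept to exercise the source-port parser.
ORIGINAL = [
    "00010 allow ip from any to any via lo0",
    "00020 deny ip from any to 127.0.0.1",
    "00022 deny ip from 127.0.0.1 to any",
    "00052 allow udp from 10.81.0.0/16 67-68 to me dst-port 67-68",
    "00100 allow ip from 192.91.199.5 to any",
    "02000 divert 8668 ip from 10.81.0.0/16 to 217.65.161.4 dst-port 80 via em0",
    "05000 divert 8668 ip from 10.81.129.0/24 to any via em0",
    "06000 divert 8668 ip from any to me via em0",
    "08000 fwd 127.0.0.1,8000 tcp from 10.81.0.0/16 to any dst-port 80",
    "32000 allow ip from any to any",
]
# Assumption: 02000 and 05000 stayed in place ("other rules stay the same").
FIXED = ORIGINAL + [
    "07000 skipto 32000 ip from 10.81.0.0/16 to 217.65.161.4 dst-port 80",
    "07100 skipto 32000 ip from 10.81.129.0/24 to any",
]
```

With the original ruleset, trace_client_flow(ORIGINAL, "10.81.2.246", "217.65.161.4") ends on the inbound pass at (8000, "fwd") and never reaches em0; with FIXED the inbound pass ends at (32000, "allow") and the outbound pass at (2000, "divert"), which is the pattern the counters in the two messages show. A client outside 10.81.129.0/24 going anywhere else still lands on the fwd rule.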


ipfw problems using divert and fwd at the same time with 6.3-release

2009-02-16 Thread Paul Thornton

Hi folks,

I'm having trouble using NAT and forward in the same ipfw ruleset.  It 
appears that the forward wins over the NAT regardless of ordering in 
the ipfw ruleset.  I'm hoping that I'm missing something obvious; but is 
there a way to use these two together?


Some background - I'm testing in the lab a potential setup to provide 
limited network access to a few subnets in 10.X address space, but if 
you aren't going to an approved address then you get forwarded to a 
web page running on port 8000 on the same box.  This box is running 
6.3-RELEASE-p9 and has two em interfaces.


In this setup, 10.81.0.0/16 are my subnets.  They are presented to the 
machine as a bunch of VLANs physically on em1, one /24 subnet per VLAN. 
 The machine also does DHCP and DNS for each of these VLANs, and is the 
default gateway.


em0 is the external IP address for the machine, currently 192.91.199.5
The machine has no problem accessing the 'net.  If I remove the clever 
divert rules and the fwd rule, and make it a vanilla NAT setup, the 
client has no problem accessing the 'net.


In this setup, I expect to be able to browse to www.prt.org (on 
217.65.161.4) and that a machine in the 10.81.129.0/24 subnet has 
unrestricted NATted access to the 'net.  Any other attempt at browsing 
should hit the forward and display the no access page from the server 
on the gateway machine.


Using the following ruleset:


[r...@xrg1 /var/tmp]# ipfw show
00010     0       0 allow ip from any to any via lo0
00020     0       0 deny ip from any to 127.0.0.1
00022     0       0 deny ip from 127.0.0.1 to any
00050     0       0 allow udp from any 67-68 to 255.255.255.255 dst-port 67-68
00052     0       0 allow udp from 10.81.0.0/16 67-68 to me dst-port 67-68
00054     0       0 allow udp from me 67-68 to 10.81.0.0/16 dst-port 67-68
00056     0       0 allow udp from 10.81.0.0/16 to me dst-port 53
00058     0       0 allow udp from me 53 to 10.81.0.0/16
00060     0       0 allow icmp from 10.81.0.0/16 to me
00062     0       0 allow icmp from me to 10.81.0.0/16
00100     0       0 allow ip from 192.91.199.5 to any
02000     0       0 divert 8668 ip from 10.81.0.0/16 to 217.65.161.4 dst-port 80 via em0
05000     0       0 divert 8668 ip from 10.81.129.0/24 to any via em0
06000     0       0 divert 8668 ip from any to me via em0
08000     0       0 fwd 127.0.0.1,8000 tcp from 10.81.0.0/16 to any dst-port 80
32000     0       0 allow ip from any to any


If I browse www.prt.org on the client machine (10.81.2.246) I hit the 
fwd rule and I get my "Sorry you can't view this webpage" from the local 
server, and neither of the NAT rules is hit.

(DNS on the client correctly resolves to 217.65.161.4) :


[r...@xrg1 /var/tmp]# ipfw show
00010     0       0 allow ip from any to any via lo0
00020     0       0 deny ip from any to 127.0.0.1
00022     0       0 deny ip from 127.0.0.1 to any
00050     0       0 allow udp from any 67-68 to 255.255.255.255 dst-port 67-68
00052     0       0 allow udp from 10.81.0.0/16 67-68 to me dst-port 67-68
00054     0       0 allow udp from me 67-68 to 10.81.0.0/16 dst-port 67-68
00056     2     119 allow udp from 10.81.0.0/16 to me dst-port 53
00058     2     356 allow udp from me 53 to 10.81.0.0/16
00060     0       0 allow icmp from 10.81.0.0/16 to me
00062     0       0 allow icmp from me to 10.81.0.0/16
00100     3     214 allow ip from 192.91.199.5 to any
02000     0       0 divert 8668 ip from 10.81.0.0/16 to 217.65.161.4 dst-port 80 via em0
05000     0       0 divert 8668 ip from 10.81.129.0/24 to any via em0
06000     3     601 divert 8668 ip from any to me via em0
08000    43    4796 fwd 127.0.0.1,8000 tcp from 10.81.0.0/16 to any dst-port 80
32000    58   55935 allow ip from any to any


If I remove rule 8000, then I can browse to www.prt.org as expected, and 
I hit the divert rules:



00010     0       0 allow ip from any to any via lo0
00020     0       0 deny ip from any to 127.0.0.1
00022     0       0 deny ip from 127.0.0.1 to any
00050     0       0 allow udp from any 67-68 to 255.255.255.255 dst-port 67-68
00052     0       0 allow udp from 10.81.0.0/16 67-68 to me dst-port 67-68
00054     0       0 allow udp from me 67-68 to 10.81.0.0/16 dst-port 67-68
00056     7     460 allow udp from 10.81.0.0/16 to me dst-port 53
00058     7    1247 allow udp from me 53 to 10.81.0.0/16
00060     0       0 allow icmp from 10.81.0.0/16 to me
00062     0       0 allow icmp from me to 10.81.0.0/16
00100    45    3375 allow ip from 192.91.199.5 to any
02000    38    5096 divert 8668 ip from 10.81.0.0/16 to 217.65.161.4 dst-port 80 via em0
05000     0       0 divert 8668 ip from 10.81.129.0/24 to any via em0
06000    75   37498 divert 8668 ip from any to me via em0
32000   273  142906 allow ip from any to any


The natd config is trivial - I'm just launching it with:
 natd -port 8668 -same_ports -verbose -interface em0

Does anyone have any ideas?  I've spent the whole weekend trying various 
things (like extra