Port redirection troubles with natd/ipfw
Hello, I have set myself up a nice FreeBSD router, but I'm having trouble getting my firewall and NAT configured. I have a basic setup at the moment that is working well, using IPFW for a firewall and also running natd because I have a few computers here on my LAN that want Internet access. However, I cannot seem to work out how to get port redirection through NAT working correctly. Currently I have it set up (as I hope my configs below show) so that all incoming traffic from the web is blocked unless it was initiated by a host on the LAN; then the check-state and keep-state rules allow the traffic through for that session. My problem comes when I want to say, it's OK for traffic to pass through this port to a target on the LAN. As far as I can make out, that is done with the redirect_port setting in natd.conf -- my conf has ports 113 and 3002 redirected to 10.0.0.11: 113 for IDENT, and 3002 as a custom port for a Windows FTP server. Take an IDENT request for example: I can see the traffic coming in on port 113, getting NAT'd to the correct LAN IP, and even mIRC registering the IDENT request. But it never gets back out. The same with FTP on 3002: if someone attempts to connect they get a message in their client that the request timed out, but I can see a login attempt in the server logs. I have a feeling there is a simple answer to this, but I'm stuck. Any help is appreciated. My config is below; I can provide logs of the behavior if a fix is not obvious. Thank you.
ifconfig
re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=18<VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::214:*** prefixlen 64 scopeid 0x1
        ether 00:14:bf:59:be:84
        media: Ethernet autoselect (none)
        status: no carrier
re1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=18<VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::214:*** prefixlen 64 scopeid 0x2
        ether 00:14:bf:59:be:8b
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
re2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=18<VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::214:*** prefixlen 64 scopeid 0x3
        ether 00:14:bf:59:c1:26
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::211:*** prefixlen 64 scopeid 0x4
        inet ***.***.***.*** netmask 0xfc00 broadcast 255.255.255.255
        ether 00:11:d8:a1:22:13
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        ether ac:de:48:30:8d:de
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: re2 flags=7<LEARNING,DISCOVER,STP>
                port 3 priority 128 path cost 55 forwarding
        member: re1 flags=7<LEARNING,DISCOVER,STP>
                port 2 priority 128 path cost 55 forwarding
        member: re0 flags=7<LEARNING,DISCOVER,STP>
                port 1 priority 128 path cost 55 disabled

cat /etc/natd.conf
dynamic yes
use_sockets yes
same_ports yes
unregistered_only
redirect_port tcp 10.0.0.11:113 113
redirect_port udp 10.0.0.11:113 113
redirect_port tcp 10.0.0.11:3002 3002
redirect_port udp 10.0.0.11:3002 3002

cat /etc/rc.firewall.test
(these rules were made mainly using the NAT stateful ruleset here:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html )

#!/bin/sh
##
# Default variables
##
cmd="ipfw -q add"       # Rule prefix
wan="vr0"               # Inbound interface (Public WAN)
lan="bridge0"           # Outbound interfaces (Private LAN)
nat="skipto 600"        # Skipto location for outgoing packets that need NAT
ks="keep-state"         # Adds rule to dynamic rules table

##
# Ruleset
##
ipfw -q -f flush

###
# Allowed Loopback and LAN traffic
###
$cmd 5 allow all from any to any via $lan
$cmd 6 allow all from any to any via lo0

###
# NAT inbound traffic and check all traffic against rules in dynamic rules table
###
$cmd 00010 divert natd ip from any to any in via $wan
$cmd 00011 check-state

###
# Rejected outbound traffic
###

###
# Allowed outbound traffic
###
# Allow all outbound traffic
$cmd 00205 $nat icmp from any to any out via $wan $ks
$cmd 00210 $nat tcp from any to any out via $wan setup $ks
$cmd 00211 $nat udp from any to any out via $wan $ks

###
# Rejected inbound traffic
###
# Late arriving packets
$cmd 00315 deny all from any to any frag in via $wan
# ACK packets that did not match the dynamic rule table
$cmd 00320 deny tcp from any to any established in via $wan

###
# Allowed inbound traffic
###
# ISP's DNS and DHCP
$cmd 00404 allow all from ***.***.4.100 to any 53 in via
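Added example, not part of the original post or of the reply: inbound rules for the two redirect_port targets, written so that the replies from 10.0.0.11 are sent back through natd before they leave vr0. The point to check in a ruleset like the one above is what happens to the SYN/ACK from the LAN host: it comes in via bridge0 (allowed by rule 5) and then has to go out via vr0, where "divert natd ... in via vr0" does not apply and "tcp ... out via vr0 setup" does not match a SYN/ACK, so nothing translates its source address back to the public one. The script assumes that the posted ruleset, which is cut off after rule 404, continues like the handbook ruleset it was adapted from, with a final deny followed by "600 divert natd ... out via vr0" and "610 allow ip from any to any"; the rule numbers 430, 431 and 599 and the IPFW dry-run variable are this example's choices. Interface names and 10.0.0.11 are taken from the post.

```shell
#!/bin/sh
# Added example, not the poster's /etc/rc.firewall.test.
# Inbound rules for the natd redirect_port targets, written so that the
# replies from 10.0.0.11 are diverted to natd before leaving vr0.
#
# Assumptions (not visible in the truncated post): the ruleset ends with a
# deny, and the skipto target at 600 is the handbook's
#   600 divert natd ip from any to any out via vr0
#   610 allow ip from any to any
# IPFW defaults to "echo ipfw", so the script prints the rules it would load;
# run it as "IPFW=ipfw sh thisfile" on the router to load them for real.
IPFW=${IPFW:-"echo ipfw"}

wan=vr0             # public interface, as in the post
fwdhost=10.0.0.11   # redirect_port target from natd.conf
nat="skipto 600"    # jump to the outbound divert section
ks="keep-state"

# Outbound path exactly as in the post, shown so the symmetry is visible.
outbound_rules() {
    echo "00205 $nat icmp from any to any out via $wan $ks"
    echo "00210 $nat tcp from any to any out via $wan setup $ks"
    echo "00211 $nat udp from any to any out via $wan $ks"
}

# Redirected ports. These rules sit after "divert natd ... in via vr0" (rule
# 10) and check-state (rule 11), so by the time a packet reaches them natd
# has already rewritten its destination to 10.0.0.11.
#
# The action is $nat (skipto 600), not allow. A keep-state dynamic rule
# inherits its parent's action, so when the SYN/ACK from 10.0.0.11 leaves
# via vr0 and check-state matches it, the packet jumps to 600 and is diverted
# to natd, which restores the public source address. With "allow ... keep-state"
# the reply would be allowed out untranslated, i.e. with source 10.0.0.11,
# and the remote client would never see it. For the inbound SYN itself rule
# 600 is "out via", so it does not match and the packet reaches the allow at 610.
redirect_rules() {
    echo "00430 $nat tcp from any to $fwdhost 113 in via $wan setup $ks"    # ident
    echo "00431 $nat tcp from any to $fwdhost 3002 in via $wan setup $ks"   # ftp control on 3002
}

# Assumed tail of the ruleset (rule numbers are this example's choice).
tail_rules() {
    echo "00599 deny log ip from any to any"
    echo "00600 divert natd ip from any to any out via $wan"
    echo "00610 allow ip from any to any"
}

# Emit every rule through $IPFW; word splitting of $rule is intended.
load_rules() {
    { outbound_rules; redirect_rules; tail_rules; } | while read -r rule; do
        $IPFW -q add $rule
    done
}

load_rules
```

To confirm the return path on the router, watch the dynamic rules with "ipfw -d list" while a client connects, and run tcpdump on both sides: "tcpdump -ni bridge0 tcp port 113" should show the reply leaving 10.0.0.11, and "tcpdump -ni vr0 tcp port 113" should show the same segment with the public address as its source; if the source is still 10.0.0.11 on vr0, the reply is being allowed out without passing rule 600. Two caveats on the natd.conf side: IDENT (RFC 1413) is TCP only, so the udp redirect_port lines for 113 serve no purpose, and natd's FTP helper only rewrites control sessions on port 21, so an FTP server on 3002 will get its control connection through but its data connections (PORT/PASV) will not be handled by natd.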
Re: Port redirection troubles with natd/ipfw
On 10/18/06, Chris [EMAIL PROTECTED] wrote: