ipfilter & nat redirect
I have a web server on my private LAN that I want to be accessible from the public internet.

dc0 is the interface facing the public internet.

I added this rdr rule after the map rules at the end of my nat file:

    rdr dc0 0/0 port 80 -> 10.0.10.4 port 8080

also tried this rule:

    rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.4 port 8080

My understanding of the documentation says the above rdr rule means:

check all packets inbound on interface dc0, and no matter what the sending IP address of the packet may be, if the port number of the destination IP address of that packet matches port 80, then re-write the packet's destination IP address and port to 10.0.10.4 port 8080 and create the internal nat table to handle the translation of the outbound packets coming from 10.0.10.4. Then hand the re-written packet to the firewall to be processed against the firewall rules.

My ipfilter firewall rules would need a pass rule like this:

    pass in log quick on dc0 proto tcp from any to 10.0.10.4 port = 8080 flags S keep state

to create the bi-directional packet session.

Problem is I can't get this to work. I see nothing in the log for the pass rule. Anybody have any idea what I am doing wrong, or if my understanding of the redirect process is in error?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: ipfilter & nat redirect
"fbsd_user" <[EMAIL PROTECTED]> wrote:

> I have a web server on my private LAN that I want
> to be accessible from the public internet.
>
> dc0 is the interface facing the public internet
>
> I added this rdr rule after the map rules at the end of my nat file.
>
>     rdr dc0 0/0 port 80 -> 10.0.10.4 port 8080
>
> also tried this rule
>
>     rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.4 port 8080

I have 'tcpudp' after the port in my rdr rules, but see below.

> My understanding of the documentation says the above rdr rule means,
>
> check all packets inbound on interface dc0, and
> no matter what the sending IP address of the packet may be,
> if the port number of the destination IP address of that packet
> matches port 80,
> then re-write the packet's destination IP address and port to
> 10.0.10.4 port 8080 and create the internal nat table to
> handle the translation of the outbound packets coming from
> 10.0.10.4.
> Then hand the re-written packet to the firewall to be processed
> against the firewall rules.
>
> My ipfilter firewall rules would need a pass rule like this
>
>     pass in log quick on dc0 proto tcp from any to 10.0.10.4 port = 8080
>     flags S keep state

I think the filter action occurs before NAT so you would need this:

    pass in log quick on dc0 proto tcp from any to port = 80

-- John.
Re: ipfilter & nat redirect
fbsd_user wrote:

> I have a web server on my private LAN that I want to be accessible from
> the public internet.
>
> dc0 is the interface facing the public internet
>
> I added this rdr rule after the map rules at the end of my nat file.

Ordering is extremely important: nat rules are first match, while filter rules are last match unless you add the quick keyword. So, if you have e.g. a binat rule, then the rdr never takes place.

>     rdr dc0 0/0 port 80 -> 10.0.10.4 port 8080
>
> also tried this rule
>
>     rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.4 port 8080

Seems OK, but you may want to replace the 0/0 with your external ip/32 if it is fixed.

> My understanding of the documentation says the above rdr rule means,
>
> check all packets inbound on interface dc0, and no matter what the
> sending IP address of the packet may be, if the port number of the
> destination IP address of that packet matches port 80, then re-write
> the packet's destination IP address and port to 10.0.10.4 port 8080
> and create the internal nat table to handle the translation of the
> outbound packets coming from 10.0.10.4. Then hand the re-written
> packet to the firewall to be processed against the firewall rules.
>
> My ipfilter firewall rules would need a pass rule like this
>
>     pass in log quick on dc0 proto tcp from any to 10.0.10.4 port = 8080
>     flags S keep state
>
> to create the bi-directional packet session.
>
> Problem is I can't get this to work. I see nothing in the log for the
> pass rule. Anybody have any idea what I am doing wrong or if my
> understanding of the redirect process is in error.

When using rdr, the rdr rule is applied _before_ the filtering, so the filter rule above seems correct to me.

Always, and in particular for debugging, create a rule that catches and logs anything you haven't thought of. Your log only catches successful passes; after that rule, add a log rule like:

    block in log quick on dc0

This should show you the packets that actually are filtered.

Cheers, Erik
--
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
Re: ipfilter & nat redirect
John Murphy wrote:

> I think the filter action occurs before NAT so you would need this:
>
>     pass in log quick on dc0 proto tcp from any to port = 80

For ip-filter, if nat is done when the packet comes IN on an interface, like with rdr, then this takes place BEFORE filtering. If nat is done when the packet goes OUT on an interface, then this takes place AFTER filtering.

If you use binat then you can think of it as the combination of rdr and nat. The reason that binat is not really rdr+nat is that rdr requires a specific port. But for understanding where the nat'ing takes place for binat, thinking rdr+nat on the same interface works.

This means that when nat is configured correctly you can completely forget about it when writing the firewall rules and just think of all networks as being routable.

Cheers, Erik
ipfilter nat redirect udp packets
Have this nat rule:

    rdr rl0 0.0.0.0/0 port 6355 -> 10.0.10.3 port 6355

I can see in the log that tcp packets are being redirected but udp packets are not. Can not find any verbiage in man 5 or 8 ipnat that states the rdr rule only matches on tcp packets. I thought tcp/udp packets should be redirected? Can anyone clarify this?
FBSD 6.0 ipfilter nat redirect not working.
Been running ipfilter a long time. Now with FBSD 6.0, having no joy at getting redirect to a web server on the LAN to work. This is the first time trying this.

rl0 is the NIC facing the public internet.
10.0.10.4 is the LAN IP address of the web server.

Have a friend use http://79.69.59.49:6188/index.htm to target me. The IP address is fake for this posting.

    # /root >ipnat -l
    List of active MAP/Redirect filters:
    map rl0 10.0.10.0/29 -> 0.0.0.0/32 proxy port ftp ftp/tcp
    map rl0 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
    map rl0 10.0.10.0/29 -> 0.0.0.0/32
    rdr rl0 0.0.0.0/0 port 6188 -> 10.0.10.4 port 80 tcp

    List of active sessions:
    RDR 10.0.10.4 80<- -> 79.69.59.49 6188 [65.45.227.95 2698]
    MAP 10.0.10.6 1857 <- -> 79.69.59.49 1857 [216.155.193.144 5050]

Nothing happens. No ipf.log records on the gateway box and no ipf.log records on the LAN web server box.
There is a firewall rule to log & pass from any to 10.0.10.4 port = 80 keep state.
And any packet that does not match a firewall rule gets logged and dropped.

Gateway box has these sysctl knobs set:

    net.inet.ip.forwarding=1
    net.inet.ip.sourceroute=0
    net.ip.accept_sourceroute=0

From the active session list, it looks like the rdr command was executed but no packet showed up at the firewall.

My question is, does anyone have ipfilter nat redirect working on FreeBSD 6.0?
Re: FBSD 6.0 ipfilter nat redirect not working.
fbsd_user wrote:

>     # /root >ipnat -l
>     List of active MAP/Redirect filters:
>     map rl0 10.0.10.0/29 -> 0.0.0.0/32 proxy port ftp ftp/tcp
>     map rl0 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
>     map rl0 10.0.10.0/29 -> 0.0.0.0/32
>     rdr rl0 0.0.0.0/0 port 6188 -> 10.0.10.4 port 80 tcp
>
>     List of active sessions:
>     RDR 10.0.10.4 80<- -> 79.69.59.49 6188 [65.45.227.95 2698]
>     MAP 10.0.10.6 1857 <- -> 79.69.59.49 1857 [216.155.193.144 5050]
>
> Nothing happens. No ipf.log records on the gateway box and no ipf.log
> records on the LAN web server box.
> There is a firewall rule to log & pass from any to 10.0.10.4 port = 80
> keep state.
> And any packet that does not match a firewall rule gets logged and
> dropped.

Please post your filter ruleset also.

Erik
RE: FBSD 6.0 ipfilter nat redirect not working.
cp/udp from any to any port = 138
block in quick on rl0 proto tcp/udp from any to any port = 139
block in quick on rl0 proto tcp/udp from any to any port = 81
# Block all ftp attempts to login so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 21
# Block all SSH attempts to login so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 22
# Block all telnet attempts to login so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 23
# Block all www attempts so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 80
# Block all secure www attempts so count will show in daily cron rpt
block in quick on rl0 proto tcp from any to any port = 443
# Block all smtp email server attempts so count will show in daily cron rpt
block in quick on rl0 proto tcp from any to any port = 25
# block range of Trojan udp ports 1021 thru 1039
# so count will show in daily cron rpt
block in quick on rl0 proto udp from any to any port 1020 >< 1040
# block Trojan scan port
block in quick on rl0 proto tcp from any port = 6000 to any
# Allow traffic in from ISP's DHCP server.
pass in quick on rl0 proto udp from xx.173.0.1 port = 67 to any keep state
pass in quick on rl0 proto udp from xx.39.64.1 port = 67 to any keep state
# Allow traffic in from ISP's DNS server.
pass in quick on rl0 proto udp from xx.168.240.5 port = 53 to any keep state
pass in quick on rl0 proto udp from xx.168.240.2 port = 53 to any keep state
# Allow in testing www function because I have apache server on lan
pass in log quick on rl0 proto tcp from any to any port = 6188 flags S keep state
pass in log quick on rl0 proto tcp from any to 10.0.10.4 port = 80 flags S keep state
# Block all udp traffic
block in log quick on rl0 proto udp all
#block in quick on rl0 proto udp all
# Block and log only first occurrence of all remaining traffic
# coming into the firewall.
# This rule enforces the block all by default logic.
#block in quick on rl0 all
block in log quick on rl0 all

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Erik Norgaard
Sent: Wednesday, March 29, 2006 2:54 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED] ORG
Subject: Re: FBSD 6.0 ipfilter nat redirect not working.

fbsd_user wrote:
> # /root >ipnat -l
> List of active MAP/Redirect filters:
> map rl0 10.0.10.0/29 -> 0.0.0.0/32 proxy port ftp ftp/tcp
> map rl0 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
> map rl0 10.0.10.0/29 -> 0.0.0.0/32
> rdr rl0 0.0.0.0/0 port 6188 -> 10.0.10.4 port 80 tcp
>
> List of active sessions:
> RDR 10.0.10.4 80<- -> 79.69.59.49 6188 [65.45.227.95 2698]
> MAP 10.0.10.6 1857 <- -> 79.69.59.49 1857 [216.155.193.144 5050]
>
> Nothing happens. No ipf.log records on gateway box and
> no ipf.log records on the LAN web server box.
> There is firewall rule to log & pass from any to 10.0.10.4 port = 80
> keep state
> And any packet that does not match a firewall rule get logged and
> dropped.

Please post your filter ruleset also.

Erik
Re: FBSD 6.0 ipfilter nat redirect not working.
is ok when you use keep state because connections out from your LAN will then not be evaluated against this rule when response packets come back.

> # Block a bunch of different nasty things.
> # That I don't want to see in the log
> # Block frags
> #block in log quick on rl0 all with frags
> block in quick on rl0 all with frags
> # Block short tcp packets
> #block in log quick on rl0 proto tcp all with short
> block in quick on rl0 proto tcp all with short
> # block source routed packets
> #block in log quick on rl0 all with opt lsrr
> #block in log quick on rl0 all with opt ssrr
> block in quick on rl0 all with opt lsrr
> block in quick on rl0 all with opt ssrr
> # Block nmap OS fingerprint attempts
> block in quick on rl0 proto tcp from any to any flags FUP
> # Block anything with special options
> #block in log quick on rl0 all with ipopts
> block in quick on rl0 all with ipopts
> # Block public pings
> block in quick on rl0 proto icmp all icmp-type 8
> # Block ident
> block in quick on rl0 proto tcp from any to any port = 113
> # Block all Netbios service. 137=name, 138=datagram, 139=session
> # Netbios is MS/Windows sharing services.
> # Block MS/Windows hosts2 name server requests 81
> block in quick on rl0 proto tcp/udp from any to any port = 137
> block in quick on rl0 proto tcp/udp from any to any port = 138
> block in quick on rl0 proto tcp/udp from any to any port = 139
> block in quick on rl0 proto tcp/udp from any to any port = 81
> # Block all ftp attempts to login so count will show in daily cron rpt
> block in quick on rl0 proto tcp/udp from any to any port = 21
> # Block all SSH attempts to login so count will show in daily cron rpt
> block in quick on rl0 proto tcp/udp from any to any port = 22
> # Block all telnet attempts to login so count will show in daily cron rpt
> block in quick on rl0 proto tcp/udp from any to any port = 23
> # Block all www attempts so count will show in daily cron rpt
> block in quick on rl0 proto tcp/udp from any to any port = 80

Here you go! You have the nat rule

    rdr rl0 0.0.0.0/0 port 6188 -> 10.0.10.4 port 80 tcp

For rdr, this takes place on the incoming interface before the packet traverses the in-rules for that interface. So the packets on rl0 you redirect to port 80 are blocked here.

> # Block all secure www attempts so count will show in daily cron rpt
> block in quick on rl0 proto tcp from any to any port = 443
> # Block all smtp email server attempts so count will show in daily cron rpt
> block in quick on rl0 proto tcp from any to any port = 25
> # block range of Trojan udp ports 1021 thru 1039
> # so count will show in daily cron rpt
> block in quick on rl0 proto udp from any to any port 1020 >< 1040
> # block Trojan scan port
> block in quick on rl0 proto tcp from any port = 6000 to any
> # Allow traffic in from ISP's DHCP server.
> pass in quick on rl0 proto udp from xx.173.0.1 port = 67 to any keep state
> pass in quick on rl0 proto udp from xx.39.64.1 port = 67 to any keep state
> # Allow traffic in from ISP's DNS server.
> pass in quick on rl0 proto udp from xx.168.240.5 port = 53 to any keep state
> pass in quick on rl0 proto udp from xx.168.240.2 port = 53 to any keep state
> # Allow in testing www function because I have apache server on lan
> pass in log quick on rl0 proto tcp from any to any port = 6188 flags S keep state
> pass in log quick on rl0 proto tcp from any to 10.0.10.4 port = 80 flags S keep state

These two rules never apply: the rdr takes place, as mentioned, before filtering, so the first won't ever match, and the second is blocked above.

Remember with nat: if rules apply on the way in, they are applied _before_ the packet is filtered. If rules apply on the way out, they are applied _after_ the packet is filtered. And this is great, because when you write the filter rules you can simply think of all your IPs as being routable.

Cheers, Erik

> # Block all udp traffic
> block in log quick on rl0 proto udp all
> #block in quick on rl0 proto udp all
> # Block and log only first occurrence of all remaining traffic
> # coming into the firewall.
> # This rule enforces the block all by default logic.
> #block in quick on rl0 all
> block in log quick on rl0 all
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Erik Norgaard
> Sent: Wednesday, March 29, 2006 2:54 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED] ORG
> Subject: Re: FBSD 6.0 ipfilter nat redirect not working.
>
> fbsd_user wrote:
> # /root >ipnat -l
> List of active MAP/Redirect filters:
> map rl0 10.0.10.0/29 -> 0.0.0.0/32 proxy port ftp ftp/tcp
> map rl0 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
> map rl0 10.0.10.0/29 -> 0.0.0.0/32
> rdr rl0 0.0.0.0/0 port 6188 -> 10.0.10.4 port 80 tcp
>
> List of active sessions:
> RDR 10.0.10.4 80<- -> 79.69.59.49 6188 [65.45.227.95 2698]
> MAP 10.0.10.6 1857 <- -> 79.69.59.49 1857 [216.155.193.144 5050]
>
> Nothing happens. No ipf.log records on gateway box and no ip
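The ordering point Erik makes in the thread (an rdr on the inbound interface is applied before the 'in' filter rules see the packet, nat rules are first-match, filter rules are last-match unless 'quick') is easy to lose in a long ruleset, and the earlier question about UDP datagrams not being redirected turns on the same rdr matching. The block below is an added example, not ipfilter's code and not anything posted in the thread: a small Python model of that inbound path, run over the posted rdr rule and the relevant lines of the posted ruleset in their posted order, then again with the web pass rule moved ahead of the quick block on port 80. It treats an rdr written without a protocol as tcp-only, which is the default ipnat(5) documents (and is why John puts tcp/udp after the port). Rule objects, the UDP datagram and its 198.51.100.7 source are constructed; the SYN reuses the addresses shown in the post (which the poster says are fake). Flags, keep state and address masks are not modelled.

```python
"""Toy model of ipfilter's inbound processing order (added example, not
ipfilter code). Only the fields the thread's rules use are modelled."""
from dataclasses import dataclass, replace
from typing import Optional, FrozenSet

TCP = frozenset({"tcp"})
UDP = frozenset({"udp"})
TCPUDP = frozenset({"tcp", "udp"})


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rdr:
    """ipnat 'rdr IFACE 0.0.0.0/0 port P -> NEWDST port NP [tcp|udp|tcp/udp]'.
    tcp is the documented default when no protocol is written, so such a
    rule leaves UDP datagrams untouched."""
    iface: str
    dport: int
    new_dst: str
    new_dport: int
    protos: FrozenSet[str] = TCP

    def matches(self, p: Packet) -> bool:
        return p.iface == self.iface and p.dport == self.dport and p.proto in self.protos


@dataclass(frozen=True)
class Filter:
    """ipf 'pass|block in [log] [quick] on IFACE [proto P] from any to DST [port = N]'."""
    action: str                              # "pass" or "block"
    iface: str
    protos: Optional[FrozenSet[str]] = None  # None: any protocol
    dst: Optional[str] = None                # None: any destination address
    dport: Optional[int] = None              # None: any destination port
    quick: bool = False
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface
                and (self.protos is None or p.proto in self.protos)
                and (self.dst is None or p.dst == self.dst)
                and (self.dport is None or p.dport == self.dport))


def apply_rdr(nat_rules, p):
    """First-match NAT: the first matching rdr rewrites dst/dport, later ones are ignored."""
    for r in nat_rules:
        if r.matches(p):
            return replace(p, dst=r.new_dst, dport=r.new_dport), r
    return p, None


def filter_in(filter_rules, p):
    """Last-match filtering: the last matching rule wins unless a match is 'quick'."""
    winner = None
    for f in filter_rules:
        if f.matches(p):
            winner = f
            if f.quick:
                break
    return winner  # None: nothing matched (ipf then passes by default)


def process_inbound(nat_rules, filter_rules, p):
    """rdr first, then the 'in' rules evaluated against the rewritten packet."""
    p2, rdr = apply_rdr(nat_rules, p)
    rule = filter_in(filter_rules, p2)
    return {"rewritten_to": (p2.dst, p2.dport), "rdr_hit": rdr is not None,
            "action": rule.action if rule else "pass",
            "logged": bool(rule and rule.log)}


# The posted rdr rule and the relevant posted filter lines, in their posted order.
OP_NAT = [Rdr("rl0", 6188, "10.0.10.4", 80, TCP)]
BLOCK_80 = Filter("block", "rl0", TCPUDP, dport=80, quick=True)          # no 'log'
PASS_6188 = Filter("pass", "rl0", TCP, dport=6188, quick=True, log=True)
PASS_WEB = Filter("pass", "rl0", TCP, dst="10.0.10.4", dport=80, quick=True, log=True)
CATCH_ALL = Filter("block", "rl0", quick=True, log=True)                  # block-all-by-default, logged
OP_FILTER = [BLOCK_80, PASS_6188, PASS_WEB, CATCH_ALL]
# Reordered: the web pass rule precedes the quick block on port 80.
# PASS_6188 is dropped because after rdr no packet still carries port 6188.
FIXED_FILTER = [PASS_WEB, BLOCK_80, CATCH_ALL]

# Constructed SYN for the friend's test, using the addresses shown in the post.
SYN = Packet("rl0", "tcp", "65.45.227.95", 2698, "79.69.59.49", 6188)


def demo():
    before = process_inbound(OP_NAT, OP_FILTER, SYN)
    after = process_inbound(OP_NAT, FIXED_FILTER, SYN)
    # The UDP question: same rdr with and without a protocol (datagram constructed).
    dgram = Packet("rl0", "udp", "198.51.100.7", 40000, "79.69.59.49", 6355)
    tcp_only = apply_rdr([Rdr("rl0", 6355, "10.0.10.3", 6355)], dgram)[1]
    both = apply_rdr([Rdr("rl0", 6355, "10.0.10.3", 6355, TCPUDP)], dgram)[1]
    return before, after, tcp_only is not None, both is not None


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints both evaluations. In the posted order the rewritten SYN (now to 10.0.10.4 port 80) hits the quick block on port 80, which carries no 'log', so it is dropped silently: exactly the "nothing in the log" symptom. With the pass rule moved in front, the same SYN passes and is logged, and a packet nothing else matches lands on the logging catch-all, which is the debugging rule Erik recommends. The UDP datagram is only rewritten by the rdr that names tcp/udp.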
Re: FBSD 6.0 ipfilter nat redirect not working.
Just a quick question. How are you connecting to the Internet? By that I mean, are you using ADSL? If you are, I can help you.

Don