Re: Transparent Firewall with NAT

2007-10-17 Thread François Rousseau
Hmmm, maybe I misunderstand, but that looks more like a proxy, no?

François Rousseau


On 10/15/07, Cédric THIBAULT [EMAIL PROTECTED] wrote:
 Firstly, thanks for your comments,

 2007/10/12, ropers [EMAIL PROTECTED]:
 
  I don't fully understand your email, because some of your sentences
  aren't really grammatically correct, and some of them don't seem to me
  to be technologically correct (i.e. the technology questions in them
  don't seem to make sense to me). From reading this thread, I suspect
  others are having similar problems.


 Yes, it's true, I'm not a native English speaker. Sorry for my sentences, which smell
 of good French pronunciation... I will do my best to avoid these mistakes.


 Let me look at what you wrote:
 
   On 10/10/2007, Cédric THIBAULT [EMAIL PROTECTED] wrote:
   Hello everybody,
  
   I work on BSD 4.1, with i386 hardware.
  
    I'm searching for a way to enable a transparent firewall (without IP
   address),
    probably in bridge mode.., with a capability of NAT.
 
  Let me stop you there. Normally, you would EITHER use your OpenBSD box
  to do NAT, OR you would set your OpenBSD box up as a bridge. Let's
  take a step back and instead of talking about things in the abstract,
  let's make plain what you're trying to do:
 
  - Do you have a network w/ multiple hosts on the same physical network
  segment?
  - Do these hosts have private or public IP addresses?
  - Are these hosts' IP addresses in the same (logical) subnet? I.e. are
  they using the same network address and subnet mask, e.g.
  xxx.yyy.zzz.0/24?
  - You've mentioned bridging. Which hosts do you want to separate with
  a bridge? Are these hosts on the same logical subnet (and possibly
  already on the same physical network segment)? If they aren't, then
  how is what you're trying to do bridging?
  - You've mentioned NATing. Normally this involves translating between
  two DIFFERENT logical networks. What do you mean by enable a
  transparent firewall (...) in bridge mode.., with a capability of
  NAT? Do you want to set up a bridge NOW and only possibly separate
  your network LATER, and then change your OpenBSD bridge to an OpenBSD
  NAT router?



 I've got 2 physical networks which are on the same IP subnet with the same
 netmask. The OpenBSD box is in the middle of these networks. For example:

 LAN1 ---- INET1 [OpenBSD] INET2 ---- LAN2
 192.168.0.1-10                       192.168.0.15-20
 255.255.255.0                        255.255.255.0


  I know the interest is
   not evident to NAT some computers on the same IP LAN, but it's for a
  client,
   so!
 
  Hm. Forgive my skepticism, but has the client asked you to put in a
  bridge that does NAT? Do you understand what they want? Do they?


 I don't know precisely why he wants that, but for information, I know Cisco
 offers this possibility.

  It seems that PF doesn't have this capability. Perhaps it could be
  possible
   with another package?
 
  OpenBSD/PF can do NAT while filtering the NATted traffic.
  OpenBSD/PF can also be used to set up a transparent bridge that is
  invisible to users, yet filters traffic. This can be done out of the
  box; no extra packages are required. I have personally in the past
  set up such an OpenBSD bridge. In my case, this was a physical network
  segment with multiple hosts, only some of which were under my control.
  The foreign and my own hosts were also on the same (logical) subnet. I
  needed to protect one of the hosts from the others (especially the
  ones I didn't control). That sensitive host was a Windows Server 2003
  box (which by default comes w/o a firewall, and the Windows Firewall,
  while available in a service pack, cannot be enabled on Domain
  Controllers without serious hacking; really; it boggles the mind). So
  I connected stuff thus:
 
  W2K3 Srv --- OpenBSD bridge --- rest of network, incl. Internet
  gateway
 
  I set up the bridge and configured pf.conf so that those boxes that
  needed to talk to the server could do so. It was NOT a totally
  bulletproof solution, but it was the best I could come up with, given
  the constraints I was operating within.


 Your description is very interesting and I agree with your opinion. But my
 question is:

 Can I NAT an IP address which is not assigned to my network interface, and
 configure ARP to
 be able to receive IP data destined to the IP I NAT? If I keep my
 previous example:


 LAN1 ---- INET1 [OpenBSD] INET2 ---- LAN2
 192.168.0.1-10                       192.168.0.15-20
 255.255.255.0                        255.255.255.0

 With INET1 and INET2 in promiscuous mode without an IP address assigned, I would
 like to know if I could NAT LAN1 with an arbitrary address (192.168.0.11 for
 example) and capture the answers to forward them to LAN1 (with a specific
 ARP configuration perhaps..). With this configuration, LAN2 uses only 1
 address to communicate with LAN1, but can't ping or touch the firewall, which
 is totally transparent..

Re: Transparent Firewall with NAT

2007-10-15 Thread Cédric THIBAULT
Firstly, thanks for your comments,

2007/10/12, ropers [EMAIL PROTECTED]:

 I don't fully understand your email, because some of your sentences
 aren't really grammatically correct, and some of them don't seem to me
 to be technologically correct (i.e. the technology questions in them
 don't seem to make sense to me). From reading this thread, I suspect
 others are having similar problems.


Yes, it's true, I'm not a native English speaker. Sorry for my sentences, which smell
of good French pronunciation... I will do my best to avoid these mistakes.


Let me look at what you wrote:

  On 10/10/2007, Cédric THIBAULT [EMAIL PROTECTED] wrote:
  Hello everybody,
 
  I work on BSD 4.1, with i386 hardware.
 
   I'm searching for a way to enable a transparent firewall (without IP
  address),
   probably in bridge mode.., with a capability of NAT.

 Let me stop you there. Normally, you would EITHER use your OpenBSD box
 to do NAT, OR you would set your OpenBSD box up as a bridge. Let's
 take a step back and instead of talking about things in the abstract,
 let's make plain what you're trying to do:

 - Do you have a network w/ multiple hosts on the same physical network
 segment?
 - Do these hosts have private or public IP addresses?
 - Are these hosts' IP addresses in the same (logical) subnet? I.e. are
 they using the same network address and subnet mask, e.g.
 xxx.yyy.zzz.0/24?
 - You've mentioned bridging. Which hosts do you want to separate with
 a bridge? Are these hosts on the same logical subnet (and possibly
 already on the same physical network segment)? If they aren't, then
 how is what you're trying to do bridging?
 - You've mentioned NATing. Normally this involves translating between
 two DIFFERENT logical networks. What do you mean by enable a
 transparent firewall (...) in bridge mode.., with a capability of
 NAT? Do you want to set up a bridge NOW and only possibly separate
 your network LATER, and then change your OpenBSD bridge to an OpenBSD
 NAT router?



I've got 2 physical networks which are on the same IP subnet with the same
netmask. The OpenBSD box is in the middle of these networks. For example:

LAN1 ---- INET1 [OpenBSD] INET2 ---- LAN2
192.168.0.1-10                       192.168.0.15-20
255.255.255.0                        255.255.255.0


 I know the interest is
  not evident to NAT some computers on the same IP LAN, but it's for a
 client,
  so!

 Hm. Forgive my skepticism, but has the client asked you to put in a
 bridge that does NAT? Do you understand what they want? Do they?


I don't know precisely why he wants that, but for information, I know Cisco
offers this possibility.

 It seems that PF doesn't have this capability. Perhaps it could be
 possible
  with another package?

 OpenBSD/PF can do NAT while filtering the NATted traffic.
 OpenBSD/PF can also be used to set up a transparent bridge that is
 invisible to users, yet filters traffic. This can be done out of the
 box; no extra packages are required. I have personally in the past
 set up such an OpenBSD bridge. In my case, this was a physical network
 segment with multiple hosts, only some of which were under my control.
 The foreign and my own hosts were also on the same (logical) subnet. I
 needed to protect one of the hosts from the others (especially the
 ones I didn't control). That sensitive host was a Windows Server 2003
 box (which by default comes w/o a firewall, and the Windows Firewall,
 while available in a service pack, cannot be enabled on Domain
 Controllers without serious hacking; really; it boggles the mind). So
 I connected stuff thus:

 W2K3 Srv --- OpenBSD bridge --- rest of network, incl. Internet
 gateway

 I set up the bridge and configured pf.conf so that those boxes that
 needed to talk to the server could do so. It was NOT a totally
 bulletproof solution, but it was the best I could come up with, given
 the constraints I was operating within.


Your description is very interesting and I agree with your opinion. But my
question is:

Can I NAT an IP address which is not assigned to my network interface, and
configure ARP to
be able to receive IP data destined to the IP I NAT? If I keep my
previous example:


LAN1 ---- INET1 [OpenBSD] INET2 ---- LAN2
192.168.0.1-10                       192.168.0.15-20
255.255.255.0                        255.255.255.0

With INET1 and INET2 in promiscuous mode without an IP address assigned, I would
like to know if I could NAT LAN1 with an arbitrary address (192.168.0.11 for
example) and capture the answers to forward them to LAN1 (with a specific
ARP configuration perhaps..). With this configuration, LAN2 uses only 1
address to communicate with LAN1, but can't ping or touch the firewall, which
is totally transparent..

 Maybe you could describe your network like I did above. I think that
 would help me and possibly others to understand you better. Please be
 specific.


So, I hope that my problem is clearer now. I don't know if it's realistic

Re: Transparent Firewall with NAT

2007-10-12 Thread ropers
On 10/10/2007, Cidric THIBAULT [EMAIL PROTECTED] wrote:
 Thanks for your comment. Unfortunately, I understand the NAT
 process well.

Huh? If you understand NAT very well, then how is that unfortunate?
I'm not trying to be a prick here; I honestly have trouble
understanding you.

 It's right that it doesn't seem interesting to NAT some machines in the same
 IP LAN, but that is what I want.

Is this what you are trying to say?:
It's true that it would not seem to make sense to do Network Address
Translation between machines that are on the same physical network
segment, but this is what I want.

I'll give you an example of what I understood. Please tell me if this
describes what you are trying to do:

- You have multiple hosts on a single physical network segment.
- An OpenBSD box is also connected to the same network segment,
possibly intercalated between two parts of that network, where one
part of that network is connected to its 1st NIC and the other to a
2nd NIC.
- There are hosts on both sides that are on the same logical subnet.
Therefore bridging is required.
- There are other hosts connected to that same physical network
segment that are configured with IP addresses and subnet masks so
that they are in a second different logical subnet. They need NAT in
order to talk to the hosts in the first logical subnet.

Is this what you need?

 The problem, as you said very well, is that the firewall can't assign its own
 IP address because it is in bridge mode.

You can assign an IP address to a NIC that's part of a bridge. This is
frequently done, so the bridge can be remotely administered with SSH.
In this scenario you put both NICs in promiscuous mode (so they listen
to all traffic and bridge whatever is allowed in pf.conf), but you
assign an IP address to one of the NICs anyway. Most users will never
see/know that IP. It doesn't appear in their network settings. It's
strictly for when you want to talk directly to the OpenBSD box.

 So, the idea is to set a particular IP on all traffic outgoing from the
 firewall.

I have no idea what you're trying to say here.

 The rule could be this one:

 nat pass on bridge0 inet tagged LAN1 -> 192.168.2.3  (it's an example of an
 IP picked in the LAN...)
 pass in inet proto { tcp, udp, icmp } on $lan1_if from 10.0.0.0/24 tag LAN1

 I don't know if this syntax is OK, because I never tested it.

I have no idea what you're trying to do here. I'm missing contextual
information.



Transparent Firewall with NAT

2007-10-12 Thread ropers
I don't fully understand your email, because some of your sentences
aren't really grammatically correct, and some of them don't seem to me
to be technologically correct (i.e. the technology questions in them
don't seem to make sense to me). From reading this thread, I suspect
others are having similar problems. Let me look at what you wrote:

On 10/10/2007, Cédric THIBAULT [EMAIL PROTECTED] wrote:
 Hello everybody,

 I work on BSD 4.1, with i386 hardware.

 I'm searching for a way to enable a transparent firewall (without IP address),
 probably in bridge mode.., with a capability of NAT.

Let me stop you there. Normally, you would EITHER use your OpenBSD box
to do NAT, OR you would set your OpenBSD box up as a bridge. Let's
take a step back and instead of talking about things in the abstract,
let's make plain what you're trying to do:

- Do you have a network w/ multiple hosts on the same physical network
segment?
- Do these hosts have private or public IP addresses?
- Are these hosts' IP addresses in the same (logical) subnet? I.e. are
they using the same network address and subnet mask, e.g.
xxx.yyy.zzz.0/24?
- You've mentioned bridging. Which hosts do you want to separate with
a bridge? Are these hosts on the same logical subnet (and possibly
already on the same physical network segment)? If they aren't, then
how is what you're trying to do bridging?
- You've mentioned NATing. Normally this involves translating between
two DIFFERENT logical networks. What do you mean by enable a
transparent firewall (...) in bridge mode.., with a capability of
NAT? Do you want to set up a bridge NOW and only possibly separate
your network LATER, and then change your OpenBSD bridge to an OpenBSD
NAT router?

 I know the interest is
 not evident to NAT some computers on the same IP LAN, but it's for a
client,
 so!

Hm. Forgive my skepticism, but has the client asked you to put in a
bridge that does NAT? Do you understand what they want? Do they?

 It seems that PF doesn't have this capability. Perhaps it could be
possible
 with another package?

OpenBSD/PF can do NAT while filtering the NATted traffic.
OpenBSD/PF can also be used to set up a transparent bridge that is
invisible to users, yet filters traffic. This can be done out of the
box; no extra packages are required. I have personally in the past
set up such an OpenBSD bridge. In my case, this was a physical network
segment with multiple hosts, only some of which were under my control.
The foreign and my own hosts were also on the same (logical) subnet. I
needed to protect one of the hosts from the others (especially the
ones I didn't control). That sensitive host was a Windows Server 2003
box (which by default comes w/o a firewall, and the Windows Firewall,
while available in a service pack, cannot be enabled on Domain
Controllers without serious hacking; really; it boggles the mind). So
I connected stuff thus:

W2K3 Srv --- OpenBSD bridge --- rest of network, incl. Internet gateway

I set up the bridge and configured pf.conf so that those boxes that
needed to talk to the server could do so. It was NOT a totally
bulletproof solution, but it was the best I could come up with, given
the constraints I was operating within.

Maybe you could describe your network like I did above. I think that
would help me and possibly others to understand you better. Please be
specific.

Thanks and regards,
--ropers



Transparent Firewall with NAT

2007-10-10 Thread Cédric THIBAULT
Hello everybody,

I work on BSD 4.1, with i386 hardware.

I'm searching for a way to enable a transparent firewall (without IP address),
probably in bridge mode.., with a capability of NAT. I know the interest is
not evident to NAT some computers on the same IP LAN, but it's for a client,
so!

It seems that PF doesn't have this capability. Perhaps it could be possible
with another package?

Thanks for your comments...

Cédric.



Re: Transparent Firewall with NAT

2007-10-10 Thread Antoine Jacoutot
On Wed, 10 Oct 2007, Cédric THIBAULT wrote:
 I'm searching for a way to enable a transparent firewall (without IP address),
 probably in bridge mode.., with a capability of NAT. I know the interest is

Hmm... bridge and NAT don't work at the same level. I think you'd
need to set an IP address and enable forwarding for this to work.
But then of course, it won't be a transparent bridge anymore. Or you
could use 2 different boxen, one for the bridge and one for NAT.
Or maybe I'm just talking bull... I'm no bridge guru.

-- 
Antoine



Re: Transparent Firewall with NAT

2007-10-10 Thread stuart van Zee
 From: Cedric THIBAULT
 
 Hello everybody,
 
 I work on BSD 4.1, with i386 hardware.
 
 I'm searching for a way to enable a transparent firewall (without IP address),
 probably in bridge mode.., with a capability of NAT. I know the
 interest is
 not evident to nat some computers on the same IP lan, but it's 
 for a client,
 so!
 
 It seems that PF doesn't have this capability. Perhaps it could
 be possible
 with another package?

 Thanks for your comments...

 Cédric.

I am not sure you understand what NAT is.  When you use NAT to allow a 
system on one network to access another network, the traffic is NATted 
to the IP of the box doing the NAT.  In the case of a firewall like
device, the traffic would be given the IP address of the outer interface
of the firewall.

inside box ---(1)---> firewall/bridge doing NAT ---(2)---> Internet etc.

(1) network traffic leaves the inside box, it has the source IP of the
inside box.

(2) The network traffic is NATted by the firewall, when it leaves the
outer interface of the firewall it now has the source IP address of the
outer interface of the firewall.

Any return traffic would simply take the same steps in reverse.

If the firewall/bridge does not have any IP addresses, there is no way
that NAT can occur. It has no IP address to change the source IP to.

If I have this wrong somehow, please let me know.

s



Re: Transparent Firewall with NAT

2007-10-10 Thread Cédric THIBAULT
2007/10/10, stuart van Zee [EMAIL PROTECTED]:

  From:
 
  Hello everybody,
 
  I work on BSD 4.1, with i386 hardware.
 
   I'm searching for a way to enable a transparent firewall (without IP
  address),
   probably in bridge mode.., with a capability of NAT. I know the
  interest is
  not evident to nat some computers on the same IP lan, but it's
  for a client,
  so!
 
   It seems that PF doesn't have this capability. Perhaps it could
   be possible
   with another package?

   Thanks for your comments...

   Cédric.

 I am not sure you understand what NAT is.  When you use NAT to allow a
 system on one network to access another network, the traffic is NATted
 to the IP of the box doing the NAT.  In the case of a firewall like
 device, the traffic would be given the IP address of the outer interface
 of the firewall.

 inside box ---(1)---> firewall/bridge doing NAT ---(2)---> Internet etc.

 (1) network traffic leaves the inside box, it has the source IP of the
 inside box.

 (2) The network traffic is NATted by the firewall, when it leaves the
 outer interface of the firewall it now has the source IP address of the
 outer interface of the firewall.

 Any return traffic would simply take the same steps in reverse.

 If the firewall/bridge does not have any IP addresses, there is no way
 that NAT can occur. It has no IP address to change the source IP to.

 If I have this wrong somehow, please let me know.

 s

Thanks for your comment. Unfortunately, I understand the NAT
process well.

It's right that it doesn't seem interesting to NAT some machines in the same
IP LAN, but that is what I want.

The problem, as you said very well, is that the firewall can't assign its own
IP address because it is in bridge mode.

So, the idea is to set a particular IP on all traffic outgoing from the
firewall.
The rule could be this one:

nat pass on bridge0 inet tagged LAN1 -> 192.168.2.3  (it's an example of an
IP picked in the LAN...)
pass in inet proto { tcp, udp, icmp } on $lan1_if from 10.0.0.0/24 tag LAN1

I don't know if this syntax is OK, because I never tested it.

Does anyone know?



Re: Transparent Firewall with NAT

2007-10-10 Thread Marcus Andree
You _may_ be able to apply the following setup (borrowing from
someone else's design :-) :

inside box ---(1)---> firewall/bridge doing NAT ---(2)---> default gateway ---> internet
                      if1                      if2

Let's just suppose that if2 has the ip address IP2 configured.

1 - set interface if1 to bridge interface if2.
2 - your fw/bridge computer has a default route to a gateway that can
    forward packets to the net
3 - do not assign an IP address to if1
4 - do your pf homework to NAT computers from the inside network, using
    the external IP2 address
5 - somehow, the computers from your inside network should be set to use
    IP2 as default gateway.
    5 a) This implies that IP2 lies in the same net address you're using on
         your inside network.
    5 b) Or you have a static route pointing to IP2 on each inside network
         computer.
    This implies that each computer on this net segment can talk directly
    to your default gateway that handles internet connections. To limit this
    communication and enforce all clients to set your bridge/fw host as
    default gateway, you should create a working filter ruleset.
6 - optionally, you may want the bridge to replicate only the IP protocol
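
An added example, not part of the thread and not anyone's posted configuration: a POSIX sh script that renders the OpenBSD files for the layout Marcus describes above (if1 bridged to if2, a single address IP2 on if2 only, inside hosts routed through the box and NATed to IP2), which is also how ropers' point from his 2007-10-12 reply works in practice: a bridge member can carry an address, and that address is what you manage the box through. It uses the hostname.if(5), hostname.bridge0 and `nat-to` syntax of current OpenBSD releases rather than OpenBSD 4.1's bridgename.bridge0, brconfig(8) and `nat on ... ->` rules. The interface names em0/em1, the gateway 192.168.0.254, the /24, and the choice of the OP's 192.168.0.11 as IP2 are assumptions; by default the script only writes the files under a preview directory so you can read them before installing anything.

```shell
#!/bin/sh
# Added example (not from the thread): render the configuration for the
# bridge-plus-one-address layout and, optionally, apply it on the firewall.
# Values below are assumptions for the example; adjust them to the real box.
set -eu

INSIDE_IF=${INSIDE_IF:-em0}          # if1: no address, faces LAN1
OUTSIDE_IF=${OUTSIDE_IF:-em1}        # if2: carries IP2, faces LAN2 and the gateway
IP2=${IP2:-192.168.0.11}             # the only address LAN2 ever sees (OP's example)
MASK=${MASK:-255.255.255.0}
GATEWAY=${GATEWAY:-192.168.0.254}    # default gateway reachable via if2 (assumed)
INSIDE_NET=${INSIDE_NET:-192.168.0.0/24}

# write_configs ROOT: write hostname.if(5) files, hostname.bridge0, mygate,
# sysctl.conf and pf.conf below ROOT ("/" on the firewall itself).
write_configs() {
    root=$1
    mkdir -p "$root/etc"

    # Steps 1 and 3: if1 is up but has no address; if2 carries IP2;
    # bridge0 joins the two members.
    printf 'up\n' > "$root/etc/hostname.$INSIDE_IF"
    printf 'inet %s %s\n' "$IP2" "$MASK" > "$root/etc/hostname.$OUTSIDE_IF"
    printf 'add %s\nadd %s\nup\n' "$INSIDE_IF" "$OUTSIDE_IF" > "$root/etc/hostname.bridge0"

    # Step 2: default route, plus IP forwarding so the box routes as well as bridges.
    printf '%s\n' "$GATEWAY" > "$root/etc/mygate"
    printf 'net.inet.ip.forwarding=1\n' >> "$root/etc/sysctl.conf"

    # Step 4: the ruleset. pf filters on the member interfaces, not on bridge0.
    {
        printf 'inside_if = "%s"\n' "$INSIDE_IF"
        printf 'outside_if = "%s"\n' "$OUTSIDE_IF"
        printf 'inside_net = "%s"\n' "$INSIDE_NET"
        printf 'fw_ip = "%s"\n' "$IP2"
        cat <<'EOF'

set skip on lo
block log all

# Management: the address on the bridge member is reachable from either
# side of the bridge; allow SSH to it from LAN1 only.
pass in on $inside_if inet proto tcp from $inside_net to $fw_ip port 22

# LAN1 hosts that route via $fw_ip (step 5) leave if2 with that one address.
pass in  on $inside_if  inet from $inside_net to ! $fw_ip
pass out on $outside_if inet from $inside_net nat-to $fw_ip
pass out on $outside_if inet from $fw_ip
pass out on $inside_if  inet from $fw_ip
EOF
    } > "$root/etc/pf.conf"
}

# apply_live: activate the files written under / on the firewall itself.
apply_live() {
    sysctl net.inet.ip.forwarding=1
    sh /etc/netstart "$INSIDE_IF" "$OUTSIDE_IF" bridge0
    pfctl -f /etc/pf.conf
}

target=${1:-/tmp/fw-preview}
write_configs "$target"
echo "configuration written under $target"
if [ "$target" = / ]; then
    apply_live
fi
```

Run it with no argument to inspect the rendered files under /tmp/fw-preview, and with `/` as the argument on the firewall to install and apply them. Two limits follow from the thread itself: the address on em1 answers ARP and is reachable from both sides (ping it if you allow ICMP in), so the "untouchable" part of the original requirement cannot be met this way; and, as Marcus notes in step 5, a LAN1 host that ARPs for a LAN2 address directly is simply bridged through with its own source address, and nothing in these rules distinguishes that bridged frame from a routed one, so the single-address behaviour depends on the LAN1 hosts actually routing through IP2.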



Re: Transparent Firewall with NAT

2007-10-10 Thread Steve Shockley

Cédric THIBAULT wrote:

I'm searching for a way to enable a transparent firewall (without IP address),
probably in bridge mode.., with a capability of NAT. I know the interest is
not evident to NAT some computers on the same IP LAN, but it's for a client,
so!


You want to have a bridge that does NAT without an IP address... so what
address would the packets from behind the bridge be NATed to?


I've set up machines as transparent spamd firewalls to put in front of 
Exchange servers.  Maybe that's what you want to do, but that doesn't 
involve NAT.