Current-Users archive


Re: netbsd-5 and NFS-booted ipfilter firewall





Hauke Fath wrote:
> At 1:10 Uhr -0500 22.2.2009, Louis Guillaume wrote:
>> On netbsd-5, my firewall hangs after installing NAT rules for ipfilter.
>> The firewall is netbooted.
>
> Uhh... Sit on branch, have saw?

Good metaphor! I just always thought that the "internal" network was on the tree side, since I have all the rules (ipf and ipnat) on the external interface and also "pass out proto tcp/udp all keep state" as the last rule.

>> Turn ipfilter off and the machine boots
>> without interruption. Revert to netbsd-4 and everything works properly.
>
> And the rule sets are?

[ipf.conf]
# sip2 = external interface
# ipf semantics: the last matching rule wins unless a rule carries
# "quick", so the two "pass ... all" lines are defaults that any later
# matching rule overrides.

pass  in all
pass  out all

# Default deny for everything arriving on the external interface.
# Not "quick", so the "pass in quick" rules further down override it.
block in    on sip2

# Drop packets from private, reserved and otherwise unroutable sources
# immediately (anti-spoofing). The 192.0.2.0/16 entry as written covers
# all of 192.0.0.0/16; TEST-NET-1 itself is 192.0.2.0/24.
block in    quick on sip2 from 192.168.0.0/16 to any
block in    quick on sip2 from 172.16.0.0/12 to any
block in    quick on sip2 from 10.0.0.0/8 to any
block in    quick on sip2 from 127.0.0.0/8 to any
block in    quick on sip2 from 0.0.0.0/8 to any
block in    quick on sip2 from 169.254.0.0/16 to any
block in    quick on sip2 from 192.0.2.0/16 to any
block in    quick on sip2 from 204.152.64.0/23 to any
# 224.0.0.0/3 is multicast plus the reserved class E space
block in    quick on sip2 from 224.0.0.0/3 to any

# Anything leaving via sip2 is allowed and creates a state entry, so
# the replies get back in without a matching "pass in" rule.
pass out    quick on sip2 proto tcp/udp from any to any keep state
pass out    quick on sip2 proto icmp from any to any keep state

# Inbound services: HTTP (SYN only, state created on the handshake),
# DNS over UDP, and ICMP.
pass in quick on sip2 proto tcp from any to any port = 80 flags S keep state

pass in     quick on sip2 proto udp from any to any port = 53 keep state
pass in     quick on sip2 proto icmp from any to any

# Catch-all for outbound TCP on any interface (including the internal one)
pass out proto tcp all keep state


[ipnat.conf]
# ipnat: the first matching map/rdr rule wins, so the order below matters.
# 0/32 stands for the address of the interface the rule is on.

# Redirect inbound port 80 on the external interface to the internal web host
rdr sip2 0/0 port 80    -> 192.168.1.100 port 80

# Outbound NAT for the internal net: FTP gets the ftp proxy (so active-mode
# data connections work), other tcp/udp gets a port-mapped translation, and
# the final rule catches everything else (e.g. ICMP).
map sip2 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map sip2 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map sip2 192.168.1.0/24 -> 0/32



>> After reading a few threads that seem similar, I experimented with
>> setting nfsd to run udp-only, but that didn't help.
>
> Like any RPC, nfs is tricky to pass through a packet filter, in that you
> need to enable something like ports [512,1024] in addition to rpc and nfs -
> or ask the nfs server rpcbind for the ports used by nfs.

I figure that on the internal network all things are allowed. There
should be no firewall between the internal interface on the gateway and
the internal machines. And according to the rules, there isn't.

The ruleset has been working for many years. Since netbsd 1.5 IIRC.

Thanks for looking.

Louis
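Hauke's second option, asking the NFS server's rpcbind which ports it actually uses instead of opening a blanket port range, as an added example that is not part of the original thread. It turns `rpcinfo -p` output into stateful ipf(5) pass rules for just the RPC programs an NFS client needs. The rpcinfo output is constructed sample data, and the interface name `sip0` and server address `192.168.1.10` are assumptions, not values from the thread.

```sh
#!/bin/sh
# Added example (not from the original thread): build ipf(5) pass rules
# from what the NFS server's rpcbind reports via rpcinfo -p, so only the
# ports in use are opened rather than all of 512-1024. Interface "sip0"
# and server 192.168.1.10 are assumptions.

# Constructed sample of `rpcinfo -p 192.168.1.10` output (not captured
# from a real host); the column layout matches what rpcinfo prints.
# rquotad is included to show that unrelated RPC programs are skipped.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    640  mountd
    100005    3   tcp    642  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp    635  nlockmgr
    100024    1   udp    637  status
    100011    1   udp    869  rquotad'

# ipf_rules_from_rpcinfo IFACE SERVER   (rpcinfo -p output on stdin)
# Emits one "pass out quick ... keep state" rule per distinct proto/port
# pair for portmapper, nfs, mountd, nlockmgr and status. Several versions
# of one program share a port, so pairs are de-duplicated. Any other RPC
# program on the server is ignored so no hole is punched for it.
ipf_rules_from_rpcinfo() {
    iface=$1
    server=$2
    awk -v iface="$iface" -v server="$server" '
        $5 == "portmapper" || $5 == "nfs" || $5 == "mountd" ||
        $5 == "nlockmgr"   || $5 == "status" {
            key = $3 "/" $4                 # proto/port
            if (key in seen) next
            seen[key] = 1
            printf "# %s v%s\n", $5, $2
            printf "pass out quick on %s proto %s from any to %s port = %s keep state\n",
                   iface, $3, server, $4
        }'
}

# Number of rules produced for the sample (8 distinct proto/port pairs;
# rquotad contributes none).
count_sample_rules() {
    printf '%s\n' "$SAMPLE_RPCINFO" |
        ipf_rules_from_rpcinfo sip0 192.168.1.10 | grep -c '^pass'
}

printf '%s\n' "$SAMPLE_RPCINFO" | ipf_rules_from_rpcinfo sip0 192.168.1.10
```

The rules are outbound with "keep state", so the server's replies (including UDP NFS) are matched by the state table and need no separate "pass in" rule. Two caveats: mountd, nlockmgr and status get their ports from rpcbind when they start, so the generated rules are only valid until the server restarts those daemons and must be regenerated; and on a client whose root filesystem is itself on NFS, the rules cannot be fetched from the server before the ruleset that allows the fetch is loaded, which is the chicken-and-egg situation the thread is about.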



