Subject: Re: Tricky ipf/ipnat question (longish)
To: Martijn Bakker <m.p.bakker@student.utwente.nl>
From: Wes Zuber <wes@uia.net>
List: netbsd-users
Date: 03/27/2000 10:24:09
On Sat, 25 Mar 2000, you wrote:
> Hi all,
>
> I have four IP addresses, a network of about 15 machines and want to use
> one firewall. Hence I want machines on the local net to be accessible by
> externally valid IP numbers as well as by a local IP. Ideally, this
> would allow these machines to be accessible from outside (but subject to
> restrictions by the firewall), as well as be able to function as a
> perfectly normal machine on the local net. There is one problem. The
> whole setup is behind a cable modem, and of course the cable router
> doesn't know where to find the two machines if I don't tell it that the
> route to these goes through the firewall. (i.e. all I get is 'arp
> who-has' messages from the router, these don't go past the firewall/nat
> and hence never get answered).
>
> My current solution is to define the two extra addresses as IP aliases
> for the firewall machine, define routes to these machines as routes to
> 'localhost' there, so they get to be passed through the firewall,
> 'bimap' these addresses to the internal addresses with ipnat. The result,
> however, appears 'quirky'. Simple operations like ping, telnet, http
> work most of the time, but occasionally get responses from the firewall
> instead of the intended machine. Dirtier/more complex protocols never seem
> to work however. Ftp will only function in passive mode, ICQ doesn't
Do you mean that FTP only works in passive for everyone? Or just the BIMAP
machines. You need an FTP Proxy statement for anything that is mapped.
> work at all (I can live with that), ntalk never even gets an invitation
> to the other party (same when instigated from either side of the fw).
Couldn't you just use NAT and IP aliases to redirect to the correct machine?
I'm not sure from your example of what services you want available from the
outside to each individual machine. BIMAPs are not always a good idea since
you open everything up to those machines. I don't see where you handle
individual services in the filter rules.
So for instance you could do something like:
rdr ne0 130.89.65.11/32 port 80 -> 192.168.4.2/32 port 80 tcp
This redirects traffic destined to 130.89.65.11 to an inside address of
192.168.4.2 on port 80 only. This could be a typical set up for a web server.
Martijn, I don't see where much firewalling is going on here, other than keeping
out some spoofed stuff. Are you just primarily interested in the NAT features?
--Wes
> /* Less talk, more numbers version starts here */
>
> The great beyond <-- Cable modem --> Firewall (i586, NetBSD 1.4.1) <--
> Local net --> Local machine (Sparc Classic, NetBSD 1.4(p?))
>
> The great beyond: 0.0.0.0/0, Gateway: 130.89.1.1, Firewall:
> 130.89.65.13, Local machine (through NAT): 130.89.65.11
> Local network: 192.168.4.0/24, Firewall: 192.168.4.1, Local machine (in
> this case): 192.168.4.201
>
> /etc/ipnat.conf
> #!/sbin/ipnat -f -
> #
> bimap ne0 192.168.4.201/32 -> 130.89.65.11/32
> map ne0 192.168.4.0/24 -> 130.89.65.13/32 proxy port ftp ftp/tcp
> map ne0 192.168.4.0/24 -> 130.89.65.13/32 portmap tcp/udp 40000:60000
> map ne0 192.168.4.0/24 -> 130.89.65.13/32
>
> /etc/ipf.conf
> #!/sbin/ipf -f -
> #
> block in all
> block out all
> block in log quick from any to any with ipopts
> block in log quick proto tcp from any to any with short
> # Default rules, nobody enters or leaves, invalid packets get dropped.
> #
> block out quick on ne0 from any to 130.89.65.13/32
> block out quick on ne0 from any to 127.0.0.0/24
> block out quick on ne0 from any to 10.0.0.0/8
> block out quick on ne0 from any to 172.16.0.0/16
> block out quick on ne0 from any to 192.168.0.0/16
> pass out on ne0 from 192.168.4.0/24 to any
> pass out on ne0 from 130.89.65.10/32 to any
> pass out on ne0 from 130.89.65.11/32 to any
> pass out on ne0 from 130.89.65.12/32 to any
> pass out on ne0 from 130.89.65.13/32 to any
> # We can send anything not addressed to a non-routable network
> # or myself.
> #
> block in quick on ne0 from 130.89.65.13/32 to any
> block in quick on ne0 from 127.0.0.0/8 to any
> block in quick on ne0 from 10.0.0.0/8 to any
> block in quick on ne0 from 172.16.0.0/16 to any
> block in quick on ne0 from 192.168.0.0/16 to any
> pass in on ne0 from any to 192.168.4.0/24
> pass in on ne0 from any to 130.89.65.10/32
> pass in on ne0 from any to 130.89.65.11/32
> pass in on ne0 from any to 130.89.65.12/32
> pass in on ne0 from any to 130.89.65.13/32
> # We also receive anything addressed to us and not from a non-routable
> # network or ourselves on the global interface.
> #
> block out quick on rl0 from any to 192.168.4.1/32
> block out quick on rl0 from 127.0.0.0/8 to any
> block out quick on rl0 from 10.0.0.0/8 to any
> block out quick on rl0 from 172.16.0.0/16 to any
> block out on rl0 from 192.168.0.0/16 to any
> pass out on rl0 from any to 192.168.4.0/24
> # We send everything addressed to the local network and not to ourselves
> # out on the local network.
> #
> block in quick on rl0 from 192.168.4.1/32 to any
> block in quick on rl0 from any to 127.0.0.0/8
> block in quick on rl0 from any to 10.0.0.0/8
> block in quick on rl0 from any to 172.16.0.0/16
> block in on rl0 from any to 192.168.0.0/16
> pass in on rl0 from 192.168.4.0/24 to any
> # We can accept anything originating from a valid address in the local
> # network and addressed to a valid address for us or any outsider.
> #
> pass in quick on lo0 from any to any
> pass out quick on lo0 from any to any
> # The local network must keep functioning too
>
> route table (simplified, numbers substituted for names):
>
> Routing tables
>
> Internet:
> Destination       Gateway              Flags
> default           130.89.1.1           UG
> localhost         127.0.0.1            UH
> 130.89.0.0        link#2               U
> 130.89.1.1        0:60:3e:c5:e5:a2     UH
> 130.89.65.11      127.0.0.1            UGH
> 130.89.65.13      127.0.0.1            UGH
> 130.89.255.255    link#2               UH
> 192.168.4.0       link#1               U
> 192.168.4.1       127.0.0.1            UGH
> 192.168.4.201     8:0:2b:37:62:cb      UH
>
> /* */
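An added illustration, not part of this thread, of how ipf orders the rules quoted above: every rule is consulted in turn and the last match wins, unless a matching rule says `quick`, which stops the search. The Python model below applies that to a constructed subset of the poster's outbound rl0 rules (only interface, direction and from/to addresses are modelled; no proto, port or state), and shows why `block out on rl0 from 192.168.0.0/16 to any` behaves differently with and without `quick`.

```python
import ipaddress

# Constructed subset of the quoted /etc/ipf.conf: the "block out all" default
# plus the outbound rl0 rules.  Only "all", from/to, on and quick are modelled.
RULES_TEXT = """
block out all
block out quick on rl0 from any to 192.168.4.1/32
block out quick on rl0 from 127.0.0.0/8 to any
block out quick on rl0 from 10.0.0.0/8 to any
block out quick on rl0 from 172.16.0.0/16 to any
block out on rl0 from 192.168.0.0/16 to any
pass out on rl0 from any to 192.168.4.0/24
"""

def _net(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rules(text):
    """Turn the rule text into dicts; None means 'any' for iface/src/dst."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        rule = {"action": t[0], "dir": t[1], "quick": "quick" in t,
                "iface": t[t.index("on") + 1] if "on" in t else None,
                "src": None, "dst": None}
        if "from" in t:  # "all" has no from/to pair
            rule["src"] = _net(t[t.index("from") + 1])
            rule["dst"] = _net(t[t.index("to") + 1])
        rules.append(rule)
    return rules

def _matches(rule, direction, iface, src, dst):
    return (rule["dir"] == direction
            and rule["iface"] in (None, iface)
            and (rule["src"] is None or ipaddress.ip_address(src) in rule["src"])
            and (rule["dst"] is None or ipaddress.ip_address(dst) in rule["dst"]))

def decide(rules, direction, iface, src, dst):
    """ipf semantics: the LAST matching rule decides, unless a matching
    rule carries 'quick', which ends the search at once.  Returns
    (verdict, 1-based number of the deciding rule, 0 if nothing matched)."""
    verdict, hit = "pass", 0  # ipf passes a packet no rule matches
    for n, rule in enumerate(rules, 1):
        if _matches(rule, direction, iface, src, dst):
            verdict, hit = rule["action"], n
            if rule["quick"]:
                break
    return verdict, hit

def with_quick(rules, n):
    """Copy of the ruleset with rule n (1-based) marked quick, to compare."""
    out = [dict(r) for r in rules]
    out[n - 1]["quick"] = True
    return out
```

With the poster's non-quick rule 6, LAN-to-LAN traffic leaving rl0 ends up passed by rule 7; marking rule 6 `quick` blocks it instead.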