Subject: RE: IPNat, IPF, and webservers...
To: 'Mike Pelley' <mike@pelley.com>
From: David Woyciesjes <DAW@yalepress3.unipress.yale.edu>
List: tech-net
Date: 10/23/2000 13:32:06
Also forgot to mention one thing... When I try to ping the IP address of the
firewall from the outside world, 64.252.X.Y, the request times out... I'm
not sure where it's getting swallowed up....

---   David A Woyciesjes
---   C & IS Support Specialist
---   Yale University Press
---   mailto:david.woyciesjes@yale.edu
---   (203) 432-0953
---   ICQ # - 905818


-> -----Original Message-----
-> From: David Woyciesjes [mailto:david.woyciesjes@yale.edu]
-> Sent: Monday, October 23, 2000 12:20 PM
-> To: 'Mike Pelley'; 'NetBSD Tech-Net'; 'brucea@spacestar.net'
-> Cc: David Woyciesjes
-> Subject: RE: IPNat, IPF, and webservers...
-> 
-> 
-> 	Thanks to everybody for their help. But I have a weird problem left.
-> When I browse to my webserver, xxx.10, it's fine. When I try my cjb.net
-> redirection service from my LAN, I get "Connection could not be
-> established". But when I try it from work, it works fine. I want to be able
-> to check that the redirection works right, and if any firewall rules updates
-> work properly too. Or will this just never work?
-> 
-> Here's what I ended up with, I didn't miss anything important, did I?...
-> *****Not counting what Manuel suggested, which I'll add tonight...
-> >> pass in quick on ppp0 proto tcp from any to 10.10.10.10/32 port = 80
-> >I think you also need:
-> > --- pass in quick on ppp0 proto tcp from any to any flags S/SA
-> >to allow outgoing connections to work.
-> >> block in quick all with short
-> >Should be 
-> > --- block in quick on ppp0  all with short
-> >otherwise you may block traffic on internal interfaces too.
-> *****
-> 
-> *****IPF.CONF*****
-> #!/sbin/ipf -f -
-> #
-> # Prevent IP spoofing.
-> pass in quick on ppp0 proto tcp from any to 10.10.10.10/32 port = 80
-> #
-> block in quick all with short
-> # Bruce
-> #block in quick all with ipopts
-> #
-> # drop shorts
-> block in quick all with short
-> #
-> # block bad traffic on ppp0 from private networks and throw it away
-> # we should never see any packets like this unless something is wrong
-> block in quick on ppp0 from 127.0.0.0/8 to any
-> block in quick on ppp0 from 10.0.0.0/8 to any
-> block in quick on ppp0 from 192.168.0.0/16 to any
-> block in quick on ppp0 from 172.16.0.0/12 to any
-> #
-> # block bad cookie bot traffic and throw it away
-> block in quick on ppp0 from 216.30.17.160/32 to any
-> block out quick on ppp0 from any to 216.30.17.160/32
-> #
-> # Provisionally block all traffic coming from ppp0
-> block in on ppp0 from any to any
-> #
-> # don't block loopback device (I could move this somewhere else)
-> pass in quick on lo0 all
-> pass out quick on lo0 all
-> #
-> # Use keep state to allow replies to outbound traffic
-> pass out on ppp0 proto tcp/udp from any to any keep state
-> #
-> # Use keep state to allow replies to outbound icmp (from ping)
-> pass out on ppp0 proto icmp from any to any keep state
-> #
-> 
-> *****IPNAT.CONF*****
-> #!/sbin/ipnat -f -
-> #
-> # THIS IS WRITTEN FOR IP FILTER 3.2
-> #
-> # ex0 - (old ext.) connection to ISP, address 10.10.10.20/32
-> # ppp0- (new ext.) connection to SNET, DHCP address - 0/32
-> # ep0 - (internal) network interface, address 192.168.1.250/32
-> #
-> rdr ppp0 0/0 port 80 -> 10.10.10.10 port 80 tcp
-> rdr ppp0 0/0 port 80 -> 10.10.10.10 port 80 udp
-> #
-> map ppp0 10.10.10.0/24 -> 0/32 portmap tcp/udp 40000:60000
-> map ppp0 10.10.10.0/24 -> 0/32
-> #
-> #To make ftp work, using the internal ftp proxy, use:
-> map ppp0 10.10.10.0/24 -> 0/32 proxy port ftp ftp/tcp
-> #
-> 
-> -> -----Original Message-----
-> -> From: David Woyciesjes 
-> -> Sent: Friday, October 20, 2000 3:02 PM
-> -> To: 'Mike Pelley'; David Woyciesjes
-> -> Cc: NetBSD Tech-Net
-> -> Subject: RE: IPNat, IPF, and webservers...
-> -> 
-> -> 
-> -> Yes, the firewall is set as the gateway. And thanks for the 
-> -> commands...
-> -> 
-> -> -> -----Original Message-----
-> -> -> From: Mike Pelley [mailto:mike@pelley.com]
-> -> -> Sent: Friday, October 20, 2000 2:46 PM
-> -> -> To: David Woyciesjes
-> -> -> Cc: NetBSD Tech-Net
-> -> -> Subject: Re: IPNat, IPF, and webservers...
-> -> -> 
-> -> -> 
-> -> -> I haven't looked at the stuff at dubbele.com but here are some thoughts.
-> -> -> 
-> -> -> > Now, all I want is to allow http (port 80) traffic thru to machine
-> -> -> > 10.10.10.10.
-> -> -> [stuff deleted]
-> -> -> > rdr ppp0 0/32 port 80 -> 10.10.10.10 port 80 tcp
-> -> -> 
-> -> -> One thing to check - the default gateway for 10.10.10.10 must be the NetBSD
-> -> -> machine so ipnat can rewrite the reply packets.  I imagine you would have
-> -> -> set it that way but maybe not.
-> -> -> 
-> -> -> > BTW, aren't there command to renew the ipf and ipnat rules w/o rebooting?
-> -> -> 
-> -> -> To renew ipnat rules without disconnecting current sessions you can use
-> -> -> "ipnat -C -f /etc/ipnat.conf", and to renew ipfilter rules you can use
-> -> -> "ipf -Fa -f /etc/ipf.conf".
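Two of the problems raised in the quoted thread (a `block in quick all ...` rule with no `on <interface>` clause, which also hits the internal interface, and a rule listed twice) can be caught mechanically before the ruleset is loaded. The following checker is an added example for this thread, not code from the mail or from IPFilter; the sample ruleset inside it is a constructed excerpt of the ipf.conf quoted above.

```python
"""Small lint for IPFilter (ipf.conf) rulesets: flags block rules that name no
interface and rules that appear more than once. Added example, not part of
the original thread or of IPFilter."""
import re
from collections import Counter

# Constructed sample: relevant lines of the ruleset quoted in the thread.
SAMPLE_RULES = """\
#!/sbin/ipf -f -
pass in quick on ppp0 proto tcp from any to 10.10.10.10/32 port = 80
block in quick all with short
block in quick all with short
block in quick on ppp0 from 127.0.0.0/8 to any
pass in quick on lo0 all
pass out on ppp0 proto tcp/udp from any to any keep state
"""


def parse_rules(text):
    """Return (line_no, normalized_rule) for every non-comment, non-blank line."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop comments and the shebang
        if line:
            rules.append((n, ' '.join(line.split())))
    return rules


def unbound_block_rules(rules):
    """Line numbers of block rules with no 'on <ifname>' clause; such a rule
    applies to every interface, the internal one included."""
    return [n for n, r in rules
            if r.startswith('block') and not re.search(r'\bon\s+\S+', r)]


def duplicate_rules(rules):
    """Rules that occur more than once verbatim (redundant entries)."""
    counts = Counter(r for _, r in rules)
    return sorted(r for r, c in counts.items() if c > 1)


def lint(text):
    rules = parse_rules(text)
    return {'unbound_block': unbound_block_rules(rules),
            'duplicates': duplicate_rules(rules)}


if __name__ == '__main__':
    for kind, hits in lint(SAMPLE_RULES).items():
        print(kind, hits)
```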