Subject: Tricky ipf/ipnat question (longish)
To: None <netbsd-users@netbsd.org>
From: Martijn Bakker <m.p.bakker@student.utwente.nl>
List: current-users
Date: 03/26/2000 01:24:14
Hi all,

I have four IP addresses, a network of about 15 machines and want to use
one firewall. Hence I want machines on the local net to be accessible by
externally valid IP numbers as well as by a local IP. Ideally, this
would allow these machines to be accessible from outside (but subject to
restrictions by the firewall), as well as be able to function as a
perfectly normal machine on the local net. There is one problem. The
whole setup is behind a cable modem, and of course the cable router
doesn't know where to find the two machines if I don't tell it that the
route to these goes through the firewall (i.e. all I get is 'arp
who-has' messages from the router; these don't go past the firewall/NAT
and hence never get answered).

My current solution is to define the two extra addresses as IP aliases
for the firewall machine, define routes to these machines as routes to
'localhost' there, so they get to be passed through the firewall, and
'bimap' these addresses to the internal addresses with ipnat. The result,
however, appears 'quirky'. Simple operations like ping, telnet, http
work most of the time, but occasionally get responses from the firewall
instead of the intended machine. Dirtier/more complex protocols never
seem to work, however. Ftp will only function in passive mode, ICQ
doesn't work at all (I can live with that), ntalk never even gets an
invitation to the other party (same when instigated from either side of
the fw).

Any of you know an alternative solution?

Thanks,

Martijn

/* Less talk, more numbers version starts here */

The great beyond <-- Cable modem --> Firewall (i586, NetBSD 1.4.1) <--
Local net --> Local machine (Sparc Classic, NetBSD 1.4(p?))

The great beyond: 0.0.0.0/0, Gateway: 130.89.1.1, Firewall:
130.89.65.13, Local machine (through NAT): 130.89.65.11
Local network: 192.168.4.0/24, Firewall: 192.168.4.1, Local machine (in
this case): 192.168.4.201

/etc/ipnat.conf
#!/sbin/ipnat -f -
#
bimap ne0 192.168.4.201/32 -> 130.89.65.11/32
map ne0 192.168.4.0/24 -> 130.89.65.13/32 proxy port ftp ftp/tcp
map ne0 192.168.4.0/24 -> 130.89.65.13/32 portmap tcp/udp 40000:60000
map ne0 192.168.4.0/24 -> 130.89.65.13/32

/etc/ipf.conf
#!/sbin/ipf -f -
#
block in all
block out all
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
# Default rules, nobody enters or leaves, invalid packets get dropped.
#
block out quick on ne0 from any             to 130.89.65.13/32
block out quick on ne0 from any             to 127.0.0.0/24
block out quick on ne0 from any             to 10.0.0.0/8
block out quick on ne0 from any             to 172.16.0.0/16
block out quick on ne0 from any             to 192.168.0.0/16
pass  out       on ne0 from 192.168.4.0/24  to any
pass  out       on ne0 from 130.89.65.10/32 to any
pass  out       on ne0 from 130.89.65.11/32 to any
pass  out       on ne0 from 130.89.65.12/32 to any
pass  out       on ne0 from 130.89.65.13/32 to any
# We can send anything not addressed to a non-routable network
# or myself.
#
block in  quick on ne0 from 130.89.65.13/32 to any
block in  quick on ne0 from 127.0.0.0/8     to any
block in  quick on ne0 from 10.0.0.0/8      to any
block in  quick on ne0 from 172.16.0.0/16   to any
block in  quick on ne0 from 192.168.0.0/16  to any
pass  in        on ne0 from any             to 192.168.4.0/24
pass  in        on ne0 from any             to 130.89.65.10/32
pass  in        on ne0 from any             to 130.89.65.11/32
pass  in        on ne0 from any             to 130.89.65.12/32
pass  in        on ne0 from any             to 130.89.65.13/32
# We also receive anything addressed to us and not from a non-routable
# network or ourselves on the global interface.
#
block out quick on rl0 from any             to 192.168.4.1/32
block out quick on rl0 from 127.0.0.0/8     to any
block out quick on rl0 from 10.0.0.0/8      to any
block out quick on rl0 from 172.16.0.0/16   to any
block out       on rl0 from 192.168.0.0/16  to any
pass  out       on rl0 from any             to 192.168.4.0/24
# We send everything addressed to the local network and not to ourselves
# out on the local network.
#
block in  quick on rl0 from 192.168.4.1/32 to any
block in  quick on rl0 from any            to 127.0.0.0/8
block in  quick on rl0 from any            to 10.0.0.0/8
block in  quick on rl0 from any            to 172.16.0.0/16
block in        on rl0 from any            to 192.168.0.0/16
pass  in        on rl0 from 192.168.4.0/24 to any
# We can accept anything originating from a valid address in the local
# network and addressed to a valid address for us or any outsider.
#
pass  in  quick on lo0 from any            to any
pass  out quick on lo0 from any            to any
# The local network must keep functioning too

route table (simplified, numbers substituted for names):

Routing tables

Internet:
Destination      Gateway            Flags
default          130.89.1.1         UG
localhost        127.0.0.1          UH
130.89.0.0       link#2             U
130.89.1.1       0:60:3e:c5:e5:a2   UH
130.89.65.11     127.0.0.1          UGH
130.89.65.13     127.0.0.1          UGH
130.89.255.255   link#2             UH
192.168.4.0      link#1             U
192.168.4.1      127.0.0.1          UGH
192.168.4.201    8:0:2b:37:62:cb    UH

/*                                                                    */
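As an added illustration (not part of the original mail), the following Python model reproduces ipf's rule-evaluation semantics, last matching rule wins unless a matching rule is 'quick', and runs a subset of the posted /etc/ipf.conf against constructed packets. It shows why the `block in all` default at the top is overridden by the later `pass in` rules, while the `quick` blocks on private source ranges and `with ipopts` terminate evaluation immediately; `proto`, `log` and state are deliberately not modelled.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_rule(line):
    """Parse 'pass|block in|out [log] [quick] [on IF] [proto P] from A to B [with C]'."""
    tok = line.split()
    rule = {"action": tok[0], "dir": tok[1], "quick": "quick" in tok,
            "iface": None, "src": ANY, "dst": ANY, "with": None}
    for i, t in enumerate(tok[:-1]):
        if t == "on":
            rule["iface"] = tok[i + 1]
        elif t == "from" and tok[i + 1] != "any":
            rule["src"] = ipaddress.ip_network(tok[i + 1], strict=False)
        elif t == "to" and tok[i + 1] != "any":
            rule["dst"] = ipaddress.ip_network(tok[i + 1], strict=False)
        elif t == "with":          # e.g. 'with ipopts'; matched against packet flags
            rule["with"] = tok[i + 1]
    return rule

def load_rules(text):
    """Skip blank lines and '#' comments, as ipf does."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def decide(rules, direction, iface, src, dst, flags=()):
    """ipf semantics: the LAST matching rule wins, unless a matching rule is 'quick'."""
    verdict = "pass"  # ipf's implicit result when no rule matches at all
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["dir"] != direction or (r["iface"] and r["iface"] != iface):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["with"] and r["with"] not in flags:
            continue
        verdict = r["action"]
        if r["quick"]:
            break                      # 'quick' stops evaluation immediately
    return verdict

# Subset of the posted /etc/ipf.conf (rule text copied from the mail above).
RULES = load_rules("""
block in all
block out all
block in log quick from any to any with ipopts
block in  quick on ne0 from 10.0.0.0/8      to any
pass  in        on ne0 from any             to 130.89.65.11/32
pass  out       on rl0 from any             to 192.168.4.0/24
""")
```

With this subset, a packet from the cable gateway to 130.89.65.11 arriving on ne0 is passed (the later `pass in` overrides `block in all`), the same packet with IP options set or with a 10/8 source is dropped by a `quick` rule, and traffic to 130.89.65.12 stays blocked because no later rule passes it.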