Subject: Firewalling made difficult
To: None <tech-net@netbsd.org>
From: Paul B Dokas <dokas@cs.umn.edu>
List: tech-net
Date: 08/03/1999 18:53:27
[ Let me preface this with a disclaimer:  my knowledge of networking
  and IP filtering is about a 2 or 3 on a scale of 1 to 10.  I know
  just enough to be dangerous and not much more.  So, if you scratch
  your head in amazement that someone might actually try to do what I've
  layed out here, then please let me know.  I could very easily be
  approaching this problem from a completely wrong angle. ]

  
I've got a few applications for an apparently non-standard type of
firewall (ok, I consider it non-standard since I've yet to see an
example anywhere).

I've completely read all of the man pages for ipf, ipnat, ipfstat, etc
and the IP Filter web pages (http://cheops.anu.edu.au/~avalon/ip-filter.html)
as well as the examples and how-to's linked from there.  So I've got a
pretty good understanding of building a normal many-hosts-behind-a-single-IP
style firewall.  Basically, I've built the following, common setup:



                                The Internet
                                     |
                                     |
                               +============+
                               | ADSL Modem |
                               +============+
                                     |
                                     |
                                     |
                                     |A.B.C.D
                                +====+=====+
                                | Firewall |
                                +====+=====+
                                     |10.0.0.254
                                     |
                                     |
    ---------------------------------+
       |            |           |
       |            |           |
       |10.0.0.1    |10.0.0.2   |10.0.0.3
    +=====+      +=====+     +=====+
    |  A  |      |  B  |     |  C  |
    +=====+      +=====+     +=====+


That is, I've got a firewall with 2 NICs attached to a cable modem.  The
external NIC has a static IP and the internal has a non-routable IP.
There are many machines on the internal LAN; I've simply shown only
3.

And this works just fine.  As each host makes outbound connections, it
gets mapped to the firewall's IP address.  The filtering rules are also
very adequate for my needs (only allow a few outbound ports, like www,
ftp, ssh, icmp and don't allow *any* inbound traffic that doesn't have
a matching "keep state").


But, I've now got a block of IP addresses (8 to be exact) and I've got
to make a few changes.  With 8 addresses, I've got 5 usable for machines,
one of which gets assigned to the firewall, leaving 4 more.  This is where
it gets sticky.

I've got to map these spare IP addresses to *internal* machines such that
the firewall will allow *bi*directional traffic.  That is, packets created
at an internal machine go through the firewall and always appear as if they
came from the same machine.  And inbound packets from the Internet need
to be passed through the firewall and always get routed to the same internal
machine.

Basically, a few machines need to be mapped to static external IP addresses
and allow inbound traffic.  In essence, they need to both "map" and "rdr" at
the same time.


Just in case you're wondering, I plan to set up highly selective filters at
the firewall so that these statically mapped internal machines will only talk
to a very few select computers on the Internet.  And then only a few ports on
each internal machine will be visible.  Yea, yea, I know, "Yuck!".
Unfortunately, I don't have a choice. :-(   I would create VPNish tunnels to
accomplish this, but that's also not an option.


Now, as I said earlier, I've rtfm'd everything that I could find.  About the
only small lead that I've seen is a reference to the undocumented ipnat
keyword called "bimap" (section 3.3 in http://www.swcp.com/~synk/ipf-howto.txt)
which looks hopeful.

Before I dig even further, has anyone done this?  Or am I completely off my
rocker for even thinking that this can be done?

Paul
--
Paul Dokas                                            dokas@cs.umn.edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
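As an added illustration of the setup asked about above (example configuration written for this page, not Paul's or the IP Filter project's own), here is what the `bimap` approach looks like together with the selective filter rules. Assumed names: `ep0` is the external NIC, `ep1` the internal one, 192.0.2.0/29 stands in for the /29 block with 192.0.2.1 as the firewall's own A.B.C.D, and 198.51.100.10 / 198.51.100.0/24 stand in for the few permitted remote hosts. One IP Filter detail that matters for writing the filter rules: inbound packets are translated by ipnat before the filter sees them, and outbound packets are filtered before translation, so rules on `ep0` name the internal 10.0.0.x addresses, not the public ones.

```conf
# ---- /etc/ipnat.conf (constructed example) ----
# bimap: one-to-one, bidirectional translation. Host A always leaves as
# 192.0.2.2 and anything arriving for 192.0.2.2 is delivered to 10.0.0.1.
# Listed before the general map rule because the first matching rule wins.
bimap ep0 10.0.0.1/32 -> 192.0.2.2/32
bimap ep0 10.0.0.2/32 -> 192.0.2.3/32
# Everyone else keeps the existing many-to-one mapping onto the firewall's IP.
map ep0 10.0.0.0/24 -> 192.0.2.1/32 portmap tcp/udp 10000:20000
map ep0 10.0.0.0/24 -> 192.0.2.1/32

# ---- /etc/ipf.conf (constructed example) ----
# Inbound NAT runs before filtering, outbound NAT after, so ep0 rules use
# the internal 10.0.0.x addresses even though the wire carries 192.0.2.x.
# Private source addresses never legitimately arrive from the Internet.
block in log quick on ep0 from 10.0.0.0/8 to any
block in all
block out all

# Host A (10.0.0.1 <-> 192.0.2.2): ssh and smtp from one named remote host
# only; anything else inbound falls through to "block in all".
pass in quick on ep0 proto tcp from 198.51.100.10 to 10.0.0.1 port = 22 flags S keep state
pass in quick on ep0 proto tcp from 198.51.100.10 to 10.0.0.1 port = 25 flags S keep state
# Host A may only initiate connections back to that same remote host;
# the explicit block keeps it out of the general outbound rules below.
pass out quick on ep0 proto tcp from 10.0.0.1 to 198.51.100.10 flags S keep state
block out log quick on ep0 from 10.0.0.1 to any

# Host B (10.0.0.2 <-> 192.0.2.3): web only, from one remote network,
# and no outbound connections of its own.
pass in quick on ep0 proto tcp from 198.51.100.0/24 to 10.0.0.2 port = 80 flags S keep state
block out log quick on ep0 from 10.0.0.2 to any

# Remaining internal hosts: the existing outbound-only policy, with replies
# admitted by state rather than by any inbound pass rule.
pass out quick on ep0 proto tcp from 10.0.0.0/24 to any port = 80 flags S keep state
pass out quick on ep0 proto tcp from 10.0.0.0/24 to any port = 21 flags S keep state
pass out quick on ep0 proto tcp from 10.0.0.0/24 to any port = 22 flags S keep state
pass out quick on ep0 proto udp from 10.0.0.0/24 to any port = 53 keep state
pass out quick on ep0 proto icmp from 10.0.0.0/24 to any keep state

# Internal interface: policy is enforced on ep0, so the LAN side passes.
pass in quick on ep1 all
pass out quick on ep1 all
```

If the modem puts the /29 on the Ethernet rather than routing it to the firewall, the firewall must also answer for 192.0.2.2 and 192.0.2.3, for example with `ifconfig ep0 inet 192.0.2.2 netmask 0xffffffff alias` or a published ARP entry, or nothing will reach the bimap rules. Check what the translator and the state table are doing with `ipnat -l` and `ipfstat -s` before trusting the policy.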