Subject: Re: NAT & IPFilter
To: <>
From: Sam Carleton <scarleton@miltonstreet.com>
List: tech-security
Date: 07/22/2001 15:32:28
Cy Schubert - ITSD Open Systems Group wrote:

> In message <3B5B21E5.75FB8503@miltonstreet.com>, Sam Carleton writes:
>
> [ipf.conf among other stuff edited out]
> > ---------ipnat.conf---------
> > map iy0 192.168.0.1/24 -> 0/32 proxy port ftp ftp/tcp
> > map iy0 192.168.0.1/24 -> 0/32 portmap tcp/udp 40000:60000
> > map iy0 192.168.0.1/24 -> 0/32
> >
> > rdr iy0 0.0.0.0/32 port 22 -> 192.168.0.5 port 22
> > rdr iy0 0.0.0.0/32 port 25 -> 192.168.0.5 port 25
> > rdr iy0 0.0.0.0/32 port 80 -> 192.168.0.5 port 80
> > rdr iy0 0.0.0.0/32 port 443 -> 192.168.0.5 port 443
> > ---------ipnat.conf---------
>
> Your internal interface is tun0 and external interface is iy0.  Do I
> understand this correctly?  If so, your map and rdr statements should
> reference tun0 not iy0.

Ok, my mind is totally fried at this point.  iy0 is my outside NIC and ex0 is
my inside NIC.  The three map commands seem to be working just fine
considering the fact that I have been able to get and receive all these
emails, and hit the web from 192.168.0.20.  I relay mail through 192.168.0.5
and I know that is working because both you and I are getting my posting to
the mailing list.  I also have a conversation going on using one of the chat
programs, too.  But you are saying that it should read like this:

map ex0 192.168.0.1/24 -> 0/32 proxy port ftp ftp/tcp
map ex0 192.168.0.1/24 -> 0/32 portmap tcp/udp 40000:60000
map ex0 192.168.0.1/24 -> 0/32

rdr ex0 0.0.0.0/32 port 22 -> 192.168.0.5 port 22
rdr ex0 0.0.0.0/32 port 25 -> 192.168.0.5 port 25
rdr ex0 0.0.0.0/32 port 80 -> 192.168.0.5 port 80
rdr ex0 0.0.0.0/32 port 443 -> 192.168.0.5 port 443

> > Another question:  It is my understanding that when I get a new IP
> > address for my ISP, I need to have NAT update itself.  What is the best
> > way to do this considering the machine never disconnects?
>
> When the status of an interface changes you'll need to resynchronise IPF
> (ipf -y) or reload your rules (ipf -Fa -f ipf.conf).  Both are equally
> effective, though ipf -y is the proper way to do it.

Ok, but how do I go about getting ipf -y to run whenever the machine gets a
new IP address?

Sam Carleton
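One way to do what the last question asks, as an added example that is not from the thread: a small POSIX sh script, run from cron, that records the external interface's current IPv4 address and runs ipf -y only when that address has changed. The interface name iy0 and the ipf -y command come from the thread; the script name, the state file path and the address parser are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): poll the external interface and run
# "ipf -y" only when its IPv4 address differs from the one last recorded.
# Assumptions: interface iy0 (from the thread), state file path, cron usage.

EXT_IF="${EXT_IF:-iy0}"
STATE_FILE="${STATE_FILE:-/var/run/ipf-extaddr.$EXT_IF}"

# Constructed sample of NetBSD-style ifconfig output, used for a dry run.
SAMPLE_IFCONFIG='iy0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::1%iy0 prefixlen 64 scopeid 0x1
        inet 203.0.113.7 netmask 0xffffff00 broadcast 203.0.113.255'

# Print the first IPv4 address in ifconfig output read from stdin.
# Accepts both "inet 1.2.3.4 ..." and Linux-style "inet addr:1.2.3.4 ...";
# "inet6" lines are skipped because $1 must equal "inet" exactly.
parse_inet_addr() {
    awk '$1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }'
}

# Compare the recorded address with the current one and print the action:
# "noaddr" (interface has no address), "same", or "resync".
decide_resync() {
    old="$1"; new="$2"
    if [ -z "$new" ]; then echo noaddr
    elif [ "$old" = "$new" ]; then echo same
    else echo resync
    fi
}

# Cron entry point, e.g. once a minute:  * * * * * /usr/local/sbin/ipf-resync.sh run
check_and_resync() {
    new="$(ifconfig "$EXT_IF" 2>/dev/null | parse_inet_addr)"
    old=""; [ -r "$STATE_FILE" ] && old="$(cat "$STATE_FILE")"
    case "$(decide_resync "$old" "$new")" in
        resync)
            logger -t ipf-resync "$EXT_IF: ${old:-none} -> $new, running ipf -y"
            # Resynchronise IPFilter/NAT with the new address; record it only on success.
            ipf -y && printf '%s\n' "$new" > "$STATE_FILE" ;;
        noaddr)
            logger -t ipf-resync "$EXT_IF has no IPv4 address, nothing done" ;;
    esac
}

case "${1:-}" in
    run)  check_and_resync ;;
    demo) printf '%s\n' "$SAMPLE_IFCONFIG" | parse_inet_addr ;;   # prints 203.0.113.7
esac
```

Because the state file is only rewritten after ipf -y succeeds, a failed resync is retried on the next cron run instead of being silently lost.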