Help: Using ipfw/natd to connect+control an unregistered net to the Internet


Post by Dr K J Drylleraki » Wed, 26 May 1999 04:00:00



I have lately come across the following problem which I have been unable to
resolve. If someone can give me some hint(s) it would be greatly
appreciated.

Imagine a company network with unregistered addresses (say 192.168.0.0)
which connects to the Internet via a multi-homed FreeBSD box and a permanent
connection. It is quite apparent how you can set up the FreeBSD machine to
divert packets from the internal net to natd for translation as well as
impose filtering rules to incoming packets from the internet. However it is
not apparent how to control packets from internal machines accessing the
internet. Since the divert rules appear first in the ipfw ruleset, all the
following rules apply to the _translated_ packets (i.e. with the alias IP
address) once re-injected in the rule stream by natd. I.e. all internal
machines have the same "permissions" as the gateway/firewall machine.
Supposing telnet access is generally forbidden but for host 192.168.2.1 while
(of course) masking the host's virtual IP address, how is this achieved?

Thanks in advance,

Dr. K. J. Dryllerakis


Post by Kenneth Furg » Fri, 28 May 1999 04:00:00



Quote:

> Imagine a company network with unregistered addresses (say 192.168.0.0)
> which connects to the Internet via a multi-homed FreeBSD box and a permanent
> connection. It is quite apparent how you can set up the FreeBSD machine to
> divert packets from the internal net to natd for translation as well as
> impose filtering rules to incoming packets from the internet. However it is
> not apparent how to control packets from internal machines accessing the
> internet. Since the divert rules appear first in the ipfw ruleset, all the
> following rules apply to the _translated_ packets (i.e. with the alias IP
> address) once re-injected in the rule stream by natd. I.e. all internal
> machines have the same "permissions" as the gateway/firewall machine.
> Supposing telnet access is generally forbidden but for host 192.168.2.1 while
> (of course) masking the host's virtual IP address, how is this achieved?

I would suggest modifying the /etc/rc.firewall script to put the divert
rule after the filtering rules for your network.  That way you can apply
any filtering you want before the translation occurs.

- K.C.


Post by Dr K J Drylleraki » Fri, 28 May 1999 04:00:00



>> Imagine a company network with unregistered addresses (say 192.168.0.0)
>> ....
>> (of course) masking the host's virtual IP address, how is this achieved?

>I would suggest modifying the /etc/rc.firewall script to put the divert
>rule after the filtering rules for your network.  That way you can apply
>any filtering you want before the translation occurs.

Unfortunately, only "deny" rules will have any effect before the
"divert" rule since a successful "allow" rule will terminate the search
without diverting the packet. There must be another method to control where
the packets are re-injected in the rules for filtering. I just can't figure
out what it is...

KD
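The rule-ordering behaviour the three posts argue about, as an added Python model that is not from the thread and not FreeBSD's ipfw or natd: a first-match walk over rules where a matching "divert" hands the packet to a natd stand-in that rewrites internal sources and re-injects the packet at the next rule, while "allow" and "deny" end the search. It assumes a constructed gateway alias 203.0.113.1, the 192.168.0.0/16 net and exempt host 192.168.2.1 from the question, and goes one step further than the replies by writing the exemption into the deny rule itself so no "allow" has to sit in front of the divert.

```python
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.0.0/16")   # the unregistered net from the thread
ALIAS = "203.0.113.1"                     # constructed public address of the gateway
EXEMPT = "192.168.2.1"                    # the one host allowed to telnet out

def natd(pkt):
    """Stand-in for natd: rewrite an internal source address to the alias."""
    if ip_address(pkt["src"]) in INTERNAL:
        return dict(pkt, src=ALIAS), True
    return pkt, False

def evaluate(rules, pkt):
    """First-match walk over (action, predicate) pairs, like ipfw.
    A matching 'divert' passes the packet to natd, which re-injects it at the
    next rule; 'allow' and 'deny' end the search.  Returns
    (verdict, source address as the packet leaves the box, was it translated)."""
    translated = False
    for action, matches in rules:
        if not matches(pkt):
            continue
        if action == "divert":
            pkt, translated = natd(pkt)
            continue
        return action, pkt["src"], translated
    return "deny", pkt["src"], translated   # nothing matched: ipfw's default deny

def telnet_from_internal(p):
    return p["dport"] == 23 and ip_address(p["src"]) in INTERNAL

def anything(p):
    return True

# Ruleset A, the poster's layout: divert first, then filter.  The deny rule
# only ever sees the alias address, so it never fires.
NAT_FIRST = [("divert", anything), ("deny", telnet_from_internal), ("allow", anything)]

# Ruleset B, the reply's advice using only a deny before divert: the exemption
# lives inside the deny, so no 'allow' terminates the search early.
FILTER_FIRST = [("deny", lambda p: telnet_from_internal(p) and p["src"] != EXEMPT),
                ("divert", anything), ("allow", anything)]

# Ruleset C, the trap the third post describes: an early 'allow' for the
# exempt host ends the search before divert, so the packet leaves untranslated.
ALLOW_FIRST = [("allow", lambda p: p["src"] == EXEMPT)] + FILTER_FIRST

if __name__ == "__main__":
    for name, rules in (("A", NAT_FIRST), ("B", FILTER_FIRST), ("C", ALLOW_FIRST)):
        for src in ("192.168.5.5", EXEMPT):
            print(name, src, evaluate(rules, {"src": src, "dport": 23}))
```

Running it shows ruleset A letting every internal host telnet out as the alias, ruleset B blocking all but 192.168.2.1 while still translating that host, and ruleset C sending 192.168.2.1's packets out with the private source address.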


ipfw/natd settings for home network connected to cable internet via FreeBSD gateway?

(please correct me if I'm wrong)

natd should take care of this.  What natd does is remap port numbers, so
it is impossible for an outside machine to access your internal network
(this breaks some things, i.e., RTSP Quicktime Streaming, active mode
FTP, some SNMP).  Take this diagram.

internal port out 80 in 1000 <----> natd port out 80 in 1024 <---> www server port out 1024 in 80

When your internal opens a TCP connection to the www server, it flows
over the natd box.  natd then transparently remashes the connection to
come from another port on itself, but remembers that when packets flow
in this port, they should be regurgitated on the internal network on the
port your machine is using.  It will not open connections the other way
around since it has no way of knowing where to put the packets (packet
forwarders??).

But it's a good idea to secure the natd machine; if someone breaks into
that, then they get on the internal network.

Yann

--

--------------------------------------------------------------------

Atrus Trivalie Productions      www.redshift.com/~yramin
Monterey High IT                www.montereyhigh.com
ICQ                             46805627
AIM                             oddatrus
Marina, CA

IRM Developer                   Network Toaster Developer
SNTS Developer                  * Developer

"All cats die.  Socrates is dead.  Therefore Socrates is a cat."
        - The Logician
--------------------------------------------------------------------
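The port remapping in Yann's diagram, as an added Python model that is not natd's code: outbound connections get a fresh port on the gateway alias, replies to that port are mapped back to the internal host and port, and an inbound packet with no table entry is dropped. The alias 203.0.113.1, the server 198.51.100.9 and the ports are constructed sample values; the model keys only on the destination port for inbound traffic, which is a simplification.

```python
class Natd:
    """Simplified natd translation table (constructed model, not natd itself)."""

    def __init__(self, alias, first_port=1024):
        self.alias = alias          # public address of the gateway
        self.next_port = first_port # next free alias port, as in the diagram
        self.out_map = {}           # (int ip, int port, dst ip, dst port) -> alias port
        self.in_map = {}            # alias port -> (int ip, int port)

    def outbound(self, src, sport, dst, dport):
        """Internal -> Internet: allocate (or reuse) an alias port and rewrite
        the source to (alias, alias port)."""
        key = (src, sport, dst, dport)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = (src, sport)
        return (self.alias, self.out_map[key], dst, dport)

    def inbound(self, src, sport, dport):
        """Internet -> alias: rewrite the destination back to the internal host,
        or return None (drop) when no outbound connection created a mapping."""
        if dport not in self.in_map:
            return None
        isrc, isport = self.in_map[dport]
        return (src, sport, isrc, isport)


def demo():
    """Replays the diagram: one web request out, its reply back, and an
    unsolicited telnet attempt that finds no mapping."""
    nat = Natd("203.0.113.1")
    out = nat.outbound("192.168.0.7", 1000, "198.51.100.9", 80)
    reply = nat.inbound("198.51.100.9", 80, out[1])
    stray = nat.inbound("198.51.100.77", 4444, 23)
    return out, reply, stray

if __name__ == "__main__":
    print(demo())
```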
