natd and ipfw

Post by me » Thu, 14 Feb 2002 09:19:10



     Hi all.  I'm running FreeBSD 4.4 as a gateway behind which is a Windows
XP machine.  For some reason I can't get ping or traceroute working at all.
I've narrowed it down to some sort of problem with my firewall rules, but I
can't for the life of me figure out just what.  Here are my firewall rules:

add divert natd all from any to any via tun0
add pass icmp from any to any icmptypes 0,3,11
add pass icmp from any to any out
add pass icmp from any to any in
add pass udp from any to any 33434-34000 out
add allow ip from any to any via lo0
add allow ip from any to any via xl0
add allow ip from any to any via dc0
add allow tcp from any to any out xmit tun0 setup
add allow tcp from any to any via tun0 established
add allow tcp from any to any 22 setup
add allow tcp from any to any 21 setup
add reset log tcp from any to any 113 in recv tun0
add allow udp from any to 209.226.175.223 53 out xmit tun0
add allow udp from any to 198.235.216.134 53 out xmit tun0
add allow udp from 209.226.175.223 53 to any in recv tun0
add allow udp from 198.235.216.134 53 to any in recv tun0
add deny log ip from any to any

and the relevant parts of rc.conf are:

gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw/ipfwrules"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-u -dynamic"

   The ICMP rules were originally just before the DNS rules at the end, but
that gave way to many 'natd[140]: failed to write packet back (permission
denied)' messages, so I moved them as a test.  The weird thing is that I can
sometimes get ping working from inside the gateway.  Yeah, ping and
traceroute are not exactly important to me, but it would still be nice to
have them.  Any ideas?


natd and ipfw

Post by Hubert Cros » Thu, 14 Feb 2002 12:29:26


I've done NAT with natd before, and I would recommend putting the
divert line right above that 'deny log ip from any to any' line.  Having
divert first makes things after it behave nutty, AFAIK.

If that doesn't fix it, try building on top of this basic ipfw list:
allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
__This is for passive ftp stuff, btw:
allow tcp from any 1024-65535 to any 20 setup
allow tcp from any 20 to any 1024-65535 setup
__
divert 8668 ip from any to any via any
allow ip from any to any via any

Good luck
-Hubert


>     Hi all.  I'm running freeBSD 4.4 as a gateway behind which is a windows
>xp machine.  For some reason I can't get ping or traceroute working at all.
>I've narrowed it down to some sort of problem with my firewall rules, but I
>can't for the life of me figure out just what.  Here are my firewall rules:

>add divert natd all from any to any via tun0
>add pass icmp from any to any icmptypes 0,3,11
>add pass icmp from any to any out
>add pass icmp from any to any in
>add pass udp from any to any 33434-34000 out
>add allow ip from any to any via lo0
>add allow ip from any to any via xl0
>add allow ip from any to any via dc0
>add allow tcp from any to any out xmit tun0 setup
>add allow tcp from any to any via tun0 established
>add allow tcp from any to any 22 setup
>add allow tcp from any to any 21 setup
>add reset log tcp from any to any 113 in recv tun0
>add allow udp from any to 209.226.175.223 53 out xmit tun0
>add allow udp from any to 198.235.216.134 53 out xmit tun0
>add allow udp from 209.226.175.223 53 to any in recv tun0
>add allow udp from 198.235.216.134 53 to any in recv tun0
>add deny log ip from any to any

>and the relevant parts of rc.conf are:

>gateway_enable="YES"
>firewall_enable="YES"
>firewall_script="/etc/ipfw/ipfwrules"
>natd_enable="YES"
>natd_interface="tun0"
>natd_flags="-u -dynamic"

>   The icmp rules were originally just before the DNS rules at the end, but
>that gave way to many 'natd[140]: failed to write packet back (permission
>denied)' messages so I moved it as a test.  The weird thing is that i can
>sometimes get ping working from inside the gateway.  Yeah, ping and
>traceroute are not exactly important to me, but it would still be nice to
>have them.  Any ideas?



natd and ipfw

Post by Jed Clea » Thu, 14 Feb 2002 12:55:21


Did you config, make, and install a new kernel with the relevant
options?

Try adding an "add pass ip from any to any via tun0" and see if that
helps.  Your outside interface is tun0, not the normal Ethernet I/F (xl0
or dc0), if you're using PPPoE (or regular PPP).

I'm assuming you realize that your firewall is pretty well open at the
moment.  Or will be when you add the above.


>      Hi all.  I'm running freeBSD 4.4 as a gateway behind which is a windows
> xp machine.  For some reason I can't get ping or traceroute working at all.
> I've narrowed it down to some sort of problem with my firewall rules, but I
> can't for the life of me figure out just what.  Here are my firewall rules:

> add divert natd all from any to any via tun0
> add pass icmp from any to any icmptypes 0,3,11
> add pass icmp from any to any out
> add pass icmp from any to any in
> add pass udp from any to any 33434-34000 out
> add allow ip from any to any via lo0
> add allow ip from any to any via xl0
> add allow ip from any to any via dc0
> add allow tcp from any to any out xmit tun0 setup
> add allow tcp from any to any via tun0 established
> add allow tcp from any to any 22 setup
> add allow tcp from any to any 21 setup
> add reset log tcp from any to any 113 in recv tun0
> add allow udp from any to 209.226.175.223 53 out xmit tun0
> add allow udp from any to 198.235.216.134 53 out xmit tun0
> add allow udp from 209.226.175.223 53 to any in recv tun0
> add allow udp from 198.235.216.134 53 to any in recv tun0
> add deny log ip from any to any

> and the relevant parts of rc.conf are:

> gateway_enable="YES"
> firewall_enable="YES"
> firewall_script="/etc/ipfw/ipfwrules"
> natd_enable="YES"
> natd_interface="tun0"
> natd_flags="-u -dynamic"

>    The icmp rules were originally just before the DNS rules at the end, but
> that gave way to many 'natd[140]: failed to write packet back (permission
> denied)' messages so I moved it as a test.  The weird thing is that i can
> sometimes get ping working from inside the gateway.  Yeah, ping and
> traceroute are not exactly important to me, but it would still be nice to
> have them.  Any ideas?


natd and ipfw

Post by me » Fri, 15 Feb 2002 09:58:17



> Did you config, make, and install a new kernel with the relevant
> options?

   Yup, I did all that.

> Try adding an "add pass ip from any to any via tun0" and see if that
> helps.  Your outside interface is tun0, not the normal Ethernet I/F (xl0
> or dc0), if you're using PPPoE (or regular PPP).

   Yeah, using an open firewall allows everything to work properly.  I just
can't figure out what is blocking ICMP stuff.  I've shuffled around all the
rules and that doesn't seem to help.  I have noticed though that if the
divert natd line is at the end, all sorts of weird things happen (sometimes
I can't do anything over the internet, for example).  With the way I have
things now (as specified in the above post) everything works perfectly
except for ICMP stuff.  As I said, it's weird.  The web is singularly
unhelpful, since everything I've found says to use the rules the way I
already have them.

> I'm assuming you realize that your firewall is pretty well open at the
> moment.  Or will be when you add the above.


> >      Hi all.  I'm running freeBSD 4.4 as a gateway behind which is a windows
> > xp machine.  For some reason I can't get ping or traceroute working at all.
> > I've narrowed it down to some sort of problem with my firewall rules, but I
> > can't for the life of me figure out just what.  Here are my firewall rules:

> > add divert natd all from any to any via tun0
> > add pass icmp from any to any icmptypes 0,3,11
> > add pass icmp from any to any out
> > add pass icmp from any to any in
> > add pass udp from any to any 33434-34000 out
> > add allow ip from any to any via lo0
> > add allow ip from any to any via xl0
> > add allow ip from any to any via dc0
> > add allow tcp from any to any out xmit tun0 setup
> > add allow tcp from any to any via tun0 established
> > add allow tcp from any to any 22 setup
> > add allow tcp from any to any 21 setup
> > add reset log tcp from any to any 113 in recv tun0
> > add allow udp from any to 209.226.175.223 53 out xmit tun0
> > add allow udp from any to 198.235.216.134 53 out xmit tun0
> > add allow udp from 209.226.175.223 53 to any in recv tun0
> > add allow udp from 198.235.216.134 53 to any in recv tun0
> > add deny log ip from any to any

> > and the relevant parts of rc.conf are:

> > gateway_enable="YES"
> > firewall_enable="YES"
> > firewall_script="/etc/ipfw/ipfwrules"
> > natd_enable="YES"
> > natd_interface="tun0"
> > natd_flags="-u -dynamic"

> >    The icmp rules were originally just before the DNS rules at the end, but
> > that gave way to many 'natd[140]: failed to write packet back (permission
> > denied)' messages so I moved it as a test.  The weird thing is that i can
> > sometimes get ping working from inside the gateway.  Yeah, ping and
> > traceroute are not exactly important to me, but it would still be nice to
> > have them.  Any ideas?


natd and ipfw

Post by Michael Sierchi » Fri, 15 Feb 2002 11:36:38



> rules:

>>>add divert natd all from any to any via tun0
>>>add pass icmp from any to any icmptypes 0,3,11
>>>add pass icmp from any to any out
>>>add pass icmp from any to any in
>>>add pass udp from any to any 33434-34000 out
>>>add allow ip from any to any via lo0
>>>add allow ip from any to any via xl0
>>>add allow ip from any to any via dc0
>>>add allow tcp from any to any out xmit tun0 setup
>>>add allow tcp from any to any via tun0 established
>>>add allow tcp from any to any 22 setup
>>>add allow tcp from any to any 21 setup
>>>add reset log tcp from any to any 113 in recv tun0
>>>add allow udp from any to 209.226.175.223 53 out xmit tun0
>>>add allow udp from any to 198.235.216.134 53 out xmit tun0
>>>add allow udp from 209.226.175.223 53 to any in recv tun0
>>>add allow udp from 198.235.216.134 53 to any in recv tun0
>>>add deny log ip from any to any

I would put rules for packets that don't require natd to do
work on them at the beginning.

# I see these rules as problematic, because inbound packets from
# outside, after NAT, won't pass, since they're via tun0

add allow ip from any to any via xl0
add allow ip from any to any via dc0

You also don't need explicit DNS rules if you are making queries to
the servers and not providing authoritative DNS for outside hosts.

Assuming that I understand what you intend, I'd write something like
the following.  It allows DNS, traceroute, and any other UDP out
with replies handled properly.  It responds to traceroute queries on
behalf of all inbound traces properly.  It allows all outbound TCP
traffic and return packets.  It prevents all inbound connections and
other packets except ICMP (I've shown this as allowing echo requests,
but you could disable inbound and make a special rule for outbound
echo requests).

########################################################################
# e.g.

# shell variables holding the local prefixes; A.B.C.0/24 and X.Y.Z.192/29
# are placeholders for your real dc0 and xl0 networks
dc0_net=A.B.C.0/24
xl0_net=X.Y.Z.192/29

ipfw add allow ip from any to any via lo0

# anti-spoofing rules: nothing claiming a local address may arrive on tun0

ipfw add deny ip from any to $dc0_net in via tun0
ipfw add deny ip from $dc0_net to any in via tun0
ipfw add deny ip from any to $xl0_net in via tun0
ipfw add deny ip from $xl0_net to any in via tun0

# the following allows you to respond to traceroute requests from
# the outside for all nat'd hosts and 'me', if you like

ipfw add unreach 13 udp from any to me 33434-33500 in recv tun0

# nat

ipfw add divert natd all from any to any via tun0

ipfw add check-state

ipfw add allow icmp from any to any icmptypes 0,3,8,11

# allow traffic to and from local nets
# these are stateful rules, with state kept by natd

ipfw add allow ip from any to $dc0_net
ipfw add allow ip from $dc0_net to any
ipfw add allow ip from any to $xl0_net
ipfw add allow ip from $xl0_net to any

ipfw add allow tcp from me to any setup keep-state
ipfw add allow udp from me to any keep-state

ipfw add deny log ip from any to any


natd and ipfw

Post by Gregory Bon » Thu, 21 Feb 2002 10:09:50



>    Yeah, using an open firewall allows everything to work properly.  I just
> can't figure out what is blocking icmp stuff.

If you are using tun0, then you are probably using ppp and should use
"-nat" rather than natd with ipfw.

A couple of things to remember:
 - Packets through the gateway machine pass through the ipfw rules
   twice, once on the way in to the gateway and once on the way out.
 - Packets will have the external IP address before the divert rule,
   and the internal IP after the divert rule.

Helpful debugging hints:
 - On a reasonably idle system, run "ipfw show", then try whatever is
   failing, then run "ipfw show" again.  See which deny rules have
   their packet/byte counts increased.
 - Look at the -v, -log_denied and -log_ipfw_denied options to natd.
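The "ipfw show" before/after comparison suggested just above is easy to do by eye on a short ruleset, but a small script makes it repeatable. The following is an added example, not code from anyone in this thread. It assumes the FreeBSD ipfw "ipfw show" layout (rule number, packet count, byte count, rule text, followed by a "## Dynamic rules:" section when keep-state rules exist); the two snapshots are constructed, not captured from the poster's gateway, and the rule numbers in them are made up.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed snapshots in `ipfw show` layout (rule number, packets, bytes,
# rule text); these are not captures from the poster's machine.
BEFORE = """\
00100   12   1200 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300  840 120480 divert 8668 ip from any to any via tun0
00400   55   4620 allow icmp from any to any icmptypes 0,3,8,11
00500  310  28900 allow tcp from me to any setup keep-state
00600    7    560 deny log ip from any to any
65535    0      0 deny ip from any to any
"""

# Same ruleset after reproducing the failure (here: a few pings from the LAN).
AFTER = """\
00100   12   1200 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300  846 121204 divert 8668 ip from any to any via tun0
00400   58   4872 allow icmp from any to any icmptypes 0,3,8,11
00500  310  28900 allow tcp from me to any setup keep-state
00600   12    980 deny log ip from any to any
65535    0      0 deny ip from any to any
## Dynamic rules:
00500 4 320 (T 298, # 12) ty 0 tcp, 192.0.2.10 2345 <-> 198.51.100.7 80
"""

# rule number, packet count, byte count, then the rule text
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")

# rule number -> (packets, bytes, rule text)
Counters = Dict[int, Tuple[int, int, str]]


def parse_show(text: str) -> Counters:
    """Parse the static-rule part of `ipfw show` output."""
    rules: Counters = {}
    for line in text.splitlines():
        # With keep-state rules, `ipfw show` appends a "## Dynamic rules:"
        # section whose lines also begin with a rule number and counters;
        # stop there so they do not overwrite the static rule entries.
        if line.lstrip().startswith("##"):
            break
        m = RULE_RE.match(line)
        if m:
            num, pkts, nbytes, body = m.groups()
            rules[int(num)] = (int(pkts), int(nbytes), body)
    return rules


def counter_deltas(before: Counters, after: Counters,
                   actions: Optional[Set[str]] = None
                   ) -> List[Tuple[int, int, int, str]]:
    """Rules whose packet counter grew between the snapshots, as
    (rule number, +packets, +bytes, rule text).  `actions` restricts the
    report to rules whose first word is one of the given ipfw actions."""
    hits = []
    for num, (pk_after, by_after, body) in sorted(after.items()):
        pk_before, by_before, _ = before.get(num, (0, 0, body))
        if pk_after <= pk_before:
            continue
        if actions and body.split()[0] not in actions:
            continue
        hits.append((num, pk_after - pk_before, by_after - by_before, body))
    return hits


def blocking_rules(before_text: str, after_text: str
                   ) -> List[Tuple[int, int, int, str]]:
    """The debugging hint in one call: which deny-style rules saw the traffic."""
    return counter_deltas(parse_show(before_text), parse_show(after_text),
                          actions={"deny", "unreach", "reset", "reject"})


if __name__ == "__main__":
    for num, pkts, nbytes, body in counter_deltas(parse_show(BEFORE),
                                                   parse_show(AFTER)):
        print(f"{num:05d} +{pkts} pkts +{nbytes} bytes  {body}")
    print("blocking:", blocking_rules(BEFORE, AFTER))
```

In the constructed run the divert and ICMP rules both move, which is expected for pings that are being translated, and the only deny-style rule that moves is the final "deny log" rule, so that is where to look (and its log lines will show the addresses as they were at that point in the ruleset, i.e. after the divert has rewritten them). Stopping at "## Dynamic rules:" matters because the dynamic entries repeat the parent rule's number and would otherwise be mistaken for the static rule's counters.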