Do I need port redirection in my box running IPFW and NATD?

Do I need port redirection in my box running IPFW and NATD?

Post by aykat s » Fri, 16 Aug 2002 08:48:15



I have the DaemonNews 4-CD set (4.6) and am willing to donate it to my
friend, just to give him a taste of open source, stop wasting more
money, and upgrade his NT4 server and his remote-management software
(app-layer encrypted; one UDP and three TCP ports (1667, ....)).

Here is the scenario.  Internet browsing is working OK via a single
static IP provided by Covad (the one public IP is NATed via the FreeBSD
4.6 box).  The "HOST" side ("answering side"; see diagram below) is
behind the NATD/IPFW box.  telnetd will be running with TCP wrappers
enabled, and one host from the inside LAN will be allowed to telnet to
the firewall/NATD box.  All other services will be turned off.

##
The remote client is already running and coming from the 4.168.0.0 net
via PPPoE (FreeBSD 4.5 as the gateway) with an NT4 Workstation running
the client software.

                                                     |---PC 192...
Provider CPE                           |4.6-FBSD|    |---PC 192...
                                                     |---PC 192...
198.167.167.101                    198.167.167.102   |
Fujitsu 1.5/384----198.167.167.100/30 ----NATD/----|--NT-Srvr(rmt mgt
Static IP                              | IPFW |        192.168.168.169
                                                     |---
                                                     |---PC 192...

                                        Inside NET=192.168.168.168/29

1. Do I need just the two rules below (between the #### markers in my
   rc.firewall.current)?

 $fwcmd add allow udp from 4.168.0.0/16 to $oip 222 setup
 $fwcmd add allow tcp from 4.168.0.0/16 to $oip 1667,1668,1669 setup

2. Or do I need to set up the following too, in /etc/natd.conf?

redirect_port udp 192.168.168.169:222
redirect_port tcp 192.168.168.169:1667
redirect_port tcp 192.168.168.169:1668
redirect_port tcp 192.168.168.169:1669

----------------------------------------

snip

#       Divert all packets through natd
        $fwcmd add divert natd all from any to any via $oif
#
#       Allow all established connections to persist (setup required
#       for new connections).
        $fwcmd add allow tcp from any to any established
#
#       Allow incoming requests to reach the following services:
#       To allow multiple services you may list them separated
#       by a comma, for example ...to $oip 22,25,110,80 setup
#     ############################################################  
##     #$fwcmd add allow tcp from any to $oip 22 setup
  $fwcmd add allow udp from 4.168.0.0/16 to $oip 222 setup
  $fwcmd add allow tcp from 4.168.0.0/16 to $oip 1667,1668,1669 setup
##################################################################
#       NOTE: you may have to change your client to passive or active mode
#               to get ftp to work once enabled, only ssh enabled by default.
#       21:ftp
#       22:ssh          enabled by default
#       23:telnet
#       25:smtp
#       110:pop
#       143:imap
#       80:http
#       443:ssl
#
#       Allow icmp packets for diagnostic purposes (ping traceroute)
#       you may wish to leave commented out.
#       $fwcmd add allow icmp from any to any

snip

I cannot experiment with the FreeBSD box because it is too far away (at
least 2 hours), and I have very limited time to get this set up.

Thanks.
Aykat Sue


Do I need port redirection in my box running IPFW and NATD?

Post by Mike Tod » Fri, 16 Aug 2002 09:51:01


aykat sue,

You do not, necessarily, need to divert packets in your firewall.

You DO need to have "options IPDIVERT" and "options IPFIREWALL" compiled
into your kernel.

See Chapters 9, 10, and 18 in the FreeBSD Handbook at:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html

Between these three chapters, you should be able to determine what options,
features, and settings you need for your particular situation...

--

Mike Todd
President, Mike Todd Associates www.MikeTodd.com
Supporting the Digital Coast

President, Internet Society Los Angeles Chapter www.ISOC-LosAngeles.org

Center for Entrepreneurship and Technology Law
Pepperdine University Law School

  Voice:  714-846-7257
  FAX:    714-846-5716
  Cell:   714-222-3700


Do I need port redirection in my box running IPFW and NATD?

Post by aykat s » Sat, 17 Aug 2002 09:01:58



> aykat sue,

> You do not, necessarily, need to divert packets in your firewall.

> You DO need to have "options IPDIVERT" and "options IPFIREWALL" compiled
> into your kernel.

> See Chapters 9, 10, and 18 in the FreeBSD Handbook at:

> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html

> Between these three chapters, you should be able to determine what options,
> features, and settings you need for your particular situation...

> --

> Mike Todd
> President, Mike Todd Associates www.MikeTodd.com
> Supporting the Digital Coast

> President, Internet Society Los Angeles Chapter www.ISOC-LosAngeles.org

> Center for Entrepreneurship and Technology Law
> Pepperdine University Law School

>   Voice:  714-846-7257
>   FAX:    714-846-5716
>   Cell:   714-222-3700

Thank you Todd.

I believe I do need the "options IPDIVERT" and "options IPFIREWALL"
in my kernel config (HOST side - see diagram), since Covad gave me
only one routable IP (slash 30) and I have 5 machines inside the
firewall.

I am just worried about the redirect_port since I've never tried them
before.

----------------------------------------------
redirect_port udp 192.168.168.169:222  222
redirect_port tcp 192.168.168.169:1667  1667
redirect_port tcp 192.168.168.169:1668  1668
redirect_port tcp 192.168.168.169:1669  1669
----------------------------------------------

Rgds,
Aykat Sue
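
The two drafts of natd.conf above differ in exactly one thing, the alias port. natd(8) writes a redirect as `redirect_port proto targetIP:targetPORT[-targetPORT] [aliasIP:]aliasPORT[-aliasPORT]` (an optional remoteIP restriction can follow; it is not modelled here), so the first draft, `redirect_port udp 192.168.168.169:222`, is incomplete and the second draft with `222 222` is the well-formed one. The ipfw rules in the question carry a second slip: `setup` matches TCP SYNs and is not valid on a udp rule. The following linter is an added example written for this page, not natd or ipfw code and not from the thread; the sample lines it checks are copied from the posts above.

```python
"""Added example (not from the thread): lint natd.conf redirect_port lines
and ipfw add-rule lines for the two slips seen in the posts above.

- redirect_port needs an alias port:  proto targetIP:targetPORT [aliasIP:]aliasPORT
  (port ranges such as 5900-5910 are allowed on both sides and must be the
  same size so the mapping is one-to-one; the optional trailing remoteIP
  restriction natd accepts is not modelled here)
- ipfw's 'setup' keyword matches TCP SYNs only and is not valid on a udp rule
"""
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
PORT = r"\d+(?:-\d+)?"
REDIRECT_RE = re.compile(
    rf"^redirect_port\s+(tcp|udp)\s+({IP}):({PORT})\s+(?:({IP}):)?({PORT})\s*$"
)


def port_count(spec):
    """Number of ports in '80' or '5900-5910'."""
    lo, _, hi = spec.partition("-")
    return int(hi or lo) - int(lo) + 1


def lint_redirect(line):
    """Return None if a redirect_port line is well formed, else a message."""
    m = REDIRECT_RE.match(line.strip())
    if not m:
        return "expected: redirect_port proto targetIP:targetPORT [aliasIP:]aliasPORT"
    _proto, _tip, tport, _aip, aport = m.groups()
    if port_count(tport) != port_count(aport):
        return "target and alias port ranges must be the same size"
    return None


def lint_ipfw(line):
    """Return None if an ipfw add-rule line looks sane, else a message."""
    toks = line.split()
    if "setup" in toks and "tcp" not in toks:
        return "'setup' matches TCP SYNs only; drop it on udp rules"
    return None


def lint_file(text, linter):
    """Run a linter over each non-comment line; return [(lineno, line, message)]."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        msg = linter(line)
        if msg:
            findings.append((n, line, msg))
    return findings


# Constructed input: the two natd.conf drafts and the ipfw rules from the posts above.
NATD_FIRST_DRAFT = """\
redirect_port udp 192.168.168.169:222
redirect_port tcp 192.168.168.169:1667
"""
NATD_SECOND_DRAFT = """\
redirect_port udp 192.168.168.169:222  222
redirect_port tcp 192.168.168.169:1667  1667
"""
IPFW_RULES = """\
$fwcmd add allow udp from 4.168.0.0/16 to $oip 222 setup
$fwcmd add allow tcp from 4.168.0.0/16 to $oip 1667,1668,1669 setup
"""

if __name__ == "__main__":
    for label, text, linter in [("natd first draft", NATD_FIRST_DRAFT, lint_redirect),
                                ("natd second draft", NATD_SECOND_DRAFT, lint_redirect),
                                ("ipfw rules", IPFW_RULES, lint_ipfw)]:
        for n, line, msg in lint_file(text, linter):
            print(f"{label}, line {n}: {msg}\n    {line}")
```

Run against the first natd draft it reports both lines as missing the alias port; against the second draft it reports nothing; against the ipfw rules it flags only the udp line.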


1. ipfw + natd; port redirection problem

Hello

I run ipfw + natd on a FreeBSD 4.7p6-release gateway.  I wish to redirect
ports for ssh, vnc, web, and mail to boxes inside the LAN.  SSH connections
are being redirected properly, but vnc and web are not.  httpd is running
and listening on 10.0.0.10:8080, and TightVNC is configured correctly.
I'd like to know what I need to tweak, either in my ruleset or conf files.

Thanks in advance.

-------------------------------------------
from /etc/rc.conf

network_interfaces="lo0 ed1 rl0"
hostname="churgeon.joshualokken.com"
ifconfig_ed1="DHCP"
ifconfig_rl0="inet 10.0.0.1  netmask 255.0.0.0"

[snip]

gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="ed1"
natd_flags="-f /etc/natd.conf"
firewall_script="/etc/firewall.conf"

tcp_extensions="YES"
icmp_drop_redirect="YES"
-----------------------------------------------
from /etc/natd.conf
# natd.conf
# flags

interface ed1
dynamic yes
unregistered_only yes
same_ports yes
use_sockets yes

# Web and mail

redirect_port tcp 10.0.0.10:8080 80
redirect_port udp 10.0.0.10:8080 80
redirect_port tcp 10.0.0.10:443 443
redirect_port udp 10.0.0.10:443 443

redirect_port tcp 10.0.0.2:22 22002
redirect_port udp 10.0.0.2:22 22002
redirect_port tcp 10.0.0.3:22 22003
redirect_port udp 10.0.0.3:22 22003
redirect_port tcp 10.0.0.10:22 22010
redirect_port udp 10.0.0.10:22 22010

redirect_port tcp 10.0.0.2:5900-5910 5900-5910
redirect_port udp 10.0.0.2:5900-5910 5900-5910
-------------------------------------------------------
from /etc/firewall.conf

fwcmd="/sbin/ipfw"
oif="ed1"
oip="me"

iif="rl0"
inwr="10.0.0.0/8"
iip="10.0.0.1"

# ISPs name servers
ns1="204.127.198.4"
ns2="216.148.227.68"

# zoneedit name servers
ns3="207.228.252.107"
ns4="64.246.26.64"

$fwcmd -q flush

$fwcmd add allow all from any to any via lo0
$fwcmd add deny ip from any to 127.0.0.0/8

$fwcmd add divert natd all from any to any via $oif

$fwcmd add allow icmp from any to any icmptypes 3,4,11,12

$fwcmd add allow udp from $ns1 53 to any in via $oif
$fwcmd add allow udp from $ns2 53 to any in via $oif
$fwcmd add allow udp from $ns3 to any in via $oif
$fwcmd add allow udp from any to any out

$fwcmd add check-state

$fwcmd add allow tcp from any to any 22,25,80,110,443,5901,5902,6346,22002,22003,22010 setup via $oif keep-state

$fwcmd add allow ip from $oip to any keep-state out via $oif

$fwcmd add allow ip from $inwr to any keep-state via $iif

$fwcmd add 65435 deny log ip from any to any

--
Best Regards,

Joshua Lokken
OMIC Portland Branch

503 807 6538
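
Both posts on this page turn on the same ordering fact: `divert natd` comes before the allow rules, natd rewrites the destination of an inbound packet that hits a `redirect_port` entry and hands it back to ipfw, and ipfw resumes at the rule after the divert. Every allow rule placed after the divert is therefore matched against the inside address and port, not against the public IP and the published port. In the ruleset just above, a SYN to 22002 becomes 10.0.0.2:22 and port 22 is in the allow list, so ssh works; a SYN to 80 becomes 10.0.0.10:8080 and a SYN to 5900 stays 5900, and neither 8080 nor 5900 is in the list, so web and vnc are denied. For the first question on the page, the same model shows that without a redirect the packet stays addressed to the gateway itself (allowed, but nothing inside ever sees it), and that with a redirect the rule has to name the inside host rather than `$oip`. The following toy model is an added example written for this page, not ipfw or natd code and not from either thread; the public and remote addresses are constructed, and state tracking (`check-state`/`keep-state`) is left out.

```python
"""Added example (not from the thread): a toy model of ipfw's rule walk with
'divert natd' in front of the allow rules, showing what the allow rules see.

Inbound packet -> divert natd (redirect_port rewrites dst) -> allow rules -> deny.
Public IPs and the remote client addresses below are constructed for the example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    syn: bool = True  # a new TCP connection, which is what ipfw's 'setup' matches


def natd_inbound(pkt, redirects, alias_ip):
    """Apply redirect_port entries to a packet arriving on the outside interface.

    redirects: list of (proto, (alias_lo, alias_hi), target_ip, target_lo), i.e.
    'redirect_port proto target_ip:target_lo[-...] alias_lo[-alias_hi]'.
    """
    if pkt.dst != alias_ip:
        return pkt
    for proto, (alo, ahi), tip, tlo in redirects:
        if pkt.proto == proto and alo <= pkt.dport <= ahi:
            return replace(pkt, dst=tip, dport=tlo + (pkt.dport - alo))
    return pkt  # no redirect: the packet stays addressed to the gateway itself


def ipfw_walk(pkt, redirects, alias_ip, allow_rules):
    """Rule order: divert natd; then 'allow <proto> from any to <dst> <ports> setup'; then deny.

    allow_rules: list of (proto, dst_ip or "any", set_of_ports); first match wins.
    Returns (verdict, packet as the allow rules saw it).
    """
    pkt = natd_inbound(pkt, redirects, alias_ip)  # '$fwcmd add divert natd all from any to any via $oif'
    for proto, dst, ports in allow_rules:
        if pkt.proto != proto or pkt.dport not in ports:
            continue
        if dst != "any" and pkt.dst != dst:
            continue
        if proto == "tcp" and not pkt.syn:  # 'setup' matches only the SYN
            continue
        return "allow", pkt
    return "deny", pkt


# --- The ruleset from the post above (public IP constructed; ed1 is on DHCP) ---
JOSHUA_PUBLIC = "203.0.113.5"
JOSHUA_REDIRECTS = [
    ("tcp", (80, 80), "10.0.0.10", 8080),
    ("tcp", (443, 443), "10.0.0.10", 443),
    ("tcp", (22002, 22002), "10.0.0.2", 22),
    ("tcp", (22003, 22003), "10.0.0.3", 22),
    ("tcp", (22010, 22010), "10.0.0.10", 22),
    ("tcp", (5900, 5910), "10.0.0.2", 5900),
]
JOSHUA_ALLOW = [("tcp", "any", {22, 25, 80, 110, 443, 5901, 5902, 6346, 22002, 22003, 22010})]


def joshua_results():
    """Verdict for one SYN to each published port, keyed by service name."""
    probes = {"ssh-22002": 22002, "web-80": 80, "vnc-5900": 5900, "vnc-5901": 5901, "https-443": 443}
    return {name: ipfw_walk(Packet("tcp", "198.51.100.7", JOSHUA_PUBLIC, port),
                            JOSHUA_REDIRECTS, JOSHUA_PUBLIC, JOSHUA_ALLOW)
            for name, port in probes.items()}


# --- The first question on the page: is redirect_port needed, and what should the rule name? ---
AYKAT_OIP = "198.167.167.102"
AYKAT_HOST = "192.168.168.169"
AYKAT_REDIRECTS = [("tcp", (1667, 1669), AYKAT_HOST, 1667), ("udp", (222, 222), AYKAT_HOST, 222)]
RULE_AS_POSTED = [("tcp", AYKAT_OIP, {1667, 1668, 1669})]   # '... to $oip 1667,1668,1669 setup'
RULE_INSIDE = [("tcp", AYKAT_HOST, {1667, 1668, 1669})]     # '... to 192.168.168.169 1667,1668,1669 setup'


def aykat_results():
    """Same SYN from the 4.168.0.0/16 client under three combinations of redirect and rule."""
    syn = Packet("tcp", "4.168.1.1", AYKAT_OIP, 1667)
    return {
        "no_redirect_as_posted": ipfw_walk(syn, [], AYKAT_OIP, RULE_AS_POSTED),
        "redirect_as_posted": ipfw_walk(syn, AYKAT_REDIRECTS, AYKAT_OIP, RULE_AS_POSTED),
        "redirect_inside_rule": ipfw_walk(syn, AYKAT_REDIRECTS, AYKAT_OIP, RULE_INSIDE),
    }


if __name__ == "__main__":
    for name, (verdict, seen) in {**joshua_results(), **aykat_results()}.items():
        print(f"{name:24s} {verdict:5s}  allow rules saw dst={seen.dst}:{seen.dport}")
```

The fix the model points at for the ruleset above is to list the translated ports (8080 for the web server, the whole 5900-5910 range for VNC) rather than the published ones in the rule that follows the divert, or to address the rule to the inside hosts explicitly. The same applies to the first question: with `redirect_port` in natd.conf, the allow rule after the divert should name 192.168.168.169, not `$oip`.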
