HELP - IPFW with NATD for port forwarding

HELP - IPFW with NATD for port forwarding

Post by Rob » Mon, 01 Oct 2001 01:08:24



I am having a problem getting my FreeBSD 4.3 IPFW firewall to forward
incoming FTP requests to a server on a private network.  I have scoured
dejanews and the like and all the previous posts seem to say the same thing:
NATD redirect_port entries in NATD.CONF and an ADD ALLOW statement in the
firewall script as noted in the script below.

Natd.conf entries are as follows:

use_sockets yes
redirect_port tcp 192.168.1.3:21 21
redirect_port udp 192.168.1.3:21 21

natd.conf is of course called in rc.conf via natd_flags="-f /etc/natd.conf"

And here is my firewall script:

fwcmd="/sbin/ipfw" #leave as is if using ipfw
oif="oifx"  #set to outside interface name
onwr="a.b.c.d/24" #set to outside network range
oip="a.b.c.d"  #set to outside ip address

iif="ifx"  #set to internal interface name
inwr="x.y.z.x/24" #set to internal network range
iip="x.y.z.x"  #set to internal ip address

ns1="e.f.g.h"  #set to primary name server best if = oif
#ntp="i.j.k.l"  #set to ip of NTP server or leave as is

 $fwcmd -f flush

 $fwcmd add allow all from any to any via lo0
 $fwcmd add deny log all from any to 127.0.0.0/8

 $fwcmd add deny log ip from $inwr to any in via $oif

 $fwcmd add deny log ip from not $inwr to any in via $iif

 $fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
 $fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
 $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
 $fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
 $fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
 $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif

 $fwcmd add deny all from 0.0.0.0/8 to any in via $oif
 $fwcmd add deny all from 169.254.0.0/16 to any in via $oif
 $fwcmd add deny all from 192.0.2.0/24 to any in via $oif
 $fwcmd add deny all from 224.0.0.0/4 to any in via $oif
 $fwcmd add deny all from 240.0.0.0/4 to any in via $oif
 $fwcmd add deny all from any to 0.0.0.0/8 in via $oif
 $fwcmd add deny all from any to 169.254.0.0/16 in via $oif
 $fwcmd add deny all from any to 192.0.2.0/24 in via $oif
 $fwcmd add deny all from any to 224.0.0.0/4 in via $oif
 $fwcmd add deny all from any to 240.0.0.0/4 in via $oif

 $fwcmd add divert natd all from any to any via $oif

 $fwcmd add allow tcp from any to any established
 $fwcmd add allow tcp from any to $oip 22 setup
 $fwcmd add allow log tcp from any to <publicaddress> 21 via $oif   <--------------- Add Allow statement

 $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
 $fwcmd add allow udp from any 53 to $ns1 53
 $fwcmd add check-state
 $fwcmd add allow ip from $oip to any keep-state out via $oif
 $fwcmd add allow ip from $inwr to any keep-state via $iif

 $fwcmd add 65435 deny log ip from any to any   <--------------------- Is this line cancelling out my Add Allow above?

Any help would be appreciated.

TIA

Rob


HELP - IPFW with NATD for port forwarding

Post by Rob Hughe » Mon, 01 Oct 2001 22:20:29


I don't see a rule in there that actually allows the traffic to your server,
only to the outside interface. Since you have deny log in there, why not
look through /var/log/security and see what rule is dropping the packets?



HELP - IPFW with NATD for port forwarding

Post by Rob » Tue, 02 Oct 2001 07:24:32


Even if I add an "add pass all from any to any" and rem out the "add 65435
deny log ip from any to any"  I still can't seem to get this to work.  This
seems so straight forward.  What am I missing?


> I don't see a rule in there that actually allows the traffic to your server,
> only to the outside interface. Since you have deny log in there, why not
> look through /var/log/security and see what rule is dropping the packets?



        $fwcmd add pass udp from any 123 to ${ip} in


HELP - IPFW with NATD for port forwarding

Post by Simon Y. Chan » Tue, 02 Oct 2001 11:33:54


Guys - FTP service requires that two ports be used in conjunction:  ports 20
and 21.  Port 20 is used for control data, while port 21 transports the
actual data.

I had a client at my workplace who insisted that our FTP server was down.  I
was vindicated when they sent me a screenshot of their attempts to connect
and realized that they PORTed only one of the ports in the command line.

Good luck,

Simon Chang


> Even if I add an "add pass all from any to any" and rem out the "add 65435
> deny log ip from any to any"  I still cant seem to get this to work.  This
> seems so straight forward.  What am I missing?




HELP - IPFW with NATD for port forwarding

Post by Simon Y. Chan » Tue, 02 Oct 2001 11:39:09


By the way - just looking through your scripts again, they look fine except
for the point that I mentioned about FTP using two ports.  Make sure you add
that into your natd.conf and try again, and if you like I can proofread your
final product for you just for double-checking.  But like you said, this was
pretty straightforward.

Cheers,

Simon Chang


> Even if I add an "add pass all from any to any" and rem out the "add 65435
> deny log ip from any to any"  I still cant seem to get this to work.  This
> seems so straight forward.  What am I missing?




HELP - IPFW with NATD for port forwarding

Post by Rob » Tue, 02 Oct 2001 12:34:53


Hey Simon, thanks for your help.

This entry, "$fwcmd add allow tcp from any to any established", should
allow for the FTP dual port silliness that is the venerable FTP protocol.
The port 20 connection should be initiated from the FTP server, which is
behind the firewall on the private network.  Correct?

I should add that with the scripts as is, the FTP port 21 doesn't even
respond.  Much to my dismay, as a good, secure firewall should.  However,
when I remove this line, "$fwcmd add 65435 deny log ip from any to any", the
last entry in the script, I can see port 21 from the outside interface.
Unfortunately, removing this entry pretty much hoses my security.  Does the
order that the firewall rules are entered in the script have an effect?

Thanks again,

Rob



> By the way - just looking through your scripts again, they look fine except
> for the point that I mentioned about FTP using two ports.  Make sure you add
> that into your natd.conf and try again, and if you like I can proofread your
> final product for you just for double-checking.  But like you said, this was
> pretty straightforward.

> Cheers,

> Simon Chang




HELP - IPFW with NATD for port forwarding

Post by Daniel Rud » Tue, 02 Oct 2001 14:47:30



> I am having a problem getting my FreeBSD 4.3 IPFW firewall to forward
> incoming FTP requests to a server on a private network.  I have scoured
> dejanews and the like and all the previous posts seem to say the same thing:
> NATD redirect_port entries in NATD.CONF and an ADD ALLOW statement in the
> firewall script as noted in the script below.

> Natd.conf entries are as follows:

> use_sockets yes
> redirect_port tcp 192.168.1.3:21 21
> redirect_port udp 192.168.1.3:21 21

> natd.conf is of course called in rc.conf via natd_flags="-f /etc/natd.conf"

> And here is my firewall script:

> fwcmd="/sbin/ipfw" #leave as is if using ipfw
> oif="oifx"  #set to outside interface name
> onwr="a.b.c.d/24" #set to outside network range
> oip="a.b.c.d"  #set to outside ip address

> iif="ifx"  #set to internal interface name
> inwr="x.y.z.x/24" #set to internal network range
> iip="x.y.z.x"  #set to internal ip address

> ns1="e.f.g.h"  #set to primary name server best if = oif
> #ntp="i.j.k.l"  #set to ip of NTP server or leave as is

>  $fwcmd -f flush

>  $fwcmd add allow all from any to any via lo0
>  $fwcmd add deny log all from any to 127.0.0.0/8

>  $fwcmd add deny log ip from $inwr to any in via $oif

>  $fwcmd add deny log ip from not $inwr to any in via $iif

>  $fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
>  $fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
>  $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
>  $fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
>  $fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
>  $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif

>  $fwcmd add deny all from 0.0.0.0/8 to any in via $oif
>  $fwcmd add deny all from 169.254.0.0/16 to any in via $oif
>  $fwcmd add deny all from 192.0.2.0/24 to any in via $oif
>  $fwcmd add deny all from 224.0.0.0/4 to any in via $oif
>  $fwcmd add deny all from 240.0.0.0/4 to any in via $oif
>  $fwcmd add divert natd all from any to any via $oif

This line should be here, not below.  Reason for this is that natd is
changing the addresses of the packets.  And because of this, packets are
screened 4 times.  Twice on each interface, once before natd does its
thing, and once after.

>  $fwcmd add deny all from any to 0.0.0.0/8 in via $oif
>  $fwcmd add deny all from any to 169.254.0.0/16 in via $oif
>  $fwcmd add deny all from any to 192.0.2.0/24 in via $oif
>  $fwcmd add deny all from any to 224.0.0.0/4 in via $oif
>  $fwcmd add deny all from any to 240.0.0.0/4 in via $oif

>  $fwcmd add divert natd all from any to any via $oif

>  $fwcmd add allow tcp from any to any established
>  $fwcmd add allow tcp from any to $oip 22 setup
>  $fwcmd add allow log tcp from any to <publicaddress> 21 via $oif   <--------------- Add Allow statement

>  $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
>  $fwcmd add allow udp from any 53 to $ns1 53
>  $fwcmd add check-state
>  $fwcmd add allow ip from $oip to any keep-state out via $oif
>  $fwcmd add allow ip from $inwr to any keep-state via $iif

>  $fwcmd add 65435 deny log ip from any to any   <--------------------- Is this line cancelling out my Add Allow above?

> Any help would be appreciated.

> TIA

> Rob

Hope this helps.

--
Daniel Rudy
Reply to dcrudy at aol dot com.

*!*!* DO NOT HIT REPLY *!*!*
ALL EMAIL SENT TO REPLY ADDRESS WILL BE DELETED!


HELP - IPFW with NATD for port forwarding

Post by Simon Y. Chan » Tue, 02 Oct 2001 21:56:58


Well, the FTP server will use both ports as part of any connection, but if
you are only redirecting one of them to the transparent proxy then you have
a problem since it's expecting to first use port 20 and then 21.

On the question of whether the order of the rules matter:  Yes, they
absolutely do.  Every time a packet is received it is screened against the
rules in a sequential manner, and if you don't position them right then you
may not get the results that you want.  Consider what would happen if you do
this right off the ipfw rules:

$fwcmd add 100 deny ip from any to any

In this case nothing will get through, since this is the first rule of the
chain.

As another poster of this thread has mentioned (and for which I apologize
for not having looked at it more thoroughly - another argument for having
more eyes), you need to recheck your rules sequence to make sure that the
desired packets are not filtered out, and the unwelcome packets are kept out
(especially important if you are using the "pipe" option in ipfw which can
reinject packets into a later point in the rules).

Good luck,

Simon Chang


> Hey Simon, thanks for your help.

> This entry, "$fwcmd add allow tcp from any to any established", should
> allow for the FTP dual port silliness that is the venerable FTP protocol.
> The port 20 connection should be initiated from the FTP server, which is
> behind the firewall on the private network.  Correct?

> I should add that with the scripts as is, the FTP port 21 doesn't even
> respond.  Much to my dismay, as a good, secure firewall should.  However,
> when I remove this line, "$fwcmd add 65435 deny log ip from any to any", the
> last entry in the script, I can see port 21 from the outside interface.
> Unfortunately, removing this entry pretty much hoses my security.  Does the
> order that the firewall rules are entered in the script have an effect?

> Thanks again,

> Rob



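The mechanism behind Rob Hughe's remark ("no rule actually allows the traffic to your server"), Daniel's point that the divert rule changes the addresses before the later rules see the packet, and Simon's point that rules are matched strictly in order can all be watched in a small model. The following is an added example written for this page, not code from the thread or from FreeBSD: a toy first-match evaluator over an abbreviated version of Rob's chain. It assumes, as ipfw does for a divert rule, that natd re-injects the rewritten packet and evaluation resumes at the rule after the divert; the outside address 198.51.100.10 (standing in for a.b.c.d), the client address 203.0.113.7 and the rule numbers are constructed, and only the rule fields the thread's script uses are modelled.

```python
# Added example for this thread: a toy model of ipfw first-match evaluation with a
# natd redirect_port divert. Not FreeBSD/ipfw code; it models only the rule fields
# the thread's script uses (proto, src, dst, port, via, in/out, setup/established).
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

PUBLIC_IP = "198.51.100.10"   # constructed stand-in for the outside address a.b.c.d
CLIENT_IP = "203.0.113.7"     # constructed client address
FTP_SERVER = "192.168.1.3"    # internal FTP host from the thread's natd.conf
OIF, IIF = "oifx", "ifx"      # interface names as in the thread's script
# natd.conf "redirect_port tcp 192.168.1.3:21 21" as a lookup table
REDIRECTS = {("tcp", 21): (FTP_SERVER, 21)}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str               # interface the packet is crossing ("via")
    direction: str           # "in" or "out"
    syn_only: bool = False   # first SYN of a connection, what ipfw's "setup" matches

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow", "deny" or "divert"
    proto: str = "ip"                # "ip"/"all" match every protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    iface: Optional[str] = None      # "via <iface>"
    direction: Optional[str] = None  # "in", "out" or None for either
    tcpflags: Optional[str] = None   # "setup" or "established"

def addr_match(pattern: str, addr: str) -> bool:
    """'any', a host address or a CIDR prefix, as in ipfw rule bodies."""
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return all((
        rule.proto in ("ip", "all", pkt.proto),
        addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst),
        rule.dport in (None, pkt.dport),
        rule.iface in (None, pkt.iface),
        rule.direction in (None, pkt.direction),
        rule.tcpflags != "setup" or pkt.syn_only,
        rule.tcpflags != "established" or not pkt.syn_only,
    ))

def natd_redirect(pkt: Packet) -> Packet:
    """Toy natd: rewrite the destination of an inbound packet that hits a redirect_port."""
    target = REDIRECTS.get((pkt.proto, pkt.dport))
    if pkt.direction == "in" and pkt.dst == PUBLIC_IP and target is not None:
        return replace(pkt, dst=target[0], dport=target[1])
    return pkt

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int, Packet]:
    """First matching rule decides; a divert rewrites the packet and resumes at the next rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd_redirect(pkt)   # natd re-injects; ipfw continues after the divert rule
            continue
        return rule.action, rule.number, pkt
    return "deny", 65535, pkt          # ipfw's implicit default rule

def forward(rules: List[Rule], pkt: Packet) -> List[Tuple[str, int]]:
    """Screen a packet inbound on the outside interface and, if allowed, again
    outbound on the inside interface (Daniel's point: both interfaces see it)."""
    verdict, number, pkt = evaluate(rules, pkt)
    results = [(verdict, number)]
    if verdict == "allow":
        results.append(evaluate(rules, replace(pkt, iface=IIF, direction="out"))[:2])
    return results

# Abbreviated form of Rob's ruleset; rule numbers are mine. Rule 500 is his "Add Allow statement".
ROB_RULES = [
    Rule(100, "allow", iface="lo0"),
    Rule(200, "divert", iface=OIF),
    Rule(300, "allow", proto="tcp", tcpflags="established"),
    Rule(400, "allow", proto="tcp", dst=PUBLIC_IP, dport=22, tcpflags="setup"),
    Rule(500, "allow", proto="tcp", dst=PUBLIC_IP, dport=21, iface=OIF),
    Rule(65435, "deny"),
]
# Same chain with the allow written for the post-NAT destination, plus the outbound leg.
FIXED_RULES = [r for r in ROB_RULES if r.number != 500] + [
    Rule(500, "allow", proto="tcp", dst=FTP_SERVER, dport=21, iface=OIF, direction="in", tcpflags="setup"),
    Rule(510, "allow", proto="tcp", dst=FTP_SERVER, dport=21, iface=IIF, direction="out", tcpflags="setup"),
]
# Simon's "deny everything at the top of the chain" case (rule 50 here).
DENY_FIRST_RULES = [Rule(50, "deny")] + FIXED_RULES
# Constructed inbound packet: a client opening the FTP control connection.
FTP_SYN = Packet("tcp", CLIENT_IP, PUBLIC_IP, 21, OIF, "in", syn_only=True)

if __name__ == "__main__":
    for name, rules in (("rob", ROB_RULES), ("fixed", FIXED_RULES), ("deny-first", DENY_FIRST_RULES)):
        print(name, forward(rules, FTP_SYN), "post-NAT dst:", evaluate(rules, FTP_SYN)[2].dst)
```

With Rob's chain the SYN reaches rule 500 already addressed to 192.168.1.3:21, so an allow written for the public address can never match it, and the packet falls through to the 65435 deny; the deny is not "cancelling" the allow, the allow simply never fires, which is also why /var/log/security would show rule 65435 as the one dropping it. Allowing the post-NAT destination, inbound on the outside interface and outbound on the inside one, lets the connection through, and a catch-all deny placed first ends evaluation before any of that is reached.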


1. Port Forwarding, ipfw + natd

Hi,

    How do I set up port forwarding?

    My ipfw is set to OPEN.

ed1 = outside interface
ed0 = inside interface
10.0.0.1 = IP of another PC on my network

Here is my ipfw l output:

00050 divert 8668 ip from any to any via ed1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
65535 deny ip from any to any

The error I get from natd when I type:

natd -redirect_port tcp 10.0.0.1:21 21

is:

natd: Unable to bind divert socket.: Address already in use

What error am I making?  What I'm trying to do is to forward any
connection to me on port 21 to 10.0.0.1 on port 21.

thx

MrNorton
