FBSD 6.0 ipfilter nat redirect not working.

Erik Norgaard norgaard at locolomo.org
Wed Mar 29 13:40:31 UTC 2006


First, if you want to set a default policy, include these as your first rules:

   block log in all
   block log out all

Since there is no quick keyword, this rule applies to anything you don't 
explicitly allow or block later.

fbsd_user wrote:
> Here are the complete firewall rules
> 
> 
> ################################################################# 
> # No restrictions on Inside Lan Interface for private network
> ################################################################# 
>  
> pass out quick on xl0 all   # production server config
> pass in  quick on xl0 all   # production server config

Ok, I understand xl0 is your internal interface, rl0 is your external 
interface. Looking at your nat rules, you want to redirect traffic from 
the internet port 6188 to an internal server on port 80?

Secondly, note that all packets coming in on xl0 and going out on rl0 will 
be filtered in the out ruleset for rl0.

Generally, if you decide to pass a packet definitively by including the 
"quick" keyword, you should also add "keep state"; otherwise you risk that 
the packet is caught on the way out or the response is caught on the way 
back, and this can be really difficult to track down.

So, add keep state to the above.

> ################################################################# 
> # No restrictions on Loopback Interface 
> ################################################################# 
> 
> pass in  quick on lo0 all 
> pass out quick on lo0 all 
> 
> #################################################################
> # Interface facing Public internet  (Outbound Section) 
> # Interrogate session start requests originating from behind the 
> # firewall on the private network 
> # or from this gateway server destine for the public internet.
> #################################################################
> 
> # Allow out access to my ISP's Domain name server.
> pass out quick on rl0 proto tcp from any to xx.168.240.5 port = 53 flags S keep state
> pass out quick on rl0 proto udp from any to xx.168.240.5 port = 53 keep state
> 
> pass out quick on rl0 proto tcp from any to xx.168.240.2 port = 53 flags S keep state
> pass out quick on rl0 proto udp from any to xx.168.240.2 port = 53 keep state
> 
> # Allow out access to my ISP's DHCP server for cable or DSL networks.
> pass out quick on rl0 proto udp from any to xx.173.0.1 port = 67 keep state
> pass out quick on rl0 proto udp from any to xx.39.64.1 port = 67 keep state
> 
> # Allow out non-secure standard www function
> pass out quick on rl0 proto tcp from any to any port = 80 flags S keep state
> 
> # Allow out secure www function https over TLS SSL
> pass out quick on rl0 proto tcp from any to any port = 443 flags S keep state
> 
> # Allow out send & get email function
> pass out quick on rl0 proto tcp from any to any port = 25  flags S keep state
> pass out quick on rl0 proto tcp from any to any port = 110 flags S keep state
> 
> 
> # Allow out secure FTP, Telnet, and SCP 
> # This function is using SSH  (secure shell)
> pass out quick on rl0 proto tcp from any to any port = 22 flags S keep state
> 
> # Allow out non-secure Telnet 
> pass out log quick on rl0 proto tcp from any to any port = 23 flags S keep state
> 
> # Allow out FBSD CVSUP function 
> pass out quick on rl0 proto tcp from any to any port = 5999 flags S keep state
> 
> # Allow out all icmp to public Internet
> pass out quick on rl0 proto icmp from any to any keep state
> 
> # Allow out whois for LAN PC to public Internet
> pass out quick on rl0 proto tcp from any to any port = 43 flags S keep state
> 
> # Block and log only the first occurrence of everything 
> # else that's trying to get out.
> # This rule enforces the block all by default logic. 
> #block out log first quick on rl0 all
> block out log quick on rl0 all

This last rule also applies to packets going in on xl0 destined for the 
internet and not being passed explicitly in the out rules above.

> #################################################################
> # Interface facing Public internet  (Inbound Section)
> # Interrogate packets originating from the public internet
> # destine for this gateway server or the private network.
> #################################################################
> 
> # Block all inbound traffic from non-routable or reserved address spaces
> block in quick on rl0 from 192.168.0.0/16  to any  #RFC 1918 private IP
> block in quick on rl0 from 172.16.0.0/12   to any  #RFC 1918 private IP
> block in quick on rl0 from 10.0.0.0/8      to any  #RFC 1918 private IP
> block in quick on rl0 from 127.0.0.0/8     to any  #loopback
> block in quick on rl0 from 0.0.0.0/8       to any  #loopback
> block in quick on rl0 from 169.254.0.0/16  to any  #DHCP auto-config
> block in quick on rl0 from 192.0.2.0/24    to any  #reserved for doc's
> block in quick on rl0 from 204.152.64.0/23 to any  #Sun cluster interconnect
> block in quick on rl0 from 224.0.0.0/3     to any  #Class D & E multicast

You can also block any traffic not destined to you:

   block in quick on rl0 from any to !<external ip>

This is ok when you use keep state because connections out from your LAN 
will then not be evaluated against this rule when response packets come back.

> ##### Block a bunch of different nasty things. ############
> # That I don't want to see in the log 
> 
> # Block frags
> #block in log quick on rl0 all with frags
> block in quick on rl0 all with frags
> 
> # Block short tcp packets
> #block in log quick on rl0 proto tcp all with short
> block in quick on rl0 proto tcp all with short
> 
> # block source routed packets
> #block in log quick on rl0 all with opt lsrr
> #block in log quick on rl0 all with opt ssrr
> block in quick on rl0 all with opt lsrr
> block in quick on rl0 all with opt ssrr
> 
> 
> # Block nmap OS fingerprint attempts
> block in quick on rl0 proto tcp from any to any flags FUP
> 
> # Block anything with special options
> #block in log quick on rl0 all with ipopts 
> block in quick on rl0 all with ipopts
> 
> # Block public pings 
> block in quick on rl0 proto icmp all icmp-type 8
> 
> # Block ident
> block in quick on rl0 proto tcp from any to any port = 113
> 
> # Block all Netbios service. 137=name, 138=datagram, 139=session 
> # Netbios is MS/Windows sharing services.
> # Block MS/Windows hosts2 name server requests 81
> block in quick on rl0 proto tcp/udp from any to any port = 137
> block in quick on rl0 proto tcp/udp from any to any port = 138
> block in quick on rl0 proto tcp/udp from any to any port = 139
> block in quick on rl0 proto tcp/udp from any to any port = 81
> 
> # Block all ftp attempts to login so count will show in daily cron rpt
> block in quick on rl0 proto tcp/udp from any to any port = 21
> 
> # Block all SSH attempts to login so count will show in daily cron rpt
> block in quick on rl0 proto tcp/udp from any to any port = 22
> 
> # Block all telnet attempts to login so count will show in daily cron rpt
> block in quick on rl0 proto tcp/udp from any to any port = 23
> 
> # Block all www attempts so count will show in daily cron rpt
> block in quick on rl0 proto tcp/udp from any to any port = 80

Here you go! You have the nat rule

   rdr rl0 0.0.0.0/0 port 6188 -> 10.0.10.4 port 80 tcp

For rdr, this takes place on the incoming interface before the packet 
traverses the in-rules for that interface. So the packets on rl0 you 
redirect to port 80 are blocked here.

> # Block all secure www attempts so count will show in daily cron rpt
> block in quick on rl0 proto tcp from any to any port = 443 
> 
> # Block all smtp email server attempts so count will show in daily cron rpt
> block in quick on rl0 proto tcp from any to any port = 25 
> 
> # block range of Trojan udp ports 1021 thru 1039 
> # so count will show in daily cron rpt
> block in quick on rl0 proto udp from any to any port 1020 >< 1040
> 
> # block Trojan scan port
> block in quick on rl0 proto tcp from any port = 6000 to any 
> 
> # Allow traffic in from ISP's DHCP server. 
> pass in quick on rl0 proto udp from xx.173.0.1 port = 67 to any keep state
> pass in quick on rl0 proto udp from xx.39.64.1 port = 67 to any keep state
> 
> # Allow traffic in from ISP's DNS server. 
> pass in quick on rl0 proto udp from xx.168.240.5 port = 53 to any keep state
> pass in quick on rl0 proto udp from xx.168.240.2 port = 53 to any keep state
> 
> # Allow in testing www function because I have apache server on lan
> pass in log quick on rl0 proto tcp from any to any port = 6188 flags S keep state
> pass in log quick on rl0 proto tcp from any to 10.0.10.4 port = 80  flags S keep state

These two rules never apply, the rdr takes place as mentioned before 
filtering, so the first won't ever match, and the second is blocked above.

Remember with nat: if rules apply on the way in, they are applied 
_before_ the packet is filtered. If rules apply on the way out, they are 
applied _after_ the packet is filtered.

And this is great, because when you write the filter rules, you can simply 
think of all your IPs being routable.

Cheers, Erik
> # Block all upd traffic
> block in log quick on rl0 proto udp all
> #block in quick on rl0 proto udp all
> 
> # Block and log only first occurrence of all remaining traffic 
> # coming into the firewall. 
> # This rule enforces the block all by default logic. 
> #block in quick on rl0 all
> block in log quick on rl0 all
> 
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Erik Norgaard
> Sent: Wednesday, March 29, 2006 2:54 AM
> To: fbsd_user at a1poweruser.com
> Cc: freebsd-questions at FreeBSD. ORG
> Subject: Re: FBSD 6.0 ipfilter nat redirect not working.
> 
> 
> fbsd_user wrote:
> 
>> # /root >ipnat -l
>> List of active MAP/Redirect filters:
>> map rl0 10.0.10.0/29 -> 0.0.0.0/32 proxy port ftp ftp/tcp
>> map rl0 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
>> map rl0 10.0.10.0/29 -> 0.0.0.0/32
>> rdr rl0 0.0.0.0/0 port 6188 -> 10.0.10.4 port 80 tcp
>>
>> List of active sessions:
>> RDR 10.0.10.4       80    <- -> 79.69.59.49     6188  [65.45.227.95
>> 2698]
>> MAP 10.0.10.6       1857  <- -> 79.69.59.49     1857
>> [216.155.193.144 5050]
>>
>> Nothing happens. No ipf.log records on gateway box and
>> no ipf.log records on the LAN web server box.
>> There is firewall rule to log & pass from any to 10.0.10.4 port = 80
>> keep state
>> And any packet that does not match a firewall rule get logged and
>> dropped.
> 
> Please post your filter ruleset also.
> 
> Erik


-- 
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
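The ordering point made in the reply (rdr translation happens before the inbound filter rules run, so the filter must match the post-translation destination, and a quick rule ends evaluation) can be checked with a small model of ipfilter's inbound path. This is an added example, not code from the mailing-list thread or from ipfilter itself: it parses only the subset of ipf.conf syntax used in the sample rules, the addresses 198.51.100.7 (client) and 203.0.113.1 (external address) are constructed documentation-range values, and the "reordered" ruleset is an assumed correction (the pass rule for 10.0.10.4 port 80 moved ahead of the port-80 block) that the reply implies but does not spell out.

```python
"""Model of ipfilter's inbound packet path: 'rdr' NAT rewrites the destination
before the 'in' filter rules run, and rules are last-match unless 'quick'.
Constructed example; the parser covers only the ipf.conf subset used below."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def apply_rdr(pkt, rdr_rules):
    """Inbound rdr: rewrite destination address/port before any filtering, as ipnat does."""
    for iface, port, to_addr, to_port, proto in rdr_rules:
        if (iface, proto, port) == (pkt.iface, pkt.proto, pkt.dport):
            return replace(pkt, dst=to_addr, dport=to_port)
    return pkt


def parse_rule(text):
    """Parse 'pass|block [log] [quick] in|out on IF [proto P] [from A [port = N]] [to B [port = N]] ...'."""
    t = text.split()
    r = {"text": text, "action": t[0], "quick": False, "dir": None, "iface": None,
         "proto": None, "src": "any", "dst": "any", "sport": None, "dport": None}
    side, i = "dst", 1
    while i < len(t):
        tok = t[i]
        if tok in ("log", "all"):
            i += 1
        elif tok == "quick":
            r["quick"] = True; i += 1
        elif tok in ("in", "out"):
            r["dir"] = tok; i += 1
        elif tok in ("on", "proto"):
            r["iface" if tok == "on" else "proto"] = t[i + 1]; i += 2
        elif tok in ("from", "to"):
            side = "src" if tok == "from" else "dst"   # a following 'port' belongs to this side
            r[side] = t[i + 1]; i += 2
        elif tok == "port" and t[i + 1] == "=":
            r["sport" if side == "src" else "dport"] = int(t[i + 2]); i += 3
        elif tok == "flags" or (tok == "keep" and t[i + 1] == "state"):
            i += 2   # 'flags S' / 'keep state' do not change which rule a first SYN hits
        else:
            raise ValueError(f"unsupported token {tok!r} in rule: {text}")
    return r


def addr_match(spec, addr):
    """'any', a host or CIDR, or a '!'-negated host/CIDR, as in ipf.conf."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def rule_matches(r, pkt, direction):
    return (r["dir"] == direction and r["iface"] == pkt.iface
            and (r["proto"] is None or pkt.proto in r["proto"].split("/"))
            and addr_match(r["src"], pkt.src) and addr_match(r["dst"], pkt.dst)
            and r["sport"] in (None, pkt.sport) and r["dport"] in (None, pkt.dport))


def filter_packet(rules, pkt, direction):
    """ipfilter semantics: the last matching rule wins, unless a matching rule is 'quick'."""
    verdict, hit = "pass", None   # no rule matching at all means pass by default
    for r in rules:
        if rule_matches(r, pkt, direction):
            verdict, hit = r["action"], r["text"]
            if r["quick"]:
                break
    return verdict, hit


def inbound(rule_texts, rdr_rules, pkt):
    """Packet arriving on an interface: rdr translation first, then the 'in' rules."""
    rules = [parse_rule(x) for x in rule_texts]
    translated = apply_rdr(pkt, rdr_rules)
    return (translated.dst, translated.dport) + filter_packet(rules, translated, "in")


RDR = [("rl0", 6188, "10.0.10.4", 80, "tcp")]   # rdr rl0 0.0.0.0/0 port 6188 -> 10.0.10.4 port 80 tcp

# Relevant inbound rules, in the order the original ruleset lists them.
ORIGINAL_ORDER = [
    "block in quick on rl0 from 192.168.0.0/16 to any",
    "block in quick on rl0 proto tcp/udp from any to any port = 22",
    "block in quick on rl0 proto tcp/udp from any to any port = 80",
    "pass in log quick on rl0 proto tcp from any to any port = 6188 flags S keep state",
    "pass in log quick on rl0 proto tcp from any to 10.0.10.4 port = 80 flags S keep state",
    "block in log quick on rl0 all",
]
# Assumed correction: the pass rule for the post-rdr destination precedes the port-80 block.
REORDERED = [ORIGINAL_ORDER[i] for i in (0, 1, 4, 2, 5)]

# Constructed SYN from an internet client to the gateway's external address, port 6188.
CLIENT_SYN = Packet("rl0", "tcp", "198.51.100.7", 2698, "203.0.113.1", 6188)


def demo_original():
    return inbound(ORIGINAL_ORDER, RDR, CLIENT_SYN)


def demo_reordered():
    return inbound(REORDERED, RDR, CLIENT_SYN)


if __name__ == "__main__":
    for name, fn in (("original", demo_original), ("reordered", demo_reordered)):
        dst, dport, verdict, hit = fn()
        print(f"{name}: after rdr -> {dst}:{dport}, {verdict} by: {hit}")
```

Running it shows the SYN already rewritten to 10.0.10.4:80 when filtering starts, so the quick block on port 80 wins in the original order and the "port = 6188" pass rule can never see a matching packet; only the reordered set lets the redirected connection through to the LAN web server.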

