firewalls' behavior help

efrenba at dhl.gcc.cu efrenba at dhl.gcc.cu
Mon Jul 3 17:30:39 UTC 2006


Box: FreeBSD 6.0, ipf: IP Filter: v4.1.8 (416), Kernel: IP Filter: v4.1.8

Network layout:
---------------
other building [ PCs - 192.168.80.0/24 ]
 |
 g1 (ipf - vr0:192.168.80.2 <-> sis0:10.10.10.13)
 |
My Lan ( 10.10.10.0/24 )

[ PCs (DefaultGw = g2) ]

[ MailSrv (10.10.10.12) (pop3/smtp/ssh) (DefaultGw = g2) ]

[ WebSrv (10.10.10.11) (http) (DefaultGw = g1) ]
 |
 g2
 |
Internet


ipnat.rules
-----------
map vr0 10.10.10.0/24 -> 192.168.80.2/32 proxy port 21 ftp/tcp
map vr0 10.10.10.0/24 -> 192.168.80.2/32

rdr vr0 192.168.80.2/32 port 80 -> 10.10.10.11 port 80 tcp
rdr vr0 192.168.80.2/32 port 22 -> 10.10.10.12 port 22 tcp
rdr vr0 192.168.80.2/32 port 25 -> 10.10.10.12 port 25 tcp
rdr vr0 192.168.80.2/32 port 110 -> 10.10.10.12 port 110 tcp


ipf.rules
---------
### No restrictions inside LAN Interface ###
pass out quick on sis0 all
pass in quick on sis0 all

### No restrictions on Loopback Interface ###
pass out quick on lo0 all
pass in quick on lo0 all

### Allow out DNS queries ###
pass out quick on vr0 proto tcp from any to 192.168.10.5 port = 53 flags S keep state
pass out quick on vr0 proto udp from any to 192.168.10.5 port = 53 keep state


### Allow IE out ###
pass out quick on vr0 proto tcp from any to any port = 80 flags S keep state

### Allow Squid Access out ###
pass out quick on vr0 proto tcp from any to any port = 3128 flags S keep state
pass out quick on vr0 proto tcp from any to any port = 3130 flags S keep state

### Allow FTP out ###
pass out quick on vr0 proto tcp from any to any port = 21 flags S keep state

### Allow Remote Desktop to WinXP external PCs ###
pass out quick on vr0 proto tcp from any to any port = 3389 flags S keep state

### Allow MailServer to Deliver mails ###
pass out quick on vr0 proto tcp from any to any port = 25 flags S keep state


### Block and Log only first occurrence of everything ###
block out log first quick on vr0 all


### Block all inbound traffic from non-routable or reserved address spaces
...



### Allow in ssh session from other building ###
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state

### Allow in HTTP session from public to Internal MailServer ###
pass in quick on vr0 proto tcp from any to any port = 80 flags S keep state

### Allow in SMTP access to Internal Mail Server ###
pass in quick on vr0 proto tcp from any to any port = 25 flags S keep state

### Allow in POP3 access to Internal Mail Server ###
pass in quick on vr0 proto tcp from any to any port = 110 flags S keep state


### Block and log only first occurrence of all remaining traffic ###
block in log first quick on vr0 all


The situation:
--------------
...if the server (MailSrv) is redirected to G1, the users are able to
connect to the services. To be sure about it, I redirected the
server (WebSrv) with Apache, which before was pointing to G1, to G2 (Internet),
and the access was broken for the other building...

Why does this happen?





> If I understand your description, it could be mapped like this:
>
> net1 is the other building's network
> net1pc1 .. net1pcN
>
> net2 is your network
> net2pc1 .. net2pcN
> net2server1 .. net2server3
>
> g1 == net1,net2
> g2 == net2,Internet
>
> Assumptions:
> net1 and net2 are private
> the default gateway for g1 is g2
> g1 is using a map rule to nat net1 hosts to net2
> the default gateway for g2 is on the Internet
> g2 is using a map rule to nat net2 hosts to the Internet
>
> If a net1 PC connects through g1, it would be mapped as coming from g1.
> Since g1 is on net2, and g2 can route to net2, the servers using g2 as
> the default route should have no problem.  My assumptions may be false.
> Would you post the g1 and g2 ipf.conf and ipnat.conf, and specify what
> the net1 and net2 CIDRs are?
>
> Thank you,
>
> Ben
>
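The asymmetric return path at play here, as an added example that is not from the thread (a constructed Python model, not ipf code): g1's rdr rules rewrite only the destination, so the server's reply to a 192.168.80.x client follows the server's own routing table, and a host whose default gateway is g2 sends that reply past g1, which then never gets to reverse the translation. The static route modelled at the end (192.168.80.0/24 via 10.10.10.13 on the server) is an assumed remedy, as is the assumption that g2 has no route back to the other building.

```python
import ipaddress

NET2 = ipaddress.ip_network("10.10.10.0/24")    # "My Lan"
G1_EXT, G1_INT = "192.168.80.2", "10.10.10.13"   # g1's vr0 and sis0 addresses
G2 = "g2"                                        # Internet gateway (assumed: no route to net1)
# Destination-only rewrites taken from the post's rdr rules
RDR = {80: "10.10.10.11", 22: "10.10.10.12", 25: "10.10.10.12", 110: "10.10.10.12"}
NAT_STATE = {}  # g1's translation state: (server_ip, port, client_ip) -> True

def g1_inbound(client_ip, port):
    """g1 applies rdr: the destination becomes the internal server, the source is untouched."""
    server = RDR[port]
    NAT_STATE[(server, port, client_ip)] = True
    return client_ip, server

def server_next_hop(client_ip, default_gw, static_routes=None):
    """Where the server sends its reply: on-link, a matching static route, or the default gateway."""
    ip = ipaddress.ip_address(client_ip)
    if ip in NET2:
        return client_ip
    for net, gw in (static_routes or {}).items():
        if ip in ipaddress.ip_network(net):
            return gw
    return default_gw

def g1_outbound(server_ip, port, client_ip):
    """g1 can only undo the rdr (restore 192.168.80.2 as the source) if the reply passes through it."""
    if NAT_STATE.get((server_ip, port, client_ip)):
        return G1_EXT
    return None

def connection_works(client_ip, port, server_gw, static_routes=None):
    """True if the other building's client gets a reply it can match to its request."""
    src, server = g1_inbound(client_ip, port)
    hop = server_next_hop(src, server_gw, static_routes)
    if hop == G1_INT:
        return g1_outbound(server, port, src) == G1_EXT
    # The reply left via g2, which holds no rdr state for this flow: the client
    # never sees a packet from 192.168.80.2 and the connection hangs.
    return False

if __name__ == "__main__":
    print("WebSrv  (gw g1), port 80:", connection_works("192.168.80.50", 80, G1_INT))  # True
    print("MailSrv (gw g2), port 25:", connection_works("192.168.80.50", 25, G2))      # False
    print("MailSrv + static route  :", connection_works("192.168.80.50", 25, G2, {"192.168.80.0/24": G1_INT}))  # True
```

A stateful firewall log on g1 makes the same symptom visible: inbound SYNs to the rdr'd ports create state, but no matching reply ever crosses sis0 for the servers that default to g2.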

