firewalls' behavior help

efrenba at dhl.gcc.cu efrenba at dhl.gcc.cu
Mon Jul 3 18:38:34 UTC 2006


Sorry,

this mail was for the ipfilter list...




> Box: FreeBSD 6.0, ipf: IP Filter: v4.1.8 (416), Kernel: IP Filter: v4.1.8
>
> Network layout:
> ---------------
> other building [ PCs - 192.168.80.0/24 ]
>  |
>  g1 (ipf - vr0:192.168.80.2 <-> sis0:10.10.10.13)
>  |
> My Lan ( 10.10.10.0/24 )
>
> [ PCs (DefaultGw = g2) ]
>
> [ MailSrv (10.10.10.12) (pop3/smtp/ssh) (DefaultGw = g2) ]
>
> [ WebSrv (10.10.10.11) (http) (DefaultGw = g1) ]
>  |
>  g2
>  |
> Internet
>
>
> ipnat.rules
> -----------
> map vr0 10.10.10.0/24 -> 192.168.80.2/32 proxy port 21 ftp/tcp
> map vr0 10.10.10.0/24 -> 192.168.80.2/32
>
> rdr vr0 192.168.80.2/32 port 80 -> 10.10.10.11 port 80 tcp
> rdr vr0 192.168.80.2/32 port 22 -> 10.10.10.12 port 22 tcp
> rdr vr0 192.168.80.2/32 port 25 -> 10.10.10.12 port 25 tcp
> rdr vr0 192.168.80.2/32 port 110 -> 10.10.10.12 port 110 tcp
>
>
> ipf.rules
> ---------
> ### No restrictions inside LAN Interface ###
> pass out quick on sis0 all
> pass in quick on sis0 all
>
> ### No restrictions on Loopback Interface ###
> pass out quick on lo0 all
> pass in quick on lo0 all
>
> ### Allow out DNS queries ###
> pass out quick on vr0 proto tcp from any to 192.168.10.5 port = 53 flags S keep state
> pass out quick on vr0 proto udp from any to 192.168.10.5 port = 53 keep state
>
>
> ### Allow IE out ###
> pass out quick on vr0 proto tcp from any to any port = 80 flags S keep state
>
> ### Allow Squid Access out ###
> pass out quick on vr0 proto tcp from any to any port = 3128 flags S keep state
> pass out quick on vr0 proto tcp from any to any port = 3130 flags S keep state
>
> ### Allow FTP out ###
> pass out quick on vr0 proto tcp from any to any port = 21 flags S keep state
>
> ### Allow Remote Desktop to WinXP external PCs ###
> pass out quick on vr0 proto tcp from any to any port = 3389 flags S keep state
>
> ### Allow MailServer to Deliver mails ###
> pass out quick on vr0 proto tcp from any to any port = 25 flags S keep state
>
>
> ### Block and Log only first occurrence of everything ###
> block out log first quick on vr0 all
>
>
> ### Block all inbound traffic from non-routable or reserved address spaces
> ...
>
>
>
> ### Allow in ssh session from other building ###
> pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
>
> ### Allow in HTTP session from public to Internal MailServer ###
> pass in quick on vr0 proto tcp from any to any port = 80 flags S keep state
>
> ### Allow in SMTP access to Internal Mail Server ###
> pass in quick on vr0 proto tcp from any to any port = 25 flags S keep state
>
> ### Allow in POP3 access to Internal Mail Server ###
> pass in quick on vr0 proto tcp from any to any port = 110 flags S keep state
>
>
> ### Block and log only first occurrence of all remaining traffic ###
> block in log first quick on vr0 all
>
>
> The situation:
> --------------
> ...if the server (MailSrv) is redirected to G1, the users are able to
> connect to the services. To be sure about it I redirected the
> server (WebSrv) with Apache, which before was pointing to G1, to G2 (internet),
> and access was broken for the other building...
>
> Why does this happen?
>
>
>
>
>
>> If I understand your description, it could be mapped like this:
>>
>> net1 is the other building's network
>> net1pc1 .. net1pcN
>>
>> net2 is your network
>> net2pc1 .. net2pcN
>> net2server1 .. net2server3
>>
>> g1 == net1,net2
>> g2 == net2,Internet
>>
>> Assumptions:
>> net1 and net2 are private
>> the default gateway for g1 is g2
>> g1 is using a map rule to nat net1 hosts to net2
>> the default gateway for g2 is on the Internet
>> g2 is using a map rule to nat net2 hosts to the Internet
>>
>> If a net1 PC connects through g1, it would be mapped as coming from g1.
>> Since g1 is on net2, and g2 can route to net2, the servers using g2 as
>> the default route should have no problem.  My assumptions may be false.
>> Would you post the g1 and g2 ipf.conf and ipnat.conf, and specify what
>> the net1 and net2 CIDR?
>>
>> Thank you,
>>
>> Ben
>>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
>


-- 
Efren Bravo
Sistemas DHL-Cuba
Telf-Pizarra: (537)-2041578 Ext 123
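As an added illustration (not code from the thread), a small Python model of the rdr translation g1 performs on port 80 traffic from the other building. It shows that the reply must come back through g1 for the translation to be reversed; the client address and the assumption that g2 forwards the server's reply untouched are constructed for the example.

```python
# Toy model of a stateful rdr on g1 (addresses from the thread's layout).
# The state table and g2's behaviour are simplifying assumptions, not ipnat
# internals.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

G1_PUBLIC = "192.168.80.2"
# rdr vr0 192.168.80.2/32 port 80 -> 10.10.10.11 port 80 tcp  (from the thread)
RDR = {80: ("10.10.10.11", 80), 22: ("10.10.10.12", 22),
       25: ("10.10.10.12", 25), 110: ("10.10.10.12", 110)}

class Gateway:
    """g1: applies rdr to packets arriving on vr0, reverses it on replies."""
    def __init__(self):
        self.state = {}  # (client, cport, server, sport) -> original dst port

    def inbound(self, pkt):  # packet from the other building hits vr0
        if pkt.dst != G1_PUBLIC or pkt.dport not in RDR:
            return None  # no rdr rule: falls through to the block rules
        srv, sport = RDR[pkt.dport]
        self.state[(pkt.src, pkt.sport, srv, sport)] = pkt.dport
        return replace(pkt, dst=srv, dport=sport)

    def reply(self, pkt):  # reply from a LAN server arriving on sis0
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.state:
            return None  # no NAT entry: cannot untranslate
        return replace(pkt, src=G1_PUBLIC, sport=self.state[key])

def session(server_gateway):
    """A client in the other building opens port 80; the server replies via
    its default gateway. Returns the reply packet as the client sees it."""
    g1 = Gateway()
    syn = Packet("192.168.80.50", 40000, G1_PUBLIC, 80)  # constructed client
    fwd = g1.inbound(syn)
    synack = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)
    if server_gateway == "g1":
        return g1.reply(synack)
    # assumption: g2 holds no rdr state and forwards the reply unchanged,
    # so the client receives a packet from 10.10.10.11 instead of g1
    return synack

def client_accepts(reply):
    """The client only matches a reply from the address and port it dialled."""
    return reply is not None and reply.src == G1_PUBLIC and reply.sport == 80
```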

