FBSD 6.0 ipfilter nat redirect not working.
fbsd_user
fbsd_user at a1poweruser.com
Wed Mar 29 13:01:24 UTC 2006
Here are the complete firewall rules
#################################################################
# No restrictions on Inside Lan Interface for private network
#################################################################
pass out quick on xl0 all # production server config
pass in quick on xl0 all # production server config
#################################################################
# No restrictions on Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all
#################################################################
# Interface facing Public internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public internet.
#################################################################
# Allow out access to my ISP's Domain name server.
pass out quick on rl0 proto tcp from any to xx.168.240.5 port = 53 flags S keep state
pass out quick on rl0 proto udp from any to xx.168.240.5 port = 53 keep state
pass out quick on rl0 proto tcp from any to xx.168.240.2 port = 53 flags S keep state
pass out quick on rl0 proto udp from any to xx.168.240.2 port = 53 keep state
# Allow out access to my ISP's DHCP server for cable or DSL networks.
pass out quick on rl0 proto udp from any to xx.173.0.1 port = 67 keep state
pass out quick on rl0 proto udp from any to xx.39.64.1 port = 67 keep state
# Allow out non-secure standard www function
pass out quick on rl0 proto tcp from any to any port = 80 flags S keep state
# Allow out secure www function https over TLS SSL
pass out quick on rl0 proto tcp from any to any port = 443 flags S keep state
# Allow out send & get email function
pass out quick on rl0 proto tcp from any to any port = 25 flags S keep state
pass out quick on rl0 proto tcp from any to any port = 110 flags S keep state
# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
pass out quick on rl0 proto tcp from any to any port = 22 flags S keep state
# Allow out non-secure Telnet
pass out log quick on rl0 proto tcp from any to any port = 23 flags S keep state
# Allow out FBSD CVSUP function
pass out quick on rl0 proto tcp from any to any port = 5999 flags S keep state
# Allow out all icmp to public Internet
pass out quick on rl0 proto icmp from any to any keep state
# Allow out whois for LAN PC to public Internet
pass out quick on rl0 proto tcp from any to any port = 43 flags S keep state
# Block and log only the first occurrence of everything
# else that's trying to get out.
# This rule enforces the block all by default logic.
#block out log first quick on rl0 all
block out log quick on rl0 all
#################################################################
# Interface facing Public internet (Inbound Section)
# Interrogate packets originating from the public internet
# destined for this gateway server or the private network.
#################################################################
# Block all inbound traffic from non-routable or reserved address spaces
block in quick on rl0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in quick on rl0 from 172.16.0.0/12 to any #RFC 1918 private IP
block in quick on rl0 from 10.0.0.0/8 to any #RFC 1918 private IP
block in quick on rl0 from 127.0.0.0/8 to any #loopback
block in quick on rl0 from 0.0.0.0/8 to any #loopback
block in quick on rl0 from 169.254.0.0/16 to any #DHCP auto-config
block in quick on rl0 from 192.0.2.0/24 to any #reserved for docs
block in quick on rl0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on rl0 from 224.0.0.0/3 to any #Class D & E multicast
##### Block a bunch of different nasty things. ############
# That I don't want to see in the log
# Block frags
#block in log quick on rl0 all with frags
block in quick on rl0 all with frags
# Block short tcp packets
#block in log quick on rl0 proto tcp all with short
block in quick on rl0 proto tcp all with short
# block source routed packets
#block in log quick on rl0 all with opt lsrr
#block in log quick on rl0 all with opt ssrr
block in quick on rl0 all with opt lsrr
block in quick on rl0 all with opt ssrr
# Block nmap OS fingerprint attempts
block in quick on rl0 proto tcp from any to any flags FUP
# Block anything with special options
#block in log quick on rl0 all with ipopts
block in quick on rl0 all with ipopts
# Block public pings
block in quick on rl0 proto icmp all icmp-type 8
# Block ident
block in quick on rl0 proto tcp from any to any port = 113
# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in quick on rl0 proto tcp/udp from any to any port = 137
block in quick on rl0 proto tcp/udp from any to any port = 138
block in quick on rl0 proto tcp/udp from any to any port = 139
block in quick on rl0 proto tcp/udp from any to any port = 81
# Block all ftp attempts to login so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 21
# Block all SSH attempts to login so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 22
# Block all telnet attempts to login so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 23
# Block all www attempts so count will show in daily cron rpt
block in quick on rl0 proto tcp/udp from any to any port = 80
# Block all secure www attempts so count will show in daily cron rpt
block in quick on rl0 proto tcp from any to any port = 443
# Block all smtp email server attempts so count will show in daily cron rpt
block in quick on rl0 proto tcp from any to any port = 25
# block range of Trojan udp ports 1021 thru 1039
# so count will show in daily cron rpt
block in quick on rl0 proto udp from any to any port 1020 >< 1040
# block Trojan scan port
block in quick on rl0 proto tcp from any port = 6000 to any
# Allow traffic in from ISP's DHCP server.
pass in quick on rl0 proto udp from xx.173.0.1 port = 67 to any keep state
pass in quick on rl0 proto udp from xx.39.64.1 port = 67 to any keep state
# Allow traffic in from ISP's DNS server.
pass in quick on rl0 proto udp from xx.168.240.5 port = 53 to any keep state
pass in quick on rl0 proto udp from xx.168.240.2 port = 53 to any keep state
# Allow in testing www function because I have apache server on lan
pass in log quick on rl0 proto tcp from any to any port = 6188 flags S keep state
pass in log quick on rl0 proto tcp from any to 10.0.10.4 port = 80 flags S keep state
# Block all udp traffic
block in log quick on rl0 proto udp all
#block in quick on rl0 proto udp all
# Block and log only first occurrence of all remaining traffic
# coming into the firewall.
# This rule enforces the block all by default logic.
#block in quick on rl0 all
block in log quick on rl0 all
-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Erik Norgaard
Sent: Wednesday, March 29, 2006 2:54 AM
To: fbsd_user at a1poweruser.com
Cc: freebsd-questions at FreeBSD.ORG
Subject: Re: FBSD 6.0 ipfilter nat redirect not working.
fbsd_user wrote:
> # /root >ipnat -l
> List of active MAP/Redirect filters:
> map rl0 10.0.10.0/29 -> 0.0.0.0/32 proxy port ftp ftp/tcp
> map rl0 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
> map rl0 10.0.10.0/29 -> 0.0.0.0/32
> rdr rl0 0.0.0.0/0 port 6188 -> 10.0.10.4 port 80 tcp
>
> List of active sessions:
> RDR 10.0.10.4 80 <- -> 79.69.59.49 6188 [65.45.227.95 2698]
> MAP 10.0.10.6 1857 <- -> 79.69.59.49 1857 [216.155.193.144 5050]
>
> Nothing happens. No ipf.log records on gateway box and
> no ipf.log records on the LAN web server box.
> There is a firewall rule to log & pass from any to 10.0.10.4 port = 80 keep state
> And any packet that does not match a firewall rule gets logged and dropped.
Please post your filter ruleset also.
Erik
--
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
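An added example, not from the thread or either poster: a small Python simulator of ipfilter's first-match rule evaluation, run over a constructed subset of the posted inbound rl0 rules together with the rdr entry from the "ipnat -l" output above. It assumes ipfilter's documented ordering (an inbound rdr translation is applied before the inbound filter rules see the packet) and a placeholder public address for the gateway (the real one is masked as "xx." in the post); it reports which rule a packet to port 6188 hits before and after translation, and whether that rule logs.

```python
import ipaddress
import re

# Constructed subset of the thread's inbound rl0 rules, in the order they were posted.
RULES_TEXT = """
block in quick on rl0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in quick on rl0 proto tcp/udp from any to any port = 80
pass in log quick on rl0 proto tcp from any to any port = 6188 flags S keep state
pass in log quick on rl0 proto tcp from any to 10.0.10.4 port = 80 flags S keep state
block in log quick on rl0 all
"""
# The rdr entry from the thread's "ipnat -l" output: (iface, proto, dport) -> (new dst, new port)
RDR = {("rl0", "tcp", 6188): ("10.0.10.4", 80)}
# Constructed packet: client address from the thread's session list, placeholder gateway address.
SAMPLE_PKT = {"dir": "in", "iface": "rl0", "proto": "tcp",
              "src": "79.69.59.49", "dst": "203.0.113.1", "dport": 6188}
RULE_RE = re.compile(r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?P<log>\s+log)?(?P<quick>\s+quick)?"
                     r"\s+on\s+(?P<iface>\S+)(?:\s+proto\s+(?P<proto>\S+))?")
ADDR_RE = re.compile(r"from\s+(\S+)(?:\s+port\s*=\s*\d+)?\s+to\s+(\S+)(?:\s+port\s*=\s*(\d+))?")
def parse_rules(text):
    """Parse the ipf subset used above; 'flags', 'keep state' and 'with ...' are ignored."""
    rules = []
    for line in filter(None, (ln.split("#")[0].strip() for ln in text.splitlines())):
        m, a = RULE_RE.match(line), ADDR_RE.search(line)  # no from/to ("all") = any -> any
        rules.append({"action": m["action"], "dir": m["dir"], "log": bool(m["log"]),
                      "quick": bool(m["quick"]), "iface": m["iface"], "proto": m["proto"],
                      "src": a[1] if a else "any", "dst": a[2] if a else "any",
                      "dport": int(a[3]) if a and a[3] else None})
    return rules
def addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
def matches(r, p):
    return (r["dir"] == p["dir"] and r["iface"] == p["iface"]
            and (r["proto"] is None or p["proto"] in r["proto"].split("/"))
            and addr_ok(r["src"], p["src"]) and addr_ok(r["dst"], p["dst"])
            and (r["dport"] is None or r["dport"] == p["dport"]))
def evaluate(rules, p):
    """ipf semantics: the last matching rule wins unless a matching rule says 'quick'."""
    hit = None
    for i, r in enumerate(rules):
        if matches(r, p):
            hit = (i, r)
            if r["quick"]:
                break
    return hit  # None: nothing matched, and ipf's default is then to pass
def apply_rdr(p):
    """ipfilter rewrites an inbound rdr target before the inbound filter rules run."""
    t = RDR.get((p["iface"], p["proto"], p["dport"]))
    return p if t is None else {**p, "dst": t[0], "dport": t[1]}
```

Compare `evaluate(rules, SAMPLE_PKT)` with `evaluate(rules, apply_rdr(SAMPLE_PKT))`: the wire-level packet hits the logged pass rule for port 6188, while the translated packet that ipf actually filters hits the earlier, unlogged port 80 block, which is why nothing would appear in ipf.log.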