svn commit: r44088 - head/en_US.ISO8859-1/books/handbook/firewalls

Dru Lavigne dru at FreeBSD.org
Thu Feb 27 18:05:03 UTC 2014


Author: dru
Date: Thu Feb 27 18:05:03 2014
New Revision: 44088
URL: http://svnweb.freebsd.org/changeset/doc/44088

Log:
  Start to clarify the NAT ruleset by comparing it to the
  previous example.
  The next commit will finish describing the rule modifications
  and what to watch out for so that NAT works.
  
  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Thu Feb 27 16:56:07 2014	(r44087)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Thu Feb 27 18:05:03 2014	(r44088)
@@ -2039,7 +2039,7 @@ pif="dc0"     # interface name of NIC at
       <para>The next rule allows the packet through if it matches an
 	existing entry in the dynamic rules table:</para>
 
-      <programlisting>$cmd 00015 check-state</programlisting>
+      <programlisting>$cmd 00101 check-state</programlisting>
 
       <para>The next set of rules defines which stateful connections
 	internal systems can create to hosts on the Internet:</para>
@@ -2157,52 +2157,45 @@ pif="dc0"     # interface name of NIC at
 	<application>IPFW</application> to provide network address
 	translation.  This can be used to provide an Internet
 	Connection Sharing solution so that several internal computers
-	can connect to the Internet using <acronym>IP</acronym>
+	can connect to the Internet using a single <acronym>IP</acronym>
 	address.</para>
 
       <para>To do this, the &os; machine connected to the Internet
-	must act as a gateway.  This gateway machine must have two
-	<acronym>NIC</acronym>s: one connects to the Internet router
-	and the other connects to a <acronym>LAN</acronym>.  All the
-	machines on the <acronym>LAN</acronym> are connected through
-	a hub or switch.</para>
-
-      <para>Each machine and interface behind the
-	<acronym>LAN</acronym> should be assigned
-	<acronym>IP</acronym> addresses in the private network space,
+	must act as a gateway.  This system must have two
+	<acronym>NIC</acronym>s, where one is connected to the Internet
+	and the other is connected to the internal <acronym>LAN</acronym>.  All the
+	machines connected to the <acronym>LAN</acronym> should be assigned
+	an <acronym>IP</acronym> addresses in the private network space,
 	as defined by <link
 	  xlink:href="ftp://ftp.isi.edu/in-notes/rfc1918.txt">RFC
-	  1918</link>, and have a default gateway of the
-	&man.natd.8; machine's internal <acronym>IP</acronym>
+	  1918</link>, and have their default gateway set to the
+	&man.natd.8; system's internal <acronym>IP</acronym>
 	address.</para>
 
       <para>Some additional configuration is needed in order to
 	activate the <acronym>NAT</acronym> function of
 	<application>IPFW</application>.  If the system has a custom
 	kernel, the kernel configuration file needs to include
-	<literal>option IPDIVERT</literal> with the other
+	<literal>option IPDIVERT</literal> along with the other
 	<literal>IPFIREWALL</literal> options.</para>
 
-      <para>To enable firewall and <acronym>NAT</acronym> support at
+      <para>To enable <acronym>NAT</acronym> support at
 	boot time, the following must be in
 	<filename>/etc/rc.conf</filename>:</para>
 
-      <programlisting>gateway_enable="YES"	# enables the gateway function
-natd_enable="YES"                   # enables the <acronym>NAT</acronym> function
-natd_interface="rl0"                # specify interface name of NIC attached to Internet
-natd_flags="-dynamic -m"            # -m = preserve port numbers if possible</programlisting>
+      <programlisting>gateway_enable="YES"		# enables the gateway
+natd_enable="YES"		# enables <acronym>NAT</acronym>
+natd_interface="rl0"		# specify interface name of NIC attached to Internet
+natd_flags="-dynamic -m"	# -m = preserve port numbers; additional options are listed in &man.natd.8;</programlisting>
 
       <note>
-	<para>It is also possible to use a configuration file for
-	  &man.natd.8; when there are too many options to pass.  In
-	  this case, the configuration file must be defined by adding
-	  the following line to
-	  <filename>/etc/rc.conf</filename>:</para>
+	<para>It is also possible to specify a configuration file which
+	  contains the options to pass to &man.natd.8;:</para>
 
 	<programlisting>natd_flags="-f /etc/natd.conf"</programlisting>
 
-	<para>A list of configuration options, one per line, can be
-	  added to <filename>/etc/natd.conf</filename>.  For
+	<para>The specified file must contain a list of configuration
+	  options, one per line.  For
 	  example:</para>
 
 	<programlisting>redirect_port tcp 192.168.0.2:6667 6667
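Review bot: grammar slip on the replaced line `an <acronym>IP</acronym> addresses`, which should read `an <acronym>IP</acronym> address`. Two smaller points: the kernel configuration keyword is `options`, so `<literal>option IPDIVERT</literal>` (carried over from the old text) should read `options IPDIVERT`; and the comment on the `natd_flags` line now embeds the `&man.natd.8;` entity inside a `<programlisting>`, so the rendered man page reference ends up in text the reader is meant to copy into rc.conf; consider moving that pointer into the surrounding prose instead.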
@@ -2212,18 +2205,50 @@ redirect_port tcp 192.168.0.3:80 80</pro
 	  consult &man.natd.8;.</para>
       </note>
 
-      <para>Utilizing stateful rules with a <literal>divert
-	  natd</literal> rule complicates the ruleset logic.  The
-	positioning of the <literal>check-state</literal>, and
-	<literal>divert natd</literal> rules in the ruleset is
-	critical and a new action type is used, called
-	<literal>skipto</literal>.  When using
-	<literal>skipto</literal>, it is mandatory that each rule is
-	numbered, so that the <literal>skipto</literal> rule knows
+      <para>Next, add the <acronym>NAT</acronym> rules to the firewall
+	ruleset.  When the rulest contains stateful rules, the
+	positioning of the <acronym>NAT</acronym> rules is
+	critical and the <literal>skipto</literal> action is used.
+	The
+	<literal>skipto</literal> action requires a rule number
+	so that it knows
 	which rule to jump to.</para>
 
-      <para>The following is an uncommented example of a ruleset
-	which explains the sequence of the packet flow.</para>
+      <para>The following example builds upon the firewall ruleset
+	shown in the previous section.  It adds some additional
+	entries and modifies some existing rules in order to configure
+	the firewall for <acronym>NAT</acronym>.  It starts by
+	adding some additional variables which represent the rule
+	number to skip to, the <literal>keep-state</literal> option,
+	and a list of <acronym>TCP</acronym> ports which will be
+	used to reduce the number of rules:</para>
+
+      <programlisting>#!/bin/sh
+cmd="ipfw -q add"
+skip="skipto 500"
+pif=rl0
+ks="keep-state"
+good_tcpo="22,25,37,43,53,80,443,110,119"
+
+ipfw -q -f flush</programlisting>
+
+      <para>The <acronym>NAT</acronym> rule is inserted
+	<emphasis>after</emphasis> the two rules which allow all
+	traffic on the trusted internal interface and on the loopback
+	interface and <emphasis>before</emphasis> the
+	<literal>check-state</literal> rule.  It is important that the
+	rule number selected for the <acronym>NAT</acronym> rule, in
+	this example <literal>100</literal>, is higher than the first
+	two rules and lower than the <literal>check-state</literal>
+	rule:</para>
+
+      <programlisting>$cmd 005 allow all from any to any via xl0  # exclude LAN traffic
+$cmd 010 allow all from any to any via lo0  # exclude loopback traffic
+
+# NAT any inbound packets
+$cmd 100 divert natd ip from any to any in via $pif
+# Allow the packet through if it has an existing entry in the dynamic rules table
+$cmd 101 check-state</programlisting>
 
       <para>The processing flow starts with the first rule from the
 	top of the ruleset and progresses one rule at a time until
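Review bot: typo on the line `ruleset.  When the rulest contains stateful rules`; `rulest` should be `ruleset`. Also, the new listing hard-codes the LAN interface as `xl0` in rules 005 and 010 while the public interface is parameterised as `pif=rl0`; since the prose describes these as the two rules that allow all traffic on the trusted internal interface, either add a second variable for the LAN NIC or state in the paragraph that `xl0` must be replaced with the reader's internal interface name, otherwise the example silently passes nothing for anyone whose LAN card is not xl0.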
@@ -2290,24 +2315,7 @@ redirect_port tcp 192.168.0.3:80 80</pro
 	<acronym>NAT</acronym>ing and released to the outbound
 	interface.</para>
 
-      <para>Example Ruleset #1:</para>
-
-      <programlisting>#!/bin/sh
-cmd="ipfw -q add"
-skip="skipto 500"
-pif=rl0
-ks="keep-state"
-good_tcpo="22,25,37,43,53,80,443,110,119"
-
-ipfw -q -f flush
-
-$cmd 002 allow all from any to any via xl0  # exclude LAN traffic
-$cmd 003 allow all from any to any via lo0  # exclude loopback traffic
-
-$cmd 100 divert natd ip from any to any in via $pif
-$cmd 101 check-state
-
-# Authorized outbound packets
+<programlisting># Authorized outbound packets
 $cmd 120 $skip udp from any to xx.168.240.2 53 out via $pif $ks
 $cmd 121 $skip udp from any to xx.168.240.5 53 out via $pif $ks
 $cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
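Review bot: the `<programlisting>` opened on the line `+<programlisting># Authorized outbound packets` has no indentation, unlike the six-space `      <programlisting>` used elsewhere in this file, and with the `Example Ruleset #1:` heading removed it now follows the `released to the outbound interface.</para>` paragraph with no sentence introducing it. Add a short `<para>` before it (the log says the rule descriptions come in the next commit, but the listing should not dangle in the meantime), and have that text say that `xx.168.240.2` and `xx.168.240.5` in rules 120 and 121 are placeholders for the ISP's DNS servers, since the only explanation of those addresses lived in the commented ruleset this commit removes.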
@@ -2335,168 +2343,7 @@ ipfw -q -f flush
 
 # This is skipto location for outbound stateful rules
 $cmd 500 divert natd ip from any to any out via $pif
-$cmd 510 allow ip from any to any
-
-######################## end of rules  ##################</programlisting>
-
-      <para>The next example is functionally equivalent, but uses
-	descriptive comments to help the inexperienced IPFW rule
-	writer to better understand what the rules are doing.</para>
-
-      <para>Example Ruleset #2:</para>
-
-      <programlisting>#!/bin/sh
-################ Start of IPFW rules file ###############################
-# Flush out the list before we begin.
-ipfw -q -f flush
-
-# Set rules command prefix
-cmd="ipfw -q add"
-skip="skipto 800"
-pif="rl0"     # public interface name of NIC
-              # facing the public Internet
-
-#################################################################
-# No restrictions on Inside LAN Interface for private network
-# Change xl0 to your LAN NIC interface name
-#################################################################
-$cmd 005 allow all from any to any via xl0
-
-#################################################################
-# No restrictions on Loopback Interface
-#################################################################
-$cmd 010 allow all from any to any via lo0
-
-#################################################################
-# check if packet is inbound and nat address if it is
-#################################################################
-$cmd 014 divert natd ip from any to any in via $pif
-
-#################################################################
-# Allow the packet through if it has previous been added to the
-# the "dynamic" rules table by a allow keep-state statement.
-#################################################################
-$cmd 015 check-state
-
-#################################################################
-# Interface facing Public Internet (Outbound Section)
-# Check session start requests originating from behind the
-# firewall on the private network or from this gateway server
-# destined for the public Internet.
-#################################################################
-
-# Allow out access to my ISP's Domain name server.
-# x.x.x.x must be the IP address of your ISP's DNS
-# Dup these lines if your ISP has more than one DNS server
-# Get the IP addresses from /etc/resolv.conf file
-$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
-
-
-# Allow out access to my ISP's DHCP server for cable/DSL configurations.
-$cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state
-
-# Allow out non-secure standard www function
-$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
-
-# Allow out secure www function https over TLS SSL
-$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
-
-# Allow out send & get email function
-$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
-$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
-
-# Allow out FreeBSD (make install & CVSUP) functions
-# Basically give user root "GOD" privileges.
-$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
-
-# Allow out ping
-$cmd 080 $skip icmp from any to any out via $pif keep-state
-
-# Allow out Time
-$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state
-
-# Allow out nntp news (i.e., news groups)
-$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state
-
-# Allow out secure FTP, Telnet, and SCP
-# This function is using SSH (secure shell)
-$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state
-
-# Allow out whois
-$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state
-
-# Allow ntp time server
-$cmd 130 $skip udp from any to any 123 out via $pif keep-state
-
-#################################################################
-# Interface facing Public Internet (Inbound Section)
-# Check packets originating from the public Internet
-# destined for this gateway server or the private network.
-#################################################################
-
-# Deny all inbound traffic from non-routable reserved address spaces
-$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC 1918 private IP
-$cmd 301 deny all from 172.16.0.0/12   to any in via $pif  #RFC 1918 private IP
-$cmd 302 deny all from 10.0.0.0/8      to any in via $pif  #RFC 1918 private IP
-$cmd 303 deny all from 127.0.0.0/8     to any in via $pif  #loopback
-$cmd 304 deny all from 0.0.0.0/8       to any in via $pif  #loopback
-$cmd 305 deny all from 169.254.0.0/16  to any in via $pif  #DHCP auto-config
-$cmd 306 deny all from 192.0.2.0/24    to any in via $pif  #reserved for docs
-$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster
-$cmd 308 deny all from 224.0.0.0/3     to any in via $pif  #Class D & E multicast
-
-# Deny ident
-$cmd 315 deny tcp from any to any 113 in via $pif
-
-# Deny all Netbios service. 137=name, 138=datagram, 139=session
-# Netbios is MS/Windows sharing services.
-# Block MS/Windows hosts2 name server requests 81
-$cmd 320 deny tcp from any to any 137 in via $pif
-$cmd 321 deny tcp from any to any 138 in via $pif
-$cmd 322 deny tcp from any to any 139 in via $pif
-$cmd 323 deny tcp from any to any 81  in via $pif
-
-# Deny any late arriving packets
-$cmd 330 deny all from any to any frag in via $pif
-
-# Deny ACK packets that did not match the dynamic rule table
-$cmd 332 deny tcp from any to any established in via $pif
-
-# Allow traffic in from ISP's DHCP server. This rule must contain
-# the IP address of your ISP's DHCP server as it is the only
-# authorized source to send this packet type.
-# Only necessary for cable or DSL configurations.
-# This rule is not needed for 'user ppp' type connection to
-# the public Internet. This is the same IP address you captured
-# and used in the outbound section.
-$cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state
-
-# Allow in standard www function because I have Apache server
-$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
-
-# Allow in secure FTP, Telnet, and SCP from public Internet
-$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
-
-# Allow in non-secure Telnet session from public Internet
-# labeled non-secure because ID & PW are passed over public
-# Internet as clear text.
-# Delete this sample group if you do not have telnet server enabled.
-$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2
-
-# Reject & Log all unauthorized incoming connections from the public Internet
-$cmd 400 deny log all from any to any in via $pif
-
-# Reject & Log all unauthorized out going connections to the public Internet
-$cmd 450 deny log all from any to any out via $pif
-
-# This is skipto location for outbound stateful rules
-$cmd 800 divert natd ip from any to any out via $pif
-$cmd 801 allow ip from any to any
-
-# Everything else is denied by default
-# deny and log all packets that fell through to see what they are
-$cmd 999 deny log all from any to any
-################ End of IPFW rules file ###############################</programlisting>
+$cmd 510 allow ip from any to any</programlisting>
 
       <sect3>
 	<title>Port Redirection</title>
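Review bot: closing the surviving listing at `$cmd 510 allow ip from any to any` drops the explicit final `$cmd 999 deny log all from any to any` that the removed Example Ruleset #2 carried; with stateful outbound traffic jumping to 500/510, anything else that falls off the end of the ruleset now reaches the kernel default rule, so either keep a numbered deny-and-log catch-all in the remaining example or state in the prose that the IPFIREWALL default policy covers it. The removed ruleset was also the only place that explained the inbound deny block (RFC 1918 sources, `frag`, `established`) and the `limit src-addr 2` rules; if the surviving ruleset keeps equivalent rules, make sure the promised follow-up commit restores those explanations in prose rather than leaving the reader to infer them.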
