Still having IPFW/natd trouble

From: Materialised (materialised_at_privacy.net)
Date: 02/07/04


Date: Sat, 07 Feb 2004 01:36:36 +0000

Hi everyone, sorry about this repost, but I am in desperate need of help.
I have the following setup:

                                           Windows 2000 PC
                                          /
                                         /
                                        /
Cable Modem --> FreeBSD Box-->Network Hub
                                        \
                                         \
                                          \
                                           Redhat 8.0 Machine

I am running natd and ipfw. What I want to do is be able to forward a
port (telnet) to the redhat 8.0 machine. (I also need to forward some
windows ports, but I assume once I know how to do one I will be able to
do both.)

This is the contents of my /etc/natd.conf
cat /etc/natd.conf
interface sis0
redirect_port tcp 192.168.1.3:23 23

Upon boot, natd is started with the following options from rc.conf
natd_enable="YES"
natd_interface="sis0"
natd_flags="-f /etc/natd.conf"

This is the output of ipfw -a list
00100 42048 12347328 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny udp from 0.0.2.8 to me in via sis0
00500 0 0 deny ip from 198.168.1.0/24 to any in via sis0
00600 6414216 3693951270 divert 8668 ip from any to any via sis0
00700 0 0 divert 8668 tcp from any to me dst-port 23 in via sis0
00800 0 0 divert 8668 tcp from 198.168.1.3 5800 to any out via sis0
00900 4026829 2720037776 allow ip from any to any via sis1
01000 0 0 check-state
01100 2217718 1353948797 allow tcp from any to any established
01200 165678 90494058 allow tcp from any to any dst-port 80 out via sis0 setup keep-state
01300 4 200 allow tcp from any to any dst-port 22 out via sis0 setup keep-state
01400 11812 9352846 allow tcp from any to any dst-port 5999 out via sis0 setup keep-state
01500 0 0 allow gre from any to any keep-state
01600 15108 11242827 allow tcp from any to any dst-port 21 out via sis0 setup keep-state
01700 2062 85105 allow tcp from any to any dst-port 110 out via sis0 setup keep-state
01800 281 84861 allow tcp from any to any dst-port 25 out via sis0 setup keep-state
01900 4054 1574995 allow tcp from any to any dst-port 119 out via sis0 setup keep-state
02000 540 98453 allow tcp from any to any dst-port 443 out via sis0 setup keep-state
02100 4 200 allow tcp from any to any dst-port 37 out via sis0 setup keep-state
02200 4731 392272 allow udp from any to any dst-port 53 out via sis0 keep-state
02300 604 75399 allow udp from any 53 to any in via sis0 keep-state
02400 0 0 allow udp from any 123 to any dst-port 123 via sis0 keep-state
02500 0 0 allow udp from any 123 to any dst-port 123 in via sis0 keep-state
02600 1419 146926 allow icmp from any to any out via sis0 keep-state
02700 87899 17438844 allow tcp from any to any dst-port 5000-5200 out via sis0 keep-state
02800 0 0 allow tcp from any to any dst-port 6890-6900 in via sis0 keep-state
02900 11738 756948 allow tcp from any to any dst-port 1863 out via sis0 keep-state
03000 626 87152 allow log icmp from any to any icmptypes 0,3,4,8,11
03100 3356038 2165588807 allow tcp from any to any dst-port 0-65535 out via sis0 keep-state
03200 1836 292965 allow udp from any to any dst-port 0-65535 out via sis0 keep-state
03300 1850 74104 allow tcp from any to me dst-port 48000-50000 in via sis0 keep-state
03400 1081 31384 allow udp from any to me dst-port 48000-50000 in via sis0 keep-state
03500 0 0 allow tcp from any to me dst-port 5700-5703 in via sis0 keep-state
03600 1 40 allow udp from any to me dst-port 5700-5703 in via sis0 keep-state
03700 0 0 allow tcp from any to me dst-port 5700-5703 out via sis0 keep-state
03800 0 0 allow udp from any to me dst-port 5700-5703 out via sis0 keep-state
03900 0 0 allow tcp from any to me dst-port 3330 in via sis0 keep-state
04000 65 8031 allow tcp from any to me dst-port 20000-20004 in via sis0 keep-state
04100 16 812 allow tcp from any to me dst-port 10000 in via sis0 keep-state
04200 393 21170 allow tcp from any to me dst-port 113 in via sis0 keep-state
04300 2621 244056 allow log tcp from any to me dst-port 22 in via sis0 setup keep-state
04400 0 0 allow log tcp from any to me dst-port 23 in via sis0 setup keep-state
04500 598 36162 allow tcp from any to me dst-port 21 in via sis0 keep-state
04600 0 0 allow tcp from any to me dst-port 20 in via sis0 keep-state
04700 40 1760 allow tcp from any to me dst-port 49152-65535 in via sis0 keep-state
04800 40767 19081683 allow tcp from any to me dst-port 80 in via sis0 keep-state
04900 0 0 allow tcp from any to me dst-port 20 in via sis0 keep-state
05000 3335 2391005 allow tcp from any to me dst-port 25 in via sis0 keep-state
05100 690 33622 allow tcp from any to me dst-port 110 in via sis0 keep-state
05200 0 0 deny log ip from me to me in via sis0
05300 0 0 deny tcp from any to any dst-port 137-139 in via sis0
05400 1 48 deny tcp from any to any dst-port 3306 in via sis0
05500 4 192 deny tcp from any to any dst-port 6000 in via sis0
05600 67420 3252828 deny log tcp from any to any in via sis0 setup
05700 0 0 deny log tcp from any to any in via sis0
65535 221033 7828632 deny ip from any to any

And also here is the contents of my /etc/rc.firewall script

#!/bin/sh
# /etc/rc.firewall.log
#

###############################################################################
###############################################################################
#
# Setup system for firewall service.
#
###############################################################################
###############################################################################

# Set rules command prefix
# The -q option on the command is for quite mode.
# Do not display rules as they load. Remove during development to see.
fwcmd="/sbin/ipfw"

# set these to your outside interface network and netmask and ip
oif="sis0"

# set these to your inside interface network and netmask and ip
iif="sis1"
inet="198.168.1.1"
imask="255.255.255.0"
iip="198.168.1.1"

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

############
# mandatory
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

############
# open (for debug only)
#
#${fwcmd} add 65000 pass all from any to any

# Handle router 520 rip request
${fwcmd} add deny udp from $oisp 520 to me in via $oif

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
#${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

${fwcmd} add divert natd all from any to any via ${oif}

#NATD stuff
${fwcmd} add divert natd tcp from any to me 23 in via ${oif}
${fwcmd} add divert natd tcp from 198.168.1.3 5800 to any out via ${oif}

################################################################################
# interesting stuffs start beneath
        #
################################################################################
# exempt everything behind the firewall from this rules set
${fwcmd} add pass ip from any to any via sis1 # allow all internal traffic

#turn on statefull firewall
${fwcmd} add check-state

# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by an allow keep-state statement.
${fwcmd} add allow tcp from any to any established

# Deny IP fragments to pass through
#${fwcmd} add deny all from any to any frag

################################################################################
# allow outoing connexions to specified TCP ports
        #
################################################################################
# Allow setup of http to the outside
${fwcmd} add pass tcp from any to any 80 out via ${oif} setup keep-state

# Allow setup of ssh to the outside
${fwcmd} add pass tcp from any to any 22 out via ${oif} setup keep-state

# Allow setup of CVSUP to the outside
${fwcmd} add allow tcp from any to any 5999 out via ${oif} setup keep-state

# Allow GRE (IPSEC)
${fwcmd} add pass gre from any to any keep-state

# Allow setup of https to the outside
#${fwcmd} add pass tcp from any to any 443 out via ${oif} setup keep-state

# Allow setup of ftp to the outside
${fwcmd} add pass tcp from any to any 21 out via ${oif} setup keep-state
#${fwcmd} add pass tcp from any to any 49152-65535 out via ${oif} setup keep-state

# Allow setup of pop to the outside
${fwcmd} add pass tcp from any to any 110 out via ${oif} setup keep-state

# Allow setup of smtp to the outside
${fwcmd} add pass tcp from any to any 25 out via ${oif} setup keep-state

# Allow setup of news to the outside
${fwcmd} add pass tcp from any to any 119 out via ${oif} setup keep-state

# Allow setup of https to the outside
${fwcmd} add pass tcp from any to any 443 out via ${oif} setup keep-state

# Allow setup of time to the outside
${fwcmd} add pass tcp from any to any 37 out via ${oif} setup keep-state

# Allow DNS queries out to my ISP's DNSs
${fwcmd} add pass udp from any to any 53 out via ${oif} keep-state

# Allow answers to DNS queries from my ISP
${fwcmd} add pass udp from any 53 to any in via ${oif} keep-state

# Allow NTP queries out in the world
${fwcmd} add pass udp from any 123 to any 123 via ${oif} keep-state
# Allow answers to NTP queries from my NTP server
${fwcmd} add pass udp from any 123 to any 123 in via ${oif} keep-state

# Allow ICMP outbound
${fwcmd} add pass icmp from any to any out via ${oif} keep-state

# Allow some inbound icmps - echo reply, dest unreach, source quench,
# echo, ttl exceeded.
${fwcmd} add allow log icmp from any to any icmptypes 0,3,4,8,11

#Allow webmin access
${fwcmd} add allow tcp from any to me 10000 in via ${oif} keep-state

#IDENT
${fwcmd} add allow tcp from any to me 113 in via ${oif} keep-state

################################################################################
# allow incoming connections from the internet to those specified ports
        #
################################################################################
# Allow access to our SSH server
${fwcmd} add pass log tcp from any to me 22 in via ${oif} setup keep-state

#Allow telnet access
${fwcmd} add pass log tcp from any to any 23 in via ${oif} setup keep-state

# Allow access to our httpd
${fwcmd} add allow tcp from any to me 80 in via ${oif} keep-state
${fwcmd} add allow tcp from any to me 20 in via ${oif} keep-state

#Allow access to pop and sendmail
${fwcmd} add allow tcp from any to me 25 in via ${oif} keep-state
${fwcmd} add allow tcp from any to me 110 in via ${oif} keep-state

################################################################################
# default to catch all the rest #
################################################################################
# Reset all ident packets
#${fwcmd} add reset log tcp from any to me 113 in via ${oif}

# Stop & log spoofing Attack attempts.
# Examine incoming traffic for packets with both a source and destination
# IP address in my local domain as per CIAC prevention alert.
${fwcmd} add deny log ip from me to me in via $oif

# Reject peer-to-peer traffic incoming connections without logging
${fwcmd} add deny tcp from any to any 137-139 in via ${oif}
${fwcmd} add deny tcp from any to any 3306 in via ${oif}
${fwcmd} add deny tcp from any to any 6000 in via ${oif}
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Reject&Log all incoming datagrams from the outside
${fwcmd} add deny log tcp from any to any in via ${oif}

Sorry about the long posting, people, I figured if I provided as much
information as possible someone might help me with a solution. I have no
idea what my problem is here, and it is really stressing me out. I have
spent the last week lying in bed (albeit due to illness) constantly
googling for the answer to my problem, but the answer still eludes me.

I hope someone can help
Thanks
Mick
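To make rule order with natd concrete, here is an added walk-through (my code, not the post's or FreeBSD's) of how ipfw evaluates the inbound telnet SYN against the rules above: a matching divert hands the packet to natd, which rewrites the destination to the redirect_port target and re-injects it at the rule after the divert, so from then on only rules that match the LAN address (not `me`) can admit it. ME's public address 203.0.113.5 and the client address 198.51.100.7 are constructed; NATD, the inside address and the rule subset are taken from the post.

```python
import ipaddress

# Constructed: a hypothetical public IP on sis0, plus the inside IP from the post's script.
ME = {"203.0.113.5", "198.168.1.1"}
NATD = {("tcp", 23): "192.168.1.3"}   # post's natd.conf: redirect_port tcp 192.168.1.3:23 23
RULES = """
00600 divert 8668 ip from any to any via sis0
00700 divert 8668 tcp from any to me dst-port 23 in via sis0
04400 allow log tcp from any to me dst-port 23 in via sis0 setup keep-state
05600 deny log tcp from any to any in via sis0 setup
65535 deny ip from any to any
"""  # the post's rules an inbound telnet SYN on sis0 can reach; the others cannot match it
# Constructed inbound telnet SYN from the Internet to the box's public address.
SYN = dict(proto="tcp", src="198.51.100.7", dst="203.0.113.5", dport=23, dir="in", iface="sis0", syn=True)

def parse(line):
    t = line.split()                   # -> (number, action, proto, src, dst, options)
    i = 3 if t[1] == "divert" else 2   # divert rules carry the natd port before the proto
    i += t[i] == "log"
    return int(t[0]), t[1], t[i], t[i + 2], t[i + 4], t[i + 5:]

def addr_ok(spec, ip):
    if spec in ("any", "me"):
        return spec == "any" or ip in ME
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    _, _, proto, src, dst, opts = rule
    if proto not in ("ip", "all", pkt["proto"]) or not addr_ok(src, pkt["src"]) or not addr_ok(dst, pkt["dst"]):
        return False
    it = iter(opts)
    for o in it:                       # every option on the rule must hold; keep-state/log are ignored
        if o == "dst-port":
            lo, _, hi = next(it).partition("-")
            if not int(lo) <= pkt["dport"] <= int(hi or lo): return False
        elif o in ("in", "out") and o != pkt["dir"]: return False
        elif o == "via" and next(it) != pkt["iface"]: return False
        elif o == "setup" and not pkt["syn"]: return False    # setup = SYN without ACK
    return True

def walk(rules_text, pkt):
    """First allow/deny the packet hits, as (rule number, action, destination at that point)."""
    for rule in map(parse, rules_text.strip().splitlines()):
        if not matches(rule, pkt):
            continue
        if rule[1] != "divert":
            return rule[0], rule[1], pkt["dst"]
        if pkt["dst"] in ME:           # natd rewrites dst per redirect_port; ipfw resumes at the next rule
            pkt = dict(pkt, dst=NATD.get((pkt["proto"], pkt["dport"]), pkt["dst"]))
```

With the post's rules `walk(RULES, SYN)` returns `(5600, 'deny', '192.168.1.3')`: the SYN is diverted at 00600, comes back with the LAN address as destination, no longer matches the `to me` in 04400 and is dropped by 05600. A rule placed after the divert that allows tcp to 192.168.1.3 port 23 in via sis0 setup is what the translated packet would match instead.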
