IPFilter/IPNat and rdr

From: steve (steve@clublinux.org)
Date: 07/08/01


Date: Sun, 08 Jul 2001 00:14:34 -0500
From: steve <steve@clublinux.org>
To: freebsd-security@freebsd.org

Hi,
        First off, I'm quite new to FreeBSD and I hope I chose the correct list
to mail to. In order to help teach myself FreeBSD, I'm recreating my
home firewall using FreeBSD (ipfilter/ipnat) instead of Linux
(ipchains). I'm using the 4.3 RELEASE of FreeBSD.
        I have a web server behind the firewall that I want to allow people to
access from the outside. After reading the IPFilter How-To, this seems
fairly easy:

ipnat.rules
-----------

rdr ep0 216.170.19.162/32 port 80 -> 192.168.1.100 port 80

ipfilter.rules
--------------

pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80 flags S keep state keep frags

However, because NAT occurs before the filtering, I can no longer have a
rule to prevent packets from the outside that contain a destination IP
on my internal network from passing through my firewall and entering my
internal network like this:

block in quick on ep0 from any to 192.168.0.0/16

I realize that packets with a source or destination of 192.168.0.0/16
should be dropped by routers on the internet, but I know this doesn't
always happen as our firewall at work has recorded such packets in the
past.

Am I misunderstanding how IPFilter/IPNat work together correctly? If
so, is there a way around this problem? If not, would the following
provide the protection I'm looking for while still allowing people to
access my web server from the outside?

pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80 flags S keep state keep frags
block in quick on ep0 from any to 192.168.0.0/16

This would prevent any packet from the outside with a destination
address of my internal network from passing through the firewall unless
it was specifically going to port 80 on my web server right?

Please CC me on any replies as I'm not currently subscribed to the list.

Thanks in advance,
Steve
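To check the reasoning in the message above, here is a small added model (my own Python, not IPFilter's code) of the inbound path as the post describes it: the rdr step rewrites the destination first, then the quick rules are matched in order. It is deliberately simplified (no TCP flags or state tracking), and the sample packets are constructed.

```python
from ipaddress import ip_address, ip_network

# ipnat.rules: rdr ep0 216.170.19.162/32 port 80 -> 192.168.1.100 port 80
RDR = {("216.170.19.162", 80): ("192.168.1.100", 80)}

# ipfilter.rules (the proposed set); 'quick' means the first match wins.
# Entries: (action, proto or None for any, destination network, dport or None)
RULES = [
    ("pass", "tcp", ip_network("192.168.1.100/32"), 80),
    ("block", None, ip_network("192.168.0.0/16"), None),
]

def apply_rdr(pkt):
    """rdr step: rewrite the destination before the filter sees the packet."""
    key = (pkt["dst"], pkt["dport"])
    if pkt["proto"] == "tcp" and key in RDR:
        new_dst, new_port = RDR[key]
        pkt = dict(pkt, dst=new_dst, dport=new_port)
    return pkt

def filter_in(pkt):
    """Inbound filter: return the action of the first matching quick rule."""
    for action, proto, net, dport in RULES:
        if proto is not None and pkt["proto"] != proto:
            continue
        if ip_address(pkt["dst"]) not in net:
            continue
        if dport is not None and pkt["dport"] != dport:
            continue
        return action
    return "pass"  # ipf passes a packet that matches no rule at all

def inbound(pkt):
    """Inbound path on ep0 as the post describes it: NAT first, then filter.

    Returns (verdict, the destination the filter actually evaluated)."""
    translated = apply_rdr(pkt)
    return filter_in(translated), f'{translated["dst"]}:{translated["dport"]}'

if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.7 is a documentation address.
    for dst, dport in [("216.170.19.162", 80), ("192.168.1.50", 22), ("192.168.1.100", 80)]:
        pkt = {"proto": "tcp", "src": "203.0.113.7", "dst": dst, "dport": dport}
        print(f"{dst}:{dport} -> {inbound(pkt)}")
```

The third sample shows the caveat in this model: because the filter only sees the translated destination, a packet that arrives already addressed to 192.168.1.100 port 80 matches the same pass rule as one redirected from the public address, so the block rule covers the rest of 192.168.0.0/16 but not that one host and port.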
