Re: ipfw-ntad-jail

From: Nielsen (nielsen@memberwebs.com)
Date: 06/17/02


From: "Nielsen" <nielsen@memberwebs.com>
To: "grimm" <grimm@planetquake.com>, <freebsd-security@freebsd.org>
Date: Sun, 16 Jun 2002 17:37:24 -0700 (PDT)

Hmmm, first of all (and maybe you've done this) you need to alias the jail's
ip on your network card. Secondly make sure that "net.inet.ip.fw.one_pass" is
set to 1 (the default). Otherwise diverted packets will continue down the
firewall after the divert rule.

Lastly, I would check that the packets are in fact getting NAT'd in. It may
be the out that's the problem. I think in addition to the redirect_tcp you
also have to do a proper NAT thing. In my understanding, redirections open
holes to let stuff in, but for the packets to get back out proper NATting is
required. OTOH, most of my experience is with ipnat, so I'm not sure here.

Nate

----- Original Message -----
From: "grimm" <grimm@planetquake.com>
To: <freebsd-security@freebsd.org>
Sent: Sunday, June 16, 2002 11:42
Subject: ipfw-ntad-jail

> Greetings,
>
> Ok, so I set up IPFW and NATd on my FreeBSD 4.5-RELEASE box,
> where I configured a jail environment. Here are some details for
> first time readers:
>
> I have a host computer called dagobah, which
> runs a virtual system in a jailed environment, called
> darkside. This system is running FreeBSD 4.5-RELEASE.
>
> host (dagobah) xl0 IP 143.XX.XX.238
> jail (darkside) IP alias to xl0 (192.168.200.13)
>
> What had happened is that once I set up IPFW, I could no
> longer connect (DNS lookup failure was causing huge delay
> on connect) to my jail (darkside).
>
> My other problem was making it possible to connect to
> these services from the outside world:
>
> host (dagobah)
> allow ftp (port 21)
> allow www (port 80)
> allow ssh (port 777)
>
> jail (darkside)
> allow ssh (port 22)
>
> with natd forwarding all requests dagobah received on port 22
> to the jail's sshd.
>
> Everything else should be blocked.
>
> =========== question =====================================
>
> My DNS lookup problem with IPFW running is now solved, internally
> I can connect to my jail without any problem.
>
> However, I can't connect from the outside world to my host (dagobah).
> I have tried to view the web page, as well as telnet and both
> don't connect. Although I do see in the IPFW SHOW output that
> some stuff seems to be reaching my port 80.
>
> I would really appreciate it if someone could look at my configs
> and point out my mistake. I have pretty much just learned how to
> do this stuff, and I may have missed something obvious!
>
> --------------
>
> # rc.conf
> #
> hostname="dagobah.somewhere.ca"
> ifconfig_xl0="inet 142.XX.XX.238 netmask 255.255.255.0"
> defaultrouter="142.XX.XX.254"
> inetd_enable="YES"
> kern_securelevel_enable="NO"
> linux_enable="YES"
> moused_enable="YES"
> nfs_reserved_port_only="YES"
> sendmail_enable="NO"
> sshd_enable="YES"
> usbd_enable="YES"
> quota_enable="YES"
> check_quotas="YES"
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="/etc/ipfw.rules"
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="xl0"
> natd_flags="-config /etc/natd_rules"
> inetd_flags="-wW -a 142.XX.XX.238"
> portmap_enable="NO"
> syslogd_flags="-ss"
>
>
> --------------
>
> #
> # natd config (/etc/natd_config)
> #
> redirect_port tcp 192.168.200.13:22 22
>
>
> --------------
>
> #
> # my ipfw.rules (additional to rc.firewall defaults)
> #
> #make sure natd gets a hold of the packets prior to FIREWALL
> add 00320 divert natd all from any to any via xl0
> #
> #
> # from man 8 ipfw: allow only outbound TCP connections I've created
> add 00350 check-state
> add 00351 deny tcp from any to any in established
> add 00352 allow tcp from any to any out setup keep-state
> #
> #
> #allow DNS
> add 00400 allow udp from 142.XX.XX.1 to any in recv xl0
> add 00401 allow udp from 142.XX.XX.2 to any in recv xl0
> add 00402 allow udp from 142.XX.XX.3 to any in recv xl0
> add 00403 allow udp from any to any out
> #
> #allow some ICMP types (codes not supported)
> ## allow path-mtu in both directions
> add 00600 allow icmp from any to any icmptypes 3
> ## allow source quench in and out
> add 00601 allow icmp from any to any icmptypes 4
> ## allow me to ping out and receive response back
> add 00602 allow icmp from any to any icmptypes 8 out
> add 00603 allow icmp from any to any icmptypes 0 in
> ## allow me to traceroute
> #
> # when I traceroute, I send out UDP packets (rule 00403)
> #
> add 00604 allow icmp from any to any icmptypes 11 in
> #
> #
> # enable www server on dagobah (142.XX.XX.238)
> add 00700 allow tcp from any to any 80 in via xl0
> add 00701 allow tcp from any to any 80 out via xl0
> #
> #
> # enable ssh server on dagobah (142.XX.XX.238)
> add 00702 allow tcp from any to any 777 in via xl0
> add 00703 allow tcp from any to any 777 out via xl0
> #
> #
> # enable ssh server on darkside (142.XX.XX.238)
> add 00704 allow tcp from any to any 22 in via xl0
> add 00705 allow tcp from any to any 22 out via xl0
>
>
> --------------
>
> OUTPUT OF THE IPFW SHOW command
>
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00320 171 34652 divert 8668 ip from any to any via xl0
> 00350 0 0 check-state
> 00351 0 0 deny tcp from any to any in established
> 00352 78 8668 allow tcp from any to any keep-state out setup
> 00400 2 482 allow udp from 142.XX.XX.1 to any in recv xl0
> 00401 0 0 allow udp from 142.XX.XX.2 to any in recv xl0
> 00402 0 0 allow udp from 142.XX.XX.3 to any in recv xl0
> 00403 2 120 allow udp from any to any out
> 00600 0 0 allow icmp from any to any icmptype 3
> 00601 0 0 allow icmp from any to any icmptype 4
> 00602 0 0 allow icmp from any to any out icmptype 8
> 00603 0 0 allow icmp from any to any in icmptype 0
> 00604 0 0 allow icmp from any to any in icmptype 11
> 00700 3 144 allow tcp from any to any 80 in recv xl0
> 00701 0 0 allow tcp from any to any 80 out xmit xl0
> 00702 0 0 allow tcp from any to any 777 in recv xl0
> 00703 0 0 allow tcp from any to any 777 out xmit xl0
> 00704 0 0 allow tcp from any to any 22 in recv xl0
> 00705 0 0 allow tcp from any to any 22 out xmit xl0
> 65535 86 25238 deny ip from any to any
>
> __
> grimm
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

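An added diagnostic for the counters quoted in the post above (example code written for this archive page, not from either poster): it parses an `ipfw show` listing and reports ports where an `allow ... in` rule has counted packets while the `allow ... out` rule for the same port has stayed at zero. The sample input is the listing from the post, copied with the counters exactly as posted; the function names are this example's own.

```python
"""Spot one-way services in `ipfw show` output.

Added example for the thread above, not code from the original post.
IPFW_SHOW is the listing grimm posted, counters as posted.
"""
import re

IPFW_SHOW = """\
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00320 171 34652 divert 8668 ip from any to any via xl0
00350 0 0 check-state
00351 0 0 deny tcp from any to any in established
00352 78 8668 allow tcp from any to any keep-state out setup
00400 2 482 allow udp from 142.XX.XX.1 to any in recv xl0
00401 0 0 allow udp from 142.XX.XX.2 to any in recv xl0
00402 0 0 allow udp from 142.XX.XX.3 to any in recv xl0
00403 2 120 allow udp from any to any out
00600 0 0 allow icmp from any to any icmptype 3
00601 0 0 allow icmp from any to any icmptype 4
00602 0 0 allow icmp from any to any out icmptype 8
00603 0 0 allow icmp from any to any in icmptype 0
00604 0 0 allow icmp from any to any in icmptype 11
00700 3 144 allow tcp from any to any 80 in recv xl0
00701 0 0 allow tcp from any to any 80 out xmit xl0
00702 0 0 allow tcp from any to any 777 in recv xl0
00703 0 0 allow tcp from any to any 777 out xmit xl0
00704 0 0 allow tcp from any to any 22 in recv xl0
00705 0 0 allow tcp from any to any 22 out xmit xl0
65535 86 25238 deny ip from any to any
"""

# `ipfw show` prints: rule number, packet count, byte count, action, body.
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")


def parse_rules(text):
    """Turn an `ipfw show` listing into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        num, pkts, byts, action, body = m.groups()
        rules.append({"num": int(num), "pkts": int(pkts),
                      "bytes": int(byts), "action": action, "body": body})
    return rules


def dst_port(body):
    """Destination port named in a rule body, or None.

    In ipfw the port written after the 'to' address is the *destination*
    port: 'from any to any 80' matches packets going to port 80 only,
    never a server's replies, whose source port is 80.
    """
    m = re.search(r"\bto\s+\S+\s+(\d+)\b", body)
    return int(m.group(1)) if m else None


def direction(body):
    """'in', 'out', or 'any' if the rule has no direction keyword."""
    if re.search(r"\bin\b", body):
        return "in"
    if re.search(r"\bout\b", body):
        return "out"
    return "any"


def default_deny_hits(rules):
    """Packets that fell through to the catch-all rule 65535."""
    for r in rules:
        if r["num"] == 65535:
            return r["pkts"]
    return 0


def one_way_services(rules):
    """Ports whose 'allow ... in' rules counted packets while every
    'allow ... out' rule for the same destination port counted none.
    Such a service receives connection attempts but its replies are
    matching nothing, which is what the default-deny counter then shows."""
    inbound, outbound = {}, {}
    for r in rules:
        if r["action"] != "allow":
            continue
        port = dst_port(r["body"])
        if port is None:
            continue
        bucket = {"in": inbound, "out": outbound}.get(direction(r["body"]))
        if bucket is not None:
            bucket[port] = bucket.get(port, 0) + r["pkts"]
    return sorted(p for p, n in inbound.items()
                  if n > 0 and outbound.get(p, 0) == 0)


if __name__ == "__main__":
    rules = parse_rules(IPFW_SHOW)
    print("one-way services (dst port):", one_way_services(rules))
    print("packets hitting default deny:", default_deny_hits(rules))
```

For the posted counters this reports port 80: rule 00700 saw 3 packets come in, rule 00701 saw none go out, and 86 packets ended in rule 65535. Rule 00701 is written `to any 80 out`, so it only matches packets leaving the box toward port 80; the web server's replies carry source port 80 and the client's ephemeral destination port, and rule 00352 does not cover them either because it only keeps state for connections the host itself sets up. The same pairing applies to port 22 once natd redirects it to the jail, which is why watching the 65535 counter while repeating the test is the quickest check of whether reply traffic is being dropped.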