IPNAT + IPFILTER + DUMMYNET + FreeBSD 4.7prerelease

From: Juraj Petrik (juro@software602.sk)
Date: 09/25/02


From: "Juraj Petrik" <juro@software602.sk>
To: <freebsd-security@freebsd.org>
Date: Wed, 25 Sep 2002 09:41:44 +0200

hello,
can you help me, please,

I'm trying to run a firewall using
IPFilter, IPNAT and Dummynet on FreeBSD.

I've read so many HOWTOs, but I can't get
redirection to another server in the internal
network working:
rl0 - WAN (194.x.x.0/24) 194.x.x.22 if FreeBSD box
rl1 - LAN (192.168.1.0/24) 192.168.1.22 if FreeBSD box
rl2 - DMZ (10.0.0.0/24) 10.0.0.22 if FreeBSD box

my server is now on LAN, not on DMZ.

I'm using FreeBSD 4.7 prerelease from CVS.

In kernel config have added:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=30
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options DUMMYNET

options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
options RANDOM_IP_ID

in /etc/rc.conf have:
tcp_extensions="YES"
gateway_enable="YES"
portmap_enable="NO"

#firewall_enable="YES"
#firewall_type="/etc/dummynet.conf"
#firewall_logging="NO"

ipfilter_enable="YES"
ipfilter_flags=""
ipfilter_rules="/etc/ipf.conf"

ipnat_enable="YES"
ipnat_flags=""
ipnat_rules="/etc/ipnat.conf"

ipmon_enable="YES"
ipmon_flags="-Dns -l block"

in /etc/ipf.conf:
pass in log all
pass out log all

in /etc/ipnat.conf:
# FTP proxy first, then the portmap rule, then the plain catch-all map
map rl0 0/0 -> 194.x.x.22/32 proxy port ftp ftp/tcp
map rl0 192.168.1.0/24 -> 194.x.x.22/32 portmap tcp/udp 12500:60000
map rl0 192.168.1.0/24 -> 194.x.x.22/32

# redirect inbound HTTP and SSH on the WAN address to the LAN server
rdr rl0 194.x.x.22/32 port 80 -> 192.168.1.35 port 80
rdr rl0 194.x.x.22/32 port 22 -> 192.168.1.35 port 22

NAT from the LAN to the Internet works OK,
but from the Internet I can't redirect connections to the server
on the LAN (192.168.1.35).

Please help me ANYBODY!!!!
-jp-

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
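The ruleset in the post has a property worth checking mechanically: ipnat evaluates map rules first-match (as the IP Filter HOWTO describes), so an option-less map rule placed before a proxy or portmap rule for the same source silently swallows the traffic those later rules were meant to handle, and an exact duplicate rule is never reached at all. The linter below is an added example, not part of the original post and not IP Filter's own tooling. It parses a constructed copy of the posted ipnat.conf (the masked WAN address 194.x.x.22 is replaced by the documentation address 198.51.100.22, and the interface table is reconstructed from the post), reports shadowed and duplicate map rules, and for each rdr verifies that the external address really is the WAN interface's address and that the target sits on a directly attached network, naming the inside interface whose address the redirected server must use as its gateway for the reverse translation to happen. The second ruleset is the same rules in the order the HOWTO uses and lints clean.

```python
"""Lint an ipnat.conf ruleset for ordering and reachability problems.

Added example, not from the original post or from IP Filter.  POSTED_CONF is
a constructed copy of the posted ipnat.conf with 194.x.x.22 replaced by the
documentation address 198.51.100.22.  Assumption: ipnat matches map rules
first-match (per the IP Filter HOWTO), so an option-less map rule is a
catch-all for every later rule whose source it covers.
"""
import ipaddress
import re

# Constructed interface table mirroring the post; rl2 (DMZ) is unused by the rules.
INTERFACES = {
    "rl0": ipaddress.ip_interface("198.51.100.22/24"),  # stands in for 194.x.x.22
    "rl1": ipaddress.ip_interface("192.168.1.22/24"),
    "rl2": ipaddress.ip_interface("10.0.0.22/24"),
}

POSTED_CONF = """\
map rl0 192.168.1.0/24 -> 198.51.100.22/32
map rl0 0/0 -> 198.51.100.22/32 proxy port ftp ftp/tcp

map rl0 192.168.1.0/24 -> 198.51.100.22/32 portmap tcp/udp 12500:60000
map rl0 192.168.1.0/24 -> 198.51.100.22/32

rdr rl0 198.51.100.22/32 port 80 -> 192.168.1.35 port 80
rdr rl0 198.51.100.22/32 port 22 -> 192.168.1.35 port 22
"""

# Same rules, most specific first: proxy, then portmap, then the catch-all.
REORDERED_CONF = """\
map rl0 192.168.1.0/24 -> 198.51.100.22/32 proxy port ftp ftp/tcp
map rl0 192.168.1.0/24 -> 198.51.100.22/32 portmap tcp/udp 12500:60000
map rl0 192.168.1.0/24 -> 198.51.100.22/32
rdr rl0 198.51.100.22/32 port 80 -> 192.168.1.35 port 80
rdr rl0 198.51.100.22/32 port 22 -> 192.168.1.35 port 22
"""

MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)(?:\s+(.*))?$")
RDR_RE = re.compile(r"^rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)")


def parse_net(text):
    """ipnat spells 'any address' as 0/0, which ipaddress does not accept."""
    return ipaddress.ip_network("0.0.0.0/0" if text == "0/0" else text, strict=False)


def lint(conf, interfaces=INTERFACES):
    problems = []
    rdr_paths = []   # (ext addr, ext port, target, target port, inside ifname)
    seen = {}        # normalised rule text -> first line number
    catchalls = []   # (lineno, ifname, source net) of option-less map rules
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = " ".join(raw.split())
        if not line or line.startswith("#"):
            continue
        if line in seen:
            problems.append(f"line {lineno}: duplicate of line {seen[line]}")
            continue
        seen[line] = lineno

        m = MAP_RE.match(line)
        if m:
            ifname, src, opts = m.group(1), parse_net(m.group(2)), (m.group(4) or "").strip()
            for prev_line, prev_if, prev_src in catchalls:
                if prev_if != ifname or not src.overlaps(prev_src):
                    continue
                if src.subnet_of(prev_src):
                    problems.append(f"line {lineno}: map rule is never reached (line {prev_line} already matches {src})")
                else:
                    problems.append(f"line {lineno}: sources in {prev_src} never reach this map rule (line {prev_line} matches first)")
                break
            if not opts:   # no proxy/portmap options: matches every protocol from src
                catchalls.append((lineno, ifname, src))
            continue

        m = RDR_RE.match(line)
        if m:
            ifname, ext = m.group(1), ipaddress.ip_interface(m.group(2)).ip
            target = ipaddress.ip_address(m.group(4))
            if ifname not in interfaces or ext != interfaces[ifname].ip:
                problems.append(f"line {lineno}: rdr external address {ext} is not the address of {ifname}")
            inside = next((n for n, i in interfaces.items() if target in i.network), None)
            if inside is None:
                problems.append(f"line {lineno}: rdr target {target} is not on any directly attached network")
            else:
                # The server must send replies back through this box (default
                # gateway = interfaces[inside].ip) or the reverse NAT never happens.
                rdr_paths.append((str(ext), int(m.group(3)), str(target), int(m.group(5)), inside))
            continue

        problems.append(f"line {lineno}: unrecognised rule: {line}")
    return {"problems": problems, "rdr_paths": rdr_paths}


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("reordered", REORDERED_CONF)):
        result = lint(conf)
        print(f"{name}: {len(result['problems'])} problem(s)")
        for p in result["problems"]:
            print("  " + p)
        for ext, eport, tgt, tport, inside in result["rdr_paths"]:
            print(f"  rdr {ext}:{eport} -> {tgt}:{tport} via {inside}; server gateway must be {INTERFACES[inside].ip}")
```

On the posted ruleset the linter reports three map problems (the proxy rule is bypassed for LAN hosts, the portmap rule is never reached, and the last rule duplicates the first) and no rdr problems: both redirects point at 192.168.1.35 behind rl1, so the remaining thing to confirm on the box itself is that the server's default gateway is 192.168.1.22 and that the ipf rules really pass the redirected traffic in on rl0 and out on rl1.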
