Valhalla Legends Forums Archive | General Discussion | FreeBSD and ipf + ipnat

LoRd
I've recently bought a cheap barebones system on which I installed 3 10/100/1000 NICs, as well as FreeBSD 5.4, and I'm currently attempting to turn it into a firewall gateway for my network.

I managed to set up natd on it just fine, but I'd rather use ipnat; however, after I got it all set up, I noticed that it wasn't allowing connections, even to the loopback addresses.

re0 connects to my DSL modem.
vge0 connects to my wired internal network.
vge1 connects to my wireless internal network.

Options added to GENERIC kernel:

[code]# natd

options        IPFIREWALL
options        IPDIVERT
options        IPFIREWALL_VERBOSE
options        IPFIREWALL_VERBOSE_LIMIT=100
options        TCP_DROP_SYNFIN

# IPSec

options        IPSEC
options        IPSEC_ESP

# ipf / ipnat / ipmon

options        IPFILTER
options        IPFILTER_LOG
options        IPFILTER_DEFAULT_BLOCK
[/code]

/etc/rc.conf:

[code]# -- sysinstall generated deltas -- # Fri Sep  2 10:11:46 2005
# Created: Fri Sep  2 10:11:46 2005
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
apm_enable="YES"
ibcs2_enable="YES"
linux_enable="YES"
lpd_enable="YES"
moused_enable="YES"
nfs_reserved_port_only="YES"
svr4_enable="YES"
usbd_enable="YES"
sshd_enable="YES"

# -- sysinstall generated deltas -- # Sat Sep  3 23:39:19 2005
kern_securelevel="1"
kern_securelevel_enable="YES"

ifconfig_vge0="inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"

# natd
#firewall_enable="YES"
#firewall_script="/etc/rc.firewall"
#firewall_type="open"
#firewall_quiet="NO"
#natd_program="/sbin/natd"
#natd_enable="YES"
#natd_interface="re0"
#natd_flags="-f /etc/natd.conf"

# ip
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags=""
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
ipmon_flags="-Dsn" 

tcp_drop_synfin="YES"

# ifconfig

ifconfig_re0="inet 192.168.254.1  netmask 255.255.255.0"

ipv6_enable="YES" 
defaultrouter="192.168.254.254"
hostname="EFWGW.xDSL"

ifconfig_vge1="inet 192.168.2.100  netmask 255.255.255.0"[/code]

/etc/ipnat.rules:

[code]#  Dev  Inside IP    Local Inet IP

map re0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map re0 192.168.2.0/24 -> 0/32 proxy port ftp ftp/tcp

# Map all tcp and udp connections from 192.168.1.0/24 to external IP address,
# changing the source port number to something between 40,000 and 60,000
# inclusive
map re0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map re0 192.168.2.0/24 -> 0/32 portmap tcp/udp 40000:60000

# For all other IP packets, map to the external IP address
map re0 192.168.1.0/24 -> 0/32
map re0 192.168.2.0/24 -> 0/32[/code]

/etc/ipf.rules:

[code]oif="re0"
odns="192.168.254.254"
myip="192.168.254.1"
ks="keep state"
fks="flags S keep state"

# Allow all loopback
pass in quick on lo0 all
pass out quick on lo0 all

# Allow all re0
pass in quick on re0 all
pass out quick on re0 all

# Allow all vge0
pass in quick on vge0 all
pass out quick on vge0 all

# Allow all vge1
pass in quick on vge1 all
pass out quick on vge1 all

# Allow all fxp0
pass in quick on fxp0 all
pass out quick on fxp0 all

# Allow all plip0
pass in quick on plip0 all
pass out quick on plip0 all[/code]
September 9, 2005, 5:40 AM
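A stateful /etc/ipf.rules built on the variables LoRd's file defines but never references, added here as an example and not taken from the thread or from the FreeBSD documentation. It assumes LoRd's interface names, addresses and resolver as posted, and that SSH to the gateway is the only service the outside should reach (an assumption).

```ipf
# Interfaces, addresses and resolver as posted; which services the outside
# may reach is an assumption (only SSH here).
oif="re0"
odns="192.168.254.254"
myip="192.168.254.1"
ks="keep state"
fks="flags S keep state"

# Loopback stays fully open.
pass in quick on lo0 all
pass out quick on lo0 all

# Outside interface: log and drop packets that claim an inside address.
block in log quick on $oif from 192.168.1.0/24 to any
block in log quick on $oif from 192.168.2.0/24 to any
block in log quick on $oif from 10.0.0.0/8 to any
block in log quick on $oif from 172.16.0.0/12 to any
block in log quick on $oif from 127.0.0.0/8 to any

# Pin DNS to the modem's resolver, then let everything else out with state.
# Outbound rules match "from any": ipf filters before ipnat rewrites the
# source address, so the filter still sees the 192.168.x.x client.
pass out quick on $oif proto udp from any to $odns port = 53 $ks
block out log quick on $oif proto udp from any to any port = 53
pass out quick on $oif proto tcp from any to any $fks
pass out quick on $oif proto udp from any to any $ks
pass out quick on $oif proto icmp from any to any $ks

# Only SSH to the gateway itself is reachable from the outside.
pass in quick on $oif proto tcp from any to $myip port = 22 $fks

# Everything else arriving on the outside is logged and dropped
# (IPFILTER_DEFAULT_BLOCK would drop it anyway; this rule adds the log).
block in log quick on $oif all

# Inside interfaces: accept only the addresses assigned to each segment.
pass in quick on vge0 from 192.168.1.0/24 to any $ks
block in log quick on vge0 all
pass in quick on vge1 from 192.168.2.0/24 to any $ks
block in log quick on vge1 all
pass out quick on vge0 all
pass out quick on vge1 all
```

`ipf -n -f /etc/ipf.rules` parses the file without loading it, and `ipfstat -io` shows what is actually active once it is loaded.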
nslay
On FreeBSD 5.4, OpenBSD's pf is built into the base system.  I recommend pf; it is really easy to configure and there is excellent documentation.

FreeBSD Handbook on pf
FreeBSD man page on pf.conf
OpenBSD pf handbook (the easiest to read)

An example pf.conf can be found at /etc/pf.conf

However, I'll look over ipf and ipnat when I get a chance.
Btw, pf uses altq too, so you can limit bandwidth for particular groups of people.  Pf is more than just an ordinary packet filter; it can perform NAT, ingress filtering, egress filtering, stateful inspection, etc.
September 9, 2005, 5:31 PM
LoRd
[quote author=David link=topic=12750.msg127550#msg127550 date=1126296722]
Wireless routers are horrible.
[/quote]

No.
September 9, 2005, 8:25 PM
nslay
[quote author=David link=topic=12750.msg127550#msg127550 date=1126296722]
Wireless routers are horrible.
[/quote]

Actually, if you were doing wireless and you absolutely wanted 99.99% privacy (as well as regulate connections), it would be very smart to use encrypted PPTP.
September 9, 2005, 9:36 PM