Valhalla Legends Archive

FreeBSD and ipf + ipnat

Started by Eric, September 09, 2005, 12:40 AM


Eric

I've recently bought a cheap barebones system on which I installed 3 10/100/1000 NICs, as well as FreeBSD 5.4, and I'm currently attempting to turn it into a firewall gateway for my network.

I managed to set up natd on it just fine, but I'd rather use ipnat; however, after I got it all set up, I noticed that it wasn't allowing connections, even to the loopback addresses.

re0 connects to my DSL modem.
vge0 connects to my wired internal network.
vge1 connects to my wireless internal network.

Options added to GENERIC kernel:

# natd

options         IPFIREWALL
options         IPDIVERT
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100
options         TCP_DROP_SYNFIN

# IPSec

options         IPSEC
options         IPSEC_ESP

# ipf / ipnat / ipmon

options         IPFILTER
options         IPFILTER_LOG
options         IPFILTER_DEFAULT_BLOCK


/etc/rc.conf:

# -- sysinstall generated deltas -- # Fri Sep  2 10:11:46 2005
# Created: Fri Sep  2 10:11:46 2005
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
apm_enable="YES"
ibcs2_enable="YES"
linux_enable="YES"
lpd_enable="YES"
moused_enable="YES"
nfs_reserved_port_only="YES"
svr4_enable="YES"
usbd_enable="YES"
sshd_enable="YES"

# -- sysinstall generated deltas -- # Sat Sep  3 23:39:19 2005
kern_securelevel="1"
kern_securelevel_enable="YES"

ifconfig_vge0="inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"

# natd
#firewall_enable="YES"
#firewall_script="/etc/rc.firewall"
#firewall_type="open"
#firewall_quiet="NO"
#natd_program="/sbin/natd"
#natd_enable="YES"
#natd_interface="re0"
#natd_flags="-f /etc/natd.conf"

# ip
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags=""
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
ipmon_flags="-Dsn"

tcp_drop_synfin="YES"

# ifconfig

ifconfig_re0="inet 192.168.254.1  netmask 255.255.255.0"

ipv6_enable="YES"
defaultrouter="192.168.254.254"
hostname="EFWGW.xDSL"

ifconfig_vge1="inet 192.168.2.100  netmask 255.255.255.0"


/etc/ipnat.rules:

#   Dev  Inside IP     Local Inet IP

map re0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map re0 192.168.2.0/24 -> 0/32 proxy port ftp ftp/tcp

# Map all tcp and udp connections from 192.168.1.0/24 to external IP address,
# changing the source port number to something between 40,000 and 60,000
# inclusive
map re0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map re0 192.168.2.0/24 -> 0/32 portmap tcp/udp 40000:60000

# For all other IP packets, map to the external IP address
map re0 192.168.1.0/24 -> 0/32
map re0 192.168.2.0/24 -> 0/32


/etc/ipf.rules:

oif="re0"
odns="192.168.254.254"
myip="192.168.254.1"
ks="keep state"
fks="flags S keep state"

# Allow all loopback
pass in quick on lo0 all
pass out quick on lo0 all

# Allow all re0
pass in quick on re0 all
pass out quick on re0 all

# Allow all vge0
pass in quick on vge0 all
pass out quick on vge0 all

# Allow all vge1
pass in quick on vge1 all
pass out quick on vge1 all

# Allow all fxp0
pass in quick on fxp0 all
pass out quick on fxp0 all

# Allow all plip0
pass in quick on plip0 all
pass out quick on plip0 all
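
As an added illustration, not code from the thread: a small Python model of how ipf evaluates a rule set (in order, last match wins unless a rule is `quick`, and no match falls through to the default that IPFILTER_DEFAULT_BLOCK sets to block), run against a constructed copy of the rules above. It handles only the `pass|block in|out [quick] on <if> all` form the post uses and ignores `keep state`, so it is a sanity check of rule ordering, not a replacement for ipfstat.

```python
import re

# Only the rule shape used in the posted ipf.rules is recognised.
RULE_RE = re.compile(r"^(pass|block)\s+(in|out)\s+(quick\s+)?on\s+(\S+)\s+all$")

def parse_rules(text):
    """Return (action, direction, quick, iface) tuples from ipf.rules text,
    skipping comments, blank lines and shell-style variable definitions."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" in line.split()[0]:   # e.g. oif="re0", ks="keep state"
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: " + line)
        action, direction, quick, iface = m.groups()
        rules.append((action, direction, bool(quick), iface))
    return rules

def evaluate(rules, direction, iface, default="block"):
    """Decide the fate of a packet seen (direction, iface) the way ipf does:
    the last matching rule wins, unless a matching rule is 'quick', which
    ends evaluation immediately.  No match at all yields the kernel default
    (block when IPFILTER_DEFAULT_BLOCK is compiled in)."""
    result = default
    for action, rdir, quick, riface in rules:
        if rdir != direction or riface != iface:
            continue
        result = action
        if quick:
            break
    return result

# Constructed excerpt of the rule set from the post above.
IPF_RULES = """\
oif="re0"
ks="keep state"
# Allow all loopback
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on re0 all
pass out quick on re0 all
pass in quick on vge0 all
pass out quick on vge0 all
"""

if __name__ == "__main__":
    rules = parse_rules(IPF_RULES)
    for direction, iface in [("in", "lo0"), ("out", "vge0"), ("in", "tun0")]:
        print(direction, iface, "->", evaluate(rules, direction, iface))
```

The `tun0` case shows the default-block behaviour for any interface the rule set does not mention; the same function also demonstrates that without `quick` a later `block` rule overrides an earlier `pass`.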

nslay

On FreeBSD 5.4, OpenBSD's pf is built into the base system. I recommend pf; it is really easy to configure and there is excellent documentation.

FreeBSD Handbook on pf
FreeBSD man page on pf.conf
OpenBSD pf handbook (the easiest to read)

An example pf.conf can be found at /etc/pf.conf

However, I'll look over ipf and ipnat when I get a chance.
Btw, pf uses altq too, so you can limit bandwidth for particular groups of people. pf is more than just an ordinary packet filter: it can perform NAT, ingress filtering, egress filtering, stateful inspection, etc.

Eric


nslay

Quote from: David on September 09, 2005, 03:12 PM
Wireless routers are horrible.

Actually, if you were doing wireless and you absolutely wanted 99.99% privacy (as well as to regulate connections), it would be very smart to use encrypted PPTP.