thetherington
asked on
natd not port forwarding after ip change freebsd 4.8
This whole configuration of a DSL firewall/router using freebsd 4.8 was built based on way too many tutorials.
The port forwarding worked correctly when the tun adapter only had 1 ip address. Since my provider dynamically allocates my ip address to my site, a new one was given to me. With the new ip address (second in the adapter information) i am unable to get any port forwarding to work correctly. Internet access does work from the private hosts behind the firewall. I think they are working correctly because of the dynamic flag in the natd.conf but i'm not too sure. When connecting to my site on ports 80 and 22 from remote sites, i just get my firewall machine instead of the proper hosts behind my firewall. This all works fine when the tun adapter only has one ip address.
Another funny note is that when using pppnat instead of natd. Port forwarding working perfectly no matter how many ip address's are listed in the tun adapter. I switched to natd for ppptp forwarding support. I'm having a hard time finding documentation on pptp forwarding with pppnat.
i have exhausted myself looking for similiar problems on the internet. I really hope this is a misconfiguration because i really enjoy using pptp from work and etc.
thanks!
#####ppp.conf#########
defualt:
set timeout 0
sympatico:
set device PPPoE:xl0
enable lqr
set mru 1492
set mtu 1492
set speed sync
set dial
set login
set timeout 0
set authname *******
set authkey *******
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
add 0 0 HISADDR
set redial 0 0
enable dns
#####rc.conf#######
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="sympatico"
gateway_enable="YES"
kern_securelevel_enable="N
linux_enable="YES"
nfs_reserved_port_only="YE
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
firewall_enable="YES"
firewall_script="/etc/rc.f
firewall_type="/etc/ipfw.r
firewall_quiet="YES"
firewall_logging="YES"
#####ipfw rules (ipfw.rules)########
add divert natd all from any to any via tun0
add allow 47 from 192.168.0.7 to any in recv fxp0
add allow 47 from any to 192.168.0.7 in recv tun0
add allow tcp from any to 192.168.0.7 1723 in recv tun0
add allow tcp from any to 192.168.0.10 80 in recv tun0
add allow tcp from any to 192.168.0.10 22 in recv tun0
add allow tcp from any to 192.168.0.10 21 in recv tun0
add allow ip from any to any
#####natd.conf############
interface tun0
use_sockets yes
same_ports yes
dynamic yes
redirect_proto gre 192.168.0.7
redirect_port tcp 192.168.0.7:1723 1723
redirect_port tcp 192.168.0.10:80 80
redirect_port tcp 192.168.0.10:21 21
redirect_port tcp 192.168.0.10:22 22
redirect_port tcp 192.168.0.1:23 23
####ifconfig output for tun0 adapter####
tun0: flags=8151<UP,POINTOPOINT,
inet 65.95.X.X --> 65.95.X.X netmask 0xffffff00
inet 65.95.X.X --> 65.95.X.X netmask 0xffffff00
Opened by PID 50
The port forwarding worked correctly when the tun adapter only had 1 ip address. Since my provider dynamically allocates my ip address to my site, a new one was given to me. With the new ip address (second in the adapter information) i am unable to get any port forwarding to work correctly. Internet access does work from the private hosts behind the firewall. I think they are working correctly because of the dynamic flag in the natd.conf but i'm not too sure. When connecting to my site on ports 80 and 22 from remote sites, i just get my firewall machine instead of the proper hosts behind my firewall. This all works fine when the tun adapter only has one ip address.
Another funny note is that when using pppnat instead of natd. Port forwarding working perfectly no matter how many ip address's are listed in the tun adapter. I switched to natd for ppptp forwarding support. I'm having a hard time finding documentation on pptp forwarding with pppnat.
i have exhausted myself looking for similiar problems on the internet. I really hope this is a misconfiguration because i really enjoy using pptp from work and etc.
thanks!
#####ppp.conf#########
defualt:
set timeout 0
sympatico:
set device PPPoE:xl0
enable lqr
set mru 1492
set mtu 1492
set speed sync
set dial
set login
set timeout 0
set authname *******
set authkey *******
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
add 0 0 HISADDR
set redial 0 0
enable dns
#####rc.conf#######
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="sympatico"
gateway_enable="YES"
kern_securelevel_enable="N
linux_enable="YES"
nfs_reserved_port_only="YE
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
firewall_enable="YES"
firewall_script="/etc/rc.f
firewall_type="/etc/ipfw.r
firewall_quiet="YES"
firewall_logging="YES"
#####ipfw rules (ipfw.rules)########
add divert natd all from any to any via tun0
add allow 47 from 192.168.0.7 to any in recv fxp0
add allow 47 from any to 192.168.0.7 in recv tun0
add allow tcp from any to 192.168.0.7 1723 in recv tun0
add allow tcp from any to 192.168.0.10 80 in recv tun0
add allow tcp from any to 192.168.0.10 22 in recv tun0
add allow tcp from any to 192.168.0.10 21 in recv tun0
add allow ip from any to any
#####natd.conf############
interface tun0
use_sockets yes
same_ports yes
dynamic yes
redirect_proto gre 192.168.0.7
redirect_port tcp 192.168.0.7:1723 1723
redirect_port tcp 192.168.0.10:80 80
redirect_port tcp 192.168.0.10:21 21
redirect_port tcp 192.168.0.10:22 22
redirect_port tcp 192.168.0.1:23 23
####ifconfig output for tun0 adapter####
tun0: flags=8151<UP,POINTOPOINT,
inet 65.95.X.X --> 65.95.X.X netmask 0xffffff00
inet 65.95.X.X --> 65.95.X.X netmask 0xffffff00
Opened by PID 50
ASKER
gheist, thanks!
to clarify, i can use ipfmeta with ipfw? Can provide like a few line examples of the ipf.metarules file that uses ipfw? the example
http://www.sentia.org/projects/ipfmeta/example.shtml
only demonstrates from what it looks like to me is ip filter.
to clarify, i can use ipfmeta with ipfw? Can provide like a few line examples of the ipf.metarules file that uses ipfw? the example
http://www.sentia.org/projects/ipfmeta/example.shtml
only demonstrates from what it looks like to me is ip filter.
Your link is right, same app.
It does not care about content of input much, it simply looks via input stream, and multiplies lines, whenever object string is found.
given object file ( call it ipfw.objs )
[TUN0]
65.95.X.X
65.95.Y.Y
[PUBLICPORTS]
80
443
Metarules for ipfw ( call it ipf.metarules )
add allow tcp from any to TUN0 port PUBLICPORTS via tun0
ipfmeta ipfw.objs < ipfw.metarules
will simply expand to 4 respective rules
add allow tcp from any to 65.95.X.X port 80 via tun0
add allow tcp from any to 65.95.Y.Y port 80 via tun0
add allow tcp from any to 65.95.X.X port 443 via tun0
add allow tcp from any to 65.95.Y.Y port 443 via tun0
btw tracking tcp states adds more to security than simply filtering on port numbers
It does not care about content of input much, it simply looks via input stream, and multiplies lines, whenever object string is found.
given object file ( call it ipfw.objs )
[TUN0]
65.95.X.X
65.95.Y.Y
[PUBLICPORTS]
80
443
Metarules for ipfw ( call it ipf.metarules )
add allow tcp from any to TUN0 port PUBLICPORTS via tun0
ipfmeta ipfw.objs < ipfw.metarules
will simply expand to 4 respective rules
add allow tcp from any to 65.95.X.X port 80 via tun0
add allow tcp from any to 65.95.Y.Y port 80 via tun0
add allow tcp from any to 65.95.X.X port 443 via tun0
add allow tcp from any to 65.95.Y.Y port 443 via tun0
btw tracking tcp states adds more to security than simply filtering on port numbers
As you can see objects file can be reused to make up many config files where such hosts need to be listed like resolv.conf etc, some acls for login services etc.
And you can put it all in some kind of Makefile to make adjusting all access lists on system at once very easy
And you can put it all in some kind of Makefile to make adjusting all access lists on system at once very easy
ASKER
gheist, this sounds pretty good. I guess that i would have to create a script to update the TUN0 object with all the ip address's for the tun interface and cron (ipfmeta ipfw.objs < ipfw.metarules) like every half hour?
ASKER
wraping this all up, explicitly allowing the port traffic to enter each specific network ip address(or the last) on the tun0 interface with make the following rules work?
############
add allow 47 from any to 192.168.0.7 in recv tun0
add allow tcp from any to 192.168.0.7 1723 in recv tun0
add allow tcp from any to 192.168.0.10 80 in recv tun0
add allow tcp from any to 192.168.0.10 22 in recv tun0
add allow tcp from any to 192.168.0.10 21 in recv tun0
############
without even using ipfmeta i have full access to my firewall because of the explicit permit all statement.
################
add allow ip from any to any
################
it really doesn't look logical to me that "any" means first ip address of the interface.
############
add allow 47 from any to 192.168.0.7 in recv tun0
add allow tcp from any to 192.168.0.7 1723 in recv tun0
add allow tcp from any to 192.168.0.10 80 in recv tun0
add allow tcp from any to 192.168.0.10 22 in recv tun0
add allow tcp from any to 192.168.0.10 21 in recv tun0
############
without even using ipfmeta i have full access to my firewall because of the explicit permit all statement.
################
add allow ip from any to any
################
it really doesn't look logical to me that "any" means first ip address of the interface.
ASKER
*Sorry
my look at logic was a bit off at the time i wrote it
the explicit permit all statement is after the port rules.
but i'm thinking again, if port forwarding was specified in my natd.conf that anything on port 80 should go to 192.168.0.10 host. shouldn't i have got access denied rather than my firewall box?
my look at logic was a bit off at the time i wrote it
the explicit permit all statement is after the port rules.
but i'm thinking again, if port forwarding was specified in my natd.conf that anything on port 80 should go to 192.168.0.10 host. shouldn't i have got access denied rather than my firewall box?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Same with ipf, so I use ipfmeta ( /usr/ports/security/ipfmet
pf in OpenBSD has much better logic to handle such situations, lets hope this feature will come along with import of pf in 5.3 release and hope 5.3 will be production release at least...