IPFilter on FreeBSD 4.6-STABLE
Posted by Neafevoc on Wednesday August 21, @04:44PM
from the i-still-can't-seem-to-get-this-working dept.
I've done this a dozen times and I still can't get IPFilter to work correctly. I've read Marty's neat document on how to build a stable firewall with FBSD, and yet, I still can't get it to work.
I wanted to install IPF by recompiling the kernel with the appropriate options...
options IPFILTER #ipfilter support
options IPFILTER_LOG #ipfilter logging
options IPFILTER_DEFAULT_BLOCK #block all packets by default
options IPSTEALTH #support for stealth forwarding
options RANDOM_IP_ID
And then some :)
My /etc/rc.conf file does have gateway_enable and does list my
network_interfaces that I'm using (including loopback). I also added
these for IPF..
ipfilter_enable="YES"
ipfilter_flags=""
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
ipmon_flags="-Dsvn"
icmp_drop_redirects="YES"
My /etc/ipf.rules contain just two lines to make sure it's working...
pass in all
pass out all
...and /etc/ipnat.rules contain this one line just to let everything in
and out...
map fxp0 10.0.0.0/24 -> XXX.224.XXX.XXX/29
(Hid real IP address for obvious reasons.)
Btw, my internal address I'm using is 10.0.0.1 if it really makes a
difference.
Now on with the hardware. I know the switch I'm using is working because
I'm trading it off with another machine that's currently running as our
NAT/Firewall box. (I'm trading the switch back and forth until I have
this new box with IPF running.) So I know the switch works. (And why am
I replacing a firewall that already 'works', I wanted to try something
new :))
Anyway, I think I've done this install (from scratch) a dozen times
already following the same few guides I see floating around the web.
(FreeBSD Diary's is kind of old, and Marty seems to update his guide
quite often.)
Can someone show me some direction?
Re: IPFilter on FreeBSD 4.6-STABLE
by RoaminCatholic on Thursday August 22, @11:30AM
Couple of things:
Make sure you have a default_router entry in rc.conf, eg:
defaultrouter="your.isps.gateway.ip"
Try ipmon_flags="-Dn /var/log/firewall_logs", in order to have all firewall notices go directly to a file rather than through syslog (makes it easier to read)
Change your ipf.rules file to be:
pass in log quick all
pass out log quick all
The "quick" option is appropriate to use when your default policy is set to deny, so that no further rules get applied.
Change your ipnat.rules to be:
map fxp0 10.0.0.0/24 -> 0/32
The "map-to" address needs to be a 32-bit mask. The result is that ipnat will rewrite your outgoing IP source header to be whatever the address of fxp0 is.
Also, make sure that fxp0 is your *external* interface.
Good luck.
-Erik Norvelle
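Erik's first two points (a defaultrouter entry, and rc.conf values that are well formed) are easy to check mechanically, and the original post's rc.conf actually contains an unterminated quote on the icmp_drop_redirects line. The script below is an added example, not code from the thread or from FreeBSD: it classifies each rc.conf line and reports the keys a NAT gateway running IPFilter would be expected to set. The sample rc.conf content is constructed, and 192.0.2.1 is a documentation address standing in for the ISP gateway.

```shell
#!/bin/sh
# Added example (not from the thread): a sanity check for the rc.conf entries
# an IPFilter/ipnat gateway needs. rc.conf is sourced by sh at boot, so an
# unbalanced quote like the one in the original post swallows every setting
# after it. Sample content is constructed; 192.0.2.1 is a documentation address.

RC_CONF_SAMPLE='gateway_enable="YES"
defaultrouter="192.0.2.1"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
ipmon_flags="-Dn /var/log/firewall_logs"
icmp_drop_redirects="YES'

# Classify a single rc.conf line: comment, ok, unterminated_quote or malformed.
rc_line_status() {
    case $1 in
        ''|'#'*)            echo comment ;;
        [A-Za-z_]*=\"*\")   echo ok ;;
        [A-Za-z_]*=\"*)     echo unterminated_quote ;;
        *)                  echo malformed ;;
    esac
}

# Read rc.conf text on stdin, print each bad line, return non-zero if any.
rc_conf_problems() {
    n=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$(( n + 1 ))
        status=$(rc_line_status "$line")
        case $status in
            ok|comment) ;;
            *) bad=$(( bad + 1 )); echo "line $n: $status: $line" ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Read rc.conf text on stdin, print (space separated) the keys from the
# thread's gateway setup that are absent. The key list is this example's
# assumption about what a NAT gateway needs, not an rc.conf requirement.
rc_missing_keys() {
    text=$(cat)
    missing=
    for key in defaultrouter gateway_enable ipfilter_enable ipnat_enable; do
        case $text in
            *"$key=\""*) ;;
            *) missing="$missing $key" ;;
        esac
    done
    echo "${missing# }"
}

# Demo on the constructed sample: line 9 is reported as an unterminated quote.
printf '%s\n' "$RC_CONF_SAMPLE" | rc_conf_problems || echo "rc.conf needs fixing before reboot"
echo "missing keys: [$(printf '%s\n' "$RC_CONF_SAMPLE" | rc_missing_keys)]"
```

Run it as `sh check_rc.sh`, or pipe the real file through the two functions (`rc_conf_problems < /etc/rc.conf`). It only checks shape and presence; whether the values themselves are right (the correct external interface, the right gateway address) is still a matter of reading the file.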
Re: IPFilter on FreeBSD 4.6-STABLE
by Neafevoc on Thursday August 22, @01:18PM
First of all... thanks for the help Erik. It works!
Did my problem lie in my original ipnat.rules? I thought I was supposed to direct it to an actual IP address to my external NIC?
And it didn't matter if my external NIC was /29? (Or subnet mask 255.255.255.248).
I ask this only to understand the workings of IPFilter (and probably networking in general).
Now that it works, I'll write new ipf.rules and ipnat.rules. And I'll follow ipnat.rules where my external NIC is 0/32, correct? (Sorry for being redundant. Hopefully this post will help others out since I couldn't find any other post relating to IPF on this site.)
Thanks again :)
Re: IPFilter on FreeBSD 4.6-STABLE
by Coercitas on Thursday January 22, @08:23AM
Actually, your problem was your ipnat rules. You just asked IPF to map your internal LAN with any possible address in the XXX.224.XXX.XXX/29 subnet, which won't work.
Imagine XXX.224.XXX.XXX/29 stands for 80.224.128.0/29; then ipnat would map your internal LAN with any possible address from 80.224.128.1 to 80.224.128.6 (80.224.128.7 means BROADCAST and thus cannot be applied). Problem is you are only reachable with one of those addresses (or your ISP gave you this whole pool of addresses and something else has to be done on your IPF box to accept this). Pretty sure the first (or last, depending on your ISP) address in this subnet is the ISP's side, so this address can't be used (but ipnat may use it since you allowed it to do so) and the other addresses have to exist... if you only have one of these (you can set up many addresses on one NIC) configured on your side, no one could reach the others (since they don't actually exist).
The "map fxp0 0/0 -> 0/32" statement means "change anything that goes out on interface fxp0 with my real fxp0's address".
The "map fxp0 10.0.0.0/24 -> 0/32" command means "change anything going out on interface fxp0 with a source address in the 10.0.0.0/24 subnet with my real fxp0's address".
So yes, it does matter that you are in a 29-bit subnet; you have to really understand how things work with TCP/IP subnetting before going any further, or you may shoot yourself in the foot and get some serious headaches.
If you only own a single address in the XXX.224.XXX.XXX/29 subnet, then you must use the "0/32" statement. If you own all this subnet (but the ISP router one) you can use them to set up a DMZ and put there some servers of your choice...or anything else you prefer.
Hope this helped a bit.
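Erik's remark that the map-to address needs a 32-bit mask and Coercitas's walk through the 80.224.128.0/29 example come down to one question: which addresses may ipnat pick as the rewritten source? The script below is an added example, not code from the thread or from IPFilter; it parses an ipnat "map" rule and prints the pool its target covers, treating 0/32 as ipnat's "use the interface's current address" case. The two rules it is run on are constructed, using the same stand-in 80.224.128.0/29 that Coercitas used for the poster's hidden XXX.224.XXX.XXX/29.

```shell
#!/bin/sh
# Added example (not from the thread): what an ipnat "map IFACE SRC -> DST"
# target actually covers. Addresses are constructed; 80.224.128.0/29 is the
# stand-in Coercitas used for the poster's hidden XXX.224.XXX.XXX/29.

# Dotted quad -> integer
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print one line describing the pool of addresses a map rule may rewrite
# outgoing source addresses to. Returns 1 for anything that is not a map rule.
nat_pool_summary() {
    set -- $1
    [ "$1" = map ] && [ "$4" = '->' ] || { echo "not a map rule"; return 1; }
    iface=$2
    dst=$5
    case $dst in
        */*) addr=${dst%/*}; prefix=${dst#*/} ;;
        *)   addr=$dst;      prefix=32 ;;
    esac
    # ipnat special case: 0/32 means "whatever address IFACE has right now"
    if [ "$addr" = 0 ] && [ "$prefix" = 32 ]; then
        echo "$iface: single address (the current address of $iface)"
        return 0
    fi
    size=$(( 1 << (32 - prefix) ))
    ip=$(ip2int "$addr")
    base=$(( ip - ip % size ))          # network address of the pool
    if [ "$prefix" -ge 31 ]; then       # /31 and /32 have no network/broadcast
        echo "$iface: pool $(int2ip "$base")-$(int2ip $(( base + size - 1 ))) ($size usable of $size)"
        return 0
    fi
    first=$(( base + 1 ))
    last=$(( base + size - 2 ))
    bcast=$(( base + size - 1 ))
    echo "$iface: pool $(int2ip "$first")-$(int2ip "$last") ($(( size - 2 )) usable of $size, broadcast $(int2ip "$bcast"))"
}

# Demo: the poster's original rule shape versus Erik's corrected one.
for rule in 'map fxp0 10.0.0.0/24 -> 80.224.128.0/29' 'map fxp0 10.0.0.0/24 -> 0/32'; do
    printf '%s\n    -> %s\n' "$rule" "$(nat_pool_summary "$rule")"
done
```

For the /29 rule the pool is six addresses, five of which the box in the thread does not own (and one of which is the ISP's router), so replies to those sources never come back; for 0/32 the pool collapses to the one address fxp0 actually has, which is why the corrected rule worked.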
Re: IPFilter on FreeBSD 4.6-STABLE
by sluggo Magoo on Tuesday March 04, @02:51AM
Correct me if I'm wrong, but the version of IPFILTER that came with FreeBSD 4.6 has a bad FTP bug in it. I'm using 4.7-STABLE.
Anyway... question about stealthing... Are there some sysctl entries that are required when stealthing is turned on?