
Re: ipf rules not working; is binat the solution?



Ouch, let's try that again with the line wrap set to a more reasonable value.
Sorry!
Here is my pf.conf file. Some things are working --
like access to the internet from within the network.
Other things, like external access to the web sites,
and incoming email, are not working. Outgoing email
and pings are working.
I'm thinking the problems are most likely in the NAT
section, labeled as problematic below.
# note: real external IP address has been replaced with 999.999.999
# real internal IP addresses have not been changed.
eif="dc0" # external interface, routes 999.999.999.226-230
iif="dc1" # internal interface, 192.168.0.230
external_net="999.999.999.224" # external network (/29)
internal_net="192.168.0.224"  # internal network (/29)
eipc="999.999.999.226" # foo.com (not its real name) web site, external address
eipa="999.999.999.227" # bar.com (not its real name) web site, external address
eipf="999.999.999.229" # firewall, external address
iipc="192.168.0.226"  # foo.com web site, internal address
iipa="192.168.0.227"  # bar.com web site, internal address
iipf="192.168.0.229"  # firewall, internal address
fssaks="flags S/SA keep state"
unrouteable="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, \
	192.168.0.0/16, 255.255.255.255/32 }"
# normalize: reassemble fragments and resolve or reduce traffic ambiguities
scrub out all
scrub in  all
############# THIS SECTION IS TOTALLY BROKEN -- CLUES WELCOME! #############
# nat: packets going out through ext0 with source address 10.0.0.0/8 will get
# translated as coming from 192.168.1.1. a state is created for such packets,
# and incoming packets will be redirected to the internal address.
# nat on ext0 from 10.0.0.0/8 to any -> 192.168.1.1
# make ftp clients work ??? very iffy.
nat on $eif from $internal_net/29 to any -> $eipf port ftp
# make everything else work
# what is this? is 226/29 right, or should it be 224/29? or would 0/24 work?
nat on $eif from $internal_net/29 to any -> $eipf
# this gives "expands to multile ips of same family" error
#binat on $eif from $iipc to $eipc -> $eif
#binat on $eif from $iipa to $eipa -> $eif
# the author likes this
#binat on $eif from $iipc to any -> $eipc
#binat on $eif from $iipa to any -> $eipa
#the man page likes this
#binat on $eif from $iipa to any -> ($iif)
############# END OF BROKEN SECTION -- I HOPE! #############
# foo.com web, mail, ssh
rdr on $iif proto tcp from any to $eipc/32 port 80  -> $iipc port 8080
rdr on $iif proto tcp from any to $eipc/32 port 25  -> $iipc port 25
rdr on $iif proto tcp from any to $eipc/32 port 22  -> $iipc port 22
# bar.com web, mail, ssh
rdr on $iif proto tcp from any to $eipa/32 port 80  -> $iipa port 8090
rdr on $iif proto tcp from any to $eipa/32 port 25  -> $iipa port 25
rdr on $iif proto tcp from any to $eipa/32 port 22  -> $iipa port 22
# filter rules
antispoof for lo0
antispoof for dc0 inet
antispoof for dc1 inet
block             out log                all
block             in  log                all
block return-rst  in  log inet proto tcp all
block return-rst  out log inet proto tcp all
block return-icmp in  log inet proto udp all
block return-icmp out log inet proto udp all
# block packets from or to unrouteable addresses
block in log quick on $eif from $unrouteable to any
block out log quick on $eif from any to $unrouteable
# by default, block all incoming packets, except those explicitly
# allowed by further rules.
block in log on $eif all
# for www connections from the outside
pass in log quick on $eif proto tcp from any to $iipc port 8080 $fssaks
pass in log quick on $eif proto tcp from any to $iipa port 8090 $fssaks
# for mail connections from the outside
pass in quick on $eif inet proto tcp from any to $eipc port 25 $fssaks
pass in quick on $eif inet proto tcp from any to $eipa port 25 $fssaks
# for ident connections from the outside
pass in quick on $eif proto tcp     from any to $eipc port 113 $fssaks
pass in quick on $eif proto tcp     from any to $eipa port 113 $fssaks
# ident on firewall
pass in quick on $eif proto tcp     from any to $eipf port 113 $fssaks
# pass ssh, plus locally originating outgoing traffic
pass  in  on $eif inet proto tcp from any to $eif port 22 $fssaks
# deal with outgoing traffic
block out on $eif all
pass in  quick on { lo0, $iif } all
pass out quick on { lo0, $iif } all
pass out on $eif inet proto tcp all $fssaks
pass out on $eif inet proto { udp, icmp } all keep state
# block attempts to 1) access our network; 2) broadcast; 3) fingerprint
block in log quick on $eif from any to { 999.999.999.0/32, $external_net/32 }
block in log quick on $eif from any to { 999.999.999.231/32, 999.999.999.255/32 }
block in log quick on $eif inet proto tcp all flags FUP/FUP
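For comparison, here is an added example (editor's illustration, not the poster's file and not a tested fix for their network) of the conventional way pf of this era, with the pre-OpenBSD 4.7 translation syntax the post uses, combines binat for hosts that own a public address, rdr for the port changes, and nat for everything else. It reuses the macro names from the post and the poster's 999.999.999 placeholder addresses. Two behaviours it relies on: rdr and nat rules are matched against the interface a packet arrives on or leaves by, so rules for connections coming from the Internet belong on the external interface; and, to the editor's understanding of that pf version, rdr is consulted before binat for incoming packets and binat before nat for outgoing ones, so listing order between the three kinds does not matter. The binat target is a single address, which avoids the "expands to multiple ips" error that a multi-address interface name produces.

```pf
# Added example, not the poster's config. Same macro names as the post.
eif="dc0"                          # external interface, carries 999.999.999.226-230
iif="dc1"                          # internal interface
internal_net="192.168.0.224/29"    # /29 network address; covers .224 through .231
eipc="999.999.999.226"             # foo.com, public address
eipa="999.999.999.227"             # bar.com, public address
eipf="999.999.999.229"             # firewall, public address
iipc="192.168.0.226"               # foo.com, internal address
iipa="192.168.0.227"               # bar.com, internal address
fssaks="flags S/SA keep state"

scrub in  all
scrub out all

# One-to-one mappings. binat is bidirectional: the server's own outgoing
# traffic leaves as its public address, and packets arriving on $eif for the
# public address are rewritten to the internal one before filtering.
binat on $eif from $iipc to any -> $eipc
binat on $eif from $iipa to any -> $eipa

# Port changes for the web servers. These match on the interface the packet
# arrives on, so connections from the outside are redirected on $eif.
# Ports with no rdr (25, 22, 113) fall through to the binat mapping above.
rdr on $eif proto tcp from any to $eipc port 80 -> $iipc port 8080
rdr on $eif proto tcp from any to $eipa port 80 -> $iipa port 8090

# Everything else on the internal /29 leaves as the firewall's address.
# The two binat hosts are not affected: binat is matched ahead of nat.
nat on $eif from $internal_net to any -> $eipf

# Filter rules see the translated (internal) destination addresses.
block in log on $eif all
pass in quick on $eif proto tcp from any to $iipc port { 8080, 25, 22, 113 } $fssaks
pass in quick on $eif proto tcp from any to $iipa port { 8090, 25, 22, 113 } $fssaks
pass in  quick on { lo0, $iif } all
pass out quick on { lo0, $iif } all
pass out on $eif inet proto tcp all $fssaks
pass out on $eif inet proto { udp, icmp } all keep state
```

The antispoof, unrouteable-address and fingerprint blocks from the post are omitted here only to keep the translation section in view; they slot in unchanged. Loading with `pfctl -nf` first checks the syntax without touching the running ruleset, and `pfctl -s nat` afterwards shows how the macros expanded.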