little question.



Hello pf,
  I've found two problems today on my 3.2 release machine. I've got an
  $ExtIF that connects to the Internet and an $IntIF that goes to a
  NATed private net.
  1) I've got a cablemodem that assigns an IP through DHCP. But the
  cablemodem itself has an 192.169.100.1 IP. So I have added an alias
  192.168.100.128, which leads to two subproblems.
  1a) When I try to reach it from my NATed machine it gets translated
  and so it doesn't go through 192.168.100.128 but through my CM-assigned IP.
  I think that I have to add a:
      nat on $ExtIF from $IntNet to ! 192.168.100.1 -> $ExtIP
  Is that right? Does this work on 3.2-release? If I had multiple
  aliases (non consecutive) how should I do it?
  1b) I want to make sure that if some machine gets compromised, it
  can't send spoofed IPs. So I've put:
      block out quick on $ExtIF inet from ! $ExtIP to any
  But it doesn't allow my aliased IP. I've tried to use a list. But
  when I negate a list I get a syntax error (which I expected
  anyway). I don't think it's logical to have a list of negated IPs
  since that should mean everything. How am I supposed to do this?
  I've been explicitly allowing what gets out, so I do:
      pass out quick on $ExtIF inet proto tcp  from $ExtIPalias to any \
        flags S/SAFPRU keep state
      pass out quick on $ExtIF inet proto tcp  from $ExtIP to any \
        flags S/SAFPRU keep state
      pass out quick on $ExtIF inet proto udp  from $ExtIP to any \
        keep state
      pass out quick on $ExtIF inet proto icmp from $ExtIP to any
      block out quick on $ExtIF all
  This gets me what I want. Is this the only way to attain what I
  intend? It seems a bit cumbersome.
  2) Since I'm NATing on the external interface I can't do something
  like:
      # Modulate weak clients' sequence numbers
      pass out quick on $ExtIF inet proto tcp  from $WeakClientsIP \
        to any flags S/SAFPRU modulate state
      pass out quick on $ExtIF inet proto tcp  from $ExtIP to any \
        flags S/SAFPRU keep state
  So either I modulate everything that gets out (which I think would
  modulate the firewall's own already excellent sequence numbers) or I
  have to live with the weak clients' sequence numbers. Did I get
  something wrong or is this the way it's done?
  Please keep in mind that I don't want to upgrade until 3.3 release,
  so lists and such things are a no-no for now.

-- 
Best regards,
 Alejandro Belluscio
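
One way to lay out points 1a and 1b of the message above as a single pf.conf fragment, relying on first-match nat rules and on the explicit-allow egress structure the poster already uses (an added illustration, not the poster's configuration; the interface names, the DHCP address and the internal net are assumed placeholders):

```pf
# Added illustration, not the poster's configuration. Macro values are assumed.
ExtIF      = "dc0"
IntIF      = "dc1"
ExtIP      = "203.0.113.10"        # placeholder for the DHCP-assigned address
ExtIPalias = "192.168.100.128"     # alias used to talk to the cablemodem
CM         = "192.168.100.1"       # the cablemodem's own address
IntNet     = "10.0.0.0/24"         # placeholder for the NATed private net

# 1a) nat rules are first-match: traffic for the cablemodem is translated to
#     the alias, everything else to the DHCP address.
nat on $ExtIF from $IntNet to $CM  -> $ExtIPalias
nat on $ExtIF from $IntNet to any  -> $ExtIP

# 1b) Egress filtering by explicit allow: only the firewall's own addresses
#     may appear as source on $ExtIF, one pass rule per address, and the
#     final block catches anything else (including spoofed sources from a
#     compromised internal host).
pass out quick on $ExtIF inet proto tcp  from $ExtIPalias to $CM \
    flags S/SA keep state
pass out quick on $ExtIF inet proto icmp from $ExtIPalias to $CM keep state
pass out quick on $ExtIF inet proto tcp  from $ExtIP to any \
    flags S/SA keep state
pass out quick on $ExtIF inet proto udp  from $ExtIP to any keep state
pass out quick on $ExtIF inet proto icmp from $ExtIP to any keep state
block out quick on $ExtIF all
```

Each additional non-consecutive alias gets its own nat rule and its own pass rules in this layout; the trailing block rule is what enforces the anti-spoofing, so it must stay last.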