
Setting up a NAT firewall with FreeBSD 4.X, ipfilter and ipnat
*** FreeBSD 4.7 update - move the "-E" in the ipf reload perl script to be the first argument. Don't know why, but it's needed.
Initial setup:
First, I assume your kernel is built with ipfilter support.
I will assume you have two NICs; for this example I will use fxp0 and fxp1 (Intel cards).
For this example, I will use 192.168.1.0/24 as the internal network and 12.34.56.78/32 as the public IP of our NAT box.
Create the file /etc/ipnat.rules with the following lines:
map fxp0 192.168.1.0/24 -> 12.34.56.78/32 proxy port ftp ftp/tcp
map fxp0 192.168.1.0/24 -> 12.34.56.78/32 portmap tcp/udp 10000:55000
map fxp0 192.168.1.0/24 -> 12.34.56.78/32
Now create or edit /etc/ipf.rules:
# pass these first
pass in quick on lo0
pass out quick on lo0
pass out quick proto tcp/udp from 192.168.1.0/24 to any keep state
# just not gonna happen
block in log quick on fxp0 from 192.168.0.0/16 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 127.0.0.0/8 to any
#block in log quick on fxp0 from 0.0.0.0/8 to any
block in log quick on fxp0 from 169.254.0.0/16 to any
block in log quick on fxp0 from 192.0.2.0/24 to any
block in log quick on fxp0 from 204.152.64.0/23 to any
block in log quick on fxp0 from 224.0.0.0/3 to any
block in log quick on fxp0 from 255.255.255.255/32 to any
block in log quick on fxp0 from 12.34.56.78/32 to any
block return-icmp-as-dest(port-unr) in log quick all with frag
block return-icmp-as-dest(port-unr) in log quick all with ipopts
block return-icmp-as-dest(port-unr) in log quick proto tcp/udp all with short
block return-icmp-as-dest(port-unr) in log quick on fxp0 all with opt lsrr
block return-icmp-as-dest(port-unr) in log quick on fxp0 all with opt ssrr
block return-icmp-as-dest(port-unr) in log quick on fxp0 from any to any with short frag
# allow traffic i/o internally
pass out on fxp0 from any to any
pass in quick on fxp1 from any to any
pass out quick on fxp1 from any to any
pass out quick proto tcp/udp from 12.34.56.78/32 to any keep state
pass out on fxp0 from any to any
pass in quick on fxp1 from any to any
pass out quick on fxp1 from any to any
# pings
pass in quick on fxp0 proto icmp from any to 192.168.1.0/24 icmp-type 0
pass in quick on fxp0 proto icmp from any to 192.168.1.0/24 icmp-type 11
block in log quick on fxp0 proto icmp from any to any
It's usually a good idea to add a 'quick' pass rule near the top that allows the IP of a secure machine (a desktop workstation running no services at all, with no open ports) so that you don't have to walk over to the box if you mess something up.
Now we've got our initial ipnat and ipfilter rules. In /etc/rc.conf, make sure these lines are present:
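One more thing worth checking before you reload, as an added example that is not part of the original page: ipfilter applies the last matching rule unless the rule says 'quick', so an unquick 'pass in' on fxp0 is silently overridden by any later matching block, and a 'pass in quick ... from any' placed above the anti-spoofing blocks lets packets with forged private source addresses straight through. The script below is mine, not the author's; it understands only the rule shapes that appear on this page, takes fxp0 as the outside interface from the page, and the BAD_IPF_RULES text is constructed to show each check firing.

```python
"""Check rule ordering in an ipf.rules file before reloading it.

Added example, not from the original howto.  Handles only the rule shapes
used on the page: (pass|block) [return-...] (in|out) [log] [quick] [on IF] ...
"""
import re

EXTERNAL_IF = "fxp0"  # the outside interface on the page

RULE_RE = re.compile(
    r"^(?P<action>pass|block)"
    r"(?:\s+return-\S+)?"          # e.g. return-icmp-as-dest(port-unr)
    r"\s+(?P<dir>in|out)"
    r"(?P<log>\s+log)?"
    r"(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<ifname>\S+))?"
    r"(?P<rest>.*)$"
)

# An excerpt of the page's ruleset, in the page's order.
PAGE_IPF_RULES = """\
pass in quick on lo0
pass out quick on lo0
pass out quick proto tcp/udp from 192.168.1.0/24 to any keep state
# just not gonna happen
block in log quick on fxp0 from 192.168.0.0/16 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 127.0.0.0/8 to any
block in log quick on fxp0 from 12.34.56.78/32 to any
block return-icmp-as-dest(port-unr) in log quick all with frag
block return-icmp-as-dest(port-unr) in log quick on fxp0 all with opt lsrr
pass out on fxp0 from any to any
pass in quick on fxp1 from any to any
pass out quick on fxp1 from any to any
pass in quick on fxp0 proto icmp from any to 192.168.1.0/24 icmp-type 0
block in log quick on fxp0 proto icmp from any to any
"""

# Constructed (not from the page): one rule per mistake the checker reports.
BAD_IPF_RULES = """\
pass in quick on fxp0 proto tcp from any to any port = 3389
pass in on fxp0 proto tcp from any to 192.168.1.15 port = 22
block in quick on fxp0 from 10.0.0.0/8 to any
"""


def parse_ipf(text):
    """One dict per rule; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unsupported rule: {line}")
        src = re.search(r"\bfrom\s+(\S+)", m.group("rest"))
        rules.append({
            "line": lineno,
            "action": m.group("action"),
            "dir": m.group("dir"),
            "log": m.group("log") is not None,
            "quick": m.group("quick") is not None,
            "ifname": m.group("ifname"),
            "src": src.group(1) if src else None,
        })
    return rules


def lint_ipf(rules, ext_if=EXTERNAL_IF):
    """Return a list of problem strings for inbound rules on the outside interface."""
    problems = []
    inbound = [r for r in rules if r["dir"] == "in" and r["ifname"] == ext_if]
    # Line of the first 'block in ... quick' on the outside interface; the
    # anti-spoofing blocks start there.
    first_block = next(
        (r["line"] for r in inbound if r["action"] == "block" and r["quick"]), None)
    for r in inbound:
        where = f"line {r['line']}"
        if r["action"] == "pass" and not r["quick"]:
            problems.append(
                f"{where}: 'pass in' on {ext_if} without quick is overridden by any later matching block")
        elif (r["action"] == "pass" and r["src"] == "any"
              and first_block is not None and r["line"] < first_block):
            problems.append(
                f"{where}: 'pass in quick ... from any' on {ext_if} sits above the anti-spoofing blocks")
        if r["action"] == "block" and not r["log"]:
            problems.append(f"{where}: block on {ext_if} is not logged")
    return problems


if __name__ == "__main__":
    for name, text in (("page excerpt", PAGE_IPF_RULES), ("constructed", BAD_IPF_RULES)):
        rules = parse_ipf(text)
        print(f"== {name}: {len(rules)} rules")
        print("\n".join(lint_ipf(rules)) or "no problems")
```

The admin-workstation rule the paragraph above recommends is fine by this check because its source is one specific IP, not 'any'; only a wildcard pass placed above the blocks is reported.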
network_interfaces="fxp0 fxp1"
defaultrouter="12.34.56.1"
ifconfig_fxp0="inet 12.34.56.78 netmask 255.255.255.0"
ifconfig_fxp1="inet 192.168.1.1 netmask 255.255.0.0"
ipfilter_enable="YES" #Stateful firewall
ipnat_enable="YES" #Network Address Translation
ipmon_enable="YES" #Firewall logging
static_routes="inlan"
route_inlan="192.168.1.0 -netmask 255.255.255.0 -interface 192.168.1.1"
These are pretty self-explanatory.
Go ahead and just reboot the box to make it easy.
While the box is rebooting, you can start plugging everything in: fxp0 goes to the public switch (or whatever connects to the outside world), and fxp1 goes to another switch that will serve the internal LAN. (If you are going to plug it straight into a workstation for testing, make sure you use a crossover cable, not a regular cat5 patch cable.)
Now, as a matter of convenience stemming from pure laziness, save this perl script as 'nat' somewhere in your path:
#!/usr/bin/perl
# Reload ipfilter and ipnat from /etc/ipf.rules and /etc/ipnat.rules.
# Commands are passed to system() as strings; backticks would run the
# command first and hand its output to system() instead.
print "-- Reloading PNAT\n";
print "-- Shutting down ipfilter: /sbin/ipf -D\n";
system("/sbin/ipf -D");
print "-- Initializing ipfilter: /sbin/ipf -E -Fa -f /etc/ipf.rules\n";
# -E must be the first argument on FreeBSD 4.7 (see the note at the top).
system("/sbin/ipf -E -Fa -f /etc/ipf.rules") == 0 or die "ipf reload failed: $?\n";
print "-- Initializing PNAT rules: /sbin/ipnat -CF -f /etc/ipnat.rules\n";
system("/sbin/ipnat -CF -f /etc/ipnat.rules") == 0 or die "ipnat reload failed: $?\n";
print "-- Reloaded\n\n";
Now just type 'nat' and your NAT should come alive. Everyone in the office can assign themselves IPs like 192.168.1.2 or 192.168.1.56 (i.e. anything in 192.168.1.0/24 except .0, .1 and .255, of course).
But hey, now the boss finds out that security means s/he can't VNC or pcAnywhere into their desktops from home, and the tech staff can't ssh in. Oh well, it was secure before the lusers bothered us, right :)
Let's say Adam and Jaime want ssh access to their machines, Jenny wants pcAnywhere access to her box, Fernando and Diana want VNC access, and the head cheese wants to connect to his box with VNC and his Microsoft Windows 2000 VPN.
Well, hunky dory.
First, we get a list of ips and who needs what.
Adam - 192.168.1.15 - ssh
Jaime - 192.168.1.78 - ssh
Jenny - 192.168.1.99 - pcanywhere
Fernando - 192.168.1.21 - vnc
Diana - 192.168.1.113 - vnc
Boss - 192.168.1.2 - vnc and VPN
So we kiss good security goodbye and edit /etc/ipnat.rules, adding the following lines at the bottom:
#################################################################
# Adam's laptop - ssh
rdr fxp0 12.34.56.78/32 port 55555 -> 192.168.1.15 port 22
#################################################################
# Jaime's workstation - ssh
rdr fxp0 12.34.56.78/32 port 55556 -> 192.168.1.78 port 22
#################################################################
# Jenny's workstation - pcanywhere
rdr fxp0 12.34.56.78/32 port 55561 -> 192.168.1.99 port 5631
rdr fxp0 12.34.56.78/32 port 55565 -> 192.168.1.99 port 5632
#################################################################
# Fernando's workstation - vnc
rdr fxp0 12.34.56.78/32 port 55500 -> 192.168.1.21 port 5900
#################################################################
# Diana's workstation - vnc
rdr fxp0 12.34.56.78/32 port 55501 -> 192.168.1.113 port 5900
#################################################################
# Boss's vnc
rdr fxp0 12.34.56.78/32 port 55560 -> 192.168.1.2 port 5900
#################################################################
# Boss's vpn
rdr fxp0 12.34.56.78/32 port 1723 -> 192.168.1.2 port 1723
rdr fxp0 0/0 port 0 -> 192.168.1.2 port 0 gre
Make sure the person with the VPN has the IP set up correctly for the VPN interface once it's connected.
(Don't forget to run `nat`.)
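As an added check that is not part of the original howto: every rdr line is a hole punched through the NAT, so before running `nat` it pays to inventory them and catch the usual slips (a target outside the LAN, the same public port redirected twice, a port out of range). The script below is my own example, not the author's; it parses only the rdr shape used on this page, takes the LAN (192.168.1.0/24) from the page, and the BAD_RULES text is constructed to show the checks firing.

```python
"""Lint the rdr lines of an ipnat.rules file before reloading it.

Added example, not from the original howto.  Understands only the rdr form
used on the page: rdr IF EXTADDR port N -> INTADDR port M [proto]
"""
import ipaddress
import re
from collections import Counter

# The internal network from the howto.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<ext>\S+)\s+port\s+(?P<extport>\d+)\s*->\s*"
    r"(?P<int>\S+)\s+port\s+(?P<intport>\d+)(?:\s+(?P<proto>[a-z/]+))?$"
)

# The rdr rules exactly as the page lists them.
PAGE_RULES = """\
# Adam's laptop - ssh
rdr fxp0 12.34.56.78/32 port 55555 -> 192.168.1.15 port 22
# Jaime's workstation - ssh
rdr fxp0 12.34.56.78/32 port 55556 -> 192.168.1.78 port 22
# Jenny's workstation - pcanywhere
rdr fxp0 12.34.56.78/32 port 55561 -> 192.168.1.99 port 5631
rdr fxp0 12.34.56.78/32 port 55565 -> 192.168.1.99 port 5632
# Fernando's workstation - vnc
rdr fxp0 12.34.56.78/32 port 55500 -> 192.168.1.21 port 5900
# Diana's workstation - vnc
rdr fxp0 12.34.56.78/32 port 55501 -> 192.168.1.113 port 5900
# Boss's vnc
rdr fxp0 12.34.56.78/32 port 55560 -> 192.168.1.2 port 5900
# Boss's vpn
rdr fxp0 12.34.56.78/32 port 1723 -> 192.168.1.2 port 1723
rdr fxp0 0/0 port 0 -> 192.168.1.2 port 0 gre
"""

# Constructed (not from the page): the slips the checker should catch.
BAD_RULES = """\
rdr fxp0 12.34.56.78/32 port 55555 -> 192.168.1.15 port 22
rdr fxp0 12.34.56.78/32 port 55555 -> 192.168.1.78 port 22
rdr fxp0 12.34.56.78/32 port 55600 -> 192.168.2.5 port 5900
"""


def parse_rdr(text):
    """One dict per rdr line; comments, blank lines and map lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("rdr"):
            continue
        m = RDR_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unsupported rdr syntax: {line}")
        rules.append({
            "line": lineno,
            "ifname": m.group("ifname"),
            "ext": m.group("ext"),
            "extport": int(m.group("extport")),
            "int": ipaddress.ip_address(m.group("int")),
            "intport": int(m.group("intport")),
            "proto": m.group("proto") or "tcp",  # ipnat's default for rdr
        })
    return rules


def lint_rdr(rules, internal_net=INTERNAL_NET):
    """Return a list of problem strings; empty means the set looks sane."""
    problems = []
    seen = Counter((r["proto"], r["extport"]) for r in rules)
    for r in rules:
        where = f"line {r['line']}"
        if r["int"] not in internal_net:
            problems.append(f"{where}: target {r['int']} is outside {internal_net}")
        if seen[(r["proto"], r["extport"])] > 1:
            problems.append(f"{where}: {r['proto']} port {r['extport']} is redirected more than once")
        for port in (r["extport"], r["intport"]):
            if not 0 <= port <= 65535:
                problems.append(f"{where}: port {port} is out of range")
    return problems


def exposure(rules):
    """What the outside world can reach: one line per redirect, sorted by proto and port."""
    return [
        f"{r['proto']}/{r['extport']} on {r['ext']} -> {r['int']}:{r['intport']}"
        for r in sorted(rules, key=lambda r: (r["proto"], r["extport"]))
    ]


if __name__ == "__main__":
    for name, text in (("page", PAGE_RULES), ("constructed", BAD_RULES)):
        rules = parse_rdr(text)
        print(f"== {name}: {len(rules)} rdr rules")
        print("\n".join(exposure(rules)))
        print("\n".join(lint_rdr(rules)) or "no problems")
```

The exposure list is the part worth keeping around: it is the inventory of everything reachable from outside once `nat` has run, including the gre rule that matches any destination address rather than just 12.34.56.78.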
If this doesn't work for you, sorry, works for me.
Comments, Questions, Corrections > decker(at)n3t.net