
Re: Long question about firewall/routing



On Sun, 1 Apr 2001, Louis W. Erickson wrote:

>
> Hi, all.
>
Hi

> I haven't been able to find archives of the mailing list, so this may be a
> common question.  If so, I'm sorry about that.  I did try to check.
>
http://www.openbsd.org/mail.html

> I've got an OpenBSD machine set up as a firewall.  It has two network
> cards in it, sis0 and sis1, and they're working fine.  sis0 is set to an
> 192.168.0 address, and sis1 is set to one of the addresses given to me by
> my ISP, which are in the 63.205.237 range.  Less than a class C, but
> having a label for them may make my descriptions clearer.
>
> The excellent FAQ helped me get ipf and ipnat running, and I am quite
> pleased with the ease that was done.  All of our workstations have been
> able to do anything we asked, right away, and that was completely unlike
> any other NAT installation I'd ever done.  That part has been great.
>
I know

> However, we now want to put some machines up that have permanent addresses
> that can be seen from the Internet, yet are behind the firewall and can
> take advantage of its excellent filtering.  I have yet to be able to make
> this work.
>
Shouldn't be too hard, just rtfm ;)
> My first thought was to set the new machine up with a 192.168 address, and
> use NAT to let the outside world see it, with a bimap entry in ipnat.rules
> and an IP alias on the NIC with the Internet address.  From the outside,
> this seemed to work fine; the services on that machine were all available
> from its external address.  However, from our 192.168 network, that
> machine wasn't visible as a 63.205.237 address.  Apparently, NAT doesn't
> happen from any interface, just over the 63.205.237 one.  The machine is
> visible to us on its 192.168.0 address, but using its web server from
> that address is quite difficult, as the DNS lists the 63.205.237 address,
> and all the URLs are wrong.
>
How about using an alias on the box with a "real" address. Just
set 192.168.x.x as the alias.

> I tried adding entries to ipnat.rules to make it do the NAT for both
> interfaces, and was unable to make that happen.
>
Then just let through the firewall without nat'ing it, as you have
a "real"/external ip. Remember to check the packets for blackhat activity
before letting them in, though.
> If there is a way to do this, then I believe this is the solution I would
> prefer to use.
>
> The ipf.rules allowed all the right protocols, and the ipnat.rules was set
> up this way:
>
> # Allow the outside world to see this one machine
> bimap sis1 192.168.0.183/32 -> 63.205.237.183/32
>
> # Allow all our internal machines to go out
> map sis1 192.168.0.0/28 -> 63.205.237.162/32 proxy port ftp ftp/tcp
> map sis1 192.168.0.0/28 -> 63.205.237.162/32 portmap tcp/udp 10000:60000
> map sis1 192.168.0.0/28 -> 63.205.237.162/32
>
> When I was unable to make this work, I tried to find another way, that
> didn't use NAT.  I turned it off, and set both machines up differently.
>
> I also have been trying to set up static routes for the machine.  I put it
> on the 192.168.0 side of the firewall, but with a 63.205.237 address. This
> server runs Linux, and I added a static route:
>
> route add -host 192.168.0.xxx 63.205.237.xxx
>
> On the OpenBSD firewall, I added a static route back:
>
> route add -host 63.204.237.xxx 192.168.0.xxx
>
> The route commands seemed to work.  I tried pinging from one machine to
> the other, though, and could get no response.  tcpdump shows the
> 63.204.237.xxx machine's echo request on both it, and on the firewall, but
> no replies are sent.  My firewall rules allow ICMP, and I can ping
> elsewhere just fine, even through NAT.
>
> OpenBSD begins to log messages, too:
>
> Apr 1 12:43:17 muspell /bsd: arplookup: unable to enter address for  63.205.237.xxx
> Apr 1 12:43:17 muspell /bsd: arpresolve: can't allocate llinfo
>
> It seems to be unable to install the arp entry for the static routed
> machine.  I don't know why it wouldn't be able to.
>
> Can anybody suggest what I might be doing wrong, or another way to allow
> access to a machine through the firewall?
>
> I've been messing with this on and off for a week now, and have no other
> ideas on how I might get what I need to work.  Thank you for any
> suggestions you can give.  I hope I haven't confused everybody terribly
> with this long message.
>
>
Also, be sure to check out www.obfuscation.org/ipf for a great ipf intro.

--
regards/mvh
Stein B. Sylvarnes
stein.sylvarnes@student.uib.no