
Re: simple IPF and IPNAT but problem between chair and keyboard



Sorry to jump in here, but this post piqued the interest of a newbie. (me!)
You mentioned that IPNAT happens before IPF. Does that mean I don't have to
have rules in the ipf.rules file to "allow in", say, port 25 or port 80 if
I am NAT'ing them to another machine behind the firewall?


> It's not clear whether these rules worked on your 2.8 machine or 
> not.
> 
> In General:
> 
> IPNAT rule order.
> 
> IPNAT rules are first match and quit EXCEPT they are also 
> largest netmask first.  This means that all x/32 rules are 
> evaluated before any others.  So in your case the order is not 
> important.
> 
> IPNAT happens before IPF.
> 
> Change your rules to filter on your private addresses.
> To verify use ipfstat -hio to see which of your rules are actually 
> being matched.
> 
> Bruce
> 
>> I installed the 2.9 snapshot on a machine yesterday, and configured it
>> using the same rules I had applied to a 2.8 machine recently, and am
>> having serious problems using rdr to send SMTP/www traffic to a machine
>> on the internal network.
>> 
>> I have simplified the rules as much as possible, but no joy. I've also
>> read through www.obfuscation.org/ipf without any luck.
>> 
>> Can someone see what is wrong? I have modified the file sysctl.conf
>> and rc.conf accordingly. All traffic behind the NAT machine works OK,
>> but when I try to telnet to port 25 from outside I get no response.
>> 
>> In the ipnat.rules file I tried having the map rules after the rdr
>> rules, but no luck either way.
>> /etc/ipnat.rules
>> map ep0 10.1.1.7/24 -> 123.123.123.123/32 portmap tcp/udp 1025:65000
>> map ep0 10.1.1.7/24 -> 123.123.123.123/32
>> 
>> #map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 10000:20000
>> rdr ep0 123.123.123.123/32 port 25 -> 10.1.1.1 port 25
>> rdr ep0 123.123.123.123/32 port 80 -> 10.1.1.1 port 80
>> rdr ep0 123.123.123.123/32 port 110 -> 10.1.1.1 port 110
>> rdr ep0 123.123.123.123/32 port 143 -> 10.1.1.1 port 143
>> rdr ep0 123.123.123.123/32 port 993 -> 10.1.1.1 port 993
>> 
>> 
>> /etc/ipf.rules
>> pass in from any to any
>> pass out from any to any
>> 
>> pass in quick on ep0 proto tcp from any to 123.123.123.123/32 port = 25 keep state
>> pass in quick on ep0 proto tcp from any to 123.123.123.123/32 port = 80 keep state
>> pass in quick on ep0 proto tcp from any to 123.123.123.123/32 port = 143 keep state
>> pass out quick on ep0 proto tcp from any to any keep state
>> 
> 
> 
> -*-*-*-*-*-*-*-*-*-*-*-*-*-
> 
> All opinions are my own.
> All advice is worth what you pay for it.
> A little experience often upsets a lot of theory.
> 
> -*-*-*-*-*-*-*-*-*-*-*-*-*-


-- 
Edison Information Technologies
www.EdisonInfo.com
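To make Bruce's point concrete for the question above: because IPNAT rewrites the packet before IPF filters it, an inbound SMTP connection to 123.123.123.123 reaches the filter with destination 10.1.1.1, so "allow in" rules are still needed, but they must name the private address. The rule set below is an added example, not the original poster's files or anything from the thread; it reuses the interface, addresses and ports from the quoted post, writes the map rules with the /24 network address (10.1.1.0/24, which is what the quoted 10.1.1.7/24 denotes), adds an explicit tcp protocol on the rdr lines, and replaces the two pass-everything lines with a default block. The flags S and block log choices are this example's assumptions about sensible defaults, not something the thread states.

```conf
# /etc/ipnat.rules
# rdr lines carry a /32 destination, so per Bruce's note they are evaluated
# before the /24 map rules no matter where they appear in the file.
rdr ep0 123.123.123.123/32 port 25  -> 10.1.1.1 port 25  tcp
rdr ep0 123.123.123.123/32 port 80  -> 10.1.1.1 port 80  tcp
rdr ep0 123.123.123.123/32 port 110 -> 10.1.1.1 port 110 tcp
rdr ep0 123.123.123.123/32 port 143 -> 10.1.1.1 port 143 tcp
rdr ep0 123.123.123.123/32 port 993 -> 10.1.1.1 port 993 tcp

# Outbound masquerading for the whole LAN (network address, not a host)
map ep0 10.1.1.0/24 -> 123.123.123.123/32 portmap tcp/udp 1025:65000
map ep0 10.1.1.0/24 -> 123.123.123.123/32

# /etc/ipf.rules
# IPF sees packets AFTER IPNAT has translated them, so inbound rules for the
# redirected services match the private destination 10.1.1.1, not the
# public 123.123.123.123. Every rule is "quick" so first match wins.

# Outbound from the firewall and (after map) from the LAN: keep state so
# the replies are admitted without separate "pass in" rules.
pass out quick on ep0 proto tcp  from any to any keep state
pass out quick on ep0 proto udp  from any to any keep state
pass out quick on ep0 proto icmp from any to any keep state

# Inbound to the redirected services, keyed on the translated address.
# "flags S" admits only the initial SYN; the state entry handles the rest.
pass in quick on ep0 proto tcp from any to 10.1.1.1/32 port = 25  flags S keep state
pass in quick on ep0 proto tcp from any to 10.1.1.1/32 port = 80  flags S keep state
pass in quick on ep0 proto tcp from any to 10.1.1.1/32 port = 110 flags S keep state
pass in quick on ep0 proto tcp from any to 10.1.1.1/32 port = 143 flags S keep state
pass in quick on ep0 proto tcp from any to 10.1.1.1/32 port = 993 flags S keep state

# Anything else arriving on the outside interface is dropped and logged.
block in log quick on ep0 all
```

Load the NAT rules with `ipnat -CF -f /etc/ipnat.rules` and the filter rules with `ipf -Fa -f /etc/ipf.rules`, then, as Bruce suggests, connect to port 25 from outside and run `ipfstat -hio` to see the hit counters; the `pass in ... to 10.1.1.1/32 port = 25` line should increment, while `ipnat -l` lists the active rdr session. A counter that only moves on the final `block in log` line means the packet reached IPF with an address the pass rules do not name, which is exactly the symptom of filtering on the public address.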