
RE: simple IPF and IPNAT but problem between chair and keyboard



What is being said is that a packet coming to the OBSD box that 
has ipfilter on it checks the packet with the ipnat rules first, to 
determine if the packet even is part of the ip schema or routing.
It will then check it against any ipf.rules that you have in place.
You could have your ipf.rules set to:
pass in from any to any
pass out from any to any

which basically means that you are not restricting anything but for
testing purposes may make redirecting easier for you.

Hope this helps a little.

PS.  Don't leave your ipf.rules set to the above noted either!!! ;-)
Make sure that your redirects are set up as stated at www.obfuscation.org/ipf
and BEFORE your mappings!

Dean Carey

PGP public key available upon request.


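The rule files below are an added example, not something posted in this thread, arranged the way Bruce ("filter on your private addresses") and Dean ("redirects before mappings") describe. The interface ep0, the public address 123.123.123.123 and the internal host 10.1.1.1 come from the original post; the block-by-default policy, the choice to show only ports 25 and 80 (the other redirected ports follow the same pattern), and writing the inside network as 10.1.1.0/24 rather than the post's 10.1.1.7/24 are my assumptions.

```ipf
# Added example (not from the thread). Two files shown back to back.

# /etc/ipnat.rules -- rdr lines first, map lines after them
rdr ep0 123.123.123.123/32 port 25 -> 10.1.1.1 port 25
rdr ep0 123.123.123.123/32 port 80 -> 10.1.1.1 port 80
map ep0 10.1.1.0/24 -> 123.123.123.123/32 portmap tcp/udp 1025:65000
map ep0 10.1.1.0/24 -> 123.123.123.123/32

# /etc/ipf.rules -- IPNAT has already rewritten the destination by the
# time IPF sees an inbound packet, so the pass rules must name the
# private address; a rule written against 123.123.123.123 never matches.
# Default policy (assumed): block and log everything not passed below.
block in log on ep0 all
block out on ep0 all
pass in quick on ep0 proto tcp from any to 10.1.1.1 port = 25 keep state
pass in quick on ep0 proto tcp from any to 10.1.1.1 port = 80 keep state
pass out quick on ep0 proto tcp from any to any keep state
```

After loading the files (`ipnat -CF -f /etc/ipnat.rules`, then `ipf -Fa -f /etc/ipf.rules`), `ipfstat -hio`, as Bruce suggests, shows per-rule hit counts: a pass rule still written against the public address will sit at zero while the corresponding rule on 10.1.1.1 accumulates hits.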

-----Original Message-----
From: Gary MacKay [mailto:Gary@EdisonInfo.com]
Sent: Tuesday, May 01, 2001 12:46 PM
To: bruce@specialdevices.com
Cc: misc@openbsd.org
Subject: Re: simple IPF and IPNAT but problem between chair and keyboard


Sorry to jump in here, but this post piqued the interest of a newbie. (me!) 
You mentioned that IPNAT happens before IPF. Does that mean I don't have to 
have rules in the ipf.rules file to "allow in", say, port 25 or port 80 if 
I am nat'ing them to another machine behind the firewall?


> It's not clear whether these rules worked on your 2.8 machine or 
> not.
> 
> In General:
> 
> IPNAT rule order.
> 
> IPNAT rules are first match and quit EXCEPT they are also 
> largest netmask first.  This means that all x/32 rules are 
> evaluated before any others.  So in your case the order is not 
> important.
> 
> IPNAT happens before IPF.
> 
> Change your rules to filter on your private addresses.
> To verify use ipfstat -hio to see which of your rules are actually 
> being matched.
> 
> Bruce
> 
>> I installed the 2.9 snapshot on a machine yesterday, and configured
>> using the same rules I had applied to a 2.8 machine recently, and am
>> having serious problems using rdr to send SMTP/www traffic to a machine
>> on internal network.
>> 
>> I have simplified the rules as much as possible, but no joy. I've also
>> read through www.obfuscation.org/ipf without any luck.
>> 
>> Can someone see what is wrong ?? I have modified the file sysctl.conf
>> and rc.conf accordingly. All traffic behind the NAT machine works OK,
>> but when I try to telnet to port 25 from outside I get no response.
>> 
>> In the ipnat.rules file I tried having the map rules after the rdr
>> rules, but no luck either way.
>> /etc/ipnat.rules
>> map ep0 10.1.1.7/24 -> 123.123.123.123/32 portmap tcp/udp 1025:65000
>> map ep0 10.1.1.7/24 -> 123.123.123.123/32
>> 
>> #map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 10000:20000
>> rdr ep0 123.123.123.123/32 port 25 -> 10.1.1.1 port 25
>> rdr ep0 123.123.123.123/32 port 80 -> 10.1.1.1 port 80
>> rdr ep0 123.123.123.123/32 port 110 -> 10.1.1.1 port 110
>> rdr ep0 123.123.123.123/32 port 143 -> 10.1.1.1 port 143
>> rdr ep0 123.123.123.123/32 port 993 -> 10.1.1.1 port 993
>> 
>> 
>> /etc/ipf.rules
>> pass in from any to any
>> pass out from any to any
>> 
>> pass in quick on ep0 proto tcp from any to 123.123.123.123/32 port =
>> 25 keep state
>> pass in quick on ep0 proto tcp from any to 123.123.123.123/32 port =
>> 80 keep state
>> pass in quick on ep0 proto tcp from any to 123.123.123.123/32 port =
>> 143 keep state
>> pass out quick on ep0 proto tcp from any to any keep state
>> 
> 
> 
> -*-*-*-*-*-*-*-*-*-*-*-*-*-
> 
> All opinions are my own.
> All advice is worth what you pay for it.
> A little experience often upsets a lot of theory.
> 
> -*-*-*-*-*-*-*-*-*-*-*-*-*-


-- 
Edison Information Technologies
www.EdisonInfo.com