From: steve (steveclublinux.org)
Date: Sun Jul 08 2001 - 00:14:34 CDT

    Hi,
    First off, I'm quite new to FreeBSD and I hope I chose the correct list
    to mail to. In order to help teach myself FreeBSD, I'm recreating my
    home firewall using FreeBSD (ipfilter/ipnat) instead of Linux
    (ipchains). I'm using the 4.3 RELEASE of FreeBSD.
    I have a web server behind the firewall that I want to allow people to
    access from the outside. After reading the IPFilter How-To, this seems
    fairly easy:

    ipnat.rules
    -----------

    rdr ep0 216.170.19.162/32 port 80 -> 192.168.1.100 port 80

    ipfilter.rules
    --------------

    pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80 flags S keep state keep frags

    However, because NAT occurs before the filtering, I can no longer have a
    rule to prevent packets from the outside that contain a destination IP
    on my internal network from passing through my firewall and entering my
    internal network like this:

    block in quick on ep0 from any to 192.168.0.0/16

    I realize that packets with a source or destination of 192.168.0.0/16
    should be dropped by routers on the internet, but I know this doesn't
    always happen as our firewall at work has recorded such packets in the
    past.

    Am I misunderstanding how IPFilter/IPNat work together correctly? If
    so, is there a way around this problem? If not, would the following
    provide the protection I'm looking for while still allowing people to
    access my web server from the outside?

    pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80 flags S keep state keep frags
    block in quick on ep0 from any to 192.168.0.0/16

    This would prevent any packet from the outside with a destination
    address of my internal network from passing through the firewall unless
    it was specifically going to port 80 on my web server right?

    Please CC me on any replies as I'm not currently subscribed to the list.

    Thanks in advance,
    Steve

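As an added illustration (not part of Steve's mail and not IPFilter's own code), a small Python model of the inbound path the post describes: ipnat's rdr rewrites the destination before ipfilter evaluates its rules, so the filter sees 192.168.1.100 rather than the external address, and the result depends on which quick rule matches first. The rules and addresses are taken from the post; the stateless evaluation, the sample outside source address and the default-pass fallback (IPFilter's compiled-in default unless built with IPFILTER_DEFAULT_BLOCK) are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed model (not IPFilter code) of the inbound path on ep0: ipnat's rdr
# rewrites the destination first, then ipfilter evaluates rules top to bottom and
# the first matching "quick" rule decides. Addresses and rules are the post's own.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    syn_only: bool = True   # models "flags S": SYN set and nothing else

# rdr ep0 216.170.19.162/32 port 80 -> 192.168.1.100 port 80
RDR_RULES = [("216.170.19.162/32", 80, "192.168.1.100", 80)]

# (action, proto or None, destination network, port or None, require SYN-only)
PASS_WEB = ("pass", "tcp", "192.168.1.100/32", 80, True)     # pass in quick ... port = 80 flags S
BLOCK_RFC = ("block", None, "192.168.0.0/16", None, False)   # block in quick ... to 192.168.0.0/16
PROPOSED_ORDER = [PASS_WEB, BLOCK_RFC]  # ordering proposed at the end of the post
REVERSED_ORDER = [BLOCK_RFC, PASS_WEB]  # block rule placed first
DEFAULT_ACTION = "pass"  # assumption: IPFilter's default when no rule matches

def apply_rdr(pkt):
    """ipnat rdr: rewrite a matching external dst:port to the internal host before filtering."""
    for ext_net, ext_port, int_host, int_port in RDR_RULES:
        if ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(ext_net) and pkt.dport == ext_port:
            return replace(pkt, dst=int_host, dport=int_port)
    return pkt

def filter_packet(pkt, rules):
    """Evaluate quick rules in order; the first match wins, otherwise the default applies."""
    for action, proto, net, port, syn in rules:
        if proto is not None and pkt.proto != proto:
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(net):
            continue
        if port is not None and pkt.dport != port:
            continue
        if syn and not pkt.syn_only:
            continue
        return action
    return DEFAULT_ACTION

def inbound(pkt, rules=PROPOSED_ORDER):
    """Full inbound path: rdr, then filter. Returns (action, destination the filter saw)."""
    translated = apply_rdr(pkt)
    return filter_packet(translated, rules), translated.dst
```

Running the web SYN through both orderings shows the effect of the rewrite: with the block rule first, the translated packet (destination 192.168.1.100) is dropped, while with the pass rule first only other 192.168.0.0/16 destinations are blocked.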