OSEC

From: Sam Carleton (scarletonmiltonstreet.com)
Date: Sun Jul 22 2001 - 13:56:37 CDT

    Ok folks, I simply do NOT understand this. The firewall seems to be
    working fine. Standard NAT (allowing my workstations out) seems to be
    working fine. But I am completely unable to get NAT to redirect
    incoming requests. This is what I am using:

    ---------ipf.conf---------
    block in on tun0
    block in quick on tun0 from 192.168.0.0/16 to any
    block in quick on tun0 from 172.16.0.0/12 to any
    block in quick on tun0 from 10.0.0.0/8 to any
    block in quick on tun0 from 127.0.0.0/8 to any
    block in quick on tun0 from 0.0.0.0/8 to any
    block in quick on tun0 from 169.254.0.0/16 to any
    block in quick on tun0 from 192.0.2.0/24 to any
    block in quick on tun0 from 204.152.64.0/23 to any
    block in quick on tun0 from 224.0.0.0/3 to any
    block in log quick on tun0 from 192.168.0.0/24 to any
    block in log quick on tun0 from any to 192.168.0.0/32
    block in log quick on tun0 from any to 192.168.0.255/32
    pass out quick on tun0 proto tcp/udp from 192.168.0.1/32 to any keep state
    pass out quick on tun0 proto icmp from 192.168.0.1/32 to any keep state

    pass in quick on tun0 proto tcp from any to 192.168.0.1/32 port = 22 flags S keep state
    pass in quick on tun0 proto tcp from any to 192.168.0.5/32 port = 22 flags S keep state

    pass in quick on tun0 proto tcp from any to 192.168.0.1/32 port = 25 flags S keep state
    pass in quick on tun0 proto tcp from any to 192.168.0.5/32 port = 25 flags S keep state

    pass in quick on tun0 proto tcp from any to 192.168.0.1/32 port = 80 flags S keep state
    pass in quick on tun0 proto tcp from any to 192.168.0.5/32 port = 80 flags S keep state

    pass in quick on tun0 proto tcp from any to 192.168.0.1/32 port = 443 flags S keep state
    pass in quick on tun0 proto tcp from any to 192.168.0.5/32 port = 443 flags S keep state
    ---------ipf.conf---------

    ---------ipnat.conf---------
    map iy0 192.168.0.1/24 -> 0/32 proxy port ftp ftp/tcp
    map iy0 192.168.0.1/24 -> 0/32 portmap tcp/udp 40000:60000
    map iy0 192.168.0.1/24 -> 0/32

    rdr iy0 0.0.0.0/32 port 22 -> 192.168.0.5 port 22
    rdr iy0 0.0.0.0/32 port 25 -> 192.168.0.5 port 25
    rdr iy0 0.0.0.0/32 port 80 -> 192.168.0.5 port 80
    rdr iy0 0.0.0.0/32 port 443 -> 192.168.0.5 port 443
    ---------ipnat.conf---------

    If my understanding is correct, the NAT rules get applied before the
    packet goes through the IP Filter. This means that the rules I have
    allowing things into 192.168.0.1 will never be used; I simply had them
    there to make sure :)

    Another question: It is my understanding that when I get a new IP
    address from my ISP, I need to have NAT update itself. What is the best
    way to do this, considering the machine never disconnects?

    Sam
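The ordering Sam describes (rdr is applied to an inbound packet before the filter sees it, so the pass-in rule has to name the internal host and port, on the interface the rdr rule is bound to) can be checked mechanically. The script below is an added example and is not part of the original post or of IPFilter itself: it parses constructed copies of the two configs quoted above and reports, for each rdr rule, whether some pass-in rule admits the redirected connection and whether that rule sits on the same interface. Run on these configs it reports that every rdr rule is bound to iy0 while all the matching pass-in rules are on tun0; the post does not say which interface carries the ISP link, so the script only flags the discrepancy. It accepts a subset of ipnat.conf/ipf.conf syntax, and treating an rdr rule with no protocol keyword as TCP is an assumption of this example.

```python
"""Cross-check ipnat.conf rdr rules against ipf.conf pass-in rules.

Added example (not from the original post). IPFilter redirects an inbound
packet with rdr before filtering it, so the filter must admit the packet
as it looks *after* redirection: internal destination address and port,
arriving on the interface the rdr rule names.
"""
import re

# Constructed copies of the two configs quoted in the post.
IPNAT_CONF = """\
map iy0 192.168.0.1/24 -> 0/32 proxy port ftp ftp/tcp
map iy0 192.168.0.1/24 -> 0/32 portmap tcp/udp 40000:60000
map iy0 192.168.0.1/24 -> 0/32
rdr iy0 0.0.0.0/32 port 22 -> 192.168.0.5 port 22
rdr iy0 0.0.0.0/32 port 25 -> 192.168.0.5 port 25
rdr iy0 0.0.0.0/32 port 80 -> 192.168.0.5 port 80
rdr iy0 0.0.0.0/32 port 443 -> 192.168.0.5 port 443
"""

IPF_CONF = """\
block in on tun0
pass in quick on tun0 proto tcp from any to 192.168.0.1/32 port = 22 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.0.5/32 port = 22 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.0.5/32 port = 25 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.0.5/32 port = 80 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.0.5/32 port = 443 flags S keep state
"""

# rdr <iface> <ext-addr> port <n> -> <int-addr> port <m> [tcp|udp|tcp/udp]
RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+(?P<ext>\S+)\s+port\s+(?P<extport>\d+)\s*->\s*"
    r"(?P<int>\S+)\s+port\s+(?P<intport>\d+)(?:\s+(?P<proto>tcp/udp|tcp|udp))?\s*$"
)
# pass in [quick] on <iface> proto <p> from <src> to <dst> port = <n> ...
PASS_IN_RE = re.compile(
    r"^pass\s+in\s+(?:quick\s+)?on\s+(?P<iface>\S+)\s+proto\s+(?P<proto>\S+)\s+"
    r"from\s+\S+\s+to\s+(?P<dst>\S+)\s+port\s*=\s*(?P<port>\d+)"
)


def _host(addr):
    """Strip a /32 mask so '192.168.0.5/32' and '192.168.0.5' compare equal."""
    return addr[:-3] if addr.endswith("/32") else addr


def parse_rdr(text):
    """Return the rdr rules of an ipnat.conf as dicts; map rules are ignored."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["int"] = _host(d["int"])
            rules.append(d)
    return rules


def parse_pass_in(text):
    """Return the 'pass in ... port = N' rules of an ipf.conf as dicts."""
    rules = []
    for line in text.splitlines():
        m = PASS_IN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dst"] = _host(d["dst"])
            rules.append(d)
    return rules


def check_rdr_coverage(ipnat_text, ipf_text):
    """For each rdr rule return (iface, ext port, int addr, int port, status,
    interfaces of the filter rules that admit the redirected connection).

    status: 'covered'            a pass-in rule matches on the rdr interface
            'interface-mismatch' a pass-in rule matches, but on another interface
            'no-filter-rule'     nothing admits the post-rdr address/port
    """
    passes = parse_pass_in(ipf_text)
    report = []
    for r in parse_rdr(ipnat_text):
        proto = r["proto"] or "tcp"  # assumption: rdr without keyword means tcp
        matches = [
            p for p in passes
            if p["dst"] in ("any", r["int"])
            and p["port"] == r["intport"]
            and proto in p["proto"].split("/")  # 'tcp/udp' admits both
        ]
        if not matches:
            status = "no-filter-rule"
        elif any(p["iface"] == r["iface"] for p in matches):
            status = "covered"
        else:
            status = "interface-mismatch"
        report.append((r["iface"], r["extport"], r["int"], r["intport"],
                       status, sorted({p["iface"] for p in matches})))
    return report


if __name__ == "__main__":
    for iface, eport, host, iport, status, ifaces in check_rdr_coverage(IPNAT_CONF, IPF_CONF):
        print(f"rdr {iface} port {eport} -> {host}:{iport}: {status} (filter on {ifaces})")
```

Pointing the two constants at the real files (read with `open()`) turns this into a quick pre-deployment check; a `covered` status only says the filter admits the redirected traffic, not that the rdr rule itself will match inbound packets.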