From: Stein Boerge Sylvarnes (Stein.Sylvarnesstudent.uib.no)
Date: Sun Apr 01 2001 - 17:11:16 CDT


    On Sun, 1 Apr 2001, Louis W. Erickson wrote:

    >
    > Hi, all.
    >
    Hi

    > I haven't been able to find archives of the mailing list, so this may be a
    > common question. If so, I'm sorry about that. I did try to check.
    >
    http://www.openbsd.org/mail.html

    > I've got an OpenBSD machine set up as a firewall. It has two network
    > cards in it, sis0 and sis1, and they're working fine. sis0 is set to an
    > 192.168.0 address, and sis1 is set to one of the addresses given to me by
    > my ISP, which are in the 63.205.237 range. Less than a class C, but
    > having a label for them may make my descriptions clearer.
    >
    > The excellent FAQ helped me get ipf and ipnat running, and I am quite
    > pleased with the ease that was done. All of our workstations have been
    > able to do anything we asked, right away, and that was completely unlike
    > any other NAT installation I'd ever done. That part has been great.
    >
    I know

    > However, we now want to put some machines up that have permanent addresses
    > that can be seen from the Internet, yet are behind the firewall and can
    > take advantage of its excellent filtering. I have yet to be able to make
    > this work.
    >
    Shouldn't be too hard, just rtfm ;)
    > My first thought was to set the new machine up with a 192.168 address, and
    > use NAT to let the outside world see it, with a bimap entry in ipnat.rules
    > and an IP alias on the NIC with the Internet address. From the outside,
    > this seemed to work fine; the services on that machine were all available
    > from its external address. However, from our 192.168 network, that
    > machine wasn't visible at its 63.205.237 address. Apparently, NAT doesn't
    > happen from any interface, just over the 63.205.237 one. The machine is
    > visible to us on its 192.168.0 address, but using its web server from
    > that address is quite difficult, as the DNS lists the 63.205.237 address,
    > and all the URLs are wrong.
    >
    How'bout using an alias on the box with a "real" address. Just
    set 192.168.x.x as the alias.

    > I tried adding entries to ipnat.rules to make it do the NAT for both
    > interfaces, and was unable to make that happen.
    >
    Then just let through the firewall without nat'ing it, as you have
    a "real"/external ip. Remember to check the packats for blackhat activity
    before letting them in, though.
    > If there is a way to do this, then I believe this is the solution I would
    > prefer to use.
    >
    > The ipf.rules allowed all the right protocols, and the ipnat.rules was set
    > up this way:
    >
    > # Allow the outside world to see this one machine
    > bimap sis1 192.168.0.183/32 -> 63.205.237.183/32
    >
    > # Allow all our internal machines to go out
    > map sis1 192.168.0.0/28 -> 63.205.237.162/32 proxy port ftp ftp/tcp
    > map sis1 192.168.0.0/28 -> 63.205.237.162/32 portmap tcp/udp 10000:60000
    > map sis1 192.168.0.0/28 -> 63.205.237.162/32
    >
    > When I was unable to make this work, I tried to find another way, that
    > didn't use NAT. I turned it off, and set both machines up differently.
    >
    > I also have been trying to set up static routes for the machine. I put it
    > on the 192.168.0 side of the firewall, but with a 63.205.237 address. This
    > server runs Linux, and I added a static route:
    >
    > route add -host 192.168.0.xxx 63.205.237.xxx
    >
    > On the OpenBSD firewall, I added a static route back:
    >
    > route add -host 63.204.237.xxx 192.168.0.xxx
    >
    > The route commands seemed to work. I tried pinging from one machine to
    > the other, though, and could get no response. tcpdump shows the
    > 63.204.237.xxx machine's echo request on both it, and on the firewall, but
    > no replies are sent. My firewall rules allow ICMP, and I can ping
    > elsewhere just fine, even through NAT.
    >
    > OpenBSD begins to log messages, too:
    >
    > Apr 1 12:43:17 muspell /bsd: arplookup: unable to enter address for 63.205.237.xxx
    > Apr 1 12:43:17 muspell /bsd: arpresolve: can't allocate llinfo
    >
    > It seems to be unable to install the arp entry for the static routed
    > machine. I don't know why it wouldn't be able to.
    >
    > Can anybody suggest what I might be doing wrong, or another way to allow
    > access to a machine through the firewall?
    >
    > I've been messing with this on and off for a week now, and have no other
    > ideas on how I might get what I need to work. Thank you for any
    > suggestions you can give. I hope I haven't confused everybody terribly
    > with this long message.
    >
    >
    Also, be sure to check out www.obfuscation.org/ipf for a great ipf intro.

    --
    regards/mvh
    Stein B. Sylvarnes
    stein.sylvarnesstudent.uib.no