From: Gary MacKay (GaryEdisonInfo.com)
Date: Tue May 01 2001 - 11:46:07 CDT


    Sorry to jump in here, but this post piqued the interest of a newbie. (me!)
    You mentioned that IPNAT happens before IPF. Does that mean I don't have to
    have rules in the ipf.rules file to "allow in", say, port 25 or port 80 if
    I am nat'ing them to another machine behind the firewall?

    > It's not clear whether these rules worked on your 2.8 machine or
    > not.
    >
    > In General:
    >
    > IPNAT rule order.
    >
    > IPNAT rules are first match and quit EXCEPT they are also
    > largest netmask first. This means that all x/32 rules are
    > evaluated before any others. So in your case the order is not
    > important.
    >
    > IPNAT happens before IPF.
    >
    > Change your rules to filter on your private addresses.
    > To verify use ipfstat -hio to see which of your rules are actually
    > being matched.
    >
    > Bruce
    >
    >> I installed the 2.9 snapshot on a machine yesterday, and configured it
    >> using the same rules I had applied to a 2.8 machine recently, and am
    >> having serious problems using rdr to send SMTP/www traffic to a machine
    >> on the internal network.
    >>
    >> I have simplified the rules as much as possible, but no joy. I've also
    >> read through www.obfuscation.org/ipf without any luck.
    >>
    >> Can someone see what is wrong? I have modified the file sysctl.conf
    >> and rc.conf accordingly. All traffic behind the NAT machine works OK,
    >> but when I try to telnet to port 25 from outside I get no response.
    >>
    >> In the ipnat.rules file I tried having the map rules after the rdr
    >> rules, but no luck either way.
    >> /etc/ipnat.rules
    >> map ep0 10.1.1.7/24 -> 123.123.123.123/32 portmap tcp/udp 1025:65000
    >> map ep0 10.1.1.7/24 -> 123.123.123.123/32
    >>
    >> #map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 10000:20000
    >> rdr ep0 123.123.123.123/32 port 25 -> 10.1.1.1 port 25
    >> rdr ep0 123.123.123.123/32 port 80 -> 10.1.1.1 port 80
    >> rdr ep0 123.123.123.123/32 port 110 -> 10.1.1.1 port 110
    >> rdr ep0 123.123.123.123/32 port 143 -> 10.1.1.1 port 143
    >> rdr ep0 123.123.123.123/32 port 993 -> 10.1.1.1 port 993
    >>
    >>
    >> /etc/ipf.rules
    >> pass in from any to any
    >> pass out from any to any
    >>
    >> pass in quick on ep0 proto tcp from any to 123.123.123.123/32 port = 25 keep state
    >> pass in quick on ep0 proto tcp from any to 123.123.123.123/32 port = 80 keep state
    >> pass in quick on ep0 proto tcp from any to 123.123.123.123/32 port = 143 keep state
    >> pass out quick on ep0 proto tcp from any to any keep state
    >>
    >
    >
    > -*-*-*-*-*-*-*-*-*-*-*-*-*-
    >
    > All opinions are my own.
    > All advice is worth what you pay for it.
    > A little experience often upsets a lot of theory.
    >
    > -*-*-*-*-*-*-*-*-*-*-*-*-*-

    -- 
    Edison Information Technologies
    www.EdisonInfo.com
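As an added example (not part of the thread and not the original poster's rules), this is an ipf.rules set that applies Bruce's advice to the setup quoted above. It assumes the same names from the thread: external interface ep0, public address 123.123.123.123, internal host 10.1.1.1 on 10.1.1.0/24, with the rdr rules in /etc/ipnat.rules left as they are.

```conf
# /etc/ipf.rules -- added example; assumes ep0, 123.123.123.123 and
# 10.1.1.1 from the thread. Default deny in both directions; each
# "quick" rule below ends evaluation as soon as it matches.
block in log on ep0 all
block out log on ep0 all

# Inbound: ipnat's rdr has already rewritten the destination to
# 10.1.1.1 before ipf sees the packet, so rules written against
# 123.123.123.123 never match. Filter on the private address instead.
# "flags S" only creates state for new connections (SYN only).
pass in quick on ep0 proto tcp from any to 10.1.1.1 port = 25 flags S keep state
pass in quick on ep0 proto tcp from any to 10.1.1.1 port = 80 flags S keep state
pass in quick on ep0 proto tcp from any to 10.1.1.1 port = 110 flags S keep state
pass in quick on ep0 proto tcp from any to 10.1.1.1 port = 143 flags S keep state
pass in quick on ep0 proto tcp from any to 10.1.1.1 port = 993 flags S keep state

# Outbound: ipf runs before ipnat's map, so source addresses are still
# private here as well. Replies to the inbound connections above are
# matched by the state table and need no extra rule.
pass out quick on ep0 proto tcp from 10.1.1.0/24 to any flags S keep state
pass out quick on ep0 proto udp from 10.1.1.0/24 to any keep state
pass out quick on ep0 proto icmp from 10.1.1.0/24 to any keep state

# The firewall's own traffic leaves with the public address.
pass out quick on ep0 proto tcp from 123.123.123.123/32 to any flags S keep state
pass out quick on ep0 proto udp from 123.123.123.123/32 to any keep state
```

Load it with `ipf -Fa -f /etc/ipf.rules` and then, as Bruce suggests, watch `ipfstat -hio`: the hit counters should climb on the 10.1.1.1 rules, and the block rules are logged so anything still dropped shows up in ipmon.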