Hi all :)
I am trying to configure a FreeBSD gateway/firewall with ipfw/natd as a replacement for an iptables GNU/Linux box, just for fun, to try a *BSD.
I found a good documentation to do that: lugbe.ch/lostfound/contrib/freebsd_router/
All is OK except one thing, the port forwarding... and really, I need the gurus' help to make it work! Here is my network map [replaced my ext IP with 1.2.3.4]:
Code:
Internet <---- FreeBSD gateway/firewall ----> LAN
               ep0                     rl0
               1.2.3.4                 192.168.1.1
First, I recompiled a custom kernel with the following options added to it, turning off unnecessary things such as RAID, SCSI, FireWire...
Code:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPDIVERT
Secondly, I updated my /etc/rc.conf to this:
Code:
hostname="bambi.omk"
ifconfig_ep0="DHCP"
ifconfig_rl0="inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255"
keymap="fr.iso.acc"
linux_enable="YES"
saver="daemon"
scrnmap="NO"
sshd_enable="YES"
keyrate="normal"
# enable IP forwarding
gateway_enable="YES"
# enable firewall
firewall_enable="YES"
firewall_type="/etc/fw/rc.firewall.rules"
firewall_quiet="NO"
firewall_logging="YES"
# enable natd, the NAT daemon
natd_enable="YES"
natd_interface="ep0"
natd_flags="-f /etc/fw/natd.conf"
Next, here is my /etc/fw/rc.firewall.rules:
Code:
# be quiet and flush all rules on start
-q flush
# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via ep0
add 00302 deny ip from 172.16.0.0/12 to any in via ep0
add 00303 deny ip from 192.168.0.0/16 to any in via ep0
# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd ip from any to me in via ep0
add 01001 check-state
# allow some traffic from the local net to the router
# SSH
add 04000 allow tcp from 192.168.1.0/24 to me dst-port 22 in via rl0 setup keep-state
# ICMP
add 04001 allow icmp from 192.168.1.0/24 to me in via rl0
# NTP
add 04002 allow tcp from 192.168.1.0/24 to me dst-port 123 in via rl0 setup keep-state
add 04003 allow udp from 192.168.1.0/24 to me dst-port 123 in via rl0 keep-state
# DNS
add 04006 allow udp from 192.168.1.0/24 to me dst-port 53 in via rl0
# drop everything else
add 04009 deny ip from 192.168.1.0/24 to me
# pass outgoing packets (to be natted) on to a special NAT rule
add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via rl0 keep-state
# allow all outgoing traffic from the router
add 05010 allow ip from me to any out keep-state
# allow incoming connection to atlantis & sangoku (forwarding)
add 20000 allow ip from any to me dst-port 8000-8009 in via ep0 setup keep-state
add 20001 allow ip from any to me dst-port 9000-9009 in via ep0 setup keep-state
# drop everything that has come so far. This means it doesn't belong to an
# established connection, don't log the most noisy scans
add 59998 deny icmp from any to me
add 59999 deny ip from any to me dst-port 135,137-139,445,4665
add 60000 deny log tcp from any to any established
add 60001 deny log ip from any to any
# this is the NAT rule.
# Only outgoing packets from the local net will come here. First, nat them,
# then pass them on
add 61000 divert natd ip from 192.168.1.0/24 to any out via ep0
add 61001 allow ip from any to any
And my /etc/fw/natd.conf file:
Code:
unregistered_only
interface ep0
use_sockets
dynamic
# redirects for atlantis & sangoku
redirect_port tcp 192.168.1.11:8000-8009 8000-8009
redirect_port udp 192.168.1.11:8000-8009 8000-8009
redirect_port tcp 192.168.1.31:9000-9009 9000-9009
redirect_port udp 192.168.1.31:9000-9009 9000-9009
# dynamically open fw for ftp, irc
punch_fw 2000:50
As I wrote at the top, the major problem is that the port forwarding doesn't work. For example, if I set up my SSH server on 192.168.1.11 to listen on port 8000 (Debian sarge), and then I ssh to my external IP 1.2.3.4 on port 8000 from a machine on the Internet, I don't get any response and get a timeout. Looking at the logs shows that the packets are denied, but that is the problem [replaced the Internet machine's ext IP with 3.4.5.6] :(
Code:
Oct 24 15:12:56 bambi kernel: ipfw: 60001 Deny TCP 3.4.5.6:2552 192.168.1.11:8000 in via ep0
Oct 24 15:12:59 bambi kernel: ipfw: 60001 Deny TCP 3.4.5.6:2552 192.168.1.11:8000 in via ep0
I don't know what I forgot in my rules, but I think that having 192.168.1.11 as the dst address shows that the forwarding seems to be working. But why does rule 60001 deny it? Why are the packets not accepted by rule 20000?
I tested many things, such as forwarding just one port, using redirect_port LAN_IP:8000 MY_EXT_IP:8000, and others, but the problem is the same in all cases.
Another piece of information: if I replace my two rules:
Code:
add 20000 allow ip from any to me dst-port 8000-8009 in via ep0 setup keep-state
add 20001 allow ip from any to me dst-port 9000-9009 in via ep0 setup keep-state
with these ones:
Code:
add 20000 allow ip from any to ANY dst-port 8000-8009 in via ep0 setup keep-state
add 20001 allow ip from any to ANY dst-port 9000-9009 in via ep0 setup keep-state
then I get no denied packets in the logs, but it still doesn't work (timeout on the querying machine).
Could anybody please help me make my forwarding work!? Another question: how do I really reject packets (iptables drop) instead of not responding to them.
Thanks & sorry for my bad English,
Julien
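Why rule 20000 never fires while the log shows rule 60001 denying a packet whose destination is already 192.168.1.11 comes down to ipfw's evaluation order around a divert rule: natd rewrites the destination address when a redirect_port entry applies, and the packet then re-enters the ruleset at the rule after the divert with its new destination. The `me` keyword matches only addresses configured on the gateway itself, so once the destination is the LAN host, `to me` no longer matches and evaluation falls through to the catch-all deny. The script below is an added example, not code from the post, that models this with a deliberately simplified ipfw evaluator (no dynamic rules or check-state, no reverse-path check). The "FIXED" ruleset, which tests the translated destination instead of `me`, is an assumption made for illustration, not a configuration the post reports as working.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed model of the gateway in the post: ipfw's "me" matches the
# addresses configured on the box itself (external 1.2.3.4, LAN 192.168.1.1).
ME = {"1.2.3.4", "192.168.1.1", "127.0.0.1"}

# The natd redirect_port table from the post, as (proto, external port) -> LAN host.
REDIRECTS = {(proto, port): host
             for proto in ("tcp", "udp")
             for lo, hi, host in ((8000, 8009, "192.168.1.11"), (9000, 9009, "192.168.1.31"))
             for port in range(lo, hi + 1)}


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str
    direction: str        # "in" or "out"
    syn: bool = True      # TCP SYN without ACK, the condition ipfw's "setup" tests


@dataclass
class Rule:
    num: int
    action: str           # "allow", "deny" or "divert"
    proto: str = "ip"     # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"      # "any", "me", or an address / CIDR prefix
    dports: tuple = None  # (lo, hi) inclusive, or None for no port test
    iface: str = None     # "via <iface>"; None means any interface
    direction: str = None  # "in" / "out"; None means either
    setup: bool = False   # the "setup" keyword


def addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(r: Rule, p: Packet) -> bool:
    return ((r.proto == "ip" or r.proto == p.proto)
            and addr_match(r.src, p.src) and addr_match(r.dst, p.dst)
            and (r.dports is None or r.dports[0] <= p.dport <= r.dports[1])
            and (r.iface is None or r.iface == p.iface)
            and (r.direction is None or r.direction == p.direction)
            and (not r.setup or (p.proto == "tcp" and p.syn)))


def natd_rewrite(p: Packet) -> Packet:
    """What natd does to an inbound packet that hits a redirect_port entry:
    the destination becomes the LAN host; ipfw then resumes at the next rule."""
    host = REDIRECTS.get((p.proto, p.dport))
    return replace(p, dst=host) if host and p.dst in ME else p


def evaluate(rules, p: Packet):
    """Walk the rules in order; return (rule number, action, packet as last seen)."""
    for r in rules:
        if not rule_matches(r, p):
            continue
        if r.action == "divert":
            p = natd_rewrite(p)       # translation happens here, matching continues
            continue
        return r.num, r.action, p
    return 65535, "deny", p           # ipfw's implicit default rule


# The rules from the post that an inbound SYN to 1.2.3.4:8000 can reach.
POSTED = [
    Rule(1000, "divert", dst="me", iface="ep0", direction="in"),
    Rule(20000, "allow", dst="me", dports=(8000, 8009), iface="ep0", direction="in", setup=True),
    Rule(60001, "deny"),
]

# Assumed variant for illustration: rule 20000 written against the translated
# destination, which is what the packet carries after the divert.
FIXED = [
    POSTED[0],
    Rule(20000, "allow", proto="tcp", dst="192.168.1.11", dports=(8000, 8009),
         iface="ep0", direction="in", setup=True),
    POSTED[2],
]

# Constructed packet matching the log line in the post (3.4.5.6 -> 1.2.3.4:8000).
INBOUND_SYN = Packet("tcp", "3.4.5.6", "1.2.3.4", 8000, "ep0", "in")

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("fixed", FIXED)):
        num, action, seen = evaluate(rules, INBOUND_SYN)
        print(f"{name}: rule {num} {action} {seen.proto} {seen.src} -> {seen.dst}:{seen.dport}")
```

Running it prints the same picture as the kernel log: with the posted rules the SYN is diverted at 1000, comes back with destination 192.168.1.11, misses 20000 because that address is not `me`, and is denied by 60001. The variant that names the translated destination lets rule 20000 match. The model deliberately stops there; whether the reply path (state created by 04109 and the outbound divert at 61000) also works is not something this simplified evaluator can show.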