ipfw+natd problema

Kiprobaltam a tun0-n is, ugyanaz az eredmeny.

whitebox# ipfw -d list
00100 12909 5098922 allow ip from any to any via xl0
00200 18 960 allow ip from any to any via lo0
00300 12949 5082421 divert 8668 ip from any to any via tun0
00400 0 0 check-state
00500 0 0 allow udp from any to 212.108.200.75 dst-port 53 out via tun0 setup keep-state
00600 0 0 allow udp from any to 212.108.200.77 dst-port 53 out via tun0 setup keep-state
00700 0 0 allow tcp from any to 212.108.200.75 dst-port 53 out via tun0 setup keep-state
00800 0 0 allow tcp from any to 212.108.200.77 dst-port 53 out via tun0 setup keep-state
00900 19 1140 allow icmp from any to any out via tun0 keep-state
01000 387 75700 allow tcp from any to any dst-port 80 out via tun0 setup keep-state
01100 0 0 allow tcp from any to any dst-port 22 out via tun0 setup keep-state
01200 79 28691 allow tcp from any to any dst-port 6881 out via tun0 setup keep-state
01300 0 0 allow tcp from any to any dst-port 2960 out via tun0 setup keep-state
01400 0 0 allow tcp from any to any dst-port 7000 out via tun0 setup keep-state
01500 0 0 deny ip from 192.168.0.0/24 to any
01600 12456 4974857 allow ip from any to any
65535 503 127276 deny ip from any to any
## Dynamic rules (5):
01000 0 0 (20s) STATE tcp 81.0.121.80 4538 <-> 83.140.65.130 80
00900 18 1080 (4s) STATE icmp 81.0.121.80 0 <-> 68.142.226.51 0
01200 43 26761 (19s) STATE tcp 81.0.121.80 4533 <-> 200.199.70.209 6881

Remelem, ez segit. A flush benne van, mert a rulesetet az rc.firewall-ba irtam bele.

whitebox# ipfw -d list
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00201 0 0 deny ip from any to any not verrevpath in
00202 0 0 deny ip from 10.0.0.0/8 to any in via tun0
00204 0 0 deny ip from 192.168.0.0/16 to any in via tun0
00300 5554 1618551 divert 8668 ip from any to me in via tun0
00400 0 0 check-state
01000 232 20600 allow tcp from 192.168.0.0/24 to me dst-port 22 in via xl0 setup keep-state
01100 0 0 allow icmp from 192.168.0.0/24 to me in via xl0
01200 0 0 allow tcp from 192.168.0.0/24 to me dst-port 123 in via xl0 setup keep-state
01201 0 0 allow udp from 192.168.0.0/24 to me dst-port 123 in via xl0 keep-state
01300 0 0 allow udp from 192.168.0.0/24 to me dst-port 53 in via xl0
01400 0 0 allow tcp from 192.168.0.0/24 to me dst-port 80 in via xl0 setup keep-state
01500 24 1152 allow tcp from 192.168.0.0/24 to me dst-port 6881 in via xl0 setup keep-state
02000 11 2156 deny ip from 192.168.0.0/24 to me
03000 19720 10011020 skipto 61000 ip from 192.168.0.0/24 to any in via xl0 keep-state
04000 2 217 allow ip from me to any out keep-state
05000 7 1032 deny icmp from any to me
05001 0 0 deny ip from any to me dst-port 135,137-139,445,4665
05002 397 100196 deny log logamount 10 tcp from any to any established
05003 531 40535 deny log logamount 10 ip from any to any
61000 5241 3531815 divert 8668 ip from 192.168.0.0/24 to any out via tun0
61001 19717 10007536 allow ip from any to any
65535 515 135788 deny ip from any to any
## Dynamic rules (120):
03000 6669 4747800 (300s) STATE tcp 192.168.0.2 49386 <-> 209.81.100.103 7054
03000 5 240 (1s) STATE tcp 192.168.0.3 1488 <-> 83.140.65.134 80
03000 283 155322 (299s) STATE tcp 192.168.0.3 1451 <-> 83.23.98.79 6881
03000 5 240 (11s) STATE tcp 192.168.0.3 1503 <-> 83.140.65.134 80
03000 95 53098 (237s) STATE tcp 192.168.0.3 1420 <-> 72.0.224.10 2960
03000 7 928 (300s) STATE tcp 192.168.0.3 1505 <-> 83.140.65.134 80
03000 23 2364 (1s) STATE tcp 192.168.0.3 1504 <-> 83.140.65.134 80
03000 5 240 (2s) STATE tcp 192.168.0.3 1497 <-> 65.34.246.119 6881
01500 2 96 (2s) STATE tcp 192.168.0.3 1494 <-> 81.0.121.80 6881
03000 1383 190930 (300s) STATE tcp 192.168.0.3 1402 <-> 193.225.158.1 22
03000 5 240 (2s) STATE tcp 192.168.0.3 1495 <-> 66.215.83.91 6881
03000 1143 902174 (184s) STATE tcp 192.168.0.2 49384 <-> 72.0.224.10 2960
03000 1177 605952 (300s) STATE tcp 192.168.0.3 1493 <-> 81.206.254.174 6882
03000 5 240 (2s) STATE tcp 192.168.0.3 1499 <-> 81.179.39.75 1080
03000 637 453380 (298s) STATE tcp 192.168.0.3 1331 <-> 207.248.35.36 8101
01000 231 20552 (300s) STATE tcp 192.168.0.3 1489 <-> 192.168.0.1 22
03000 787 628692 (300s) STATE tcp 192.168.0.2 49390 <-> 66.28.250.122 80
03000 125 27138 (300s) STATE tcp 192.168.0.3 1452 <-> 195.242.255.132 6881
03000 17 4184 (277s) STATE tcp 192.168.0.3 1496 <-> 68.161.82.234 6881
03000 527 228324 (299s) STATE tcp 192.168.0.3 1490 <-> 165.254.149.234 6881
03000 5 240 (2s) STATE tcp 192.168.0.3 1498 <-> 210.49.105.193 10181

Megint varialtam rajta, de azt hiszem, itt megallok es megvarom a hozzaszolasod. A tuzfalkonnfiguralas kimerito tevekenyseg :?
A ruleset mintajaul http://www.lugbe.ch/lostfound/contrib/freebsd_router/ szolgalt.

Koszonom az eddigi turelmed :)

Koszonom szepen a segitseget. A szamlalokat kiprobalom. Remelem, sikerul megtalalni a hibat :)

Szep napot!

dozen: koszi a tippet, mar kicsereltem az elozo rulesetnel. A hatas gyakorlatilag 0 ... Az utolso bemasolt rulesettel vmiert annyira belassul egy ido utan a gep, hogy ihajj :cry: Ha hasznalsz natd-t, esetleg lennel olyan szives, hogy bemasolod a ruleseted?
Elore is koszi.

Sziasztok!

A FreeBSD Handbook alapjan konfiguraltam be FBSD 5.4-en az ipfw & natd parost. A IPFW szekcio Example ruleset #2 (amiben a NAT is szerepel) alapjan elkeszitettem a tuzfal szabalylistajat. Minden nagyon szep, minden nagyon jo, minden nagyon Gromek, de vhogy nem igazan szuri a forgalmat. Hibat nem jelez. Otlet? :(

FreeBSD biztonsaggal kapcsolatos tippeket, linkeket is nagy orommel fogadok.

Udv,

johnny

Gyakorlatilag mindent atenged.
Itt a ruleset:
# Kimeno halokari
oif="fxp0"

# Belso halokari
iif="xl0"

# Egyeb
skip="skipto 800"
ks="keep-state"

# Belso halozat
${fwcmd} add 005 allow all from any to any via ${iif}

# lo0
${fwcmd} add 010 allow all from any to any via lo0

# NAT
# ${fwcmd} add 014 divert natd ip from any to any via ${oif}

${fwcmd} add 015 check-state

#######################
### Kimeno forgalom ###
#######################

# DNS
${fwcmd} add 020 ${skip} tcp from any to 212.108.200.75 53 out via ${oif} setup ${ks}
${fwcmd} add 021 ${skip} tcp from any to 212.108.200.77 53 out via ${oif} setup ${ks}
${fwcmd} add 022 ${skip} udp from any to 212.108.200.75 53 out via ${oif} setup ${ks}
${fwcmd} add 023 ${skip} udp from any to 212.108.200.77 53 out via ${oif} setup ${ks}

# http
${fwcmd} add 030 ${skip} tcp from any to any 80 out via ${oif} setup ${ks}

# ping
${fwcmd} add 040 ${skip} icmp from any to any out via ${oif} ${ks}

#######################
### Bejovo forgalom ###
#######################

# RFC1918
${fwcmd} add 300 deny all from 10.0.0.0/8 to any in via ${oif}
${fwcmd} add 301 deny all from 172.16.0.0/12 to any in via ${oif}
${fwcmd} add 302 deny all from 192.168.0.0/16 to any in via ${oif}

# lo0
${fwcmd} add 303 deny all from 127.0.0.0/8 to any in via ${oif}
${fwcmd} add 304 deny all from 0.0.0.0/8 to any in via ${oif}

# Egyeb
${fwcmd} add 305 deny all from 169.254.0.0/16 to any in via ${oif}
${fwcmd} add 306 deny all from 192.0.2.0/24 to any in via ${oif}
${fwcmd} add 307 deny all from 204.152.64.0/23 to any in via ${oif}
${fwcmd} add 308 deny all from 224.0.0.0/3 to any in via ${oif}

# A keso csomagok tiltasa
${fwcmd} add 310 deny all from any to any in frag via ${oif}

# ACK csomagok tiltasa, amik nem passzolnak a szabalyokhoz
${fwcmd} add 320 deny tcp from any to any in established via ${oif}

#
${fwcmd} add 400 deny log all from any to any in via ${oif}
${fwcmd} add 401 deny log all from any to any out via ${oif}

# Ide ugrik a NAT miatt
${fwcmd} add 800 divert natd ip from any to any out via ${oif}
${fwcmd} add 801 allow ip from any to any

# Broadcast
${fwcmd} add 900 deny all from any to 255.255.255.255

# Totalis tiltas

${fwcmd} add 65000 deny log all from any to any
;;

A 014-nel a # sajtohiba. Anelkul is ugyanaz az eredmeny.
Ugy nez ki, mintha mindig a 005 es a 801 hajtodna vegre.

Az in szocska bepattintasa sem segitett. :(

A gepnel ulve tesztelek, de azert koszi a figyelmeztetest. :)

Igen, flush-oltem. Az ipfw show-ra azt kaptam, hogy gyakorlatilag csak a 005 es a 801 sorokban van valtozas, a tobbi sor csak 0-kat tartalmaz. A ruleset a /etc/rc.firewall fajlban csucsul es ha kezzel ujrainditom, akkor az elejen kiirja, hogy "Flushing rules."

Ha jol ertelmeztem a mukodeset, akkor azoknak a csomagoknak lenne szabad kijutniuk, amiket a 02x, 030, 040 sorokban engedelyezek. Ennek ellenere barmi kimegy, pl. BitTorrent, ssh. Persze lehet, hogy a hiba az en keszulekemben vanik.

Nincs. Nemi forgalom van meg az uccso soron (65535 deny ip from any to any), mivel a kernel alapjaraton nem enged at semmit.

A gepen ADSL kapcsolat van. Netet szeretnek megosztani vele a parom es a sajat gepemre. Ha vegre mukodni fog a tuzfal, szeretnek felhuzni ra jail-ben egy ftp szervert egy dinamikus dns klienssel (a no-ip.com-ot ajanlottak), mert a paromnak szuksege lenne ra a munkajahoz.

Remelem, ez segitett vagy mittomen ... :?