[FUG-BR] Problems with fwd

Rodrigo Maues Rocha rmaues em argo.com.br
Tue Jan 25 12:29:21 BRST 2005


Hi all,

Here I show my problem and ask for help.

Ok !! Now my questions:

1 - When I put the divert rule in my custom rc.firewall, I can't log in,
but if I delete this rule it works normally.

2 - Transparent proxy on another machine. My topology:
      __________________________________
     |                                  |
[internet]----------[bsd]              |
                       /\               |
                      /  \          [proxy_net10]
                     /    \             |
              [net_172] [net_10]--------+


Well, in my net_10 I have a transparent proxy on Linux working fine,
without problems. This proxy has two NICs (one in net10 and the other to
the Internet). All my traffic from net10 to any host on port 80 is
redirected to my proxy:8080, and through the NIC to the Internet this
works.

Now I am trying to do the same, but with FreeBSD 5.3. All my traffic to
any host on port 80 needs to be redirected to my proxy. The proxy is the
same; I just changed the Linux firewall for a FreeBSD firewall.

In my tests I see, with tcpdump, that when I use fwd before the divert
rule the request on the webserver comes from 10.0.0.57 (for example), and
my webserver sends the answer to the same IP, but this IP is from my
internal net, so it can't receive the answer. If I put the divert before
the fwd, the packet passes directly to the Internet and doesn't pass
through the proxy.

3 - In my net172 I have another client, and this client requests an Oracle
connection to 172.19.0.3 (my NIC to net172), and this request needs to be
redirected to a machine in my net10 (10.0.0.8:1521); the same case as the
Internet, all traffic from my net172 needs to be redirected to the proxy.

Here is my rc.firewall

## Determining the IP of interfaces xl0 and xl1
## First a variable is set to hold the device name (xl0 or xl1)
## Then 'ifconfig' is used to obtain the IP address assigned to the device;
## this makes working with dhcp easier, if needed.
## Finally, for better control, the interface IP is printed.

## Interface definitions

## Internal interface

INTDEV=xl0

INTIP=`ifconfig ${INTDEV} | grep -v inet6 | grep inet | awk '{print $2}'`

echo "INTDEV: ${INTDEV} with IP ${INTIP}"

## External interface

EXTDEV=xl1

# Fix: the original assigned this value to INTIP, so EXTIP was never set
# (and INTIP was overwritten with the external address).
EXTIP=`ifconfig ${EXTDEV} | grep -v inet6 | grep inet | awk '{print $2}'`

echo "EXTDEV: ${EXTDEV} with IP ${EXTIP}"


##--- The firewall's default policy is to block everything and only
#     open the ports that are used.
#
# Using variables is important for maintaining the script.

IPFW=/sbin/ipfw

##--- Network variable definitions
#

REDE="10.0.0.0"

MASK="255.0.0.0"

#--- X Window ports. These ports must be closed on the external
#    interface to avoid security problems.

XWIN="6000:6063"

#--- Ports normally used by traceroute
#

TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_SRC_DEST="33434:33523"

#--- Ports used for IRC connections
#

PORTAS_IRC="6667"
#--- Address of the ntp server. This service provides time updates
#    for the internal ntp server.
#    It is preferable to point at the canonical name to avoid
#    possible problems if the IP address changes.
#

CAIS="200.144.121.33"

HIWAY="200.246.53.5"

##--- Adding routes
#

##--- Default outbound route

/sbin/route add default 200.216.68.17

#--- Here the rules already loaded into the tables are deleted and
#    the default deny rules are configured. This procedure guarantees
#    that the rules in use are the ones written in this script,
#    clearing any rule created by others.

#--- Deleting the rules

${IPFW} -f flush

#--- SSH rule
#    This rule allows ssh access directed at the internal and external
#    interfaces.
#

${IPFW} add 1 pass tcp from me 22 to any setup keep-state
${IPFW} add 2 pass tcp from any 22 to me setup keep-state
${IPFW} add 3 pass tcp from ${REDE}:${MASK} to any 22 setup keep-state
${IPFW} add 4 pass tcp from any 22 to ${REDE}:${MASK} setup keep-state

#--- Enabling masquerading of outbound packets to the Internet.

#--- Masquerading Internet access
#    Masquerading on the external network is used to hide all IPs of
#    the internal network, so that a single IP leaves the network.
#


#${IPFW} add 5 divert natd ip from any to any via ${EXTDEV}
${IPFW} add 5 divert natd ip from any to any

#${IPFW} add 6 fwd 10.0.0.11,8080 tcp from 10.0.0.57 to any 80

##--- Loopback rules
#

${IPFW} add 7 pass all from any to any via lo0
${IPFW} add 8 pass all from 127.0.0.1 to 127.0.0.1
${IPFW} add 9 deny log ip from any to 127.0.0.0/8 in via xl1
${IPFW} add 10 deny log ip from 127.0.0.0/8 to any out via xl1

##--- Allow internal network traffic to the internal network itself
#

${IPFW} add 20 pass all from  ${REDE}:${MASK} to ${REDE}:${MASK}

##--- Check-State
#
${IPFW} add 30 check-state

##--- Allow connections whose setup is already done
#

${IPFW} add 40 pass tcp from any to any established

##--- Allow TCP traffic from the internal network to the world
#

${IPFW} add 50 pass tcp from ${REDE}:${MASK} to any setup
${IPFW} add 60 pass udp from ${REDE}:${MASK} to any keep-state
${IPFW} add 70 pass tcp from me to any setup

##--- Allow DNS queries
#

${IPFW} add 80 pass udp from ${REDE}:${MASK} to any 53 keep-state
${IPFW} add 90 pass udp from any 53 to ${REDE}:${MASK} keep-state
${IPFW} add 100 pass udp from me to any 53 keep-state
${IPFW} add 110 pass udp from any 53 to me keep-state


##--- Allowing HTTP and HTTPS access
#

${IPFW} add 120 pass tcp from ${REDE}:${MASK} to any 80 keep-state
${IPFW} add 130 pass tcp from any 80 to ${REDE}:${MASK} keep-state
${IPFW} add 130 pass tcp from me 80 to any
${IPFW} add 130 pass tcp from any 80 to me


${IPFW} add 140 pass tcp from ${REDE}:${MASK} to any 443 keep-state
${IPFW} add 150 pass tcp from any 443 to ${REDE}:${MASK} keep-state
${IPFW} add 150 pass tcp from me 443 to any
${IPFW} add 150 pass tcp from any 443 to me
##--- Allowing SMTP and POP access
#

${IPFW} add 160 pass tcp from ${REDE}:${MASK} to any 25 keep-state
${IPFW} add 170 pass tcp from any 25 to ${REDE}:${MASK} keep-state

${IPFW} add 180 pass tcp from ${REDE}:${MASK} to any 110 keep-state
${IPFW} add 190 pass tcp from any 110 to ${REDE}:${MASK} keep-state

#--- NTP rule
#    This rule allows our internal ntp server to reach the server
#    maintained by rnp-am.
#    Attention must be paid to the IP used by the rnp-am ntp server,
#    so that an IP change does not leave the script out of date.
#

${IPFW} add 200 pass udp from ${REDE}:${MASK} to ${CAIS} 123 keep-state
${IPFW} add 210 pass udp from ${CAIS} 123 to ${REDE}:${MASK} keep-state


#--- CVSUP rules
#    Rules allowing connections to cvsup servers to update the system.

${IPFW} add 260 pass tcp from ${REDE}:${MASK} to any cvsup keep-state
${IPFW} add 270 pass tcp from any cvsup to ${REDE}:${MASK} keep-state
${IPFW} add 280 pass tcp from me to any cvsup keep-state
${IPFW} add 290 pass tcp from any cvsup to me keep-state

#-- FTP rules
#   Rules allowing ftp traffic between the internal network and the Internet
#

${IPFW} add 300 pass tcp from ${REDE}:${MASK} to any ftp keep-state
${IPFW} add 310 pass tcp from any ftp to ${REDE}:${MASK} keep-state
${IPFW} add 320 pass tcp from me to any ftp keep-state
${IPFW} add 330 pass tcp from any ftp to me keep-state


#--- ICMP rules
#    Rules allowing machines inside the network to ping external hosts.

${IPFW} add 340 pass icmp from ${REDE}:${MASK} to any icmptype 8 keep-state
${IPFW} add 350 pass icmp from any to ${REDE}:${MASK} icmptype 0 keep-state
${IPFW} add 360 pass icmp from me to any icmptype 8 keep-state
${IPFW} add 370 pass icmp from any to me icmptype 0 keep-state

##--- Deny the remaining UDP connections
#

${IPFW} add 380 deny log udp from any to any
##--- Deny the remaining TCP connections
#

${IPFW} add 390 deny log tcp from any to any setup

##--- Blocking all other connections
#

# Fix: 65535 is ipfw's reserved default rule and cannot be added by hand,
# and the original line had no protocol ("deny any to any"), which ipfw
# rejects. Use the highest addable number and an explicit "ip from".
${IPFW} add 65534 deny ip from any to any



-- 
--
+-------------------------------------+
| R o d r i g o  M a u e s  R o c h a |
+-------------------------------------+
| Contacts:                           |
| MSN : rmauesrocha em hotmail.com    |
| ICQ : 3679875                       |
| E-Mail : rmaues em argo.com.br      |
+-------------------------------------+
| FreeBSD User 5.3p2                  |
| Palm User                           |
+-------------------------------------+
| Thought:                            |
| "Success is the consequence of      |
| effort, dedication and planning.    |
| Miracles exist but they are built." |
+-------------------------------------+




_______________________________________________________________
To send a new e-mail to the list: freebsd em fug.com.br
Unsubscribe: http://mail.fug.com.br/mailman/listinfo/freebsd_fug.com.br
Archive: http://www4.fugspbr.org/lista/html/FUG-BR/
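As an added example (not part of the original post or the poster's rc.firewall) for the fwd/divert ordering question in items 2 and 3: a dry-run fragment that prints the posted divert/fwd pair beside a reordered pair bound to an interface and a direction. It assumes xl0 faces net_10, xl1 faces the Internet, 10.0.0.11 is the transparent proxy, and the kernel was built with options IPFIREWALL_FORWARD (needed for fwd on 5.3).

```shell
#!/bin/sh
# Added example, not the poster's script. Assumptions: xl0 faces net_10,
# xl1 faces the Internet, the transparent proxy is 10.0.0.11 and the
# kernel has "options IPFIREWALL_FORWARD" (required for fwd on 5.3).
INTDEV=xl0
EXTDEV=xl1
PROXY=10.0.0.11
NET10="10.0.0.0/8"

# Dry run: print the ipfw commands instead of loading them.
# Set IPFW=/sbin/ipfw on the firewall to load them for real.
IPFW="echo /sbin/ipfw"

# The pair as posted: natd sees every packet on every interface, including
# ssh to the firewall's own xl0/xl1 addresses, and a packet only reaches
# rule 6 after a round trip through natd.
weak_rules() {
    $IPFW add 5 divert natd ip from any to any
    $IPFW add 6 fwd $PROXY,8080 tcp from $NET10 to any 80
}

# Reordered: fwd first, matched only on packets entering xl0, then NAT
# only on the external interface. Two caveats from ipfw(8):
#  - for a non-local fwd address the ",port" is ignored; the packet keeps
#    dst port 80 and 10.0.0.11 must intercept port 80 itself (the Linux
#    box already does this with its own redirect to 8080);
#  - fwd never rewrites the destination address, so an Oracle request to
#    172.19.0.3:1521 (item 3) would reach 10.0.0.8 still addressed to
#    172.19.0.3; that case needs natd -redirect_port, not fwd.
hardened_rules() {
    # loop guard: never redirect the proxy's own web fetches back at it
    # (harmless if they leave by its own Internet NIC, as in the post)
    $IPFW add 5 pass tcp from $PROXY to any 80 in via $INTDEV
    # client requests arriving on the internal NIC go to the proxy
    $IPFW add 6 fwd $PROXY,8080 tcp from $NET10 to any 80 in via $INTDEV
    # NAT only what actually crosses the external interface
    $IPFW add 7 divert natd ip from any to any via $EXTDEV
}

echo "--- as posted ---";  weak_rules
echo "--- reordered ---";  hardened_rules
```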