ipnat RDR rules
Hi, I'm wondering how ipnat RDR rules operate. I tried to get an answer using Google, but nothing really accurate. I have set an RDR rule like this:

rdr tun0 0.0.0.0/0 port 2245 -> 192.168.0.45 port ssh

This works perfectly, but when I try to prevent these packets from going through my FreeBSD box (the one which shares my connection and filters incoming packets) with ipfilter, I encounter a strange behaviour (I cannot explain it, in fact). With the following rule,

block in quick on tun0 from any to 192.168.0.2/32

absolutely no incoming TCP SYN packet can reach my computer on the internal network. Indeed, even if ipnat -l shows an RDR mapping, the packet seems to be immediately dropped after translation (RDR rules imply a destination address translation in order to go through the kernel IPv4 stack, so it must be done just after being received). On the other hand, when I use this rule,

block out quick on ep0 from ! 192.168.0.0/24 to 192.168.0.2/32

which should drop any packet that doesn't come from the gateway itself just before it goes out of my internal interface, I assumed that:

1) the packet arrives on my external interface
2) its IP destination address is modified in order to be correctly routed
3) ipfilter then looks for any rule on the tun0 interface to apply before sending the packet to the kernel
4) the packet is routed to the correct interface
5) ipfilter looks for any rule on the ep0 interface to apply; it should normally stop on the rule above, since the packet source address is not from my internal network and its destination address has been replaced by 192.168.0.2

In my opinion, the packet should be dropped here. But in fact, the packet is not blocked at all. Can anyone explain the precedence between ipfilter and ipnat, particularly in the case of an RDR rule? It seems that the following diagram is not exactly the same as the one applied for RDR rules:

ext_if -> dnat -> ipf -> kernel -> ipf -> snat -> int_if

Thanks.
Regards,
-- 
Jeremie aka T{ata,t}Z [EMAIL PROTECTED]

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-net" in the body of the message
routed
Not sure this is the correct list, as this question is only semi-technical, but I'm going to try anyway. A quick note though: I don't think there is a charter for this list on the freebsd site. Anyway, I have two questions about routed:

1) Is there a way to force certain interfaces (or RIP as a whole) to only send RIP responses and not process incoming router responses from other routers?
2) Is it possible to configure individual interfaces so that RIP responses are neither sent nor processed, but still advertise those interfaces when sending RIP responses out other interfaces?

I have read the man page quite thoroughly, as well as searching the web, but to no avail.

thanks,
matt
Re: freebsd 4.7-stable kernel gre support for squid's wccp cisco interaction
I know it's an ugly hack, but it works for me. Try building the gre interface and then destroying it, and then rebuilding it again, with enough of a pause between each action. I am running this in a script called from crontab, with timing set to @reboot, but I guess it's the same if you put it in rc.d or a similar place.

G-le

#!/bin/sh
# First pass: create gre0, give it addresses and a tunnel, then tear it down
/bin/sleep 20
/sbin/ifconfig gre0 create
/bin/sleep 20
/sbin/ifconfig gre0 212.110.x.y 212.110.m.n netmask 255.255.255.255 link0 up
/bin/sleep 20
/sbin/ifconfig gre0 tunnel 212.110.x.y 212.110.m.n
/bin/sleep 20
/sbin/ifconfig gre0 destroy
# Second pass: recreate and configure gre0 exactly as before
/bin/sleep 20
/sbin/ifconfig gre0 create
/bin/sleep 20
/sbin/ifconfig gre0 212.110.x.y 212.110.m.n netmask 255.255.255.255 link0 up
/bin/sleep 20
/sbin/ifconfig gre0 tunnel 212.110.x.y 212.110.m.n
[PATCH] ipsec esp ipfw interaction
Hello, in early January this year there was a discussion about the way ipfw interacts with ipsec. Last November ipfw was changed to process ipsec datagrams twice: once before and a second time after the decoding procedure. This makes life easier for people who use gif tunnels with ipsec transport mode, but it makes life harder for people (like myself) who use native ipsec tunnel mode. Someone suggested making the ipfw behavior adjustable through a sysctl; another approach was to port the Open(/Net)BSD enc0 virtual interface. I made up a refined sysctl solution for a FreeBSD machine that is acting as an IPsec tunnel endpoint for roadwarriors in a WLAN environment. The idea is simple: I introduced a new sysctl "net.inet.ip.fw.ipsec_reinject" which defaults to "1". The value is an integer and defines at which rule number ipsec datagrams should be reinjected into the ipfw ruleset. Set it to "0", and it won't be reinjected at all. Set it to "1" (default) and the datagram would be reinjected at the very beginning. You can also put your post-ipsec filter rules at 1+ and set the sysctl to "1". Flexible? This is a first patch against -STABLE to demonstrate the concept. Any comments? I may provide a patch that includes ip_fw2.c and check whether it applies to -CURRENT.

Bjorn Fischer

diff -ur sys/netinet/ip_fw.c /sys/netinet/ip_fw.c --- sys/netinet/ip_fw.c Thu Nov 21 01:27:30 2002 +++ /sys/netinet/ip_fw.cWed Jan 15 17:48:23 2003 @@ -106,6 +106,8 @@ &fw_verbose, 0, "Log matches to ipfw rules"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, &fw_verbose_limit, 0, "Set upper limit of matches of ipfw rules logged"); +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, ipsec_reinject, CTLFLAG_RW, +&fw_ipsec_reinject, 1, "Reinject decoded IPsec datagrams at this rule"); /* * Extension for stateful ipfw. 
@@ -1088,7 +1090,7 @@ u_short src_port = 0, dst_port = 0; struct in_addr src_ip, dst_ip; u_int8_t proto= 0, flags = 0; - u_int16_t skipto; + u_int16_t skipto = 0; u_int16_t ip_len=0; int dyn_checked = 0 ; /* set after dyn.rules have been checked. */ @@ -1106,9 +1108,18 @@ } else hlen = ip->ip_hl << 2; +#ifdef IPSEC + if (ipsec_gethist(*m, NULL) && + args->divert_rule == 0 && + fw_ipsec_reinject > 1) + skipto = fw_ipsec_reinject - 1; +#endif + /* Grab and reset cookie */ - skipto = *cookie; - *cookie = 0; + if (*cookie != 0) { + skipto = *cookie; + *cookie = 0; + } #define PULLUP_TO(len) do {\ if ((*m)->m_len < (len)) { \ diff -ur sys/netinet/ip_fw.h /sys/netinet/ip_fw.h --- sys/netinet/ip_fw.h Tue Jul 9 09:11:42 2002 +++ /sys/netinet/ip_fw.hWed Jan 15 16:56:38 2003 @@ -367,6 +367,7 @@ extern ip_fw_ctl_t *ip_fw_ctl_ptr; extern int fw_one_pass; extern int fw_enable; +extern int fw_ipsec_reinject; extern struct ipfw_flow_id last_pkt; #define IPFW_LOADED(ip_fw_chk_ptr != NULL) #endif /* _KERNEL */ diff -ur sys/netinet/ip_input.c /sys/netinet/ip_input.c --- sys/netinet/ip_input.c Mon Nov 25 05:23:00 2002 +++ /sys/netinet/ip_input.c Wed Jan 15 17:01:58 2003 @@ -193,6 +193,7 @@ ip_fw_chk_t *ip_fw_chk_ptr; int fw_enable = 1 ; int fw_one_pass = 1; +int fw_ipsec_reinject = 1; /* Dummynet hooks */ ip_dn_io_t *ip_dn_io_ptr; @@ -422,6 +423,11 @@ * - Wrap: fake packet's addr/port * - Encapsulate: put it in another IP and send out. */ + +#ifdef IPSEC + if (ipsec_gethist(m, NULL) && fw_ipsec_reinject == 0) + goto pass; +#endif iphack: /*
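Review bot: the new SYSCTL_INT line in the ip_fw.c hunk passes 1 as the value argument (`+&fw_ipsec_reinject, 1, "Reinject decoded IPsec datagrams at this rule"`) while the neighbouring entries pass 0; with a non-NULL pointer that argument is not what sets the default, the `int fw_ipsec_reinject = 1;` in ip_input.c is, so pass 0 here for consistency. The bigger issue is that the knob is an unbounded int that later feeds `skipto = fw_ipsec_reinject - 1` where `skipto` is a `u_int16_t`: values above 65536 wrap silently, and negative values fail both the `> 1` and the `== 0` tests and so behave exactly like 1 without any error. A SYSCTL_PROC handler that rejects anything outside 0..65535 (the rule-number range) would make a misconfiguration fail loudly instead of quietly changing which rules a decoded datagram is matched against.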
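Review bot: in the ip_fw_chk hunk the cookie block `if (*cookie != 0) { skipto = *cookie; *cookie = 0; }` silently overrides the `skipto` just computed from `fw_ipsec_reinject`, so a decoded datagram that arrives with a non-zero cookie ignores the sysctl entirely; since the `#ifdef IPSEC` test already guards on `args->divert_rule == 0`, either state in a comment that the cookie wins by design, or decide which of the two "not a divert reinjection" conditions is authoritative and keep only that one. The `- 1` in `skipto = fw_ipsec_reinject - 1` also deserves a one-line comment saying it relies on the skipto loop skipping every rule numbered <= skipto, so that matching resumes at rule `fw_ipsec_reinject` itself; without that note the off-by-one looks accidental.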
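Review bot: the `goto pass` added in the ip_input.c hunk jumps over everything between `iphack:` and the `pass:` label, so with `fw_ipsec_reinject == 0` a decoded IPsec datagram bypasses not only the ipfw check but anything else dispatched in that region (the comment immediately above the hunk describes the wrap/encapsulate handling that lives there); if skipping all of it is intended for decoded traffic, the sysctl description string should say that 0 disables the post-decode hook entirely rather than just the reinjection point, and if it is not intended, the test belongs on the ipfw branch inside that block. Minor: `ipsec_gethist()` is now evaluated twice per decoded datagram, once here and once again in ip_fw_chk, so the result could be passed along instead of recomputed.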