port forwarding and ipfw rules
ktulu at net2000.com.au
ktulu at net2000.com.au
Thu Mar 18 20:14:29 PST 2004
Hi All,
I have posted this question before, but I don't think I made myself very clear
in what I was hoping to achieve. Hopefully, this post will help out.
I have a situation where I have one network interface (fxp1) connected to the
network with the IP address xxx.xxx.19.110 which is port forwarding (on port
443) to a host xxx.xxx.19.109. Currently, this situation works fine.
The problem I'm having is that I have two of these machines doing the same thing
and I require the ability for one machine to take over from the other in the
event of a hardware failure, etc. The diagram below basically shows what I want
to achieve:
Internet
----------
|
|
|
fxp1 | fxp1
.19.110 | .19.111
| (alias)
|
-----------------
| FW |
| Default route |
| xx.xx.19.225 |
| |
-----------------
|
/ \
fxp1 / \ fxp1
.19.110/ \.19.111 (alias)
/ \
/ \
/ \
/ \
/ \
/ \
/ \
----- -----
| | | |
| | | |
| | | |
| | | |
----- -----
Web Server Web Server
x.x.19.109:443 x.x.19.102:443
This configuration must be able to be added and removed dynamically without
effecting the existing network setup (other than changing ipfw rules). Below
are the relevant sections of my current configuration settings:
***BEGIN /etc/rc.conf:
network interfaces="fxp1 lo0"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_fxp1="inet xxx.xxx.19.110 netmask 255.255.255.0"
defaultrouter="xxx.xxx.19.225"
gateway_enable="YES"
natd_enable="YES"
natd_interface="fxp1"
natd_flags="-l -m -redirect_port tcp xxx.xxx.19.109:443 443"
firewall_enable="YES"
firewall_type="custom"
firewall_script="/etc/rc.firewall"
firewall_quiet="NO"
tcp_extensions="YES"
*** END /etc/rc.conf
*** BEGIN /etc/rc.firewall
############
# Set the host IP address and the forwarding IP
#
# Set this to your ip address.
ip="xxx.xxx.19.110"
# Set this to the ip of the machine traffic on 443 is being forwarded to
fwd_ip="xxx.xxx.19.109"
# Set this to the IP of the machine this host is used as a failover for
fail_ip="xxx.xxx.19.111"
# Set this to the IP of the machine traffic on 443 of the failed host is being
forwarded to
fail_forward="xxx.xxx.19.102"
# Set this to the port of the new natd daemon for the failover
fail_natd="8669"
case ${firewall_type} in
[Cc][Uu][Ss][Tt][Oo][Mm])
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add 50 divert natd all from any to any via
${natd_interface}
fi
;;
esac
# Allow anything outbound from this address.
${fwcmd} add allow all from ${ip} to any out
# Deny anything outbound from other addresses.
${fwcmd} add deny log all from any to any out
# Allow TCP through if setup succeeded.
${fwcmd} add allow tcp from any to any established
# Allow IP fragments to pass through.
${fwcmd} add allow all from any to any frag
# Allow inbound ftp, ssh, email, tcp-dns, http, https, pop3, pop3s.
${fwcmd} add allow tcp from any to ${ip} 22 setup
${fwcmd} add allow tcp from any to ${ip} 80 setup
# This record has to be slightly different because this machine is
# not actually listening on port 443, but just forwarding traffic on
# port
${fwcmd} add allow tcp from any to ${fwd_ip} 443
# Deny inbound auth, netbios, ldap, and Microsoft's DB protocol
# without logging.
${fwcmd} add deny tcp from any to ${ip} 113 setup
${fwcmd} add deny tcp from any to ${ip} 139 setup
${fwcmd} add deny tcp from any to ${ip} 389 setup
${fwcmd} add deny tcp from any to ${ip} 445 setup
# Deny some chatty UDP broadcast protocols without logging.
${fwcmd} add deny udp from any 137 to any
${fwcmd} add deny udp from any to any 137
${fwcmd} add deny udp from any 138 to any
${fwcmd} add deny udp from any 513 to any
${fwcmd} add deny udp from any 525 to any
# Allow inbound DNS and NTP replies. This is somewhat of a hole,
# since we're looking at the incoming port number, which can be
# faked, but that's just the way DNS and NTP work.
${fwcmd} add allow udp from any 53 to ${ip}
${fwcmd} add allow udp from any 123 to ${ip}
# Allow inbound DNS queries.
${fwcmd} add allow udp from any to ${ip} 53
# Deny inbound NTP queries without logging.
${fwcmd} add deny udp from any to ${ip} 123
# Allow traceroute to function, but not to get in.
${fwcmd} add unreach port udp from any to ${ip} 33435-33524
# Allow some inbound icmps - echo reply, dest unreach, source quench,
# echo, ttl exceeded.
${fwcmd} add allow icmp from any to any icmptypes 0,3,4,8,11
# Everything else is denied and logged.
${fwcmd} add deny log all from any to any
;;
*** END /etc/rc.firewall
Basically, what I've done to try and add the other configuration to this box is
as follows:
1. Add the aliased IP to fxp1:
ifconfig fxp1 inet xxx.xxx.19.111 netmask 255.255.255.255 alias
2. Start the additional natd daemon:
/sbin/natd -same_ports -use_sockets -port 8669 -alias_address xxx.xxx.19.111
-redirect_port tcp xxx.xxx.19.102:443 xxx.xxx.19.111:443
3. Change the ipfw rules to allow this new configuration through. This is
basically the same as the firewall rules above, but each entry is doubled, where
${ip} becomes ${fail_ip}. In addition to this, another rule is entered in the
"natd_enable" section to divert the new natd:
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add 50 divert natd all from any to any via
${natd_interface}
${fwcmd} add 50 divert ${fail_natd} all from any to any via ${natd_interface}
fi
;;
esac
Once I've added this, this port forwarding on xxx.xxx.19.110 still works, but
the port forwarding on the aliased IP (xxx.xxx.19.111) doesn't! I'm not sure
exactly where the problem lies, but I assume it has something to do with my ipfw
ruleset. I looked at a previous post here:
http://lists.freebsd.org/pipermail/freebsd-ipfw/2004-March/000976.html that
looks similar to my situation, but still no love.
If any could help out with the config, it'd be much appreciated! I'm more than
happy to provide any further config details, tcp dumps, etc.
Regards,
Leigh
More information about the freebsd-net
mailing list