Subject: NAT & IPFilter
To: NetBSD Tech-Security <tech-security@netbsd.org>
From: Sam Carleton <scarleton@miltonstreet.com>
List: tech-security
Date: 07/22/2001 14:56:37
Ok folks, I simply do NOT understand this.  The firewall seems to be
working fine.  Standard NAT (allowing my workstations out) seems to be
working fine.  But I am completely unable to get NAT to redirect
incoming requests.  This is what I am using:


---------ipf.conf---------
block in on tun0
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 0.0.0.0/8 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 192.0.2.0/24 to any
block in quick on tun0 from 204.152.64.0/23 to any
block in quick on tun0 from 224.0.0.0/3 to any
block in log quick on tun0 from 192.168.0.0/24 to any
block in log quick on tun0 from any to 192.168.0.0/32
block in log quick on tun0 from any to 192.168.0.255/32
pass out quick on tun0 proto tcp/udp from 192.168.0.1/32 to any keep state
pass out quick on tun0 proto icmp from 192.168.0.1/32 to any keep state

pass in quick on tun0 proto tcp from any to 192.168.0.1/32 port = 22 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.0.5/32 port = 22 flags S keep state

pass in quick on tun0 proto tcp from any to 192.168.0.1/32 port = 25 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.0.5/32 port = 25 flags S keep state

pass in quick on tun0 proto tcp from any to 192.168.0.1/32 port = 80 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.0.5/32 port = 80 flags S keep state

pass in quick on tun0 proto tcp from any to 192.168.0.1/32 port = 443 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.0.5/32 port = 443 flags S keep state
---------ipf.conf---------

---------ipnat.conf---------
map iy0 192.168.0.1/24 -> 0/32 proxy port ftp ftp/tcp
map iy0 192.168.0.1/24 -> 0/32 portmap tcp/udp 40000:60000
map iy0 192.168.0.1/24 -> 0/32

rdr iy0 0.0.0.0/32 port 22 -> 192.168.0.5 port 22
rdr iy0 0.0.0.0/32 port 25 -> 192.168.0.5 port 25
rdr iy0 0.0.0.0/32 port 80 -> 192.168.0.5 port 80
rdr iy0 0.0.0.0/32 port 443 -> 192.168.0.5 port 443
---------ipnat.conf---------

If my understanding is correct, the NAT rules get applied before the
packet goes through the IP Filter.  This means that the rules I have
allowing things into 192.168.0.1 will never be used; I simply had them
there to make sure :)

Another question:  It is my understanding that when I get a new IP
address from my ISP, I need to have NAT update itself.  What is the best
way to do this considering the machine never disconnects?

Sam
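The post's own observation is the key one: an inbound packet is rewritten by the `rdr` rules in ipnat.conf before the inbound filter rules in ipf.conf see it, so the filter has to admit the post-NAT (internal) destination, on the same interface the `rdr` rule names. The following script is an added example written for this page, not Sam's code and not part of NetBSD or IPFilter; it parses the two configs quoted above (embedded here as constructed sample text, with the mail-wrapped rule lines joined) and reports two things a reviewer would check first: whether the NAT rules and the filter rules name any interface in common at all, and whether each `rdr` target has a matching `pass in` rule for the internal address and port on that interface. The regular expressions are assumptions that cover only the rule forms that appear in the post, not the full ipf/ipnat grammar.

```python
"""Cross-check an IPFilter ipf.conf against an ipnat.conf (added example).

Inbound traffic is translated by ipnat's rdr rules before ipf's inbound
filter rules run, so every rdr target needs a "pass in" rule on the same
interface, addressed to the post-NAT (internal) address and port.
"""
import re

# Constructed sample: the two configurations from the post, wrapped lines joined.
IPF_CONF = """
block in on tun0
block in quick on tun0 from 192.168.0.0/16 to any
pass out quick on tun0 proto tcp/udp from 192.168.0.1/32 to any keep state
pass in quick on tun0 proto tcp from any to 192.168.0.1/32 port = 22 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.0.5/32 port = 22 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.0.5/32 port = 25 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.0.5/32 port = 80 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.0.5/32 port = 443 flags S keep state
"""

IPNAT_CONF = """
map iy0 192.168.0.1/24 -> 0/32 proxy port ftp ftp/tcp
map iy0 192.168.0.1/24 -> 0/32 portmap tcp/udp 40000:60000
map iy0 192.168.0.1/24 -> 0/32
rdr iy0 0.0.0.0/32 port 22 -> 192.168.0.5 port 22
rdr iy0 0.0.0.0/32 port 25 -> 192.168.0.5 port 25
rdr iy0 0.0.0.0/32 port 80 -> 192.168.0.5 port 80
rdr iy0 0.0.0.0/32 port 443 -> 192.168.0.5 port 443
"""

# Assumed rule shapes: only the forms used in the post are recognised.
PASS_IN_RE = re.compile(
    r"^pass\s+in\s+(?:quick\s+)?on\s+(?P<iface>\S+)\s+proto\s+(?P<proto>\S+)"
    r"\s+from\s+\S+\s+to\s+(?P<dst>[\d.]+)(?:/\d+)?\s+port\s*=\s*(?P<port>\d+)"
)
RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+(?P<ext>\S+)\s+port\s+(?P<port>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+)\s+port\s+(?P<dport>\d+)(?:\s+(?P<proto>\S+))?"
)
IFACE_RE = re.compile(r"\bon\s+(\S+)")          # "... on tun0 ..." in ipf rules
NAT_RE = re.compile(r"^(?:map|rdr|bimap)\s+(\S+)")  # interface is the 2nd token in ipnat rules


def parse_rules(text, pattern):
    """Return the named groups of every non-comment line matching pattern."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = pattern.match(line)
            if m:
                rules.append(m.groupdict())
    return rules


def filter_interfaces(ipf_text):
    """Set of interfaces named by 'on <iface>' anywhere in ipf.conf."""
    return {m.group(1) for m in IFACE_RE.finditer(ipf_text)}


def nat_interfaces(ipnat_text):
    """Set of interfaces named by map/rdr/bimap rules in ipnat.conf."""
    matches = (NAT_RE.match(line.strip()) for line in ipnat_text.splitlines())
    return {m.group(1) for m in matches if m}


def check(ipf_text, ipnat_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    fi, ni = filter_interfaces(ipf_text), nat_interfaces(ipnat_text)
    if not fi & ni:
        findings.append(
            f"NAT rules use interfaces {sorted(ni)} but filter rules use "
            f"{sorted(fi)}; nothing the NAT rules touch is ever filtered by these rules"
        )
    pass_in = parse_rules(ipf_text, PASS_IN_RE)
    for rdr in parse_rules(ipnat_text, RDR_RE):
        proto = rdr["proto"] or "tcp"  # ipnat's rdr defaults to tcp
        admitted = any(
            p["iface"] == rdr["iface"]
            and p["dst"] == rdr["dst"]          # post-NAT address, not the external one
            and p["port"] == rdr["dport"]
            and proto in p["proto"].split("/")  # "tcp/udp" covers both
            for p in pass_in
        )
        if not admitted:
            findings.append(
                f"rdr on {rdr['iface']} port {rdr['port']} -> {rdr['dst']}:{rdr['dport']}/{proto} "
                f"has no matching 'pass in' rule on {rdr['iface']}"
            )
    return findings


if __name__ == "__main__":
    for f in check(IPF_CONF, IPNAT_CONF):
        print("FINDING:", f)
    # Same check with the NAT rules re-pointed at the filter's interface (tun0).
    print("after renaming iy0 -> tun0:", check(IPF_CONF, IPNAT_CONF.replace("iy0", "tun0")) or "no findings")
```

Run against the configuration as posted, the script reports that the NAT rules name only `iy0` while every filter rule names `tun0`, and consequently that none of the four `rdr` targets has a `pass in` rule on the interface the redirection happens on; with the NAT rules re-pointed at `tun0` it reports nothing, because the `pass in` rules for 192.168.0.5 on ports 22, 25, 80 and 443 are exactly the post-NAT rules the redirected packets need. It does not decide which interface is the correct external one; that depends on the host's actual interface layout.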