author: Dru Lavigne <dru@FreeBSD.org> 2014-02-23 16:11:36 +0000
committer: Dru Lavigne <dru@FreeBSD.org> 2014-02-23 16:11:36 +0000
commit: 0fc636eba0c1db13734532d5cda3b6ebf2076b57
tree: b1e6cac20f4b3cefde03a6f07a79e3d9edb2d3ad /en_US.ISO8859-1/books/handbook/firewalls
parent: b7cdb56eaa982d565ec413f24662d14142fbd47d
Initial shuffle to improve flow of IPF NAT section.
Next commit will review actual content. Sponsored by: iXsystems
Notes: svn path=/head/; revision=44037
Diffstat (limited to 'en_US.ISO8859-1/books/handbook/firewalls')
-rw-r--r-- en_US.ISO8859-1/books/handbook/firewalls/chapter.xml | 444
1 files changed, 205 insertions, 239 deletions
diff --git a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
index 5b4388810f..03b6e874e8 100644
--- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
@@ -226,6 +226,40 @@
advanced matching abilities capable of defending against the
flood of different attack methods employed by attackers.</para>
+ <para><acronym>NAT</acronym> stands for <emphasis>Network
+ Address Translation</emphasis>.
+ <acronym>NAT</acronym> function enables the private LAN behind
+ the firewall to share a single ISP-assigned IP address, even
+ if that address is dynamically assigned. NAT allows each
+ computer in the LAN to have Internet access, without
+ having to pay the ISP for multiple Internet accounts or IP
+ addresses.</para>
+
+ <para><acronym>NAT</acronym> will automatically translate the
+ private LAN IP address for each system on the LAN to the
+ single public IP address as packets exit the firewall bound
+ for the public Internet. It also performs the reverse
+ translation for returning packets.</para>
+
+ <para>According to RFC 1918, the following IP address ranges are
+ reserved for private networks which will never be routed
+ directly to the public Internet, and therefore are available
+ for use with NAT:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><literal>10.0.0.0/8</literal>.</para>
+ </listitem>
+
+ <listitem>
+ <para><literal>172.16.0.0/12</literal>.</para>
+ </listitem>
+
+ <listitem>
+ <para><literal>192.168.0.0/16</literal>.</para>
+ </listitem>
+ </itemizedlist>
+
<warning>
<para>When working with the firewall rules, be <emphasis>very
careful</emphasis>. Some configurations <emphasis>can
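Review bot: the first moved paragraph now opens "<acronym>NAT</acronym> function enables the private LAN behind the firewall"; dropping "The IPF" from the original sentence left it without an article. Since this introductory section is no longer IPF-specific, suggest "<acronym>NAT</acronym> enables the private LAN behind the firewall to share a single ISP-assigned IP address". The RFC 1918 paragraph's "which will never be routed directly to the public Internet" overstates the RFC: the ranges are reserved for private use and are expected to be filtered at the border, but nothing stops a misconfigured router from forwarding them, so "are not routable on the public Internet" is closer to the RFC's intent and avoids giving readers a false guarantee.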
@@ -2158,117 +2192,6 @@ pass in quick on dc0 proto tcp from any to x.x.x.x port = 80 flags S keep state
block in log first quick on dc0 all</programlisting>
</sect2>
- <sect2 xml:id="firewalls-ipf-rules-script">
- <title>Building the Rule Script with Symbolic
- Substitution</title>
-
- <para>Some experienced IPF users create a file containing the
- rules and code them in a manner compatible with running them
- as a script with symbolic substitution. The major benefit
- of doing this is that only the value associated with the
- symbolic name needs to be changed, and when the script is
- run all the rules containing the symbolic name will have the
- value substituted in the rules. Being a script, symbolic
- substitution can be used to code frequently used values and
- substitute them in multiple rules. This can be seen in the
- following example.</para>
-
- <para>The script syntax used here is compatible with the
- &man.sh.1;, &man.csh.1;, and &man.tcsh.1; shells.</para>
-
- <para>Symbolic substitution fields are prefixed with a
- <literal>&dollar;</literal>.</para>
-
- <para>Symbolic fields do not have the &dollar; prefix.</para>
-
- <para>The value to populate the symbolic field must be enclosed
- between double quotes (<literal>"</literal>).</para>
-
- <para>Start the rule file with something like this:</para>
-
- <programlisting>############# Start of IPF rules script ########################
-
-oif="dc0" # name of the outbound interface
-odns="192.0.2.11" # ISP's DNS server IP address
-myip="192.0.2.7" # my static IP address from ISP
-ks="keep state"
-fks="flags S keep state"
-
-# You can choose between building /etc/ipf.rules file
-# from this script or running this script "as is".
-#
-# Uncomment only one line and comment out another.
-#
-# 1) This can be used for building /etc/ipf.rules:
-#cat &gt; /etc/ipf.rules &lt;&lt; EOF
-#
-# 2) This can be used to run script "as is":
-/sbin/ipf -Fa -f - &lt;&lt; EOF
-
-# Allow out access to my ISP's Domain name server.
-pass out quick on &dollar;oif proto tcp from any to &dollar;odns port = 53 &dollar;fks
-pass out quick on &dollar;oif proto udp from any to &dollar;odns port = 53 &dollar;ks
-
-# Allow out non-secure standard www function
-pass out quick on &dollar;oif proto tcp from &dollar;myip to any port = 80 &dollar;fks
-
-# Allow out secure www function https over TLS SSL
-pass out quick on &dollar;oif proto tcp from &dollar;myip to any port = 443 &dollar;fks
-EOF
-################## End of IPF rules script ########################</programlisting>
-
- <para>The rules are not important in this example as it instead
- focuses on how the symbolic substitution fields are populated.
- If this example was in a file named
- <filename>/etc/ipf.rules.script</filename>, these rules could
- be reloaded by running:</para>
-
- <screen>&prompt.root; <userinput>sh /etc/ipf.rules.script</userinput></screen>
-
- <para>There is one problem with using a rules file with embedded
- symbolics: IPF does not understand symbolic substitution, and
- cannot read such scripts directly.</para>
-
- <para>This script can be used in one of two ways:</para>
-
- <itemizedlist>
- <listitem>
- <para>Uncomment the line that begins with
- <literal>cat</literal>, and comment out the line that
- begins with <literal>/sbin/ipf</literal>. Place
- <literal>ipfilter_enable="YES"</literal> into
- <filename>/etc/rc.conf</filename>, and run the script
- once after each modification to create or update
- <filename>/etc/ipf.rules</filename>.</para>
- </listitem>
-
- <listitem>
- <para>Disable <application>IPFILTER</application> in the
- system startup scripts by adding
- <literal>ipfilter_enable="NO"</literal>to
- <filename>/etc/rc.conf</filename>.</para>
-
- <para>Then, add a script like the following to
- <filename>/usr/local/etc/rc.d/</filename>. The script
- should have an obvious name like
- <filename>ipf.loadrules.sh</filename>, where the
- <filename>.sh</filename> extension is mandatory.</para>
-
- <programlisting>#!/bin/sh
-sh /etc/ipf.rules.script</programlisting>
-
- <para>The permissions on this script file must be read,
- write, execute for owner
- <systemitem class="username">root</systemitem>:</para>
-
- <screen>&prompt.root; <userinput>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</userinput></screen>
- </listitem>
- </itemizedlist>
-
- <para>Now, when the system boots, the IPF rules will be
- loaded.</para>
- </sect2>
-
<sect2>
<title>Configuring <acronym>NAT</acronym></title>
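Review bot: this hunk deletes the element carrying xml:id="firewalls-ipf-rules-script", and the id only reappears in the last hunk of this patch, so any <xref linkend="firewalls-ipf-rules-script"/> elsewhere in the book would break if the two hunks were ever applied separately; the move is atomic here, but a grep for that linkend before committing would confirm no other chapter references it. Also worth noting for the flow goal stated in the commit message: the moved section's example script loads only filter rules ("/sbin/ipf -Fa -f -"), yet it now lands after the NAT material rather than beside the filter-rule discussion it illustrates.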
@@ -2286,144 +2209,57 @@ sh /etc/ipf.rules.script</programlisting>
<see>NAT</see>
</indexterm>
- <para><acronym>NAT</acronym> stands for <emphasis>Network
- Address Translation</emphasis>. The IPF
- <acronym>NAT</acronym> function enables the private LAN behind
- the firewall to share a single ISP-assigned IP address, even
- if that address is dynamically assigned. NAT allows each
- computer in the LAN to have Internet access, without
- having to pay the ISP for multiple Internet accounts or IP
- addresses.</para>
-
- <para>In IPF, when a packet arrives at the firewall from the LAN
- with a public destination, it passes through the outbound
- filter rules. <acronym>NAT</acronym> gets its turn at the
- packet and applies its rules top down, where the first
- matching rule wins. <acronym>NAT</acronym> tests each of its
- rules against the packet's interface name and source IP
- address. When a packet's interface name matches a
- <acronym>NAT</acronym> rule, the packet's source IP address in
- the private LAN is checked to see if it falls within the IP
- address range specified to the left of the arrow symbol on the
- <acronym>NAT</acronym> rule. On a match, the packet has its
- source IP address rewritten with the public IP address
- obtained by the <literal>0/32</literal> keyword.
- <acronym>NAT</acronym> posts an entry in its internal
- <acronym>NAT</acronym> table so when the packet returns from
- the public Internet it can be mapped back to its original
- private IP address and then passed to the filter rules for
- processing.</para>
-
- <para><acronym>NAT</acronym> will automatically translate the
- private LAN IP address for each system on the LAN to the
- single public IP address as packets exit the firewall bound
- for the public Internet. It also performs the reverse
- translation for returning packets.</para>
-
- <para>According to RFC 1918, the following IP address ranges are
- reserved for private networks which will never be routed
- directly to the public Internet, and therefore are available
- for use with NAT:</para>
-
- <itemizedlist>
- <listitem>
- <para><literal>10.0.0.0/8</literal>.</para>
- </listitem>
-
- <listitem>
- <para><literal>172.16.0.0/12</literal>.</para>
- </listitem>
-
- <listitem>
- <para><literal>192.168.0.0/16</literal>.</para>
- </listitem>
- </itemizedlist>
-
<indexterm><primary><command>ipnat</command></primary></indexterm>
- <para>To enable IP<acronym>NAT</acronym>, add these statements
- to <filename>/etc/rc.conf</filename>.</para>
-
- <para>To enable the machine to route traffic between
- interfaces:</para>
-
- <programlisting>gateway_enable="YES"</programlisting>
-
- <para>To start IP<acronym>NAT</acronym> automatically each
- time:</para>
-
- <programlisting>ipnat_enable="YES"</programlisting>
-
- <para>To specify where to load the IP<acronym>NAT</acronym>
- rules from:</para>
+ <para>To enable <acronym>NAT</acronym>, add these statements
+ to <filename>/etc/rc.conf</filename> and specify the name of
+ the file containing the <acronym>NAT</acronym> rules:</para>
- <programlisting>ipnat_rules="/etc/ipnat.rules"</programlisting>
-
- <para><acronym>NAT</acronym> rules are loaded using
- <command>ipnat</command>. Typically, the
- <acronym>NAT</acronym> rules are stored in
- <filename>/etc/ipnat.rules</filename>. See &man.ipnat.8; for
- details.</para>
-
- <para>When the file containing the <acronym>NAT</acronym> rules
- is edited after <acronym>NAT</acronym> has been started, run
- <command>ipnat</command> with <option>-CF</option> to delete
- the internal in use <acronym>NAT</acronym> rules and flush the
- contents of the translation table of all active
- entries.</para>
-
- <para>To reload the <acronym>NAT</acronym> rules, issue a
- command like this:</para>
-
- <screen>&prompt.root; <userinput>ipnat -CF -f
- /etc/ipnat.rules</userinput></screen>
-
- <para>To display some <acronym>NAT</acronym> statistics, use
- this command:</para>
-
- <screen>&prompt.root; <userinput>ipnat -s</userinput></screen>
-
- <para>To list the <acronym>NAT</acronym> table's current
- mappings, use this command:</para>
-
- <screen>&prompt.root; <userinput>ipnat -l</userinput></screen>
-
- <para>To turn verbose mode on and display information relating
- to rule processing and active rules/table entries:</para>
-
- <screen>&prompt.root; <userinput>ipnat -v</userinput></screen>
+ <programlisting>gateway_enable="YES"
+ipnat_enable="YES"
+ipnat_rules="/etc/ipnat.rules"</programlisting>
<para><acronym>NAT</acronym> rules are flexible and can
accomplish many different things to fit the needs of
- commercial and home users.</para>
-
- <para>The rule syntax presented here has been simplified to
- what is most commonly used in a non-commercial environment.
+ commercial and home users. The rule syntax presented here has been simplified to
+ demonstrate common usage.
For a complete rule syntax description, refer to
&man.ipnat.5;.</para>
<para>The syntax for a <acronym>NAT</acronym> rule looks like
- this:</para>
+ this, where <literal>map</literal> starts the rule and
+ <replaceable>IF</replaceable> should be replaced with the
+ name of the external
+ interface:</para>
<programlisting>map <replaceable>IF</replaceable> <replaceable>LAN_IP_RANGE</replaceable> -&gt; <replaceable>PUBLIC_ADDRESS</replaceable></programlisting>
- <para>The keyword <literal>map</literal> starts the rule.</para>
-
- <para>Replace <replaceable>IF</replaceable> with the external
- interface.</para>
-
<para>The <replaceable>LAN_IP_RANGE</replaceable> is used by the
internal clients use for IP Addressing. Usually, this is
something like <systemitem
- class="ipaddress">192.168.1.0/24</systemitem>.</para>
-
- <para>The <replaceable>PUBLIC_ADDRESS</replaceable> can either
+ class="ipaddress">192.168.1.0/24</systemitem>. The <replaceable>PUBLIC_ADDRESS</replaceable> can either
be the static external IP address or the special keyword
<literal>0/32</literal> which uses the IP address assigned to
<replaceable>IF</replaceable>.</para>
- <sect3>
- <title><acronym>NAT</acronym> for a Large LAN</title>
+ <para>In IPF, when a packet arrives at the firewall from the LAN
+ with a public destination, it passes through the outbound
+ filter rules. <acronym>NAT</acronym> gets its turn at the
+ packet and applies its rules top down, where the first
+ matching rule wins. <acronym>NAT</acronym> tests each of its
+ rules against the packet's interface name and source IP
+ address. When a packet's interface name matches a
+ <acronym>NAT</acronym> rule, the packet's source IP address in
+ the private LAN is checked to see if it falls within the IP
+ address range specified to the left of the arrow symbol on the
+ <acronym>NAT</acronym> rule. On a match, the packet has its
+ source IP address rewritten with the public IP address
+ obtained by the <literal>0/32</literal> keyword.
+ <acronym>NAT</acronym> posts an entry in its internal
+ <acronym>NAT</acronym> table so when the packet returns from
+ the public Internet it can be mapped back to its original
+ private IP address and then passed to the filter rules for
+ processing.</para>
<para>For networks that have large numbers of systems on the
LAN or networks with more than a single LAN, the process of
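Review bot: the packet-flow paragraph moved to the end of this hunk still says the source address is "rewritten with the public IP address obtained by the <literal>0/32</literal> keyword", but it now directly follows the syntax description stating that <replaceable>PUBLIC_ADDRESS</replaceable> may be either a static address or <literal>0/32</literal>; suggest "rewritten with the <replaceable>PUBLIC_ADDRESS</replaceable> given in the rule, or the address of <replaceable>IF</replaceable> when <literal>0/32</literal> is used". Two items are dropped rather than moved: the paragraph pointing to &man.ipnat.8; (no reference to the command's manual page remains, only to &man.ipnat.5;), and the explanation that gateway_enable="YES" turns on forwarding between interfaces, which the consolidated rc.conf listing no longer gives. The retained context line "is used by the internal clients use for IP Addressing" has a duplicated "use"; one for the content pass.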
@@ -2476,16 +2312,12 @@ sh /etc/ipf.rules.script</programlisting>
<para>or using CIDR notation:</para>
<programlisting>map dc0 192.168.1.0/24 -&gt; 204.134.75.0/24</programlisting>
- </sect3>
-
- <sect3>
- <title>Port Redirection</title>
<para>A common practice is to have a web server, email server,
database server, and DNS server each segregated to a
different system on the LAN. In this case, the traffic from
these servers still has to undergo <acronym>NAT</acronym>,
- but there has to be some way to direct the inbound traffic
+ but port redirection is also needed to direct the inbound traffic
to the correct server. For example, a web server operating
on LAN address <systemitem
class="ipaddress">10.0.10.25</systemitem> and using a
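Review bot: the reworded sentence "but port redirection is also needed to direct the inbound traffic" introduces the concept without naming the <literal>rdr</literal> keyword that the examples which follow use; suggest "but a port redirection (<literal>rdr</literal>) rule is also needed to direct the inbound traffic". Flattening the "Port Redirection" sect3 into the parent also removes the only heading under which a reader can find this material, so a short lead sentence in its place would help. The retained example "map dc0 192.168.1.0/24 -> 204.134.75.0/24" uses a routable prefix on the public side; the content pass should switch it to an RFC 5737 documentation range such as 203.0.113.0/24, as the symbolic-substitution script already does with 192.0.2.x.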
@@ -2504,10 +2336,6 @@ sh /etc/ipf.rules.script</programlisting>
needs to receive public DNS requests:</para>
<programlisting>rdr dc0 20.20.20.5/32 port 53 -&gt; 10.0.10.33 port 53 udp</programlisting>
- </sect3>
-
- <sect3>
- <title>FTP and <acronym>NAT</acronym></title>
<para>FTP has two modes: active mode and passive mode. The
difference is in how the data channel is acquired. Passive
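Review bot: removing the "FTP and <acronym>NAT</acronym>" sect3 leaves "FTP has two modes: active mode and passive mode" following the DNS rdr example with no transition; a sentence explaining that FTP needs extra rules under NAT because the data channel is negotiated inside the control connection would keep the flow this commit is after. The retained rdr example uses 20.20.20.5/32 as the public address, which is not a documentation range; same RFC 5737 suggestion as for the map examples.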
@@ -2564,7 +2392,145 @@ pass out quick on rl0 proto tcp from any to any port &gt; 1024 flags S keep stat
# Active mode let data channel in from FTP server
pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</programlisting>
- </sect3>
+
+ <para>When the file containing the <acronym>NAT</acronym> rules
+ is edited after <acronym>NAT</acronym> has been started, run
+ <command>ipnat</command> with <option>-CF</option> to delete
+ the internal in use <acronym>NAT</acronym> rules and flush the
+ contents of the translation table of all active
+ entries.</para>
+
+ <para>To reload the <acronym>NAT</acronym> rules, issue a
+ command like this:</para>
+
+ <screen>&prompt.root; <userinput>ipnat -CF -f
+ /etc/ipnat.rules</userinput></screen>
+
+ <para>To display some <acronym>NAT</acronym> statistics, use
+ this command:</para>
+
+ <screen>&prompt.root; <userinput>ipnat -s</userinput></screen>
+
+ <para>To list the <acronym>NAT</acronym> table's current
+ mappings, use this command:</para>
+
+ <screen>&prompt.root; <userinput>ipnat -l</userinput></screen>
+
+ <para>To turn verbose mode on and display information relating
+ to rule processing and active rules/table entries:</para>
+
+ <screen>&prompt.root; <userinput>ipnat -v</userinput></screen>
+ </sect2>
+
+ <sect2 xml:id="firewalls-ipf-rules-script">
+ <title>Building the Rule Script with Symbolic
+ Substitution</title>
+
+ <para>Some experienced IPF users create a file containing the
+ rules and code them in a manner compatible with running them
+ as a script with symbolic substitution. The major benefit
+ of doing this is that only the value associated with the
+ symbolic name needs to be changed, and when the script is
+ run all the rules containing the symbolic name will have the
+ value substituted in the rules. Being a script, symbolic
+ substitution can be used to code frequently used values and
+ substitute them in multiple rules. This can be seen in the
+ following example.</para>
+
+ <para>The script syntax used here is compatible with the
+ &man.sh.1;, &man.csh.1;, and &man.tcsh.1; shells.</para>
+
+ <para>Symbolic substitution fields are prefixed with a
+ <literal>&dollar;</literal>.</para>
+
+ <para>Symbolic fields do not have the &dollar; prefix.</para>
+
+ <para>The value to populate the symbolic field must be enclosed
+ between double quotes (<literal>"</literal>).</para>
+
+ <para>Start the rule file with something like this:</para>
+
+ <programlisting>############# Start of IPF rules script ########################
+
+oif="dc0" # name of the outbound interface
+odns="192.0.2.11" # ISP's DNS server IP address
+myip="192.0.2.7" # my static IP address from ISP
+ks="keep state"
+fks="flags S keep state"
+
+# You can choose between building /etc/ipf.rules file
+# from this script or running this script "as is".
+#
+# Uncomment only one line and comment out another.
+#
+# 1) This can be used for building /etc/ipf.rules:
+#cat &gt; /etc/ipf.rules &lt;&lt; EOF
+#
+# 2) This can be used to run script "as is":
+/sbin/ipf -Fa -f - &lt;&lt; EOF
+
+# Allow out access to my ISP's Domain name server.
+pass out quick on &dollar;oif proto tcp from any to &dollar;odns port = 53 &dollar;fks
+pass out quick on &dollar;oif proto udp from any to &dollar;odns port = 53 &dollar;ks
+
+# Allow out non-secure standard www function
+pass out quick on &dollar;oif proto tcp from &dollar;myip to any port = 80 &dollar;fks
+
+# Allow out secure www function https over TLS SSL
+pass out quick on &dollar;oif proto tcp from &dollar;myip to any port = 443 &dollar;fks
+EOF
+################## End of IPF rules script ########################</programlisting>
+
+ <para>The rules are not important in this example as it instead
+ focuses on how the symbolic substitution fields are populated.
+ If this example was in a file named
+ <filename>/etc/ipf.rules.script</filename>, these rules could
+ be reloaded by running:</para>
+
+ <screen>&prompt.root; <userinput>sh /etc/ipf.rules.script</userinput></screen>
+
+ <para>There is one problem with using a rules file with embedded
+ symbolics: IPF does not understand symbolic substitution, and
+ cannot read such scripts directly.</para>
+
+ <para>This script can be used in one of two ways:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para>Uncomment the line that begins with
+ <literal>cat</literal>, and comment out the line that
+ begins with <literal>/sbin/ipf</literal>. Place
+ <literal>ipfilter_enable="YES"</literal> into
+ <filename>/etc/rc.conf</filename>, and run the script
+ once after each modification to create or update
+ <filename>/etc/ipf.rules</filename>.</para>
+ </listitem>
+
+ <listitem>
+ <para>Disable <application>IPFILTER</application> in the
+ system startup scripts by adding
+ <literal>ipfilter_enable="NO"</literal>to
+ <filename>/etc/rc.conf</filename>.</para>
+
+ <para>Then, add a script like the following to
+ <filename>/usr/local/etc/rc.d/</filename>. The script
+ should have an obvious name like
+ <filename>ipf.loadrules.sh</filename>, where the
+ <filename>.sh</filename> extension is mandatory.</para>
+
+ <programlisting>#!/bin/sh
+sh /etc/ipf.rules.script</programlisting>
+
+ <para>The permissions on this script file must be read,
+ write, execute for owner
+ <systemitem class="username">root</systemitem>:</para>
+
+ <screen>&prompt.root; <userinput>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</userinput></screen>
+ </listitem>
+ </itemizedlist>
+
+ <para>Now, when the system boots, the IPF rules will be
+ loaded.</para>
</sect2>
<sect2>
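Review bot: the re-added section still claims the script syntax "is compatible with the &man.sh.1;, &man.csh.1;, and &man.tcsh.1; shells", but assignments like oif="dc0" and the &dollar;var expansion inside the heredoc are Bourne syntax; csh and tcsh use set var = value, so the claim should be narrowed to &man.sh.1; (the section's own "sh /etc/ipf.rules.script" already assumes that). "<literal>ipfilter_enable="NO"</literal>to" is missing a space before "to". Since "/sbin/ipf -Fa -f -" flushes every active rule before the new set is read from stdin, the paragraph describing the reload could say that it is not atomic, which matters when rules are edited over a remote connection.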