From 0fc636eba0c1db13734532d5cda3b6ebf2076b57 Mon Sep 17 00:00:00 2001 From: Dru Lavigne Date: Sun, 23 Feb 2014 16:11:36 +0000 Subject: Initial shuffle to improve flow of IPF NAT section. Next commit will review actual content. Sponsored by: iXsystems --- .../books/handbook/firewalls/chapter.xml | 444 ++++++++++----------- 1 file changed, 205 insertions(+), 239 deletions(-) (limited to 'en_US.ISO8859-1/books/handbook/firewalls') diff --git a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml index 5b4388810f..03b6e874e8 100644 --- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml @@ -226,6 +226,40 @@ advanced matching abilities capable of defending against the flood of different attack methods employed by attackers. + NAT stands for Network + Address Translation. + NAT function enables the private LAN behind + the firewall to share a single ISP-assigned IP address, even + if that address is dynamically assigned. NAT allows each + computer in the LAN to have Internet access, without + having to pay the ISP for multiple Internet accounts or IP + addresses. + + NAT will automatically translate the + private LAN IP address for each system on the LAN to the + single public IP address as packets exit the firewall bound + for the public Internet. It also performs the reverse + translation for returning packets. + + According to RFC 1918, the following IP address ranges are + reserved for private networks which will never be routed + directly to the public Internet, and therefore are available + for use with NAT: + + + + 10.0.0.0/8. + + + + 172.16.0.0/12. + + + + 192.168.0.0/16. + + + When working with the firewall rules, be very careful. Some configurations can 
@@ -2158,117 +2192,6 @@ pass in quick on dc0 proto tcp from any to x.x.x.x port = 80 flags S keep state block in log first quick on dc0 all - - Building the Rule Script with Symbolic - Substitution - - Some experienced IPF users create a file containing the - rules and code them in a manner compatible with running them - as a script with symbolic substitution. The major benefit - of doing this is that only the value associated with the - symbolic name needs to be changed, and when the script is - run all the rules containing the symbolic name will have the - value substituted in the rules. Being a script, symbolic - substitution can be used to code frequently used values and - substitute them in multiple rules. This can be seen in the - following example. - - The script syntax used here is compatible with the - &man.sh.1;, &man.csh.1;, and &man.tcsh.1; shells. - - Symbolic substitution fields are prefixed with a - $. - - Symbolic fields do not have the $ prefix. - - The value to populate the symbolic field must be enclosed - between double quotes ("). - - Start the rule file with something like this: - - ############# Start of IPF rules script ######################## - -oif="dc0" # name of the outbound interface -odns="192.0.2.11" # ISP's DNS server IP address -myip="192.0.2.7" # my static IP address from ISP -ks="keep state" -fks="flags S keep state" - -# You can choose between building /etc/ipf.rules file -# from this script or running this script "as is". -# -# Uncomment only one line and comment out another. -# -# 1) This can be used for building /etc/ipf.rules: -#cat > /etc/ipf.rules << EOF -# -# 2) This can be used to run script "as is": -/sbin/ipf -Fa -f - << EOF - -# Allow out access to my ISP's Domain name server. 
-pass out quick on $oif proto tcp from any to $odns port = 53 $fks -pass out quick on $oif proto udp from any to $odns port = 53 $ks - -# Allow out non-secure standard www function -pass out quick on $oif proto tcp from $myip to any port = 80 $fks - -# Allow out secure www function https over TLS SSL -pass out quick on $oif proto tcp from $myip to any port = 443 $fks -EOF -################## End of IPF rules script ######################## - - The rules are not important in this example as it instead - focuses on how the symbolic substitution fields are populated. - If this example was in a file named - /etc/ipf.rules.script, these rules could - be reloaded by running: - - &prompt.root; sh /etc/ipf.rules.script - - There is one problem with using a rules file with embedded - symbolics: IPF does not understand symbolic substitution, and - cannot read such scripts directly. - - This script can be used in one of two ways: - - - - Uncomment the line that begins with - cat, and comment out the line that - begins with /sbin/ipf. Place - ipfilter_enable="YES" into - /etc/rc.conf, and run the script - once after each modification to create or update - /etc/ipf.rules. - - - - Disable IPFILTER in the - system startup scripts by adding - ipfilter_enable="NO"to - /etc/rc.conf. - - Then, add a script like the following to - /usr/local/etc/rc.d/. The script - should have an obvious name like - ipf.loadrules.sh, where the - .sh extension is mandatory. - - #!/bin/sh -sh /etc/ipf.rules.script - - The permissions on this script file must be read, - write, execute for owner - root: - - &prompt.root; chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh - - - - Now, when the system boots, the IPF rules will be - loaded. - - Configuring <acronym>NAT</acronym> 
@@ -2286,144 +2209,57 @@ sh /etc/ipf.rules.script NAT - NAT stands for Network - Address Translation. The IPF - NAT function enables the private LAN behind - the firewall to share a single ISP-assigned IP address, even - if that address is dynamically assigned. NAT allows each - computer in the LAN to have Internet access, without - having to pay the ISP for multiple Internet accounts or IP - addresses. - - In IPF, when a packet arrives at the firewall from the LAN - with a public destination, it passes through the outbound - filter rules. NAT gets its turn at the - packet and applies its rules top down, where the first - matching rule wins. NAT tests each of its - rules against the packet's interface name and source IP - address. When a packet's interface name matches a - NAT rule, the packet's source IP address in - the private LAN is checked to see if it falls within the IP - address range specified to the left of the arrow symbol on the - NAT rule. On a match, the packet has its - source IP address rewritten with the public IP address - obtained by the 0/32 keyword. - NAT posts an entry in its internal - NAT table so when the packet returns from - the public Internet it can be mapped back to its original - private IP address and then passed to the filter rules for - processing. - - NAT will automatically translate the - private LAN IP address for each system on the LAN to the - single public IP address as packets exit the firewall bound - for the public Internet. It also performs the reverse - translation for returning packets. - - According to RFC 1918, the following IP address ranges are - reserved for private networks which will never be routed - directly to the public Internet, and therefore are available - for use with NAT: - - - - 10.0.0.0/8. - - - - 172.16.0.0/12. - - - - 192.168.0.0/16. - - - ipnat - To enable IPNAT, add these statements - to /etc/rc.conf. 
- - To enable the machine to route traffic between - interfaces: - - gateway_enable="YES" - - To start IPNAT automatically each - time: - - ipnat_enable="YES" - - To specify where to load the IPNAT - rules from: + To enable NAT, add these statements + to /etc/rc.conf and specify the name of + the file containing the NAT rules: - ipnat_rules="/etc/ipnat.rules" - - NAT rules are loaded using - ipnat. Typically, the - NAT rules are stored in - /etc/ipnat.rules. See &man.ipnat.8; for - details. - - When the file containing the NAT rules - is edited after NAT has been started, run - ipnat with to delete - the internal in use NAT rules and flush the - contents of the translation table of all active - entries. - - To reload the NAT rules, issue a - command like this: - - &prompt.root; ipnat -CF -f - /etc/ipnat.rules - - To display some NAT statistics, use - this command: - - &prompt.root; ipnat -s - - To list the NAT table's current - mappings, use this command: - - &prompt.root; ipnat -l - - To turn verbose mode on and display information relating - to rule processing and active rules/table entries: - - &prompt.root; ipnat -v + gateway_enable="YES" +ipnat_enable="YES" +ipnat_rules="/etc/ipnat.rules" NAT rules are flexible and can accomplish many different things to fit the needs of - commercial and home users. - - The rule syntax presented here has been simplified to - what is most commonly used in a non-commercial environment. + commercial and home users. The rule syntax presented here has been simplified to + demonstrate common usage. For a complete rule syntax description, refer to &man.ipnat.5;. The syntax for a NAT rule looks like - this: + this, where map starts the rule and + IF should be replaced with the + name of the external + interface: map IF LAN_IP_RANGE -> PUBLIC_ADDRESS - The keyword map starts the rule. - - Replace IF with the external - interface. - The LAN_IP_RANGE is used by the internal clients use for IP Addressing. 
Usually, this is something like 192.168.1.0/24. - - The PUBLIC_ADDRESS can either + class="ipaddress">192.168.1.0/24. The PUBLIC_ADDRESS can either be the static external IP address or the special keyword 0/32 which uses the IP address assigned to IF. - - <acronym>NAT</acronym> for a Large LAN + In IPF, when a packet arrives at the firewall from the LAN + with a public destination, it passes through the outbound + filter rules. NAT gets its turn at the + packet and applies its rules top down, where the first + matching rule wins. NAT tests each of its + rules against the packet's interface name and source IP + address. When a packet's interface name matches a + NAT rule, the packet's source IP address in + the private LAN is checked to see if it falls within the IP + address range specified to the left of the arrow symbol on the + NAT rule. On a match, the packet has its + source IP address rewritten with the public IP address + obtained by the 0/32 keyword. + NAT posts an entry in its internal + NAT table so when the packet returns from + the public Internet it can be mapped back to its original + private IP address and then passed to the filter rules for + processing. For networks that have large numbers of systems on the LAN or networks with more than a single LAN, the process of @@ -2476,16 +2312,12 @@ sh /etc/ipf.rules.script or using CIDR notation: map dc0 192.168.1.0/24 -> 204.134.75.0/24 - - - - Port Redirection A common practice is to have a web server, email server, database server, and DNS server each segregated to a different system on the LAN. In this case, the traffic from these servers still has to undergo NAT, - but there has to be some way to direct the inbound traffic + but port redirection is also needed to direct the inbound traffic to the correct server. For example, a web server operating on LAN address 10.0.10.25 and using a 
@@ -2504,10 +2336,6 @@ sh /etc/ipf.rules.script needs to receive public DNS requests: rdr dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udp - - - - FTP and <acronym>NAT</acronym> FTP has two modes: active mode and passive mode. The difference is in how the data channel is acquired. Passive 
@@ -2564,7 +2392,145 @@ pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep stat # Active mode let data channel in from FTP server pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state - + + When the file containing the NAT rules + is edited after NAT has been started, run + ipnat with to delete + the internal in use NAT rules and flush the + contents of the translation table of all active + entries. + + To reload the NAT rules, issue a + command like this: + + &prompt.root; ipnat -CF -f + /etc/ipnat.rules + + To display some NAT statistics, use + this command: + + &prompt.root; ipnat -s + + To list the NAT table's current + mappings, use this command: + + &prompt.root; ipnat -l + + To turn verbose mode on and display information relating + to rule processing and active rules/table entries: + + &prompt.root; ipnat -v + + + + Building the Rule Script with Symbolic + Substitution + + Some experienced IPF users create a file containing the + rules and code them in a manner compatible with running them + as a script with symbolic substitution. The major benefit + of doing this is that only the value associated with the + symbolic name needs to be changed, and when the script is + run all the rules containing the symbolic name will have the + value substituted in the rules. Being a script, symbolic + substitution can be used to code frequently used values and + substitute them in multiple rules. This can be seen in the + following example. + + The script syntax used here is compatible with the + &man.sh.1;, &man.csh.1;, and &man.tcsh.1; shells. + + Symbolic substitution fields are prefixed with a + $. + + Symbolic fields do not have the $ prefix. + + The value to populate the symbolic field must be enclosed + between double quotes ("). 
+ + Start the rule file with something like this: + + ############# Start of IPF rules script ######################## + +oif="dc0" # name of the outbound interface +odns="192.0.2.11" # ISP's DNS server IP address +myip="192.0.2.7" # my static IP address from ISP +ks="keep state" +fks="flags S keep state" + +# You can choose between building /etc/ipf.rules file +# from this script or running this script "as is". +# +# Uncomment only one line and comment out another. +# +# 1) This can be used for building /etc/ipf.rules: +#cat > /etc/ipf.rules << EOF +# +# 2) This can be used to run script "as is": +/sbin/ipf -Fa -f - << EOF + +# Allow out access to my ISP's Domain name server. +pass out quick on $oif proto tcp from any to $odns port = 53 $fks +pass out quick on $oif proto udp from any to $odns port = 53 $ks + +# Allow out non-secure standard www function +pass out quick on $oif proto tcp from $myip to any port = 80 $fks + +# Allow out secure www function https over TLS SSL +pass out quick on $oif proto tcp from $myip to any port = 443 $fks +EOF +################## End of IPF rules script ######################## + + The rules are not important in this example as it instead + focuses on how the symbolic substitution fields are populated. + If this example was in a file named + /etc/ipf.rules.script, these rules could + be reloaded by running: + + &prompt.root; sh /etc/ipf.rules.script + + There is one problem with using a rules file with embedded + symbolics: IPF does not understand symbolic substitution, and + cannot read such scripts directly. + + This script can be used in one of two ways: + + + + Uncomment the line that begins with + cat, and comment out the line that + begins with /sbin/ipf. Place + ipfilter_enable="YES" into + /etc/rc.conf, and run the script + once after each modification to create or update + /etc/ipf.rules. + + + + Disable IPFILTER in the + system startup scripts by adding + ipfilter_enable="NO"to + /etc/rc.conf. 
+ + Then, add a script like the following to + /usr/local/etc/rc.d/. The script + should have an obvious name like + ipf.loadrules.sh, where the + .sh extension is mandatory. + + #!/bin/sh +sh /etc/ipf.rules.script + + The permissions on this script file must be read, + write, execute for owner + root: + + &prompt.root; chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh + + + + Now, when the system boots, the IPF rules will be + loaded. -- cgit v1.2.3
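Review bot: in the new intro paragraph of the @@ -226 hunk, dropping "The IPF" from "The IPF NAT function enables" left "NAT function enables the private LAN" with no article; since the sentence now describes NAT generically rather than IPF's implementation, suggest "The NAT function enables the private LAN behind the firewall to share a single ISP-assigned IP address". The three RFC 1918 list items also carry trailing periods ("10.0.0.0/8.", "172.16.0.0/12.", "192.168.0.0/16."), which read as part of the address once rendered as a list; drop the periods.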
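Review bot: in the @@ -2286 hunk, collapsing the three rc.conf variables into one screen drops the explanation that gateway_enable="YES" turns on forwarding between interfaces; that is the setting that makes the host a router, distinct from ipnat_enable, and deserves at least a clause in the lead sentence, e.g. "gateway_enable enables forwarding between interfaces, ipnat_enable starts NAT at boot, and ipnat_rules names the file to load". The same hunk removes the only cross-reference to &man.ipnat.8; (the "NAT rules are loaded using ipnat ... See &man.ipnat.8; for details" paragraph) while &man.ipnat.5; is kept; the ipnat -CF/-s/-l/-v commands are still documented later, so the ipnat(8) reference should survive somewhere. Unchanged context line "The LAN_IP_RANGE is used by the internal clients use for IP Addressing" has a doubled verb ("is used by ... use for") and is worth fixing in the content pass the commit message promises.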
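Review bot: in the @@ -2476 hunk, the four lines removed immediately before the "Port Redirection" title (and the matching four before "FTP and NAT" in the @@ -2504 hunk) look like the subsection boundary markup; with the element tags not visible in this view I cannot confirm the nesting is still balanced, so run the doc tree's lint target or xmllint before committing to make sure "Port Redirection" is still rendered as a heading and every section that was opened is still closed. The reworded clause "but port redirection is also needed to direct the inbound traffic to the correct server" is clearer than the old "there has to be some way to direct", keep it.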
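Review bot: in the @@ -2564 hunk, the moved reload command is still split across two lines inside the screen ("ipnat -CF -f" on one line, "/etc/ipnat.rules" on the next), so the rendered example shows the file name on its own line and is not copy-pasteable; join it as "ipnat -CF -f /etc/ipnat.rules". Two nits carried over verbatim from the removed copy: "ipfilter_enable="NO"to" is missing a space before "to", and "Uncomment only one line and comment out another" should read "comment out the other". On the loader script: the text requires chmod 700 on /usr/local/etc/rc.d/ipf.loadrules.sh, but what actually runs as root at boot is /etc/ipf.rules.script (which in turn runs "/sbin/ipf -Fa -f -"), so the same root ownership and no-group/other-write requirement should be stated for /etc/ipf.rules.script as well; a writable rules script lets any local user who can edit it replace the firewall policy. Also worth a sentence that "-Fa" flushes the active rule set before the new one is read, so a syntax error in the script leaves the host with no filter rules until it is corrected.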