Firewall Wizards mailing list archives

Re: Firewall with FreeBSD 3.3


From: Saso <Saso () vsecureit net>
Date: Sat, 11 Dec 1999 17:42:44 +0100

In message <19991209175846.6570.qmail () hotmail com>, "Adidas Boy" writes:

> I recently decided I wanted to create a machine that had the above features
> but also did more firewall type of stuff. I have been trying to do some
> research and learned a little about natd and ipfw, which does some type of
> ruleset things. I'm trying to accomplish the following and wanted some help
> from any one of you that could help me. What I want to achieve is that all
> external real IPs on the internet be mapped to a certain fake IP, so all
> requests would have to go through the firewall. So, for instance:
>
> computer 1:
>  internal ip: 10.0.0.1
>
> computer 2:
>  internal ip: 10.0.0.2
>
> then have the firewall have something like this:
>
> 205.1.2.1 -> 10.0.0.1
> 205.1.2.2 -> 10.0.0.2
>
> so in essence the firewall would listen to 205.1.2.1, 205.1.2.2, etc.
> and then route to the appropriate machine so the person on the outside could
> never really talk directly to the machine. Can this be done with natd and
> what would I need to do to the configuration to make this work?
>
> Any help would be appreciated!

First, it can be done.

I know you said you tried ipfw and natd already, but some things can be done a 
lot faster and easier with a better (I'm biased.) set of tools.

Ipfw doesn't keep an internal table of connection states, which can spell 
trouble, because it means you have to keep outgoing rules wide open to let 
simple things like DNS queries work.

I would suggest you give IPFilter a try. It keeps packet state information for 
TCP, UDP and ICMP packets as well as fragment state information for any IP 
packet, meaning it applies the same rule to all fragments.

Good starting points for IPFilter would be http://coombs.anu.edu.au/~avalon/ 
and you should certainly check the how-to page for IPFilter on 
http://www.obfuscation.org/ipf/

Hope this will help you get started.

Regards,

Saso


