Initial shuffle to improve flow of IPF NAT section.

Next commit will review actual content.

Sponsored by: iXsystems
This commit is contained in:
Dru Lavigne 2014-02-23 16:11:36 +00:00
parent b7cdb56eaa
commit 0fc636eba0
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44037


@ -226,6 +226,40 @@
advanced matching abilities capable of defending against the
flood of different attack methods employed by attackers.</para>
<para><acronym>NAT</acronym> stands for <emphasis>Network
Address Translation</emphasis>.
<acronym>NAT</acronym> function enables the private LAN behind
the firewall to share a single ISP-assigned IP address, even
if that address is dynamically assigned. NAT allows each
computer in the LAN to have Internet access, without
having to pay the ISP for multiple Internet accounts or IP
addresses.</para>
<para><acronym>NAT</acronym> will automatically translate the
private LAN IP address for each system on the LAN to the
single public IP address as packets exit the firewall bound
for the public Internet. It also performs the reverse
translation for returning packets.</para>
<para>According to RFC 1918, the following IP address ranges are
reserved for private networks which will never be routed
directly to the public Internet, and therefore are available
for use with NAT:</para>
<itemizedlist>
<listitem>
<para><literal>10.0.0.0/8</literal>.</para>
</listitem>
<listitem>
<para><literal>172.16.0.0/12</literal>.</para>
</listitem>
<listitem>
<para><literal>192.168.0.0/16</literal>.</para>
</listitem>
</itemizedlist>
<warning>
<para>When working with the firewall rules, be <emphasis>very
careful</emphasis>. Some configurations <emphasis>can
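Review bot: the sentence that now opens with "<acronym>NAT</acronym> function enables the private LAN" lost its subject in the move; the text removed further down read "The IPF <acronym>NAT</acronym> function enables", and that wording should be restored so the sentence is grammatical and still says which NAT implementation is meant. Two smaller points in the same hunk: each of the three <itemizedlist> entries carries a trailing period inside the <para> after the <literal> address ("<literal>10.0.0.0/8</literal>."), which reads as part of the prefix and should be dropped, and "private networks which will never be routed" reads better as "private networks that are never routed".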
@ -2158,6 +2192,236 @@ pass in quick on dc0 proto tcp from any to x.x.x.x port = 80 flags S keep state
block in log first quick on dc0 all</programlisting>
</sect2>
<sect2>
<title>Configuring <acronym>NAT</acronym></title>
<indexterm><primary>NAT</primary></indexterm>
<indexterm>
<primary>IP masquerading</primary>
<see>NAT</see>
</indexterm>
<indexterm>
<primary>network address translation</primary>
<see>NAT</see>
</indexterm>
<indexterm><primary><command>ipnat</command></primary></indexterm>
<para>To enable <acronym>NAT</acronym>, add these statements
to <filename>/etc/rc.conf</filename> and specify the name of
the file containing the <acronym>NAT</acronym> rules:</para>
<programlisting>gateway_enable="YES"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"</programlisting>
<para><acronym>NAT</acronym> rules are flexible and can
accomplish many different things to fit the needs of
commercial and home users. The rule syntax presented here has been simplified to
demonstrate common usage.
For a complete rule syntax description, refer to
&man.ipnat.5;.</para>
<para>The syntax for a <acronym>NAT</acronym> rule looks like
this, where <literal>map</literal> starts the rule and
<replaceable>IF</replaceable> should be replaced with the
name of the external
interface:</para>
<programlisting>map <replaceable>IF</replaceable> <replaceable>LAN_IP_RANGE</replaceable> -&gt; <replaceable>PUBLIC_ADDRESS</replaceable></programlisting>
<para>The <replaceable>LAN_IP_RANGE</replaceable> is used by the
internal clients use for IP Addressing. Usually, this is
something like <systemitem
class="ipaddress">192.168.1.0/24</systemitem>. The <replaceable>PUBLIC_ADDRESS</replaceable> can either
be the static external IP address or the special keyword
<literal>0/32</literal> which uses the IP address assigned to
<replaceable>IF</replaceable>.</para>
<para>In IPF, when a packet arrives at the firewall from the LAN
with a public destination, it passes through the outbound
filter rules. <acronym>NAT</acronym> gets its turn at the
packet and applies its rules top down, where the first
matching rule wins. <acronym>NAT</acronym> tests each of its
rules against the packet's interface name and source IP
address. When a packet's interface name matches a
<acronym>NAT</acronym> rule, the packet's source IP address in
the private LAN is checked to see if it falls within the IP
address range specified to the left of the arrow symbol on the
<acronym>NAT</acronym> rule. On a match, the packet has its
source IP address rewritten with the public IP address
obtained by the <literal>0/32</literal> keyword.
<acronym>NAT</acronym> posts an entry in its internal
<acronym>NAT</acronym> table so when the packet returns from
the public Internet it can be mapped back to its original
private IP address and then passed to the filter rules for
processing.</para>
<para>For networks that have large numbers of systems on the
LAN or networks with more than a single LAN, the process of
funneling all those private IP addresses into a single
public IP address becomes a resource problem that may cause
problems with the same port numbers being used many times
across many connections, causing collisions. This section
describes two ways to relieve this resource problem.</para>
<para>The first method is to assign ports to use. A normal
NAT rule would look like:</para>
<programlisting>map dc0 192.168.1.0/24 -&gt; 0/32</programlisting>
<para>In the above rule, the packet's source port is unchanged
as the packet passes through IP<acronym>NAT</acronym>. By
adding the <literal>portmap</literal> keyword,
IP<acronym>NAT</acronym> can be directed to only use
source ports in the specified range. For example, the
following rule will tell IP<acronym>NAT</acronym> to modify
the source port to be within the range shown:</para>
<programlisting>map dc0 192.168.1.0/24 -&gt; 0/32 portmap tcp/udp 20000:60000</programlisting>
<para>Additionally, the <literal>auto</literal> keyword tells
IP<acronym>NAT</acronym> to determine which ports are
available for use:</para>
<programlisting>map dc0 192.168.1.0/24 -&gt; 0/32 portmap tcp/udp auto</programlisting>
<para>The second method is to use a pool of public addresses.
In very large LANs there comes a point where there are
just too many LAN addresses to fit into a single public
address. If a block of public IP addresses is available,
these addresses can be used as a <quote>pool</quote>, and
IP<acronym>NAT</acronym> may pick one of the public IP
addresses as packet addresses are mapped on their way
out.</para>
<para>For example, instead of mapping all packets through a
single public IP address:</para>
<programlisting>map dc0 192.168.1.0/24 -&gt; 204.134.75.1</programlisting>
<para>A range of public IP addresses can be specified either
with a netmask:</para>
<programlisting>map dc0 192.168.1.0/24 -&gt; 204.134.75.0/255.255.255.0</programlisting>
<para>or using CIDR notation:</para>
<programlisting>map dc0 192.168.1.0/24 -&gt; 204.134.75.0/24</programlisting>
<para>A common practice is to have a web server, email server,
database server, and DNS server each segregated to a
different system on the LAN. In this case, the traffic from
these servers still has to undergo <acronym>NAT</acronym>,
but port redirection is also needed to direct the inbound traffic
to the correct server. For example, a web server operating
on LAN address <systemitem
class="ipaddress">10.0.10.25</systemitem> and using a
single public IP address of <systemitem
class="ipaddress">20.20.20.5</systemitem>, would use this
rule:</para>
<programlisting>rdr dc0 20.20.20.5/32 port 80 -&gt; 10.0.10.25 port 80</programlisting>
<para>or:</para>
<programlisting>rdr dc0 0.0.0.0/0 port 80 -&gt; 10.0.10.25 port 80</programlisting>
<para>For a LAN DNS server on a private address of
<systemitem class="ipaddress">10.0.10.33</systemitem> that
needs to receive public DNS requests:</para>
<programlisting>rdr dc0 20.20.20.5/32 port 53 -&gt; 10.0.10.33 port 53 udp</programlisting>
<para>FTP has two modes: active mode and passive mode. The
difference is in how the data channel is acquired. Passive
mode is more secure as the data channel is acquired by the
ordinal ftp session requester. For a good explanation of
FTP and the different modes, see <uri
xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>.</para>
<para>IP<acronym>NAT</acronym> has a built in FTP proxy option
which can be specified on the <acronym>NAT</acronym> map
rule. It can monitor all outbound packet traffic for FTP
active or passive start session requests and dynamically
create temporary filter rules containing the port number
being used by the data channel. This eliminates the
security risk FTP normally exposes the firewall to as it no
longer needs to open large ranges of high order ports for
FTP connections.</para>
<para>This rule will handle all the traffic for the internal
LAN:</para>
<programlisting>map dc0 10.0.10.0/29 -&gt; 0/32 proxy port 21 ftp/tcp</programlisting>
<para>This rule handles the FTP traffic from the
gateway:</para>
<programlisting>map dc0 0.0.0.0/0 -&gt; 0/32 proxy port 21 ftp/tcp</programlisting>
<para>This rule handles all non-FTP traffic from the internal
LAN:</para>
<programlisting>map dc0 10.0.10.0/29 -&gt; 0/32</programlisting>
<para>The FTP <literal>map</literal> rules go before the
<acronym>NAT</acronym> rule so that when a packet matches an
FTP rule, the FTP proxy creates temporary filter rules to
let the FTP session packets pass and undergo
<acronym>NAT</acronym>. All LAN packets that are not FTP
will not match the FTP rules but will undergo
<acronym>NAT</acronym> if they match the third rule.</para>
<para>Only one filter rule is needed for FTP if the
<acronym>NAT</acronym> FTP proxy is used.</para>
<para>Without the FTP proxy, the following three rules will be
needed:</para>
<programlisting># Allow out LAN PC client FTP to public Internet
# Active and passive modes
pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state
# Allow out passive mode data channel high order port numbers
pass out quick on rl0 proto tcp from any to any port &gt; 1024 flags S keep state
# Active mode let data channel in from FTP server
pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</programlisting>
<para>When the file containing the <acronym>NAT</acronym> rules
is edited after <acronym>NAT</acronym> has been started, run
<command>ipnat</command> with <option>-CF</option> to delete
the internal in use <acronym>NAT</acronym> rules and flush the
contents of the translation table of all active
entries.</para>
<para>To reload the <acronym>NAT</acronym> rules, issue a
command like this:</para>
<screen>&prompt.root; <userinput>ipnat -CF -f
/etc/ipnat.rules</userinput></screen>
<para>To display some <acronym>NAT</acronym> statistics, use
this command:</para>
<screen>&prompt.root; <userinput>ipnat -s</userinput></screen>
<para>To list the <acronym>NAT</acronym> table's current
mappings, use this command:</para>
<screen>&prompt.root; <userinput>ipnat -l</userinput></screen>
<para>To turn verbose mode on and display information relating
to rule processing and active rules/table entries:</para>
<screen>&prompt.root; <userinput>ipnat -v</userinput></screen>
</sect2>
<sect2 xml:id="firewalls-ipf-rules-script">
<title>Building the Rule Script with Symbolic
Substitution</title>
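Review bot: the paragraph "This rule will handle all the traffic for the internal LAN" mislabels the first proxy rule; "map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp" only matches FTP control sessions from the LAN, and the closing paragraph of the same block says the third rule is what carries the non-FTP traffic, so this lead-in should read "This rule handles the FTP traffic from the internal LAN". In the non-proxy filter listing the interface is rl0 while every map and rdr rule in the section uses dc0; pick one so the examples can be read as a set. Also in that listing, "pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state" places the port test on the destination, whereas the comment above it describes the active-mode data channel arriving from the server's port 20, so check whether the port clause belongs after "from any". Smaller items: "is used by the internal clients use for IP Addressing" has a duplicated verb; "ordinal ftp session requester" should be "original FTP session requester"; and the <userinput>ipnat -CF -f /etc/ipnat.rules</userinput> is split across two source lines inside <screen>, which renders a line break in the middle of the command.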
@ -2269,304 +2533,6 @@ sh /etc/ipf.rules.script</programlisting>
loaded.</para>
</sect2>
<sect2>
<title>Configuring <acronym>NAT</acronym></title>
<indexterm><primary>NAT</primary></indexterm>
<indexterm>
<primary>IP masquerading</primary>
<see>NAT</see>
</indexterm>
<indexterm>
<primary>network address translation</primary>
<see>NAT</see>
</indexterm>
<para><acronym>NAT</acronym> stands for <emphasis>Network
Address Translation</emphasis>. The IPF
<acronym>NAT</acronym> function enables the private LAN behind
the firewall to share a single ISP-assigned IP address, even
if that address is dynamically assigned. NAT allows each
computer in the LAN to have Internet access, without
having to pay the ISP for multiple Internet accounts or IP
addresses.</para>
<para>In IPF, when a packet arrives at the firewall from the LAN
with a public destination, it passes through the outbound
filter rules. <acronym>NAT</acronym> gets its turn at the
packet and applies its rules top down, where the first
matching rule wins. <acronym>NAT</acronym> tests each of its
rules against the packet's interface name and source IP
address. When a packet's interface name matches a
<acronym>NAT</acronym> rule, the packet's source IP address in
the private LAN is checked to see if it falls within the IP
address range specified to the left of the arrow symbol on the
<acronym>NAT</acronym> rule. On a match, the packet has its
source IP address rewritten with the public IP address
obtained by the <literal>0/32</literal> keyword.
<acronym>NAT</acronym> posts an entry in its internal
<acronym>NAT</acronym> table so when the packet returns from
the public Internet it can be mapped back to its original
private IP address and then passed to the filter rules for
processing.</para>
<para><acronym>NAT</acronym> will automatically translate the
private LAN IP address for each system on the LAN to the
single public IP address as packets exit the firewall bound
for the public Internet. It also performs the reverse
translation for returning packets.</para>
<para>According to RFC 1918, the following IP address ranges are
reserved for private networks which will never be routed
directly to the public Internet, and therefore are available
for use with NAT:</para>
<itemizedlist>
<listitem>
<para><literal>10.0.0.0/8</literal>.</para>
</listitem>
<listitem>
<para><literal>172.16.0.0/12</literal>.</para>
</listitem>
<listitem>
<para><literal>192.168.0.0/16</literal>.</para>
</listitem>
</itemizedlist>
<indexterm><primary><command>ipnat</command></primary></indexterm>
<para>To enable IP<acronym>NAT</acronym>, add these statements
to <filename>/etc/rc.conf</filename>.</para>
<para>To enable the machine to route traffic between
interfaces:</para>
<programlisting>gateway_enable="YES"</programlisting>
<para>To start IP<acronym>NAT</acronym> automatically each
time:</para>
<programlisting>ipnat_enable="YES"</programlisting>
<para>To specify where to load the IP<acronym>NAT</acronym>
rules from:</para>
<programlisting>ipnat_rules="/etc/ipnat.rules"</programlisting>
<para><acronym>NAT</acronym> rules are loaded using
<command>ipnat</command>. Typically, the
<acronym>NAT</acronym> rules are stored in
<filename>/etc/ipnat.rules</filename>. See &man.ipnat.8; for
details.</para>
<para>When the file containing the <acronym>NAT</acronym> rules
is edited after <acronym>NAT</acronym> has been started, run
<command>ipnat</command> with <option>-CF</option> to delete
the internal in use <acronym>NAT</acronym> rules and flush the
contents of the translation table of all active
entries.</para>
<para>To reload the <acronym>NAT</acronym> rules, issue a
command like this:</para>
<screen>&prompt.root; <userinput>ipnat -CF -f
/etc/ipnat.rules</userinput></screen>
<para>To display some <acronym>NAT</acronym> statistics, use
this command:</para>
<screen>&prompt.root; <userinput>ipnat -s</userinput></screen>
<para>To list the <acronym>NAT</acronym> table's current
mappings, use this command:</para>
<screen>&prompt.root; <userinput>ipnat -l</userinput></screen>
<para>To turn verbose mode on and display information relating
to rule processing and active rules/table entries:</para>
<screen>&prompt.root; <userinput>ipnat -v</userinput></screen>
<para><acronym>NAT</acronym> rules are flexible and can
accomplish many different things to fit the needs of
commercial and home users.</para>
<para>The rule syntax presented here has been simplified to
what is most commonly used in a non-commercial environment.
For a complete rule syntax description, refer to
&man.ipnat.5;.</para>
<para>The syntax for a <acronym>NAT</acronym> rule looks like
this:</para>
<programlisting>map <replaceable>IF</replaceable> <replaceable>LAN_IP_RANGE</replaceable> -&gt; <replaceable>PUBLIC_ADDRESS</replaceable></programlisting>
<para>The keyword <literal>map</literal> starts the rule.</para>
<para>Replace <replaceable>IF</replaceable> with the external
interface.</para>
<para>The <replaceable>LAN_IP_RANGE</replaceable> is used by the
internal clients use for IP Addressing. Usually, this is
something like <systemitem
class="ipaddress">192.168.1.0/24</systemitem>.</para>
<para>The <replaceable>PUBLIC_ADDRESS</replaceable> can either
be the static external IP address or the special keyword
<literal>0/32</literal> which uses the IP address assigned to
<replaceable>IF</replaceable>.</para>
<sect3>
<title><acronym>NAT</acronym> for a Large LAN</title>
<para>For networks that have large numbers of systems on the
LAN or networks with more than a single LAN, the process of
funneling all those private IP addresses into a single
public IP address becomes a resource problem that may cause
problems with the same port numbers being used many times
across many connections, causing collisions. This section
describes two ways to relieve this resource problem.</para>
<para>The first method is to assign ports to use. A normal
NAT rule would look like:</para>
<programlisting>map dc0 192.168.1.0/24 -&gt; 0/32</programlisting>
<para>In the above rule, the packet's source port is unchanged
as the packet passes through IP<acronym>NAT</acronym>. By
adding the <literal>portmap</literal> keyword,
IP<acronym>NAT</acronym> can be directed to only use
source ports in the specified range. For example, the
following rule will tell IP<acronym>NAT</acronym> to modify
the source port to be within the range shown:</para>
<programlisting>map dc0 192.168.1.0/24 -&gt; 0/32 portmap tcp/udp 20000:60000</programlisting>
<para>Additionally, the <literal>auto</literal> keyword tells
IP<acronym>NAT</acronym> to determine which ports are
available for use:</para>
<programlisting>map dc0 192.168.1.0/24 -&gt; 0/32 portmap tcp/udp auto</programlisting>
<para>The second method is to use a pool of public addresses.
In very large LANs there comes a point where there are
just too many LAN addresses to fit into a single public
address. If a block of public IP addresses is available,
these addresses can be used as a <quote>pool</quote>, and
IP<acronym>NAT</acronym> may pick one of the public IP
addresses as packet addresses are mapped on their way
out.</para>
<para>For example, instead of mapping all packets through a
single public IP address:</para>
<programlisting>map dc0 192.168.1.0/24 -&gt; 204.134.75.1</programlisting>
<para>A range of public IP addresses can be specified either
with a netmask:</para>
<programlisting>map dc0 192.168.1.0/24 -&gt; 204.134.75.0/255.255.255.0</programlisting>
<para>or using CIDR notation:</para>
<programlisting>map dc0 192.168.1.0/24 -&gt; 204.134.75.0/24</programlisting>
</sect3>
<sect3>
<title>Port Redirection</title>
<para>A common practice is to have a web server, email server,
database server, and DNS server each segregated to a
different system on the LAN. In this case, the traffic from
these servers still has to undergo <acronym>NAT</acronym>,
but there has to be some way to direct the inbound traffic
to the correct server. For example, a web server operating
on LAN address <systemitem
class="ipaddress">10.0.10.25</systemitem> and using a
single public IP address of <systemitem
class="ipaddress">20.20.20.5</systemitem>, would use this
rule:</para>
<programlisting>rdr dc0 20.20.20.5/32 port 80 -&gt; 10.0.10.25 port 80</programlisting>
<para>or:</para>
<programlisting>rdr dc0 0.0.0.0/0 port 80 -&gt; 10.0.10.25 port 80</programlisting>
<para>For a LAN DNS server on a private address of
<systemitem class="ipaddress">10.0.10.33</systemitem> that
needs to receive public DNS requests:</para>
<programlisting>rdr dc0 20.20.20.5/32 port 53 -&gt; 10.0.10.33 port 53 udp</programlisting>
</sect3>
<sect3>
<title>FTP and <acronym>NAT</acronym></title>
<para>FTP has two modes: active mode and passive mode. The
difference is in how the data channel is acquired. Passive
mode is more secure as the data channel is acquired by the
ordinal ftp session requester. For a good explanation of
FTP and the different modes, see <uri
xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>.</para>
<para>IP<acronym>NAT</acronym> has a built in FTP proxy option
which can be specified on the <acronym>NAT</acronym> map
rule. It can monitor all outbound packet traffic for FTP
active or passive start session requests and dynamically
create temporary filter rules containing the port number
being used by the data channel. This eliminates the
security risk FTP normally exposes the firewall to as it no
longer needs to open large ranges of high order ports for
FTP connections.</para>
<para>This rule will handle all the traffic for the internal
LAN:</para>
<programlisting>map dc0 10.0.10.0/29 -&gt; 0/32 proxy port 21 ftp/tcp</programlisting>
<para>This rule handles the FTP traffic from the
gateway:</para>
<programlisting>map dc0 0.0.0.0/0 -&gt; 0/32 proxy port 21 ftp/tcp</programlisting>
<para>This rule handles all non-FTP traffic from the internal
LAN:</para>
<programlisting>map dc0 10.0.10.0/29 -&gt; 0/32</programlisting>
<para>The FTP <literal>map</literal> rules go before the
<acronym>NAT</acronym> rule so that when a packet matches an
FTP rule, the FTP proxy creates temporary filter rules to
let the FTP session packets pass and undergo
<acronym>NAT</acronym>. All LAN packets that are not FTP
will not match the FTP rules but will undergo
<acronym>NAT</acronym> if they match the third rule.</para>
<para>Only one filter rule is needed for FTP if the
<acronym>NAT</acronym> FTP proxy is used.</para>
<para>Without the FTP proxy, the following three rules will be
needed:</para>
<programlisting># Allow out LAN PC client FTP to public Internet
# Active and passive modes
pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state
# Allow out passive mode data channel high order port numbers
pass out quick on rl0 proto tcp from any to any port &gt; 1024 flags S keep state
# Active mode let data channel in from FTP server
pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</programlisting>
</sect3>
</sect2>
<sect2>
<title>IPFSTAT</title>
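Review bot: removing this block drops two pieces of content that the new Configuring NAT section does not carry over: the per-setting explanation of the rc.conf lines ("To enable the machine to route traffic between interfaces:" before gateway_enable="YES"), which is the only place the reader is told why gateway_enable is required for NAT at all, and the sentence "NAT rules are loaded using <command>ipnat</command>. ... See &man.ipnat.8; for details.", which is the only pointer to ipnat(8) as opposed to ipnat(5). Since the commit message says content review comes next, consider carrying both into the new section; the removed <sect3> split (NAT for a Large LAN, Port Redirection, FTP and NAT) also gave this long section navigable headings that the flattened version lacks.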