White space fix only. Translators can ignore.
Sponsored by: iXsystems
This commit is contained in:
Dru Lavigne
parent
07e37e24de
commit
c9a9287d57
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44039
1 changed files with 136 additions and 136 deletions
|
|
@ -179,11 +179,11 @@
|
||||||
xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>.</para>
|
xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>.</para>
|
||||||
|
|
||||||
<para>FTP has two modes: active mode and passive mode. The
|
<para>FTP has two modes: active mode and passive mode. The
|
||||||
difference is in how the data channel is acquired. Passive
|
difference is in how the data channel is acquired. Passive
|
||||||
mode is more secure as the data channel is acquired by the
|
mode is more secure as the data channel is acquired by the
|
||||||
ordinal ftp session requester. For a good explanation of
|
ordinal ftp session requester. For a good explanation of FTP
|
||||||
FTP and the different modes, see <uri
|
and the different modes, see <uri
|
||||||
xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>.</para>
|
xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>.</para>
|
||||||
|
|
||||||
<para>A firewall ruleset can be either
|
<para>A firewall ruleset can be either
|
||||||
<quote>exclusive</quote> or <quote>inclusive</quote>. An
|
<quote>exclusive</quote> or <quote>inclusive</quote>. An
|
||||||
|
|
@ -234,38 +234,37 @@
|
||||||
flood of different attack methods employed by attackers.</para>
|
flood of different attack methods employed by attackers.</para>
|
||||||
|
|
||||||
<para><acronym>NAT</acronym> stands for <emphasis>Network
|
<para><acronym>NAT</acronym> stands for <emphasis>Network
|
||||||
Address Translation</emphasis>.
|
Address Translation</emphasis>. <acronym>NAT</acronym>
|
||||||
<acronym>NAT</acronym> function enables the private LAN behind
|
function enables the private LAN behind the firewall to share a
|
||||||
the firewall to share a single ISP-assigned IP address, even
|
single ISP-assigned IP address, even if that address is
|
||||||
if that address is dynamically assigned. NAT allows each
|
dynamically assigned. NAT allows each computer in the LAN to
|
||||||
computer in the LAN to have Internet access, without
|
have Internet access, without having to pay the ISP for multiple
|
||||||
having to pay the ISP for multiple Internet accounts or IP
|
Internet accounts or IP addresses.</para>
|
||||||
addresses.</para>
|
|
||||||
|
|
||||||
<para><acronym>NAT</acronym> will automatically translate the
|
<para><acronym>NAT</acronym> will automatically translate the
|
||||||
private LAN IP address for each system on the LAN to the
|
private LAN IP address for each system on the LAN to the
|
||||||
single public IP address as packets exit the firewall bound
|
single public IP address as packets exit the firewall bound for
|
||||||
for the public Internet. It also performs the reverse
|
the public Internet. It also performs the reverse translation
|
||||||
translation for returning packets.</para>
|
for returning packets.</para>
|
||||||
|
|
||||||
<para>According to RFC 1918, the following IP address ranges are
|
<para>According to RFC 1918, the following IP address ranges are
|
||||||
reserved for private networks which will never be routed
|
reserved for private networks which will never be routed
|
||||||
directly to the public Internet, and therefore are available
|
directly to the public Internet, and therefore are available
|
||||||
for use with NAT:</para>
|
for use with NAT:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><literal>10.0.0.0/8</literal>.</para>
|
<para><literal>10.0.0.0/8</literal>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><literal>172.16.0.0/12</literal>.</para>
|
<para><literal>172.16.0.0/12</literal>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><literal>192.168.0.0/16</literal>.</para>
|
<para><literal>192.168.0.0/16</literal>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>When working with the firewall rules, be <emphasis>very
|
<para>When working with the firewall rules, be <emphasis>very
|
||||||
|
|
@ -2228,145 +2227,146 @@ ipnat_rules="/etc/ipnat.rules"</programlisting>
|
||||||
|
|
||||||
<para><acronym>NAT</acronym> rules are flexible and can
|
<para><acronym>NAT</acronym> rules are flexible and can
|
||||||
accomplish many different things to fit the needs of both
|
accomplish many different things to fit the needs of both
|
||||||
commercial and home users. The rule syntax presented here has been simplified to
|
commercial and home users. The rule syntax presented here has
|
||||||
demonstrate common usage.
|
been simplified to demonstrate common usage. For a complete
|
||||||
For a complete rule syntax description, refer to
|
rule syntax description, refer to &man.ipnat.5;.</para>
|
||||||
&man.ipnat.5;.</para>
|
|
||||||
|
|
||||||
<para>The basic syntax for a <acronym>NAT</acronym> rule is as
|
<para>The basic syntax for a <acronym>NAT</acronym> rule is as
|
||||||
follows, where <literal>map</literal> starts the rule and
|
follows, where <literal>map</literal> starts the rule and
|
||||||
<replaceable>IF</replaceable> should be replaced with the
|
<replaceable>IF</replaceable> should be replaced with the
|
||||||
name of the external
|
name of the external interface:</para>
|
||||||
interface:</para>
|
|
||||||
|
|
||||||
<programlisting>map <replaceable>IF</replaceable> <replaceable>LAN_IP_RANGE</replaceable> -> <replaceable>PUBLIC_ADDRESS</replaceable></programlisting>
|
<programlisting>map <replaceable>IF</replaceable> <replaceable>LAN_IP_RANGE</replaceable> -> <replaceable>PUBLIC_ADDRESS</replaceable></programlisting>
|
||||||
|
|
||||||
<para>The <replaceable>LAN_IP_RANGE</replaceable> is the range
|
<para>The <replaceable>LAN_IP_RANGE</replaceable> is the range
|
||||||
of <acronym>IP</acronym> addresses used by
|
of <acronym>IP</acronym> addresses used by internal clients.
|
||||||
internal clients. Usually, it is a private address range
|
Usually, it is a private address range such as <systemitem
|
||||||
such as <systemitem
|
class="ipaddress">192.168.1.0/24</systemitem>. The
|
||||||
class="ipaddress">192.168.1.0/24</systemitem>. The <replaceable>PUBLIC_ADDRESS</replaceable> can either
|
<replaceable>PUBLIC_ADDRESS</replaceable> can either be the
|
||||||
be the static external <acronym>IP</acronym> address or the keyword
|
static external <acronym>IP</acronym> address or the keyword
|
||||||
<literal>0/32</literal> which represents the <acronym>IP</acronym> address assigned to
|
<literal>0/32</literal> which represents the
|
||||||
|
<acronym>IP</acronym> address assigned to
|
||||||
<replaceable>IF</replaceable>.</para>
|
<replaceable>IF</replaceable>.</para>
|
||||||
|
|
||||||
<para>In <application>IPF</application>, when a packet arrives
|
<para>In <application>IPF</application>, when a packet arrives
|
||||||
at the firewall from the <acronym>LAN</acronym>
|
at the firewall from the <acronym>LAN</acronym> with a public
|
||||||
with a public destination, it first passes through the outbound
|
destination, it first passes through the outbound rules of the
|
||||||
rules of the firewall ruleset. Then, the packet is passed to the <acronym>NAT</acronym> ruleset
|
firewall ruleset. Then, the packet is passed to the
|
||||||
which is read from the top down, where the first
|
<acronym>NAT</acronym> ruleset which is read from the top
|
||||||
matching rule wins. <application>IPF</application> tests each
|
down, where the first matching rule wins.
|
||||||
<acronym>NAT</acronym> rule against the packet's interface name and source <acronym>IP</acronym>
|
<application>IPF</application> tests each
|
||||||
address. When a packet's interface name matches a
|
<acronym>NAT</acronym> rule against the packet's interface
|
||||||
<acronym>NAT</acronym> rule, the packet's source <acronym>IP</acronym> address in
|
name and source <acronym>IP</acronym> address. When a
|
||||||
the private <acronym>LAN</acronym> is checked to see if it falls within the <acronym>IP</acronym>
|
packet's interface name matches a <acronym>NAT</acronym> rule,
|
||||||
address range specified in <replaceable>LAN_IP_RANGE</replaceable>.
|
the packet's source <acronym>IP</acronym> address in the
|
||||||
On a match, the packet has its
|
private <acronym>LAN</acronym> is checked to see if it falls
|
||||||
source <acronym>IP</acronym> address rewritten with the public <acronym>IP</acronym> address
|
within the <acronym>IP</acronym> address range specified in
|
||||||
specified by <replaceable>PUBLIC_ADDRESS</replaceable>.
|
<replaceable>LAN_IP_RANGE</replaceable>. On a match, the
|
||||||
|
packet has its source <acronym>IP</acronym> address rewritten
|
||||||
|
with the public <acronym>IP</acronym> address specified by
|
||||||
|
<replaceable>PUBLIC_ADDRESS</replaceable>.
|
||||||
<application>IPF</application> posts an entry in its internal
|
<application>IPF</application> posts an entry in its internal
|
||||||
<acronym>NAT</acronym> table so that when the packet returns from
|
<acronym>NAT</acronym> table so that when the packet returns
|
||||||
the Internet, it can be mapped back to its original
|
from the Internet, it can be mapped back to its original
|
||||||
private <acronym>IP</acronym> address before being passed to the firewall rules for
|
private <acronym>IP</acronym> address before being passed to
|
||||||
further processing.</para>
|
the firewall rules for further processing.</para>
|
||||||
|
|
||||||
<para>For networks that have large numbers of internal systems
|
<para>For networks that have large numbers of internal systems
|
||||||
or multiple subnets, the process of
|
or multiple subnets, the process of funneling every private
|
||||||
funneling every private <acronym>IP</acronym> address into a single
|
<acronym>IP</acronym> address into a single public
|
||||||
public <acronym>IP</acronym> address becomes a resource problem. Two methods
|
<acronym>IP</acronym> address becomes a resource problem.
|
||||||
are available to relieve this issue.</para>
|
Two methods are available to relieve this issue.</para>
|
||||||
|
|
||||||
<para>The first method is to assign a range of ports to use
|
<para>The first method is to assign a range of ports to use as
|
||||||
as source ports. By
|
source ports. By adding the <literal>portmap</literal>
|
||||||
adding the <literal>portmap</literal> keyword,
|
keyword, <acronym>NAT</acronym> can be directed to only use
|
||||||
<acronym>NAT</acronym> can be directed to only use
|
source ports in the specified range:</para>
|
||||||
source ports in the specified range:</para>
|
|
||||||
|
|
||||||
<programlisting>map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000</programlisting>
|
<programlisting>map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000</programlisting>
|
||||||
|
|
||||||
<para>Alternately, use the <literal>auto</literal> keyword which tells
|
<para>Alternately, use the <literal>auto</literal> keyword
|
||||||
<acronym>NAT</acronym> to determine the ports that are
|
which tells <acronym>NAT</acronym> to determine the ports
|
||||||
available for use:</para>
|
that are available for use:</para>
|
||||||
|
|
||||||
<programlisting>map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto</programlisting>
|
<programlisting>map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto</programlisting>
|
||||||
|
|
||||||
<para>The second method is to use a pool of public addresses.
|
<para>The second method is to use a pool of public addresses.
|
||||||
This is useful when there are
|
This is useful when there are too many
|
||||||
too many <acronym>LAN</acronym> addresses to fit into a single public
|
<acronym>LAN</acronym> addresses to fit into a single public
|
||||||
address and a block of public <acronym>IP</acronym> addresses is available.
|
address and a block of public <acronym>IP</acronym> addresses
|
||||||
These public addresses can be used as a pool from which
|
is available. These public addresses can be used as a pool
|
||||||
<acronym>NAT</acronym> selects an <acronym>IP</acronym> address
|
from which <acronym>NAT</acronym> selects an
|
||||||
as a packet's address is mapped on its way
|
<acronym>IP</acronym> address as a packet's address is
|
||||||
out.</para>
|
mapped on its way out.</para>
|
||||||
|
|
||||||
<para>The range of public <acronym>IP</acronym> addresses can
|
<para>The range of public <acronym>IP</acronym> addresses can
|
||||||
be specified
|
be specified using a netmask or <acronym>CIDR</acronym>
|
||||||
using a netmask or <acronym>CIDR</acronym> notation. These
|
notation. These two rules are equivalent:</para>
|
||||||
two rules are equivalent:</para>
|
|
||||||
|
|
||||||
<programlisting>map dc0 192.168.1.0/24 -> 204.134.75.0/255.255.255.0
|
<programlisting>map dc0 192.168.1.0/24 -> 204.134.75.0/255.255.255.0
|
||||||
map dc0 192.168.1.0/24 -> 204.134.75.0/24</programlisting>
|
map dc0 192.168.1.0/24 -> 204.134.75.0/24</programlisting>
|
||||||
|
|
||||||
<para>A common practice is to have a publically accessible web server or mail server
|
<para>A common practice is to have a publically accessible web
|
||||||
segregated to an internal
|
server or mail server segregated to an internal network
|
||||||
network segment. The traffic from
|
segment. The traffic from these servers still has to undergo
|
||||||
these servers still has to undergo <acronym>NAT</acronym>,
|
<acronym>NAT</acronym>, but port redirection is needed to
|
||||||
but port redirection is needed to direct inbound traffic
|
direct inbound traffic to the correct server. For example, to
|
||||||
to the correct server. For example, to map a web server using
|
map a web server using the internal address <systemitem
|
||||||
the internal address <systemitem
|
class="ipaddress">10.0.10.25</systemitem> to its public
|
||||||
class="ipaddress">10.0.10.25</systemitem> to its
|
<acronym>IP</acronym> address of <systemitem
|
||||||
public <acronym>IP</acronym> address of <systemitem
|
class="ipaddress">20.20.20.5</systemitem>, use this
|
||||||
class="ipaddress">20.20.20.5</systemitem>, use this
|
rule:</para>
|
||||||
rule:</para>
|
|
||||||
|
|
||||||
<programlisting>rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80</programlisting>
|
<programlisting>rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80</programlisting>
|
||||||
|
|
||||||
<para>If it is the only web server, this rule would also work
|
<para>If it is the only web server, this rule would also work as
|
||||||
as it redirects all external <acronym>HTTP</acronym>
|
it redirects all external <acronym>HTTP</acronym> requests to
|
||||||
requests to <literal>10.0.10.25</literal>:</para>
|
<literal>10.0.10.25</literal>:</para>
|
||||||
|
|
||||||
<programlisting>rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.25 port 80</programlisting>
|
<programlisting>rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.25 port 80</programlisting>
|
||||||
|
|
||||||
<para><application>IPF</application> has a built in
|
<para><application>IPF</application> has a built in
|
||||||
<acronym>FTP</acronym> proxy
|
<acronym>FTP</acronym> proxy which can be used with
|
||||||
which can be used with <acronym>NAT</acronym>.
|
<acronym>NAT</acronym>. It monitors all outbound traffic for
|
||||||
It monitors all outbound traffic for active or passive <acronym>FTP</acronym>
|
active or passive <acronym>FTP</acronym> connection requests
|
||||||
connection requests and dynamically
|
and dynamically creates temporary filter rules containing the
|
||||||
creates temporary filter rules containing the port number
|
port number used by the <acronym>FTP</acronym> data channel.
|
||||||
used by the <acronym>FTP</acronym> data channel. This eliminates the
|
This eliminates the need to open large ranges of high order
|
||||||
need to open large ranges of high order ports for
|
ports for <acronym>FTP</acronym> connections.</para>
|
||||||
<acronym>FTP</acronym> connections.</para>
|
|
||||||
|
|
||||||
<para>This rule will handle all the traffic for the internal
|
<para>This rule will handle all the traffic for the internal
|
||||||
LAN:</para>
|
LAN:</para>
|
||||||
|
|
||||||
<programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp</programlisting>
|
<programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp</programlisting>
|
||||||
|
|
||||||
<para>This rule handles the <acronym>FTP</acronym> traffic from the
|
<para>This rule handles the <acronym>FTP</acronym> traffic from
|
||||||
gateway:</para>
|
the gateway:</para>
|
||||||
|
|
||||||
<programlisting>map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp</programlisting>
|
<programlisting>map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp</programlisting>
|
||||||
|
|
||||||
<para>This rule handles all non-<acronym>FTP</acronym> traffic from the internal
|
<para>This rule handles all non-<acronym>FTP</acronym> traffic
|
||||||
LAN:</para>
|
from the internal LAN:</para>
|
||||||
|
|
||||||
<programlisting>map dc0 10.0.10.0/29 -> 0/32</programlisting>
|
<programlisting>map dc0 10.0.10.0/29 -> 0/32</programlisting>
|
||||||
|
|
||||||
<para>The <acronym>FTP</acronym> <literal>map</literal> rules go before the
|
<para>The <acronym>FTP</acronym> <literal>map</literal> rules go
|
||||||
<acronym>NAT</acronym> rule so that when a packet matches an
|
before the <acronym>NAT</acronym> rule so that when a packet
|
||||||
<acronym>FTP</acronym> rule, the <acronym>FTP</acronym> proxy creates temporary filter rules to
|
matches an <acronym>FTP</acronym> rule, the
|
||||||
let the <acronym>FTP</acronym> session packets pass and undergo
|
<acronym>FTP</acronym> proxy creates temporary filter rules to
|
||||||
<acronym>NAT</acronym>. All LAN packets that are not <acronym>FTP</acronym>
|
let the <acronym>FTP</acronym> session packets pass and
|
||||||
will not match the <acronym>FTP</acronym> rules but will undergo
|
undergo <acronym>NAT</acronym>. All LAN packets that are not
|
||||||
<acronym>NAT</acronym> if they match the third rule.</para>
|
<acronym>FTP</acronym> will not match the
|
||||||
|
<acronym>FTP</acronym> rules but will undergo
|
||||||
|
<acronym>NAT</acronym> if they match the third rule.</para>
|
||||||
|
|
||||||
<para>Only one filter rule is needed for <acronym>FTP</acronym> if the
|
<para>Only one filter rule is needed for <acronym>FTP</acronym>
|
||||||
<acronym>NAT</acronym> <acronym>FTP</acronym> proxy is used.</para>
|
if the <acronym>NAT</acronym> <acronym>FTP</acronym> proxy is
|
||||||
|
used.</para>
|
||||||
|
|
||||||
<para>Without the <acronym>FTP</acronym> proxy, the following three rules will be
|
<para>Without the <acronym>FTP</acronym> proxy, the following
|
||||||
needed:</para>
|
three rules will be needed:</para>
|
||||||
|
|
||||||
<programlisting># Allow out LAN PC client FTP to public Internet
|
<programlisting># Allow out LAN PC client FTP to public Internet
|
||||||
# Active and passive modes
|
# Active and passive modes
|
||||||
pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state
|
pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue