全球主机交流论坛

标题: 请教FreeBSD ipfw nat 内核级端口转发问题... [打印本页]

作者: KDE 时间: 2021-7-15 20:39
标题: 请教FreeBSD ipfw nat 内核级端口转发问题...
cat /etc/rc.conf
firewall_enable="YES"
firewall_type="open"
gateway_enable="YES"

#!/bin/sh
kldload ipfw_nat
ipfw -q -f flush
ipfw nat 1 config if em0 redirect_port tcp 10.1.1.254:80 80
ipfw -q -add 65535 deny ip from any to any

防火墙打算以白名单模式运行,所以最后是拒绝没有允许的流量.

FreeBSD 系统版本12.2 运行在家里局域网esxi
FreeBSD 网络接口 "em0"
FreeBSD IP地址 "10.1.1.230"
需要转发的地址 "10.1.1.254"
需要转发的端口 "TCP 80"

当我关闭防火墙,转发命令才生效,我想知道转发端口还需要什么规则的???
关闭防火墙的命令,在拒绝前插入.
ipfw -q -add 65534 allow ip from any to any

-------------

cat <<EOF> /root/ipfw
#!/bin/sh
kldload ipfw_nat
ipfw -q -f flush
ipfw nat 1 config if em0 redirect_port tcp 10.1.1.254:80 80
ipfw -q add 00100 allow all from any to any via lo0
ipfw -q add 00200 allow icmp from any to any
ipfw -q add 00300 allow tcp from any to any 22,2222,80,443,8443,53,853 setup keep-state
ipfw -q add 00400 allow udp from any to any 53,853,4000,5000 keep-state
ipfw -q -add 65535 deny ip from any to any
EOF

这是白名单模式....

关了防火墙ipfw转发才生效....

作者: optimism 时间: 2021-7-15 20:40
这就要等个大佬了

作者: KDE 时间: 2021-7-15 20:41

optimism 发表于 2021-7-15 20:40
这就要等个大佬了

官方论坛也问了,在等回复.....

https://forums.freebsd.org/threa ... ward-ports.81337///

作者: LiuJia 时间: 2021-7-16 15:42
楼主您好，

是否可能是：

Sometimes you may want to mix NAT and dynamic rules.  It could be
   achieved with record-state and defer-action options.  Problem is, you
   need to create dynamic rule before NAT and check it after NAT actions (or
   vice versa) to have consistent addresses and ports.  Rule with keep-state
   option will trigger activation of existing dynamic state, and action of
   such rule will be performed as soon as rule is matched.  In case of NAT
   and allow rule packet need to be passed to NAT, not allowed as soon is
   possible.

   There is example of set of rules to achieve this. Bear in mind that this
   is example only and it is not very useful by itself.

   On way out, after all checks place this rules:

   ipfw add allow record-state skip-action
   ipfw add nat 1

   And on way in there should be something like this:

   ipfw add nat 1
   ipfw add check-state

   Please note, that first rule on way out doesn't allow packet and doesn't
   execute existing dynamic rules.  All it does, create new dynamic rule
   with allow action, if it is not created yet.  Later, this dynamic rule is
   used on way in by check-state rule.

https://www.freebsd.org/cgi/man.cgi?ipfw(8)

作者: KDE 时间: 2021-7-16 21:16

LiuJia 发表于 2021-7-16 15:42
楼主您好，

是否可能是：

ipfw nat 1 config redirect_port tcp 10.1.1.254:80 80
ipfw add nat 1 all from any to any
ipfw add allow record-state skip-action
ipfw add nat 1
ipfw add check-state

再次复习ipfw官网man,还是老问题...
加了ipfw add nat 1 all from any to any才通,然而加了这个防火墙就相当于关闭了,没开放的端口泄露出去了...

作者: LiuJia 时间: 2021-7-25 11:29

KDE 发表于 2021-7-16 21:16
ipfw nat 1 config redirect_port tcp 10.1.1.254:80 80
ipfw add nat 1 all from any to any
ipfw add a ...

您好，

我在我本地的FreeBSD机试了一下，或许重点是需要设置skipto的规则。即用skipto来放行nat的的相应通讯，但拦截其它。

例子一：https://docs.freebsd.org/doc/12.2-RELEASE/usr/local/share/doc/freebsd/zh_CN.UTF-8/books/handbook/firewalls-ipfw.html

例子二：https://www.neelc.org/posts/freebsd-ipfw-nat/

作者: KDE 时间: 2021-7-25 21:20

LiuJia 发表于 2021-7-25 11:29
您好，

我在我本地的FreeBSD机试了一下，或许重点是需要设置skipto的规则。即用skipto来放行nat的的相应 ...

谢谢大佬答复

官方说ipfw的NAT一般用户LAN之后的,感觉没有firewalld iptables方便

现在转RHEL系了...注册了开发者账户,可以免费使用1年,无限续签...

欢迎光临全球主机交流论坛 (https://sunk.eu.org/)

Powered by Discuz! X3.4