Thread: RE: Re[2]: [Fwbuilder-discussion] PopTop
From: LordInfidel <Lor...@di...> - 2004-10-26 12:21:29
For routing to work properly, your remote vpn clients (not ras clients) need to be on a different subnet than your local network. So if your local internal subnet is 192.168.1.0/24, your vpn users can not be on the 192.168.1.0/24 network; they must be on a totally different subnet. This is because hosts on the internal network will not use the gateway to contact the vpn user; they will assume that it is part of the local network. This is *different* from a dial-in ras user, who *can* have an address on the local network.

Now in a NAT'd environment what happens is that your local internal network will nat outbound to a public address. This will confuse the routing table when trying to get to a vpn host located on another non-routable netblock.

So I defined a separate "vpn network" or subnet, and assigned it to my vpn users. Then in the NAT policy, I have to create uniquely unorthodox rules, by saying: when going to the vpn subnet from the internal network, keep the src and dst IPs the same. Kind of like saying "DON'T Perform NAT", which when you have to put it in the NAT policy seems kind of counterintuitive.

But just always remember that pre-route and post-route, depending on which way you are coming, are either the very first thing that is checked or the last. So with vpn's you have to remember these rules:

1. Inbound on the external if, the pre-route table gets checked first.
2. Outbound on the external if, the post-route table gets checked first.
3. All packets go thru the policy, regardless of whether IPsec is used or not.

When a packet leaves your internal network to the vpn network, it:

1. goes thru the policy to see if it is allowed.
2. goes thru the post-route table.
3. the local routing table is checked; if it matches an IPSec route, it is then given to IPSec for processing.

-----Original Message-----
From: fwb...@li... [mailto:fwb...@li...]On Behalf Of Randy
Sent: Thursday, October 21, 2004 2:34 AM
To: LordInfidel; Simon Chappell; fwb...@li...
Subject: Re[2]: [Fwbuilder-discussion] PopTop

Hi,

I am looking to try poptop, for a client with a time-available problem. Can you define what you refer to as the "vpn network" please?

The installation will be on RH 7.3; any other tips or references would be appreciated.

Peter

*********** REPLY SEPARATOR ***********

On 12/10/2004 at 7:05 AM LordInfidel wrote:

>a trick with IPSec and NAT.....
>
>you have to create 2 rules to be at the top of your NAT rules that say:
>
>src            dstn           service   trans src   trans dstn   trans svc
>vpn networks   internal       any       same        same         same
>internal       vpn networks   any       same        same         same
>
>then your real nat rules
>
>What this does is basically say "Don't NAT" the connections when they are
>destined for vpn networks.... Without those 2 rules traffic from your
>internal network will get nat'd as a public address, presented to your
>IPSec implementation of choice, and then lost in routing hell.
>
>You "still" have to have rules in your global policy that allow for
>traffic from the vpn networks to your internal networks.
>
>-----Original Message-----
>From: fwb...@li...
>[mailto:fwb...@li...]On Behalf Of
>Simon Chappell
>Sent: Monday, October 11, 2004 6:50 AM
>To: fwb...@li...
>Subject: [Fwbuilder-discussion] PopTop
>
>
>Hi All,
>
>I have a fwbuilder machine that has been in place for about 6 months now.
>I was hoping to run poptop on it but although I have poptop running
>whenever anyone uses it it seems to break parts of the firewall. All the
>nat ports lose their way and some of the rules just stop working until I
>re-run the script.
>I am looking at installing a poptop box behind the firewall instead but
>this is not ideal so I would rather get it running on the firewall
>itself if possible.
>
>details of the box
>
>
>gentoo linux 2002
>kernel 2.4.25
>fwbuilder 1.1.2
>iptables 1.2.9
>2 nics
>Eth0 External,
>Eth1 193.168.253.3 routes to 12 internal networks on 192.168.49-65.X
>subnets.
>It also runs squid and dansguardian and DNS.
>
>I am wondering if I have to setup ppp0, ppp1 etc in fwbuilder? I tried
>adding ppp0 as unnumbered and it still went screwy.
>
>Any help appreciated.
>
>Simon
>
>-------------------------------------------------------
>This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
>Use IT products in your business? Tell us what you think of them. Give us
>Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
>http://productguide.itmanagersjournal.com/guidepromo.tmpl
>_______________________________________________
>Fwbuilder-discussion mailing list
>Fwb...@li...
>https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion
From: LordInfidel <Lor...@di...> - 2004-10-27 00:56:30
cool.... never thought of doing it that way.... That is a much more efficient method than my way (2 rules negating nat, then the real nat rules for a total of 3 rules); the fewer rules the better is the name of the game.

I'm assuming though you have a second rule for the inverse scenario (this would be needed for 2-way ipsec traffic, since state can not be applied yet to a new inbound request)..... which you would still need to say don't translate....

src: No NAT XLAT Group
dst: LAN Network object
trans src: orig
trans dst: orig

you know though, i'm kind of pissed that I did not think of it (collapsing the 2 rules into 1) earlier......

-----Original Message-----
From: fwb...@li... [mailto:fwb...@li...]On Behalf Of Jeremy T. Bouse
Sent: Tuesday, October 26, 2004 12:53 PM
To: fwb...@li...
Subject: Re: Re[2]: [Fwbuilder-discussion] PopTop

For brevity I've cut out the earlier posts so feel free to look back in the thread if you don't remember what was said.

I would like to just comment how I have my firewall configured, which having worked with Vadim for some time he might consider my rules to use a good majority of the features of Fwbuilder.

For the sake of those who are not familiar with my network topography I have a three zone firewall (LAN, WAN, DMZ) in which the LAN uses RFC1918 address space and the WAN and DMZ have public routable IP addresses. Further, I have a meshed VPN network with several nodes on the east coast which use RFC1918 address space as well.

Now for my topography I don't want any NAT translation between the LAN<->DMZ nor from LAN<->VPN so my design has been to establish a group of hosts and networks to which no NAT translation is to be done when listed as the destination. Then in my NAT table after any static SNAT entries and before any static DNAT (ie- middle of NAT table) I have one rule that states the following:

Orig Src: LAN Network object
Orig Dst: No NAT XLAT Group (Negated)
Trans Src: Firewall object

Now within the "No NAT XLAT" group I have my DMZ network, my local VPN network and remote VPN networks so when a host on my LAN tries to go to any of those networks the firewall/gateway does not perform any NAT translation; however, if a host on the LAN goes to a host not in that group (ie- www.yahoo.com) then it is NAT'd properly.

Now my LAN and DMZ rules then limit what traffic is allowed between the zones. Typically I have all traffic originating from the LAN to either the WAN or DMZ allowed. Limited traffic allowed from DMZ->LAN and WAN->DMZ. No direct traffic from WAN->LAN possible. All VPN traffic is usually allowed as the connections are assigned with known nodes with a known security policy as well.

Regards,
Jeremy
From: Jeremy T. B. <jer...@un...> - 2004-10-26 16:53:17
For brevity I've cut out the earlier posts so feel free to look back in the thread if you don't remember what was said.

I would like to just comment how I have my firewall configured, which having worked with Vadim for some time he might consider my rules to use a good majority of the features of Fwbuilder.

For the sake of those who are not familiar with my network topography I have a three zone firewall (LAN, WAN, DMZ) in which the LAN uses RFC1918 address space and the WAN and DMZ have public routable IP addresses. Further, I have a meshed VPN network with several nodes on the east coast which use RFC1918 address space as well.

Now for my topography I don't want any NAT translation between the LAN<->DMZ nor from LAN<->VPN so my design has been to establish a group of hosts and networks to which no NAT translation is to be done when listed as the destination. Then in my NAT table after any static SNAT entries and before any static DNAT (ie- middle of NAT table) I have one rule that states the following:

Orig Src: LAN Network object
Orig Dst: No NAT XLAT Group (Negated)
Trans Src: Firewall object

Now within the "No NAT XLAT" group I have my DMZ network, my local VPN network and remote VPN networks so when a host on my LAN tries to go to any of those networks the firewall/gateway does not perform any NAT translation; however, if a host on the LAN goes to a host not in that group (ie- www.yahoo.com) then it is NAT'd properly.

Now my LAN and DMZ rules then limit what traffic is allowed between the zones. Typically I have all traffic originating from the LAN to either the WAN or DMZ allowed. Limited traffic allowed from DMZ->LAN and WAN->DMZ. No direct traffic from WAN->LAN possible. All VPN traffic is usually allowed as the connections are assigned with known nodes with a known security policy as well.

Regards,
Jeremy
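Both "don't NAT" designs from this thread, LordInfidel's two explicit "keep src and dst the same" rules placed ahead of the real NAT rule and Jeremy's single SNAT rule with a negated "No NAT XLAT" group, written as raw iptables commands. This is an added example, not code from the thread or from the fwbuilder project; the addresses, interface name and the ipset name are constructed, and the script only echoes the commands unless IPT/IPSET are overridden.

```shell
#!/bin/sh
# Added example (not from the thread or fwbuilder). All values are constructed.
LAN_NET=192.168.1.0/24        # internal LAN (RFC1918)
VPN_NET=10.8.0.0/24           # separate subnet assigned to vpn clients
DMZ_NET=203.0.113.0/28        # DMZ network (documentation range here)
FW_PUBLIC_IP=198.51.100.2     # firewall's external address used for SNAT
WAN_IF=eth0

# Dry run by default so the script can be read and checked anywhere.
# On the firewall: IPT=iptables IPSET=ipset sh thisfile.sh
IPT=${IPT:-echo iptables}
IPSET=${IPSET:-echo ipset}

# Variant 1 (LordInfidel): exemption rules first, then the real SNAT rule.
# The nat table is first-match and POSTROUTING only sees the first packet of
# a connection on its way out, so ACCEPT here means "leave it untranslated".
two_rule_variant() {
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$VPN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$VPN_NET" -d "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" \
         -j SNAT --to-source "$FW_PUBLIC_IP"
}

# Variant 2 (Jeremy): one SNAT rule whose destination is the negated group.
# iptables cannot negate several networks inline, so the "No NAT XLAT" group
# becomes an ipset and the rule matches "destination NOT in the set".
one_rule_variant() {
    $IPSET create nonat hash:net -exist
    $IPSET add nonat "$VPN_NET" -exist
    $IPSET add nonat "$DMZ_NET" -exist
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" \
         -m set ! --match-set nonat dst \
         -j SNAT --to-source "$FW_PUBLIC_IP"
}

# Ordering check for the dry-run output: an exemption appended after the SNAT
# rule never matches, which is the "lost in routing hell" case from the thread.
exemption_precedes_snat() {
    two_rule_variant | awk '/-j ACCEPT/ && !seen_snat {ok=1}
                            /-j SNAT/ {seen_snat=1}
                            END {exit ok ? 0 : 1}'
}

two_rule_variant
one_rule_variant
```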