FreeBSD Router/Firewall and Apple iChat (!!Long!!)

Alexco

Well-Known Member
Hello forum,

Here, fitting for Christmas, is the usual firewall/port-forwarding question once again :D.

I want to chat on my Apple iBook using iChat AV. For that, a few UDP/TCP ports have to be opened or forwarded on my firewall (FreeBSD 5.1).

Unfortunately this only partly works.

I can chat peer-to-peer, but I cannot enter any chat rooms (iChat uses AOL's AIM). My iBook is connected to the FreeBSD box over WLAN with the IP 192.168.1.60.

The UDP ports 5060, 5190, 5298, 17421, 16384-16403 and the TCP ports 5190, 5298 are supposed to be redirected to the IP 192.168.1.60. Does it actually do that, or is the error perhaps somewhere else?

Thanks in advance for your effort,

Alex

First, here are the files involved:



/etc/rc.conf:
ifconfig_fxp0="inet 192.168.6.200 netmask 255.255.255.0"
ifconfig_rl0="inet 192.168.1.200 netmask 255.255.255.0"
ifconfig_ed0="up"
rc_debug="NO"
devd_enable="YES"
update_motd="NO"
ipv6_enable="NO"
gateway_enable="YES"
proftpd_enable="YES"
ppp_enable="YES"
ppp_mode="auto"
ppp_profile="tonline"
ppp_nat="NO"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-dynamic -l -f/etc/firewall/natd.conf"

firewall_enable="YES"
firewall_type="OPEN"
firewall_script="/etc/firewall/fwrules"
firewall_logging="YES"

named_enable="YES"
named_flags="-u bind -g bind"
hostname="warpgate.empire"
kern_securelevel_enable="NO"
keymap="german.cp850"
linux_enable="YES"
moused_enable="YES"
moused_port="/dev/cuaa0"
moused_type="auto"
ntpdate_enable="NO"
ntpdate_flags="ntp0.uk.uu.net"
saver="daemon"
sshd_enable="YES"
usbd_enable="YES"
sendmail_enable="NO"
syslogd_flags="-ss"
inetd_enable="YES"
tcp_extensions="YES"



A WLAN access point with the address 192.168.1.1 is attached to rl0; the iBook (192.168.1.60) is on the network through it.



/etc/firewall/natd.conf:
#ftp redirect
redirect_port tcp 192.168.6.200:22 22
redirect_port udp 192.168.6.200:22 22
redirect_port tcp 192.168.6.200:21 21
redirect_port udp 192.168.6.200:21 21
#iChat-AV redirect
redirect_port udp 192.168.1.60:5060 5060
redirect_port udp 192.168.1.60:16384-16403 16384-16403
#iChat/AOL File Transfers
redirect_port tcp 192.168.1.60:5190 5190
redirect_port udp 192.168.1.60:5190 5190
#iChat/Rendezvous file-transfers
redirect_port tcp 192.168.1.60:5298 5298
redirect_port udp 192.168.1.60:5298 5298
redirect_port udp 192.168.1.60:17421 17421



/etc/firewall/fwrules:
#!/bin/sh
#

# Make it "quiet"
fwcmd="/sbin/ipfw -d"

# Flush everything first before we start
${fwcmd} -f flush
#${fwcmd} add check-state

# Set our own variables
int_if1="fxp0" # Internal interface
int_if2="rl0" # Internal interface
out_if1="tun0" # External interface
nat_if1="tun0" # External interface for NAT
open_tcp="20, 21, 22, 113, 5190, 5298, 6881-6999, 17421" # Open ports for tcp
open_udp="20, 21, 5060, 5190, 5298, 16384-16403" # Open ports for udp

int_net1="192.168.6.0/24"
int_msk1="255.255.255.0"

# Setup Loopback
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

# Stop spoofing
${fwcmd} add deny ip from any to any not verrevpath in

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${out_if1}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${out_if1}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${out_if1}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${out_if1}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${out_if1}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${out_if1}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${out_if1}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${out_if1}

# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.

${fwcmd} add divert natd all from any to any via ${nat_if1}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${out_if1}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${out_if1}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${out_if1}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${out_if1}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${out_if1}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${out_if1}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${out_if1}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${out_if1}

# Allow ip
${fwcmd} add allow all from any to any via ${int_if1}
${fwcmd} add allow all from any to any via ${int_if2}
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow access to specified services
${fwcmd} add pass tcp from any to any ${open_tcp} in via ${out_if1}
${fwcmd} add pass udp from any to any ${open_tcp} in via ${out_if1}
${fwcmd} add pass tcp from any to any ${open_tcp} out via ${out_if1}
${fwcmd} add pass udp from any to any ${open_tcp} out via ${out_if1}

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${out_if1} setup

# Allow setup of any other TCP connection
${fwcmd} add check-state
${fwcmd} add deny tcp from any to any established
${fwcmd} add allow tcp from any to any setup keep-state

# Allow DNS queries out in the world
${fwcmd} add pass udp from any to any 53 keep-state

# Allow NTP queries out in the world
${fwcmd} add pass udp from any to any 123 keep-state

# Allow ping
${fwcmd} add pass icmp from any to any

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
 
Hmm, in principle (having skimmed it) that should work. However, in rc.conf you say "firewalltype open". That makes your fw script moot, which by the way I hardly looked at; maybe once I really have no idea what to do ;)

As a natd flag I would also append a "-u" (only private addresses get NATed).

With logic questions like this hardly anyone will have the time and leisure to rack their brains for you, so try it really simply first; if specific problems then show up, the likelihood of being able to fix them is much higher.

Good luck,

-Kaeptn
 
What I noticed at a quick glance:

At the top of the firewall script you write:

open_tcp="20, 21, 22, 113, 5190, 5298, 6881-6999, 17421" # Open ports for tcp
open_udp="20, 21, 5060, 5190, 5298, 16384-16403" # Open ports for udp

and further down where you use it:

# Allow access to specified services
${fwcmd} add pass tcp from any to any ${open_tcp} in via ${out_if1}
${fwcmd} add pass udp from any to any ${open_tcp} in via ${out_if1}
${fwcmd} add pass tcp from any to any ${open_tcp} out via ${out_if1}
${fwcmd} add pass udp from any to any ${open_tcp} out via ${out_if1}

I think it should rather say open_udp here, shouldn't it?

Regards
Jimbo
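A small check, added here as an example and not part of the thread, that derives the ipfw port list for each protocol from the redirect_port lines of natd.conf instead of maintaining open_tcp and open_udp by hand, so the mix-up Jimbo points out (the udp rules reading ${open_tcp}) cannot happen and the firewall opens only what natd actually forwards. The natd.conf content is a constructed excerpt of the one posted above; the helper names ports_from_natd and ipfw_pass_rules are mine.

```shell
#!/bin/sh
# Constructed excerpt of the natd.conf posted above, written to a temp file
# so the example runs offline.
NATD_CONF=$(mktemp)
trap 'rm -f "$NATD_CONF"' EXIT
cat > "$NATD_CONF" <<'EOF'
#ftp redirect
redirect_port tcp 192.168.6.200:22 22
redirect_port udp 192.168.6.200:22 22
#iChat-AV redirect
redirect_port udp 192.168.1.60:5060 5060
redirect_port udp 192.168.1.60:16384-16403 16384-16403
#iChat/AOL File Transfers
redirect_port tcp 192.168.1.60:5190 5190
redirect_port udp 192.168.1.60:5190 5190
EOF

# ports_from_natd PROTO FILE (hypothetical helper): print the external ports
# that natd redirects for PROTO, comma separated, duplicates dropped, in order
# of first appearance. The external port is the last field of a redirect_port
# line, so ranges such as 16384-16403 come through unchanged.
ports_from_natd() {
    awk -v proto="$1" '
        $1 == "redirect_port" && $2 == proto && !seen[$4]++ {
            if (list == "") list = $4; else list = list "," $4
        }
        END { print list }
    ' "$2"
}

# ipfw_pass_rules PROTO FILE EXT_IF (hypothetical helper): emit the in/out
# pass rules for PROTO with the port list taken from the NAT redirects, so a
# udp rule can never end up carrying the tcp port list. Prints nothing when
# natd redirects no ports of that protocol, which keeps the ruleset minimal.
ipfw_pass_rules() {
    ports=$(ports_from_natd "$1" "$2")
    [ -n "$ports" ] || return 0
    printf 'add pass %s from any to any %s in via %s\n' "$1" "$ports" "$3"
    printf 'add pass %s from any to any %s out via %s\n' "$1" "$ports" "$3"
}

# Preview only: on the router each emitted line would be handed to ${fwcmd}.
ipfw_pass_rules tcp "$NATD_CONF" tun0
ipfw_pass_rules udp "$NATD_CONF" tun0
```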
 
Hmmm.
Now that you say it. Tssss. I'm so dumb. (But I don't shop at MediaMarkt either.)

Thanks.
 