Firewall Wizards mailing list archives

Re: building a firewall using Mason


From: William Stearns <wstearns () pobox com>
Date: Tue, 7 Mar 2000 15:02:01 -0500 (EST)

Good afternoon, Chris and Bob,

On Tue, 7 Mar 2000, Chris Brenton wrote:

Bob posted the message below to the Firewall-Wizards mailing list. Not
sure if you monitor this list or not. Thought the problem below was

        Belatedly - many thanks for the nudge.

Air Traffic Engineers wrote:

I am currently building a firewall using the Mason package. This has
an auto learn facility and seems to work fine. It has built a firewall
which allows our internal Apache server to provide proxy based
internet access for all on our internal network.

The firewall is a standard "dual homed" set-up with 2 nics, one to
our ISP's router, and one to our internal network. The problem I have
is that incoming www connections are being refused and blocked by the
firewall. I need obviously to be able to overcome this problem. I
suspect that the difficulties lie in the fact that I have no base rule
in the Mason configuration to allow for any incoming traffic, it can't
therefore learn this procedure and write the rules. There was a

        Port forwarding is an exception to Mason's usual method of "listen
for it, then create a matching rule".  You have to manually specify the
combinations of ports you want forwarded to a machine behind the firewall.

default base rule to allow for masquerading out, which merely needed
our IP address range entering to allow the learning process for the
creation of the outgoing rules.

What I need is some help with a rule to allow all incoming www
traffic to be forwarded to the IP address of our Apache server.

I do not have an understanding of ipchains and the principles of
writing this code myself, nor do I wish to have to learn it!

        <shameless Mason plug>
        You shouldn't have to!
        </plug>

I am just trying to set up a one-off firewall that works!

        Allowing incoming connections to masqueraded IPs (which are
generally rfc1918 addresses) behind your firewall requires the use of
Linux's port forwarding.  More information on this tool can be found at
http://ipmasq.cjb.net and the ip masquerade mailing list (info at cjb).
        The section on port forwarding is at (reachable from cjb):
http://members.home.net/ipmasq/ipmasq-HOWTO-1.82-6.html#ss6.8
        The example from that page takes all requests that arrive on port
80 of your external IP address and sends them back to port 80 of the
private IP'd web server (192.168.0.10):

# clear every existing port-forward entry (run once, not once per rule)
/usr/local/sbin/ipportfw -C
# -t = TCP; $extip must already hold the firewall's external IP address
/usr/local/sbin/ipportfw -A -t$extip/80 -R 192.168.0.10/80

Any help appreciated; please e-mail if you can help!

        My skills in port forwarding are limited, but please feel free to
write me or the IP-masquerading mailing list if more information is
needed.
        Either way, let us know how it went.
        Cheers,
        - Bill

---------------------------------------------------------------------------
Windows NT: n.
    32-bit extensions and a graphical shell for a 16-bit patch to an 8-bit
    operating system originally coded for a 4-bit microprocessor,  written
    by a 2-bit company that can't stand for 1 bit of competition.
(Courtesy of Michael Neuffer <neuffer () trudi zdv Uni-Mainz DE>)
--------------------------------------------------------------------------
William Stearns (wstearns () pobox com).  Mason, Buildkernel, named2hosts, 
and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns/
--------------------------------------------------------------------------
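Added example, not Bill's code and not taken from the IP Masquerade HOWTO he links: a dry-run generator for the rules a 2.2-kernel ipchains/ipportfw firewall needs to forward an inbound TCP port to a masqueraded host. It prints the commands for review rather than executing them. Assumptions not stated in the thread: the firewall's input and forward chains are default DENY (which is the usual reason inbound connections are "refused and blocked" on a Mason-built box), ipchains and ipportfw are on the PATH, 203.0.113.5 stands in for the firewall's external address, and the chain ordering (input chain before the port-forward rewrite, forward chain after it) follows the 2.2 packet path described in the ipchains documentation. The script also refuses to forward to a non-RFC 1918 target, and emits `ipportfw -C` exactly once because that flag wipes the whole table, not one entry.

```shell
#!/bin/sh
# Dry-run generator for an inbound TCP port forward on an ipchains/ipportfw
# (kernel 2.2) masquerading firewall. Nothing here is executed.
# Assumptions (not from the original message): default-DENY input and
# forward chains, ipchains/ipportfw on PATH, constructed example addresses.
set -f   # no globbing: we split user input with unquoted expansions below

# Accept only four dot-separated decimal octets, each 0-255.
is_ipv4() {
    addr=$1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# TCP port in 1-65535.
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# RFC 1918 ranges: 10/8, 172.16/12, 192.168/16.
is_rfc1918() {
    case $1 in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Print the three commands for one forward extip:extport -> intip:intport.
# Fails with no output on malformed input or a non-private target.
portfw_rules() {
    extip=$1 extport=$2 intip=$3 intport=$4
    is_ipv4 "$extip" && is_ipv4 "$intip" || return 1
    is_port "$extport" && is_port "$intport" || return 1
    # Only forward into the masqueraded network; a public target is a
    # typo or a misuse and must not be exposed silently.
    is_rfc1918 "$intip" || return 1
    # Assumed 2.2 packet path: the input chain runs before the port-forward
    # rewrite and sees the external address; the forward chain runs after
    # it and sees the internal one. Both need an ACCEPT under default DENY.
    printf '%s\n' "ipchains -A input -p tcp -d $extip $extport -j ACCEPT"
    printf '%s\n' "ipchains -A forward -p tcp -d $intip $intport -j ACCEPT"
    printf '%s\n' "ipportfw -A -t$extip/$extport -R $intip/$intport"
}

# Full ruleset for several forwards: flush the port-forward table once
# (-C empties every entry, so it is never repeated per rule), then add each.
# Each spec is extport:intip:intport.
portfw_script() {
    script_extip=$1; shift
    echo "ipportfw -C"
    for spec in "$@"; do
        old_ifs=$IFS; IFS=:
        set -- $spec
        IFS=$old_ifs
        [ $# -eq 3 ] || return 1
        portfw_rules "$script_extip" "$1" "$2" "$3" || return 1
    done
}

# Constructed example: 203.0.113.5 is the firewall's external address and
# 192.168.0.10 the internal Apache box, as in the HOWTO excerpt above.
portfw_script 203.0.113.5 80:192.168.0.10:80 443:192.168.0.10:443
```

Review the printed commands, then run them on the firewall (or paste them into the script that applies the Mason-generated rules). Keep the forward rule as narrow as the ipportfw entry: accepting only the one destination port on the one internal host means the rest of the masqueraded network stays unreachable even though the firewall is now passing inbound connections.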