Next: Restarting the System Up: IP-Filter Previous: Compiling IP-Filter


Configuring IP-Filter

IP-Filter, if installed as a package, puts its binaries and man pages under /opt/ipf and the configuration files under /etc/opt/ipf. Once you have installed IP-Filter, there is very little you need to do to set up NAT.

Configuring the /etc/opt/ipf/ipnat.conf File

To start using NAT, you will need to create a NAT configuration file, /etc/opt/ipf/ipnat.conf. A sample file is shown in figure 13. These rules map TCP and UDP traffic coming from the 10.5.3.0/24 network (win95 and linux in the case of the example) onto a fresh source port at the IP address of the dp0 interface. The 0.0.0.0/32 on the right-hand side tells ipnat to use whatever address dp0 has at the moment, since that address is assigned dynamically when the connection is made. The first rule hands outgoing FTP to IP-Filter's built-in FTP proxy, which rewrites the PORT command so that active-mode data connections still work through NAT; the last rule, with no portmap clause, catches protocols other than TCP and UDP (ICMP, for example), which have no ports to remap.

Note that connections from the solaris machine itself do not go through NAT: they already carry the dp0 address and are routed straight out through the dp0 interface. You can make everything go through NAT by changing 10.5.3.0/24 to 0.0.0.0/0.

Figure 13: Sample IP-Filter NAT Configuration


#
#	Use the internal FTP proxy for outgoing FTP, so that active-mode
#	data connections (PORT) are rewritten to the dp0 address.
#	ipnat tries map rules in order and uses the first match, so this
#	line must come before the general map rules below.
#
map dp0 10.5.3.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
#
#	Map anything going through dp0 onto the dp0 address
#	(0.0.0.0/32 means "whatever address dp0 has right now").
#	TCP and UDP get a fresh source port in the range 40000-60000;
#	the last line catches everything else (ICMP, for example).
#
map dp0 10.5.3.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
map dp0 10.5.3.0/24 -> 0.0.0.0/32


 

Configuring the /etc/opt/ipf/ipf.conf File

Unix systems tend to be very helpful when supplying services to the outside world, often with many of them switched on by default. Naturally, these services are a magnet for attackers and, now that you have a Unix system connected to the Internet, your private network is reachable through it.

Many ISPs (apparently including ORAC, bless them) already provide packet filtering that prevents some incoming connections to their dial-up systems. This may be all that you need. If this is the case with your ISP, then you can simply leave /etc/opt/ipf/ipf.conf empty; bear in mind that IP-Filter passes everything when it has no rules loaded, so you are then relying entirely on the ISP's filtering.

If you have to do your own packet filtering, and assuming that you simply want all your outgoing connections to work and any attempts at incoming connections to be blocked, you can set up a simple set of IP-Filter rules for just that purpose. These rules are shown in figure 14.

Figure 14: Sample IP-Filter Packet Filtering Rules


#
# --------------------------------------------------------------
# Nasty Packets:
# 	Block any packets which are too short to be real.
block in log quick all with short
#	Block any packets with source routing set
block in log quick all with opt lsrr
block in log quick all with opt ssrr
#
# --------------------------------------------------------------
# Private Network:
#	Allow traffic on le0 and lo0 to pass unimpeded
pass in on le0 all
pass out on le0 all
pass in on lo0 all
pass out on lo0 all
#
# --------------------------------------------------------------
# Public Network (dp0):
#	That which is not explicitly allowed is forbidden.
#	(ipf uses the LAST matching rule unless a rule says "quick",
#	so these two act as defaults that later pass rules override.)
block in log on dp0 all
block out log on dp0 all
#
#	Invalid Internet packets
#		Deny reserved (RFC 1918) source addresses; nothing on the
#		Internet should arrive with one, so treat it as spoofed.
block in log quick on dp0 from 10.0.0.0/8 to any
block in log quick on dp0 from 192.168.0.0/16 to any
block in log quick on dp0 from 172.16.0.0/12 to any
#
#	ICMP Protocols
#		Allow pings out; "keep state" lets the replies back in.
pass out log on dp0 proto icmp all keep state
#
#	TCP/UDP Protocols
#		Allow TCP/UDP requests to go out and keep the results
#		flowing back in (replies match the state table and never
#		reach the block rules).
pass out log on dp0 proto tcp/udp from any to any keep state
#		Allow the FTP data channel back in: active-mode data
#		connections come from the server's port 20 to a high port.
#		The first rule also admits new connections to this host's
#		own port 20, which is only needed if it runs an FTP server.
pass in quick on dp0 proto tcp from any to any port = ftp-data keep state
pass in quick on dp0 proto tcp from any port = ftp-data to any port > 1023 keep state
#
#	Reset/Error for TCP/UDP services: send back a TCP reset or an
#	ICMP network-unreachable to attempts to initiate connections.
block return-rst in log on dp0 proto tcp from any to any flags S/SA
block return-icmp(net-unr) in log on dp0 proto udp from any to any


 

If you wish to set up a more sophisticated set of packet filters than this, I suggest that you examine the example rules found in /opt/ipf/examples. You should also consult Building Internet Firewalls, which gives tables of packet filtering rules.[1] Whatever rules you settle on, check them once they are loaded: ipfstat -io lists the input and output rules the kernel actually holds, and ipfstat -hio adds the number of times each rule has matched, which is the quickest way to confirm that a test connection from outside is hitting the rule you expect rather than slipping past it.
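To see what the rules in figure 14 actually do to a given packet, the following Python script models ipf's evaluation order (last match wins, quick stops the search) over a copy of the dp0 rules and runs a few constructed packets through it. This is an added example, not part of the original page and not IP-Filter's own code: it covers only the keywords the figure uses, ignores the state table, logging and the with short/with opt rules, and the addresses 203.0.113.7 and 198.51.100.5 are made-up stand-ins for a remote host and for the address DP gave dp0.

```python
import ipaddress

# Constructed copy of the dp0 rules from figure 14.  The le0/lo0 pass rules
# and the 'with short'/'with opt' rules are left out (no options modelled).
RULES_TEXT = """
block in log on dp0 all
block out log on dp0 all
block in log quick on dp0 from 10.0.0.0/8 to any
pass out log on dp0 proto icmp all keep state
pass out log on dp0 proto tcp/udp from any to any keep state
pass in quick on dp0 proto tcp from any to any port = ftp-data keep state
pass in quick on dp0 proto tcp from any port = ftp-data to any port > 1023 keep state
block return-rst in log on dp0 proto tcp from any to any flags S/SA
block return-icmp(net-unr) in log on dp0 proto udp from any to any
"""
SERVICES = {"ftp": 21, "ftp-data": 20}      # service names the figure uses
OPS = {"=": lambda p, n: p == n, ">": lambda p, n: p > n, "<": lambda p, n: p < n}

def parse_rule(line):
    """Parse one ipf.conf line into a dict; handles only figure 14's keywords."""
    tok = line.split()
    rule = dict(action=tok[0], ret=None, quick=False, iface=None, proto=None,
                src=None, dst=None, sport=None, dport=None, flags=None)
    i = 1
    if tok[i].startswith("return-"):            # return-rst / return-icmp(...)
        rule["ret"], i = tok[i], i + 1
    rule["dir"], i = tok[i], i + 1
    while i < len(tok):
        t, i = tok[i], i + 1
        if t in ("log", "all", "keep", "state"):   # no effect on matching here
            continue
        if t == "quick":
            rule["quick"] = True
        elif t == "on":
            rule["iface"], i = tok[i], i + 1
        elif t == "proto":                       # "tcp/udp" means either one
            rule["proto"], i = set(tok[i].split("/")), i + 1
        elif t in ("from", "to"):
            side = "src" if t == "from" else "dst"
            rule[side] = None if tok[i] == "any" else ipaddress.ip_network(tok[i])
            i += 1
            if i < len(tok) and tok[i] == "port":   # e.g. "port > 1023"
                op, val = tok[i + 1], tok[i + 2]
                rule[side[0] + "port"], i = (op, SERVICES.get(val) or int(val)), i + 3
        elif t == "flags":                       # "S/SA": SYN set, ACK clear
            want, mask = tok[i].split("/")
            rule["flags"], i = (set(want), set(mask)), i + 1
        else:
            raise ValueError("unsupported keyword %r in %r" % (t, line))
    return rule

def matches(rule, pkt):
    if rule["dir"] != pkt["dir"] or (rule["iface"] and rule["iface"] != pkt["iface"]):
        return False
    if rule["proto"] and pkt["proto"] not in rule["proto"]:
        return False
    for side in ("src", "dst"):
        if rule[side] and ipaddress.ip_address(pkt[side]) not in rule[side]:
            return False
        cond, port = rule[side[0] + "port"], pkt.get(side[0] + "port")
        if cond and (port is None or not OPS[cond[0]](port, cond[1])):
            return False
    if rule["flags"]:                            # compare only the masked bits
        want, mask = rule["flags"]
        if pkt["proto"] != "tcp" or (pkt["flags"] & mask) != want:
            return False
    return True

RULES = [parse_rule(line) for line in RULES_TEXT.strip().splitlines()]

def verdict(pkt, rules=RULES):
    """(action, return-option): the LAST matching rule wins unless a matching
    rule says 'quick', which ends the search; no match at all means pass."""
    result = ("pass", None)
    for rule in rules:
        if matches(rule, pkt):
            result = (rule["action"], rule["ret"])
            if rule["quick"]:
                break
    return result

def packet(direction, iface, proto, src, sport, dst, dport, flags="S"):
    return dict(dir=direction, iface=iface, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, flags=set(flags))

# Constructed sample traffic: 203.0.113.0/24 is the documentation range and
# 198.51.100.5 stands in for whatever address DP gave dp0 this time.
SAMPLES = {
    "inbound SSH SYN":     packet("in", "dp0", "tcp", "203.0.113.7", 40000, "198.51.100.5", 22),
    "inbound DNS query":   packet("in", "dp0", "udp", "203.0.113.7", 40000, "198.51.100.5", 53),
    "spoofed 10/8 source": packet("in", "dp0", "tcp", "10.9.9.9", 40000, "198.51.100.5", 22),
    "outbound HTTP SYN":   packet("out", "dp0", "tcp", "198.51.100.5", 40001, "203.0.113.7", 80),
    "active FTP data":     packet("in", "dp0", "tcp", "203.0.113.7", 20, "198.51.100.5", 40123),
    "inbound to port 20":  packet("in", "dp0", "tcp", "203.0.113.7", 4444, "198.51.100.5", 20),
}

if __name__ == "__main__":
    print("\n".join("%-20s -> %s" % (n, verdict(p)) for n, p in SAMPLES.items()))
```

Running it prints one verdict per sample. Two results are worth noticing: a packet with a 10/8 source is dropped silently, because the quick rule ends the search before the return-rst rule is reached, and a new connection to this host's own port 20 is passed by the first ftp-data rule, which is the exposure to remove if the machine does not serve FTP.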


Informing IP-Filter That the Dynamic Address has Changed

If you are using filtering rules, then you will need to inform IP-Filter of the fact that DP (section 4) has changed your IP address every time it dials up. To do this, add the line /sbin/ipf -y to /opt/dp/aux/aux_script. This script is run every time DP makes a connection, and ipf -y tells IP-Filter to re-read the interface list and addresses it has cached for its rules, so that the new dp0 address is used from then on.


Doug Palmer 2003-02-15