m0n0wall Forum > m0n0wall Support (English) > Firewall/NAT
Topic: Bridge & IP spoofing (Read 2398 times)
Bridge & IP spoofing
« on: May 15, 2007, 13:51:50 »
Mach
Posts: 2
Internal Side --- M0N0 --- External Side
192.168.0.x      (bridge)
172.x.x.x                  172.x.x.x
Internal Side: 30 PCs (2 IPs per machine), connected to a switch; the switch is connected to netcard "Int" of M0N0.
External Side: cable with the 172.x.x.x network connected to netcard "Ext".
Bridge: broadcasting is necessary.
Required:
Block access from/to the 192.168.0.x network through M0N0.
Protect the "Int" side machines on both nets (192.168.0.x, 172.18.x.x) from IP spoofing.
Used config:
<?xml version="1.0"?>
<m0n0wall>
<version>1.4</version>
<lastchange>1169699550</lastchange>
<system>
<shellcmd>kldload ipfw</shellcmd>
<shellcmd>ipfw add deny all from 192.168.0.0/31 to any out via lnc2</shellcmd>
<shellcmd>ipfw add deny all from any to 192.168.0.0/31 in via lnc2</shellcmd>
<shellcmd>arp -s 172.18.2.204 00:0a:48:10:18:db</shellcmd>
<shellcmd>arp -s 172.18.1.191 00:80:48:b5:a6:07</shellcmd>
<shellcmd>arp -s 172.18.1.221 00:0d:61:58:2f:81</shellcmd>
<shellcmd>arp -s 172.18.1.192 00:0d:61:58:2e:5b</shellcmd>
<shellcmd>arp -s 172.18.1.193 00:0d:61:91:c5:9c</shellcmd>
<shellcmd>arp -s 172.18.1.194 00:0d:61:91:b7:ab</shellcmd>
<shellcmd>arp -s 172.18.1.208 00:0d:61:58:0a:cf</shellcmd>
<shellcmd>arp -s 172.18.1.222 00:0d:61:58:2e:59</shellcmd>
<shellcmd>arp -s 172.18.1.209 00:0d:61:91:c3:3e</shellcmd>
<shellcmd>arp -s 172.18.1.210 00:0d:61:91:c4:50</shellcmd>
<shellcmd>arp -s 172.18.1.211 00:0d:61:58:0a:91</shellcmd>
<shellcmd>arp -s 172.18.1.212 00:0d:61:58:2e:5a</shellcmd>
<shellcmd>arp -s 172.18.1.223 00:0d:61:55:3a:69</shellcmd>
<shellcmd>arp -s 172.18.1.213 00:0d:61:58:09:47</shellcmd>
<shellcmd>arp -s 172.18.1.214 00:0d:61:58:0a:90</shellcmd>
<shellcmd>arp -s 172.18.1.215 00:0d:61:58:0a:92</shellcmd>
<shellcmd>arp -s 172.18.1.216 00:0d:61:58:2f:7f</shellcmd>
<shellcmd>arp -s 172.18.1.224 00:0d:61:58:0a:d0</shellcmd>
<shellcmd>arp -s 172.18.1.217 00:0d:61:91:ae:7b</shellcmd>
<shellcmd>arp -s 172.18.1.218 00:0d:61:91:c4:2d</shellcmd>
<shellcmd>arp -s 172.18.1.219 00:0d:61:91:41:aa</shellcmd>
<shellcmd>arp -s 172.18.1.220 00:0d:61:55:22:6a</shellcmd>
<hostname>m0n0wall</hostname>
<domain>local</domain>
<dnsserver/>
<dnsallowoverride/>
<username>admin</username>
<password>$1$2xGLA75j$W/jiJc00HYBZX7kFjxjQv0</password>
<timezone>Etc/UTC</timezone>
<time-update-interval>300</time-update-interval>
<timeservers>pool.ntp.org</timeservers>
<webgui>
<noassigninterfaces/>
<protocol>http</protocol>
<certificate/>
<private-key/>
</webgui>
<disableconsolemenu/>
<disablefirmwarecheck/>
<harddiskstandby/>
</system>
<interfaces>
<lan>
<if>lnc0</if>
<ipaddr>10.0.0.1</ipaddr>
<subnet>24</subnet>
<media/>
<mediaopt/>
</lan>
<wan>
<if>lnc1</if>
<mtu/>
<media/>
<mediaopt/>
<spoofmac/>
<ipaddr>172.18.1.208</ipaddr>
<subnet>16</subnet>
<gateway>172.18.0.1</gateway>
</wan>
<opt1>
<if>lnc2</if>
<descr>bridge</descr>
<ipaddr>192.168.0.253</ipaddr>
<subnet>31</subnet>
<bridge>wan</bridge>
<enable/>
</opt1>
</interfaces>
<staticroutes/>
<pppoe/>
<pptp/>
<bigpond/>
<dyndns>
<type>dyndns</type>
<username/>
<password/>
<host/>
<mx/>
</dyndns>
<dnsupdate/>
<dhcpd>
<lan>
<range>
<from>192.168.0.251</from>
<to>192.168.0.253</to>
</range>
<defaultleasetime/>
<maxleasetime/>
</lan>
</dhcpd>
<pptpd>
<mode/>
<redir/>
<localip/>
<remoteip/>
</pptpd>
<ovpn/>
<dnsmasq>
<enable/>
</dnsmasq>
<snmpd>
<syslocation/>
<syscontact/>
<rocommunity>public</rocommunity>
</snmpd>
<diag>
<ipv6nat>
<ipaddr/>
</ipv6nat>
</diag>
<bridge>
<filteringbridge/>
</bridge>
<syslog/>
<nat/>
<filter>
<rule>
<type>pass</type>
<interface>wan</interface>
<source>
<any/>
</source>
<destination>
<any/>
</destination>
<descr/>
</rule>
<rule>
<type>block</type>
<interface>opt1</interface>
<protocol>tcp/udp</protocol>
<source>
<any/>
<port>67</port>
</source>
<destination>
<any/>
<port>67</port>
</destination>
<frags/>
<descr>block ext bootpc</descr>
</rule>
<rule>
<type>pass</type>
<interface>opt1</interface>
<source>
<address>192.168.0.0/31</address>
<not/>
</source>
<destination>
<address>192.168.0.0/31</address>
<not/>
</destination>
<descr/>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<network>lan</network>
</destination>
<frags/>
<descr>LAN to LAN subnet</descr>
</rule>
<tcpidletimeout/>
</filter>
<shaper/>
<ipsec/>
<aliases/>
<proxyarp>
<proxyarpnet>
<interface>wan</interface>
<network>172.18.0.0/31</network>
<descr/>
</proxyarpnet>
<proxyarpnet>
<interface>opt1</interface>
<network>192.168.0.0/31</network>
<descr/>
</proxyarpnet>
</proxyarp>
<wol/>
<captiveportal/>
<shellcmd>kldload ipfw</shellcmd>
</m0n0wall>
Please help!
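As an added example (not m0n0wall's code and not from the thread), here is how the static ARP list in a config like the one above can be turned into a per-interface anti-spoofing check for the bridge: the internal hosts are the `arp -s` targets plus the posted OPT1 subnet 192.168.0.0/31, so a packet entering wan from one of those addresses, or entering opt1 from any other address, carries a spoofed source. The XML excerpt is constructed in the shape of the post; two of its entries carry a letter o where a hex digit belongs, the kind of typo arp(8) rejects, so the host silently drops out of the internal list.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of the posted config.xml (not the real file).
CONFIG_XML = """<m0n0wall><system>
<shellcmd>kldload ipfw</shellcmd>
<shellcmd>arp -s 172.18.2.204 00:0a:48:10:18:db</shellcmd>
<shellcmd>arp -s 172.18.1.191 00:80:48:b5:a6:07</shellcmd>
<shellcmd>arp -s 172.18.1.211 00:0d:61:58:oa:91</shellcmd>
<shellcmd>arp -s 172.18.1.218 00:od:61:91:c4:2d</shellcmd>
</system></m0n0wall>"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
# The OPT1 (internal side) subnet exactly as posted.
INTERNAL_PRIVATE = ipaddress.ip_network("192.168.0.0/31")


def parse_static_arp(xml_text):
    """Return ({ip: mac} for well-formed 'arp -s' entries, [malformed shellcmds])."""
    hosts, bad = {}, []
    for cmd in ET.fromstring(xml_text).iter("shellcmd"):
        parts = (cmd.text or "").split()
        if parts[:2] != ["arp", "-s"] or len(parts) < 4:
            continue  # kldload and other shellcmds are not ARP entries
        ip, mac = parts[2], parts[3].lower()
        if MAC_RE.match(mac):
            hosts[ipaddress.ip_address(ip)] = mac
        else:
            bad.append(cmd.text)  # arp(8) would reject this; it never takes effect
    return hosts, bad


def is_spoofed(iface, src, internal_hosts):
    """iface is the bridge member the packet entered on: 'opt1' (internal side)
    or 'wan' (external side). internal_hosts is the dict from parse_static_arp."""
    src = ipaddress.ip_address(src)
    internal = src in INTERNAL_PRIVATE or src in internal_hosts
    if iface == "opt1":
        return not internal   # inside host claiming an outside address
    if iface == "wan":
        return internal       # outside host claiming an inside address
    raise ValueError("unknown bridge member: %s" % iface)
```

Because the two malformed entries are dropped, 172.18.1.211 and 172.18.1.218 would be treated as outside hosts and their traffic on opt1 flagged, which is why the static ARP list has to be validated before it is used as the basis of any policy.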
Re: Bridge & IP spoofing
« Reply #1 on: May 16, 2007, 00:17:12 »
cmb
Posts: 851
First, you should never manually add rules, especially if the GUI can handle your needs. In this case it can.
What you want to follow is this:
http://doc.m0n0.ch/handbook/examples-filtered-bridge.html
Static ARP is mostly pointless in a bridge config as well. Your ISP (or whatever is on the 'external side') is where you need to worry about ARP issues in this case.
Re: Bridge & IP spoofing
« Reply #2 on: May 23, 2007, 14:04:09 »
Mach
Posts: 2
Thank you Chris!
I've contacted the ISP & removed the 192.168.x.x network.
The event log shows a conflict with an IP from this net.
The firewall shows a generated conflict message with the ISP's gateway IP & MAC.
I think that the ISP is implicated a bit.