From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 10 03:50:09 2007
From: "Glen Prestidge" <tool_box@westnet.com.au>
To: freebsd-ipfw@freebsd.org
Date: Sun, 10 Jun 2007 11:25:11 +0800
Subject: ipfw port forwarding problems
Message-ID: <002501c7ab0e$f3fceec0$1e01a8c0@mars>
List-Id: IPFW Technical Discussions

Hi all,

I am trying to set up SC VNC, which I want to use when I need to support my customers. I am having problems placing these firewall rules so that they will allow the traffic.
Here are my rules:

############################
#
# Define your variables
#
fwcmd="/sbin/ipfw"        # leave as is if using ipfw
oif="vr0"                 # set to outside interface name
onwr="10.1.1.0/8"         # set to outside network range
oip="10.1.1.4"            # set to outside ip address
iif="re0"                 # set to internal interface name
inwr="192.168.1.0/24"     # set to internal network range
iip="192.168.1.1"         # set to internal ip address
ntp="202.72.191.202"
ns1="203.10.1.17"         # set to primary name server, best if = oif
#
# End of required user input if you only intend to allow ssh connections to
# this box from the outside. If other services are required, edit line 96
# as necessary.
#
# Rules with descriptions
#
#
# Force a flush of the current firewall rules before we reload
$fwcmd -f flush
#
# Allow your loop back to work
$fwcmd add allow all from any to any via lo0
#
# Prevent spoofing of your loopback
$fwcmd add deny log all from any to 127.0.0.0/8
#
# Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif
#
# Stop spoofing from inside your private ip range
$fwcmd add deny log ip from not $inwr to any in via $iif
#
# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
# $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
# $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
#
# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny all from any to 240.0.0.0/4 in via $oif
$fwcmd add deny all from 210.22.175.130 to any in via $oif
# Divert all packets through natd
$fwcmd add divert natd all from any to any via $oif
# Checks packets against dynamic rule set below.
$fwcmd add check-state
#
#
# Allow all established connections to persist (setup required
# for new connections).
$fwcmd add allow tcp from any to any established
# ALL VNC
$fwcmd add fwd 192.168.1.30,5900 tcp from any to any dst-port 5900
# Allow packets in via the VPN interface
$fwcmd add allow ip from any to any in recv ng0
# Allow the rest of the VPN data through
$fwcmd add allow gre from any to any
#
# Allow incoming requests to reach the following services:
# To allow multiple services you may list them separated
# by a comma, for example ...to $oip 22,25,110,80 setup
$fwcmd add allow log tcp from any to $oip 22 setup
# $fwcmd add allow log tcp from any to $oip 80 setup
$fwcmd add allow tcp from any to $oip 25,53 setup
# (as posted this line read "to #oip 21": the shell took "#oip 21 setup" as a
# comment, so no port-21 rule appears in the listing below)
$fwcmd add allow tcp from any to $oip 21 setup
$fwcmd add allow tcp from any to $oip 110 setup
$fwcmd add allow log tcp from any to $oip dst-port 5900 setup
# $fwcmd add allow log tcp from any to any dst-port 5900 setup
# $iop is not defined anywhere above (the variable defined is $oip), so the shell
# expands it to nothing: the first of these two lines loads as
# "allow log tcp from any to any setup" (rule 03000 in the listing below), which
# admits every inbound TCP connection on every port, and the second does not
# parse and is not loaded at all.
$fwcmd add allow log tcp from any to any $iop setup
$fwcmd add allow log tcp from any to $iop setup
$fwcmd add allow log tcp from any to any dst-port 1723 setup
#
# Allow DNS traffic from internet to query your DNS (for reverse
# lookups etc).
$fwcmd add allow udp from any to $ns1 53
#
# Allow time update traffic
$fwcmd add allow udp from $ntp 123 to $oip 123
#
# Allow UDP from local external network so I can tracert from local servers
$fwcmd add allow udp from any 53 to any
$fwcmd add allow udp from any to any 53
# Allow icmp packets for diagnostic purposes (ping traceroute)
# you may wish to leave commented out.
# $fwcmd add allow icmp from any to any
#
# Allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 0
$fwcmd add allow icmp from any to any icmptypes 3
$fwcmd add allow icmp from any to any icmptypes 4
$fwcmd add allow icmp from any to any icmptypes 8
$fwcmd add allow icmp from any to any icmptypes 11
#
# Rules to allow VNC access through the FW (is this needed here?)
$fwcmd add allow tcp from any to any dst-port 5900 in via vr0
$fwcmd add allow tcp from any to any dst-port 5900 out via re0
# Allow any traffic from firewall ip to any going out the
# external interface
$fwcmd add allow ip from $oip to any keep-state out via $oif
#
# Allow any traffic from local network to any passing through the
# internal interface
$fwcmd add allow ip from $inwr to any keep-state via $iif
#
# Deny everything else
$fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.

The lines in bold are the lines I have entered. 192.168.1.30 is the machine in my internal network running the VNC viewer in listen mode, listening on port 5900.

As you can see when an ipfw show is done:

00100 3 144 allow ip from any to any via lo0
00200 0 0 deny log logamount 100 ip from any to 127.0.0.0/8
00300 0 0 deny log logamount 100 ip from 192.168.1.0/24 to any in via vr0
00400 0 0 deny log logamount 100 ip from not 192.168.1.0/24 to any in via re0
00500 0 0 deny log logamount 100 ip from 192.168.0.0/16 to any in via vr0
00600 0 0 deny log logamount 100 ip from 172.16.0.0/12 to any in via vr0
00700 0 0 deny log logamount 100 ip from any to 192.168.0.0/16 in via vr0
00800 0 0 deny log logamount 100 ip from any to 172.16.0.0/12 in via vr0
00900 0 0 deny ip from 0.0.0.0/8 to any in via vr0
01000 0 0 deny ip from 169.254.0.0/16 to any in via vr0
01100 0 0 deny ip from 192.0.2.0/24 to any in via vr0
01200 0 0 deny ip from 224.0.0.0/4 to any in via vr0
01300 0 0 deny ip from 240.0.0.0/4 to any in via vr0
01400 0 0 deny ip from any to 0.0.0.0/8 in via vr0
01500 0 0 deny ip from any to 169.254.0.0/16 in via vr0
01600 0 0 deny ip from any to 192.0.2.0/24 in via vr0
01700 0 0 deny ip from any to 224.0.0.0/4 in via vr0
01800 0 0 deny ip from any to 240.0.0.0/4 in via vr0
01900 0 0 deny ip from 210.22.175.130 to any in via vr0
02000 288 28799 divert 8668 ip from any to any via vr0
02100 0 0 check-state
02200 185 18064 allow tcp from any to any established
02300 3 144 fwd 192.168.1.30,5900 tcp from any to any dst-port 5900
02400 0 0 allow ip from any to any in recv ng0
02500 288 32928 allow gre from any to any
02600 0 0 allow log logamount 100 tcp from any to 10.1.1.4 dst-port 22 setup
02700 0 0 allow tcp from any to 10.1.1.4 dst-port 25,53 setup
02800 0 0 allow tcp from any to 10.1.1.4 dst-port 110 setup
02900 0 0 allow log logamount 100 tcp from any to 10.1.1.4 dst-port 5900 setup   (packets aren't getting here)
03000 6 384 allow log logamount 100 tcp from any to any setup
03100 0 0 allow log logamount 100 tcp from any to any dst-port 1723 setup
03200 0 0 allow udp from any to 203.10.1.17 dst-port 53
03300 0 0 allow udp from 202.72.191.202 123 to 10.1.1.4 dst-port 123
03400 12 1178 allow udp from any 53 to any
03500 12 780 allow udp from any to any dst-port 53
03600 0 0 allow icmp from any to any icmptypes 0
03700 0 0 allow icmp from any to any icmptypes 3
03800 0 0 allow icmp from any to any icmptypes 4
03900 0 0 allow icmp from any to any icmptypes 8
04000 0 0 allow icmp from any to any icmptypes 11
04100 0 0 allow tcp from any to any dst-port 5900 in via vr0
04200 0 0 allow tcp from any to any dst-port 5900 out via re0
04300 0 0 allow ip from 10.1.1.4 to any out via vr0 keep-state
04400 0 0 allow ip from 192.168.1.0/24 to any via re0 keep-state
65435 3 1457 deny log logamount 100 ip from any to any
65535 1586 192759 allow ip from any to any

Any ideas?

Glen
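The way this port forward is normally done with ipfw and natd, as an added example that is not part of Glen's script or anything from the list: natd's -redirect_port rewrites the destination address of an inbound packet for $oip:5900 to the internal listener, and the ipfw rules are numbered so that the divert runs first and the allow rules match the already-translated address. An ipfw fwd rule only changes the next hop; it does not rewrite the destination IP, so 192.168.1.30 receives packets addressed to 10.1.1.4 and its listener never sees a connection. The interface names, addresses and port below are taken from the post and are assumptions, not verified; the script only prints the commands unless DRY_RUN=0 is set on the FreeBSD box.

```shell
#!/bin/sh
# Added example, not the poster's script: forward inbound TCP/5900 on the
# outside interface to an internal VNC listener with natd -redirect_port,
# and load the ipfw rules in the order the packet actually meets them.
#
# Assumed from the post (not verified here): vr0 outside, re0 inside,
# 10.1.1.4 outside address, listener at 192.168.1.30:5900.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.

oif="vr0"
iif="re0"
oip="10.1.1.4"
vnc_host="192.168.1.30"
vnc_port="5900"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# natd flags: NAT on the outside interface and rewrite the destination of
# anything arriving for $oip:5900 to $vnc_host:5900 (replies are un-NATed
# on the way back out through the same divert rule).
natd_flags() {
    printf '%s %s -redirect_port tcp %s:%s %s\n' "-n" "$oif" \
        "$vnc_host" "$vnc_port" "$vnc_port"
}

# The rules a forwarded connection touches, numbered to keep this order.
vnc_forward_rules() {
    # 1. Divert to natd first: after this rule an inbound SYN for
    #    $oip:5900 carries dst $vnc_host:5900, so later rules must match
    #    the internal address, not $oip.
    run /sbin/ipfw add 2000 divert natd ip from any to any via "$oif"
    # 2. Established traffic in both directions (data and the LAN reply).
    run /sbin/ipfw add 2200 allow tcp from any to any established
    # 3. The translated SYN on its first pass: inbound on the outside
    #    interface only, never "from any to any".
    run /sbin/ipfw add 2310 allow tcp from any to "$vnc_host" "$vnc_port" \
        in via "$oif" setup
    # 4. The same SYN on its second pass: outbound on the inside interface
    #    towards the LAN.
    run /sbin/ipfw add 2320 allow tcp from any to "$vnc_host" "$vnc_port" \
        out via "$iif" setup
}

# Start natd with the redirect, then load the rules.
main() {
    # shellcheck disable=SC2046  # word splitting of the flags is intended
    run /sbin/natd $(natd_flags)
    vnc_forward_rules
}

main
```

On FreeBSD the same natd configuration is usually put in rc.conf (natd_enable="YES", natd_interface="vr0", natd_flags="-redirect_port tcp 192.168.1.30:5900 5900") and natd restarted, since the running natd must have been started with the redirect. To confirm the forward works, connect from outside and watch the counters on rules 2310 and 2320 in ipfw show increase; natd -v (verbose, stays in the foreground) prints each translation as it happens. Two lines in the listing above should go at the same time: the fwd rule (02300), which does not rewrite the destination, and rule 03000, "allow log tcp from any to any setup", which came from the undefined $iop and admits every inbound TCP connection on every port. Finally, 10.1.1.4 is itself an RFC1918 address, so if there is another NAT device in front of the FreeBSD box it must forward 5900 to 10.1.1.4 as well.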