Date: Mon, 02 Dec 2002 09:34:52 +0200
From: Nelis Lamprecht <nelis@brabys.co.za>
To: freebsd-questions@freebsd.org
Subject: NAT & IPFW
Message-ID: <5.1.0.14.2.20021202092622.012af578@192.96.48.11>
Hi People,

I've recently run out of IPs on our class C network and have now set up NAT on my FreeBSD 4.7 Stable machine. I am having difficulty configuring ipfw (after reading several howtos) to enable my NAT clients to connect through my firewall. I am able to ping the outside world (from a NAT client) using the below ruleset but unable to telnet to any port on the outside. Please could someone give me an example of how to configure my ipfw ruleset to enable my NAT clients' connectivity. I am able to connect from the ipfw machine to any host with the following ruleset but not from my NAT clients. If, for example, I were to give my NAT clients IRC connectivity, what rule would I need to add?

Your suggestions and help would be much appreciated.

Kind regards,
Nelis

My ruleset:

#allow all outbound and only inbound TCP connections I've created
add 0301 divert natd all from any to any via rl0
add 00302 check-state
add 00303 allow tcp from any to any established
add 00304 allow tcp from any to any out setup keep-state
add 00305 allow tcp from any to 192.x.x.0/24 22,25,53,80,443 setup
add 00306 allow tcp from 192.x.x.125 to 192.x.x.0/24 161,162 setup
add 00307 allow tcp from any to 192.168.x.0/27 in recv rl1

#allow all outbound and only inbound UDP connections I've created
add 00400 allow udp from 192.x.x.0/24 to any 53,123 keep-state out via rl0
add 00401 allow udp from any to 192.x.x.0/24 53,123 keep-state in via rl0
add 00402 allow udp from 192.x.x.0/24 to 192.x.x.125 161,162 keep-state out via rl0
add 00403 allow udp from 192.x.x.125 to 192.x.x.0/24 161,162 keep-state in via rl0
add 00404 allow udp from any to 192.168.x.0/27 in recv rl1
add 00405 allow udp from any to any out

#allow some icmp types (codes not supported)
##allow path-mtu in both directions
add 00600 allow icmp from any to any icmptypes 3
##allow source quench in and out
add 00601 allow icmp from any to any icmptypes 4
##allow me to ping out and receive response back
add 00602 allow icmp from any to any icmptypes 8 out
add 00603 allow icmp from any to any icmptypes 0 in
##allow people to ping me
add 00604 allow icmp from any to any icmptypes 8 in
add 00605 allow icmp from any to any icmptypes 0 out
##allow me to run traceroute
add 00606 allow icmp from any to any icmptypes 11 in

#allow ident requests
add 00700 allow tcp from any to any 113 keep-state setup

#deny syn and fin bits used for OS finger printing using nmap
add 00701 deny log tcp from any to any in tcpflags syn,fin

#log anything that falls through
add 09000 deny log ip from any to any

My NAT config:

pandora# cat /etc/natd.cf
unregistered_only
log
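As an added, constructed illustration (not code from the thread or from FreeBSD), the small Python simulation below walks a NAT client's first packets through the posted rules in ipfw's first-match order and shows why the ping is allowed while the telnet SYN falls through to rule 09000. The addresses, the inside network 192.168.1.0/27 and the extra rule 308 are assumptions made for the example.

```python
"""Constructed first-match simulator for the ipfw subset the posted ruleset
uses (proto, networks, in/out, interface, setup/established, ICMP type).
natd translation (301) and dynamic state (302, keep-state) are not modelled,
which does not matter for the very first packet a NAT client sends."""
import ipaddress

def _in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def rule(num, action, proto, src="any", dst="any", **opts):
    """opts: dir='in'|'out', iface=str, tcp='setup'|'established', icmptypes=set."""
    return dict(num=num, action=action, proto=proto, src=src, dst=dst, **opts)

def matches(r, p):
    """Static-field match of one rule against one packet dict; an option absent
    from the rule is a wildcard for that field."""
    tcp_ok = {"setup": p.get("syn") and not p.get("ack"),
              "established": p.get("ack")}.get(r.get("tcp"), True)
    return (r["proto"] in ("ip", p["proto"])
            and _in_net(p["src"], r["src"]) and _in_net(p["dst"], r["dst"])
            and p.get("icmptype") in r.get("icmptypes", {p.get("icmptype")})
            and r.get("dir", p["dir"]) == p["dir"]
            and r.get("iface", p["iface"]) == p["iface"]
            and bool(tcp_ok))

def first_match(rules, pkt):
    """ipfw semantics: lowest-numbered matching rule decides; 65535 is the kernel default deny."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if matches(r, pkt):
            return r["num"], r["action"]
    return 65535, "deny"

# Constructed stand-in for the masked 192.168.x.0/27 inside network.
LAN = "192.168.1.0/27"
POSTED = [  # the posted rules that can see a LAN-originated packet arriving on rl1
    rule(303, "allow", "tcp", tcp="established"),
    rule(304, "allow", "tcp", dir="out", tcp="setup"),
    rule(307, "allow", "tcp", dst=LAN, dir="in", iface="rl1"),
    rule(602, "allow", "icmp", dir="out", icmptypes={8}),
    rule(604, "allow", "icmp", dir="in", icmptypes={8}),
    rule(9000, "deny", "ip"),
]
# Hypothetical fix (not from the thread): mirror rule 307 for traffic the LAN itself originates.
FIXED = POSTED + [rule(308, "allow", "tcp", src=LAN, dir="in", iface="rl1")]

def trace_nat_client(dst="198.51.100.7"):
    """First packet of a ping and of a telnet from NAT client 192.168.1.10, as ipfw
    first sees them: inbound on the inside interface rl1, before any translation."""
    base = dict(src="192.168.1.10", dst=dst, dir="in", iface="rl1")
    ping = dict(base, proto="icmp", icmptype=8)
    telnet = dict(base, proto="tcp", dport=23, syn=True)
    return {"ping": first_match(POSTED, ping), "telnet": first_match(POSTED, telnet),
            "telnet_after_fix": first_match(FIXED, telnet)}
```

The ping matches rule 604 ("icmptypes 8 in"), but there is no equivalent inbound-on-rl1 allow for TCP the LAN originates, so the SYN reaches the final deny; rule 308 is one way to supply that allow.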