From: David van Rensburg - PC Network <david@pcnetwork.co.za>
To: freebsd-ipfw@freebsd.org
Date: Mon, 18 Jul 2011 17:41:36 +0000
Subject: ipfw and nat problem
List: freebsd-ipfw (IPFW Technical Discussions)

Hi

I've been having a problem with ipfw and NAT. I can get NAT to work, but I want the following:

- My LAN must only have access to outgoing port 80.
- I want to be able to allow some LAN users access to FTP and outgoing 3389 (remote desktop), but by default only port 80.
- I have a transparent proxy working in ipfw.
- I want to be able to limit outgoing and incoming to the FreeBSD server according to port.
- I want a default deny.

ANY help, or pointing me in the right direction, would be great. I have been googling for a week now and can't find anything similar. Most examples don't use a default deny and don't allow certain services to the LAN users.

oif="rl0"

FreeBSD box with 2 network cards:
192.168.1.3 - LAN side (all LAN clients 192.168.1.x)
192.168.0.2 - router side of card (machine default gateways to 192.168.0.1, which is the router)

rc.conf:

gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-s -u -m"
firewall_enable="YES"
firewall_logging_enable="YES"
firewall_quiet="NO"
#firewall_type="simple blah"
firewall_script="/etc/firewall.local"
natd_flags="-f /etc/natd.conf"

I'm using the following rules, which aren't working properly; e.g. the actual FreeBSD box can ftp out for some reason.
00100     0      0 divert 8668 ip from not me to any via rl0
00150     0      0 fwd 192.168.1.3,3128 tcp from not me to any dst-port 80
00250    24   1440 allow ip from any to any via lo0
00350     0      0 deny ip from any to 127.0.0.0/8
00450     0      0 deny ip from 127.0.0.0/8 to any
00550     0      0 deny tcp from any to any frag
00650     0      0 check-state
00750   241  27480 allow tcp from any to any established
00850    24   5676 allow ip from any to any out keep-state
00950     0      0 allow tcp from any to any dst-port 22 in
01050     0      0 allow tcp from any to any dst-port 22 out
01150     0      0 allow udp from any to any dst-port 53 in
01250     0      0 allow tcp from any to any dst-port 53 in
01350     0      0 allow udp from any to any dst-port 53 out
01450     0      0 allow tcp from any to any dst-port 53 out
01550     0      0 allow tcp from 192.168.1.99 to any dst-port 3389
01650   462  53744 deny ip from any to any
65535   122  12588 allow ip from any to any

David van Rensburg
PC Network
Tel: 0215107600
Fax: 0215104165
www.pcnetwork.co.za

This electronic communication and the attached file(s) are subject to terms and conditions which can be accessed on the following link: http://www.pcnetwork.co.za/terms as well as the acceptable usage policy which can be accessed on: http://www.pcnetwork.co.za/aup If you are unable to view the above, please contact support@pcnetwork.co.za for a copy.
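The listing above has no effective default deny because rule 00850, `allow ip from any to any out keep-state`, matches every outgoing packet on every interface (the box's own FTP connections included) before 01650 is ever reached, and 00750, `allow tcp from any to any established`, passes any TCP segment that merely has ACK set, with no state lookup at all. The /etc/firewall.local below is an added example, not the poster's script and not code from the FreeBSD project; it uses the skipto-to-NAT layout that the FreeBSD Handbook's ipfw chapter uses with natd: nothing leaves via rl0 unless an explicit rule jumps to the NAT target at 800, and everything else falls through to one logging deny. It assumes the LAN card is rl1 (the post only names rl0), that squid listens on 192.168.1.3:3128, and the FTP and RDP host lists are made up:

```shell
#!/bin/sh
# /etc/firewall.local: default-deny ipfw + natd ruleset for the two-card box
# described in the post above. Added example, not the poster's script.
# Assumptions not in the post: the LAN card is rl1, squid listens on
# 192.168.1.3:3128, and the per-host allow lists below are made up.
#
#   sh /etc/firewall.local             loads the rules (rc.conf firewall_script)
#   FWCMD=echo sh /etc/firewall.local  prints them instead, to review the order
ipfw="${FWCMD:-/sbin/ipfw}"
oif="rl0"                               # WAN side, 192.168.0.2, router at 192.168.0.1
iif="rl1"                               # LAN side, 192.168.1.3 (interface name assumed)
lan="192.168.1.0/24"
proxy="192.168.1.3"
ftp_hosts="192.168.1.99,192.168.1.100"  # LAN hosts allowed FTP out (assumed)
rdp_hosts="192.168.1.99"                # LAN hosts allowed outbound 3389 (assumed)

load_rules() {
    $ipfw -q -f flush
    add="$ipfw -q add"

    $add 100 allow ip from any to any via lo0
    $add 110 deny ip from any to 127.0.0.0/8
    $add 120 deny ip from 127.0.0.0/8 to any
    $add 130 deny ip from $lan to any in via $oif       # our LAN range never arrives from the WAN
    $add 140 deny tcp from any to any frag

    # LAN -> web goes to squid on this box; squid's replies back to the LAN need their own allow
    $add 200 fwd $proxy,3128 tcp from $lan to any dst-port 80 in via $iif
    $add 210 allow tcp from me 3128 to $lan out via $iif
    # LAN -> this box: only ssh and the proxy port
    $add 220 allow tcp from $lan to me dst-port 22,3128 in via $iif setup keep-state
    # LAN -> anywhere else: admit on rl1; what may leave is decided on the out-via-rl0 pass below
    $add 230 allow ip from $lan to not me in via $iif

    # De-translate inbound packets before looking for state, so replies match the
    # dynamic rules that were created on the (pre-NAT) outbound packet
    $add 300 divert natd ip from any to any in via $oif
    $add 310 check-state
    $add 320 deny tcp from any to any established      # ACK-only segments with no state: drop

    # Outbound policy. Each match jumps to 800, where the packet is NAT'ed and passed;
    # check-state re-runs the same skipto for later packets of a flow that kept state.
    # Source addresses are still the real LAN addresses here, so per-host rules work.
    $add 400 skipto 800 tcp from me to any dst-port 80 out via $oif setup keep-state  # squid fetching
    $add 410 skipto 800 udp from any to any dst-port 53 out via $oif keep-state
    $add 420 skipto 800 tcp from any to any dst-port 53 out via $oif setup keep-state
    $add 430 skipto 800 tcp from $rdp_hosts to any dst-port 3389 out via $oif setup keep-state
    $add 440 skipto 800 tcp from $ftp_hosts to any dst-port 21 out via $oif setup keep-state
    $add 450 skipto 800 tcp from $ftp_hosts to any dst-port 1024-65535 out via $oif setup keep-state  # passive FTP data
    $add 460 skipto 800 icmp from me to any icmptypes 8 out via $oif keep-state

    # Inbound to this box from the WAN
    $add 500 allow tcp from any to me dst-port 22 in via $oif setup keep-state

    # Default deny, both directions, both interfaces (no "allow ... out" catch-all above it)
    $add 700 deny log ip from any to any

    # skipto target: translate and pass
    $add 800 divert natd ip from any to any out via $oif
    $add 810 allow ip from any to any
}

if command -v "$ipfw" >/dev/null 2>&1; then
    load_rules
else
    echo "$ipfw not found; run with FWCMD=echo to print the rules" >&2
fi
```

Two caveats on FTP: rule 450 opens every high port for the listed hosts, which is what passive mode needs but is wide; active-mode data connections come back from the server and would need natd's `-punch_fw` option (see natd(8)) to be let through. Also note that rc.conf is sourced by sh, so the second `natd_flags=` line in the post replaces the first: `-s -u -m` only take effect if /etc/natd.conf also sets `same_ports`, `unregistered_only` and `dynamic`. After loading, `ipfw -a list` shows per-rule counters, so hits on rule 700 (and its log lines) tell you which traffic is still being refused.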