Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 10 Jun 2007 11:25:11 +0800
From:      "Glen Prestidge" <tool_box@westnet.com.au>
To:        <freebsd-ipfw@freebsd.org>
Subject:   ipfw portfording problems
Message-ID:  <002501c7ab0e$f3fceec0$1e01a8c0@mars>

Next in thread | Raw E-Mail | Index | Archive | Help
HI all

I am trying to setup the SC VNC which i want to use for when i need to =
support my customers.=20

I am having problems placing these firewall rules so that it will allow =
the traffic.

Here are my rules=20

############################
#
# Define your variables
#
fwcmd=3D"/sbin/ipfw" #leave as is if using ipfw
oif=3D"vr0" #set to outside interface name
onwr=3D"10.1.1.0/8" #set to outside network range
oip=3D"10.1.1.4" #set to outside ip address

iif=3D"re0" #set to internal interface name
inwr=3D"192.168.1.0/24" #set to internal network range
iip=3D"192.168.1.1" #set to internal ip address


ntp=3D"202.72.191.202"
ns1=3D"203.10.1.17" #set to primary name server best if =3D oif

#
# End of required user input if you only intend to allow ssh connections =
to
# this box from the outside. If other services are required, edit line =
96
# as necessary.
#
# Rules with descriptions
#
#
# Force a flush of the current firewall rules before we reload
$fwcmd -f flush
#
# Allow your loop back to work
$fwcmd add allow all from any to any via lo0
#
# Prevent spoofing of your loopback
$fwcmd add deny log all from any to 127.0.0.0/8
#
# Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif
#
# Stop spoofing from inside your private ip range
$fwcmd add deny log ip from not $inwr to any in via $iif
#
# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
# $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
# $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif

#
# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny all from any to 240.0.0.0/4 in via $oif
$fwcmd add deny all from 210.22.175.130 to any in via $oif

# Divert all packets through natd
$fwcmd add divert natd all from any to any via $oif
# Checks packets against dynamic rule set below.
$fwcmd add check-state
#
#
# Allow all established connections to persist (setup required
# for new connections).
$fwcmd add allow tcp from any to any established


#ALL VNC
$fwcmd add fwd 192.168.1.30,5900 tcp from any to any dst-port 5900=20

# Allow packets in via the VPN interface
$fwcmd add allow ip from any to any in recv ng0

# Allow the rest of the VPN data through
$fwcmd add allow gre from any to any
#
# Allow incoming requests to reach the following services:
# To allow multiple services you may list them separated
# by a coma, for example ...to $oip 22,25,110,80 setup
$fwcmd add allow log tcp from any to $oip 22 setup
# $fwcmd add allow log tcp from any to $oip 80 setup
$fwcmd add allow tcp from any to $oip 25,53 setup
$fwcmd add allow tcp from any to #oip 21 setup
$fwcmd add allow tcp from any to $oip 110 setup=20
$fwcmd add allow log tcp from any to $oip dst-port 5900 setup
# $fwcmd add allow log tcp from any to any dst-port 5900 setup=20
$fwcmd add allow log tcp from any to any $iop setup
$fwcmd add allow log tcp from any to $iop setup
$fwcmd add allow log tcp from any to any dst-port 1723 setup
#
# Allow DNS traffic from internet to query your DNS (for reverse
# lookups etc).
$fwcmd add allow udp from any to $ns1 53
#
# Allow time update traffic
$fwcmd add allow udp from $ntp 123 to $oip 123
#
# Allow UDP from local extrernal network so I can tracert from local =
servers

$fwcmd add allow udp from any 53 to any
$fwcmd add allow udp from any to any 53

# Allow icmp packets for diagnostic purposes (ping traceroute)
# you may wish to leave commented out.
# $fwcmd add allow icmp from any to any
#
# Allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 0
$fwcmd add allow icmp from any to any icmptypes 3
$fwcmd add allow icmp from any to any icmptypes 4
$fwcmd add allow icmp from any to any icmptypes 8
$fwcmd add allow icmp from any to any icmptypes 11
#
# Rules to allow VNC access through the FW (is this needed here? )
$fwcmd add allow tcp from any to any dst-port 5900 in via vr0
$fwcmd add allow tcp from any to any dst-port 5900 out via re0=20

# Allow any traffic from firewall ip to any going out the
# external interface
$fwcmd add allow ip from $oip to any keep-state out via $oif
#
# Allow any traffic from local network to any passing through the
# internal interface
$fwcmd add allow ip from $inwr to any keep-state via $iif
#
# Deny everything else
$fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.

The lines in bold are the lines i have entered. 192.168.1.30 is the =
machine in my internal network running the VNC viewer in listen mode =
listening on port 5900.=20

as you can see when a ipfw sh is done

00100 3 144 allow ip from any to any via lo0
00200 0 0 deny log logamount 100 ip from any to 127.0.0.0/8
00300 0 0 deny log logamount 100 ip from 192.168.1.0/24 to any in via =
vr0
00400 0 0 deny log logamount 100 ip from not 192.168.1.0/24 to any in =
via re0
00500 0 0 deny log logamount 100 ip from 192.168.0.0/16 to any in via =
vr0
00600 0 0 deny log logamount 100 ip from 172.16.0.0/12 to any in via vr0
00700 0 0 deny log logamount 100 ip from any to 192.168.0.0/16 in via =
vr0
00800 0 0 deny log logamount 100 ip from any to 172.16.0.0/12 in via vr0
00900 0 0 deny ip from 0.0.0.0/8 to any in via vr0
01000 0 0 deny ip from 169.254.0.0/16 to any in via vr0
01100 0 0 deny ip from 192.0.2.0/24 to any in via vr0
01200 0 0 deny ip from 224.0.0.0/4 to any in via vr0
01300 0 0 deny ip from 240.0.0.0/4 to any in via vr0
01400 0 0 deny ip from any to 0.0.0.0/8 in via vr0
01500 0 0 deny ip from any to 169.254.0.0/16 in via vr0
01600 0 0 deny ip from any to 192.0.2.0/24 in via vr0
01700 0 0 deny ip from any to 224.0.0.0/4 in via vr0
01800 0 0 deny ip from any to 240.0.0.0/4 in via vr0
01900 0 0 deny ip from 210.22.175.130 to any in via vr0
02000 288 28799 divert 8668 ip from any to any via vr0
02100 0 0 check-state
02200 185 18064 allow tcp from any to any established
02300 3 144 fwd 192.168.1.30,5900 tcp from any to any dst-port 5900
02400 0 0 allow ip from any to any in recv ng0
02500 288 32928 allow gre from any to any
02600 0 0 allow log logamount 100 tcp from any to 10.1.1.4 dst-port 22 =
setup
02700 0 0 allow tcp from any to 10.1.1.4 dst-port 25,53 setup
02800 0 0 allow tcp from any to 10.1.1.4 dst-port 110 setup
02900 0 0 allow log logamount 100 tcp from any to 10.1.1.4 dst-port 5900 =
setup ( packets aren't getting here)
03000 6 384 allow log logamount 100 tcp from any to any setup
03100 0 0 allow log logamount 100 tcp from any to any dst-port 1723 =
setup
03200 0 0 allow udp from any to 203.10.1.17 dst-port 53
03300 0 0 allow udp from 202.72.191.202 123 to 10.1.1.4 dst-port 123
03400 12 1178 allow udp from any 53 to any
03500 12 780 allow udp from any to any dst-port 53
03600 0 0 allow icmp from any to any icmptypes 0
03700 0 0 allow icmp from any to any icmptypes 3
03800 0 0 allow icmp from any to any icmptypes 4
03900 0 0 allow icmp from any to any icmptypes 8
04000 0 0 allow icmp from any to any icmptypes 11
04100 0 0 allow tcp from any to any dst-port 5900 in via vr0
04200 0 0 allow tcp from any to any dst-port 5900 out via re0
04300 0 0 allow ip from 10.1.1.4 to any out via vr0 keep-state
04400 0 0 allow ip from 192.168.1.0/24 to any via re0 keep-state
65435 3 1457 deny log logamount 100 ip from any to any
65535 1586 192759 allow ip from any to any

any ideas?

Glen



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?002501c7ab0e$f3fceec0$1e01a8c0>