From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 11 16:43:55 2012
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0EC251065675; Sun, 11 Mar 2012 16:43:55 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) by mx1.freebsd.org (Postfix) with ESMTP id 637048FC0C; Sun, 11 Mar 2012 16:43:53 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id q2BGhAsk091270; Mon, 12 Mar 2012 03:43:11 +1100 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Mon, 12 Mar 2012 03:43:10 +1100 (EST)
From: Ian Smith
To: Da Rock
Cc: freebsd-ipfw@freebsd.org
Subject: Re: newbie IPFW user
In-Reply-To: <4F5BDBF9.4000807@herveybayaustralia.com.au>
Message-ID: <20120312025251.W10482@sola.nimnet.asn.au>
References: <4F5A161C.8060407@herveybayaustralia.com.au> <4F5B2348.2080405@freebsd.org> <4F5B5187.2010303@herveybayaustralia.com.au> <20120311020742.G10482@sola.nimnet.asn.au> <4F5BDBF9.4000807@herveybayaustralia.com.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sun, 11 Mar 2012 16:43:55 -0000

On Sun, 11 Mar 2012 08:55:53 +1000, Da Rock wrote:
> On 03/11/12 02:28, Ian Smith wrote:
> > On Sat, 10 Mar 2012 23:05:11 +1000, Da Rock wrote:
> > > On 03/10/12 19:47, Julian Elischer wrote:
> > > > On 3/9/12 6:39 AM, Da Rock wrote:

[..]

> > > I'm using it for voip currently (and vpn on the same client): voip requires
> > > 5060 remote _and_ connection ports, and needs to be forwarded as is
> > > (excepting ip address) and not appear to be natted so as not to confuse the
> > > client. VPN uses 500/4500 and requires an untouched packet payload (ipsec).
> >
> > So this particular box has its own unique external routable IP address,
> > distinct from the router's external IP? Does it also want to do regular
> > NAT for other than VoIP/VPN port traffic? Just trying to follow ..
>
> NP. I have only one external address (considered more, but nothing has quite
> convinced me as yet to part with more moula for them), and the binat only
> works for these services (ipsec/l2tp/vpn/voip), but essentially it appears
> this box is in the open - directly on the external address. However, I can
> still send other services (smtp/imap/www/dns) to other boxes.

Ah, I thought pf.conf(5) implied it was for a separate external address?

So apart from needing static NAT for those services it's pretty standard
looks like? I haven't done just that myself so should shuttup here, but
would likely tend to use a separate nat instance for those, with some rules
before and after the NAT to keep that traffic distinct from the more general
mapping for other clients, to be sure other clients don't get to use those
ports 'accidentally' (beating same_ports to the punch)

> The firewall is also running the show with ppp as well, the modem is running
> 'dumb'.

Way to go. I prefer mpd for PPPoE, toss a coin.

> From other posts, I'd say static NAT could be what I'm looking for. I'll give
> it a shot anyway...

Let us know.

> > > Are there any sources for documentation on the advanced uses of ipfw? I
> > > stumbled on just one that goes into more detail so far
> > > http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO.
> >
> > I vaguely recall that one from years ago. "www.freebsd-howto.com could
> > not be found. Please check the name and try again." tonight anyway.
>
> I said this before: what can I say? It works for me... :) I just used it
> tonight, so I can't say what would be going on (planets aligned, or
> something?).

Or something. Even digging @ its listed primary nameserver is broken.

; <<>> DiG 9.6.-ESV-R3 <<>> @NS1.ERUDITION.NET freebsd-howto.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5627
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;freebsd-howto.com.		IN	ANY

But google found http://freebsdhowto.com/Ipfw-HOWTO.txt from Romania :)

This looks very like one of Joe Barbish's expositions; it contains many of
the same factual errors and questionable advice as the IPFW section in the
Handbook, and it only covers FreeBSD 4 anyway.

Truly, ipfw(8) is pretty near complete and authoritative, and rc.firewall
is a much better basis for a good firewall; a smart boy like you can handle
the truth :)

cheers, Ian

[PS whitespace, like a smile, costs nothing; who prints email anymore?]
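The "separate nat instance, with rules before and after" idea from Ian's reply, written out as an added rc.firewall-style sketch (this is not Ian's or Da Rock's ruleset, and it is not taken from the thread). It assumes a PPPoE link on tun0, a LAN of 192.168.1.0/24, a VoIP/VPN box at 192.168.1.10 that speaks IKE over NAT-T (UDP 500/4500) and SIP (UDP 5060), and the default net.inet.ip.fw.one_pass=1. The names fwcmd, ext_if, lan, voip and load_rules are this example's own. The point it shows is the risk Ian names: with one external address, a second nat instance can hand port 5060 (or 500/4500) to some other client before the VoIP box uses it, so the inbound redirect then steers that client's replies to the wrong host. Rule 2010 denies other LAN hosts from sourcing those ports through the general mapping, which keeps the two instances from competing for the same external ports.

```shell
#!/bin/sh
# Added example, not the thread's own configuration.
# Two ipfw nat instances sharing one external address:
#   nat 1 - static port redirects for the VoIP/VPN host only
#   nat 2 - ordinary masquerading for everybody else
# Assumed names: tun0 (PPPoE), 192.168.1.0/24 (LAN), 192.168.1.10 (VoIP/VPN box).
fwcmd="${FWCMD:-/sbin/ipfw -q}"
ext_if="${EXT_IF:-tun0}"
lan="${LAN:-192.168.1.0/24}"
voip="${VOIP_HOST:-192.168.1.10}"
static_ports="500,4500,5060"

load_rules() {
    ${fwcmd} -f flush

    # nat 1: fixed external->internal port mappings; same_ports keeps the
    # VoIP box's source ports unchanged on the way out (what a SIP client
    # expects), reset clears the alias table when the PPP address changes.
    ${fwcmd} nat 1 config if "${ext_if}" same_ports reset \
        redirect_port udp "${voip}:5060" 5060 \
        redirect_port udp "${voip}:500" 500 \
        redirect_port udp "${voip}:4500" 4500

    # nat 2: general mapping for the rest of the LAN; unreg_only means only
    # RFC 1918 sources are translated.
    ${fwcmd} nat 2 config if "${ext_if}" same_ports reset unreg_only

    ${fwcmd} add 100 allow ip from any to any via lo0

    # Inbound: only the static ports go through nat 1; everything else
    # inbound is looked up in nat 2's table.
    ${fwcmd} add 1000 nat 1 udp from any to any dst-port ${static_ports} in recv "${ext_if}"
    ${fwcmd} add 1010 nat 2 ip from any to any in recv "${ext_if}"

    # Outbound: the VoIP box's IKE/SIP traffic uses nat 1 ...
    ${fwcmd} add 2000 nat 1 udp from "${voip}" to any src-port ${static_ports} out xmit "${ext_if}"
    # ... and no other LAN host may source those ports through nat 2, so the
    # general instance never allocates 500/4500/5060 on the shared address
    # (the "beating same_ports to the punch" case).
    ${fwcmd} add 2010 deny udp from "${lan}" to any src-port ${static_ports} out xmit "${ext_if}"
    ${fwcmd} add 2020 nat 2 ip from "${lan}" to any out xmit "${ext_if}"

    # With one_pass=1 (the default) a packet is accepted as soon as a nat
    # rule translates it; the usual stateful allow/deny policy rules that a
    # real rc.firewall carries are left out of this sketch.
}

# Only touch the live firewall when explicitly asked:
#   IPFW_APPLY=1 sh nat-split.sh
if [ "${IPFW_APPLY:-0}" = 1 ]; then
    load_rules
fi
```

To review the generated rules without loading them, run the function with fwcmd set to echo (for example `FWCMD=echo IPFW_APPLY=1 sh nat-split.sh`) and check that the deny at 2010 sits between the VoIP box's nat 1 rule and the general nat 2 rule; if it were placed after 2020 it would never match.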