Date:      Tue, 29 Jun 2004 12:52:28 -0700 (PDT)
From:      whizkid@ValueDJ.com
To:        freebsd-questions@freebsd.org
Subject:   IPFW acting weird OR invalid ruleset?
Message-ID:  <3443.207.13.174.37.1088538748.squirrel@www.ValueDJ.com>

Hey everyone.  Below are my rc.conf, natd.conf and rc.firewall.rules files. I
cannot figure it out, but if one of my machines that is behind my
masquerading (NAT) firewall tries to download a file from an FTP site, it fails
to connect.

FreeBSD 5.2.1 machine with 2 NICs:

xl0  - outside NIC (Internet-facing; natd hides the LAN behind its address)
fxp0 - inside NIC (LAN, 192.168.1.0/24)

rc.conf:

# --- natd: masquerade the LAN behind the outside interface ---
natd_enable="YES"
# outside (Internet) interface whose address the LAN is hidden behind
natd_interface="xl0"
# the remaining natd options (punch_fw etc.) live in the config file
natd_flags="-f /etc/fw/natd.conf"

# --- ipfw: load the custom ruleset instead of a canned firewall_type ---
firewall_enable="YES"
# a file path here is handed straight to ipfw(8) by rc.firewall, one rule per line
firewall_type="/etc/fw/rc.firewall.rules"
# stay verbose while the ruleset is being debugged; switch to YES once it is stable
firewall_quiet="NO"


natd.conf:

# natd.conf -- read by natd through "-f" (natd_flags in rc.conf).  Packets reach
# natd only through the two "divert natd" rules in rc.firewall.rules.
# only translate packets whose source is a private (RFC 1918) address
unregistered_only
# outside interface whose address the LAN is hidden behind (same value as
# natd_interface in rc.conf)
interface xl0
# reserve a real socket on the router for FTP-data / IRC DCC connections so
# their ports cannot collide with local ones (costs resources, but is reliable)
use_sockets
# watch the routing socket so a change of xl0's address (DHCP/PPP) is picked up
dynamic
# dynamically open the firewall for FTP and IRC DCC data connections: natd
# installs each hole as ipfw rules numbered 2000-2049 and later removes it by
# rule number, so that whole range must stay free -- no static rule in
# rc.firewall.rules may use a number between 2000 and 2049, or it can be
# deleted together with a hole.
punch_fw 2000:50


rc.firewall.rules:

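# rc.firewall.rules -- given to ipfw(8) by rc.firewall (firewall_type=<path>),
# so every non-comment line is one ipfw command.  As posted, mail wrapping had
# split one rule ("keep-state" on its own line) and two comments ("here.",
# "restrictive)") across lines; ipfw rejects such fragments, so they are
# rejoined here.
#
# Interfaces: xl0 = outside (natd hides the LAN behind it), fxp0 = inside,
# LAN = 192.168.1.0/24 (rules 04109 and 61000).
#
# About the FTP failure: nothing in this file obviously blocks an FTP download.
# The control connection from the LAN leaves through 04109/61000 like any other
# LAN connection, and the data-connection holes natd punches (natd.conf
# "punch_fw 2000:50") land after check-state and before every deny, which is
# where they need to be.  Two things worth checking: rule 60001 logs every
# packet it drops, so the dropped packet should show up in the security log;
# and "ipfw -d show" lists the dynamic rules, which shows whether 04109's
# keep-state entry exists for the session.  Passive mode should work even
# without the holes; only active mode depends on them.

# be quiet and flush all rules on start
-q flush

# allow loopback, drop loopback spoofs, drop anything failing the reverse-path
# check, and never accept RFC 1918 sources on the outside interface
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via xl0
add 00302 deny ip from 172.16.0.0/12 to any in via xl0
add 00303 deny ip from 192.168.0.0/16 to any in via xl0

# inbound on the outside interface: let natd un-translate packets that belong
# to a NAT session (natd re-injects them at the next rule), then match the
# dynamic rules created by the keep-state rules below
add 01000 divert natd ip from any to me in via xl0
add 01001 check-state

# SMTP: any host may open a connection to port 25, on either side.
# Renumbered from 02000: natd.conf reserves 2000-2049 with "punch_fw 2000:50",
# and natd adds and deletes its FTP/IRC holes by rule number, so a static rule
# sharing a number in that range can be removed together with a hole.
add 01900 allow tcp from any to any 25 setup keep-state

# 02000-02049 are reserved for the natd punch_fw holes -- add no rules there.

# services offered by the router itself.  Every "in via xl0" rule below is
# reachable from the whole Internet; keep that list deliberate.
# SSH
add 04000 allow tcp from any to me dst-port 22 in via fxp0 setup keep-state
# NOTE(review): SSH open to any outside source; consider limiting the source
# addresses, or at least "limit src-addr N" instead of plain keep-state
add 04001 allow tcp from any to me dst-port 22 in via xl0 setup keep-state

# IMAP (port 143 is plain IMAP, not IMAP-over-SSL; IMAPS is 993, rule 04080)
add 04010 allow tcp from any to me dst-port 143 in via fxp0 setup keep-state
# NOTE(review): cleartext IMAP exposed on the outside; drop this if 993 suffices
add 04011 allow tcp from any to me dst-port 143 in via xl0 setup keep-state

# NTP.  The xl0 pair used to repeat the numbers 04020/04021; with distinct
# numbers an "ipfw delete 4020" can no longer remove both interfaces' rules.
add 04020 allow tcp from any to me dst-port 123 in via fxp0 setup keep-state
add 04021 allow udp from any to me dst-port 123 in via fxp0 keep-state
add 04022 allow tcp from any to me dst-port 123 in via xl0 setup keep-state
add 04023 allow udp from any to me dst-port 123 in via xl0 keep-state

# webmin (this rule had been wrapped onto two lines in the posted copy)
add 04030 allow tcp from any to me dst-port 10000 in via fxp0 setup keep-state
# NOTE(review): webmin is a full administrative interface; exposing it on xl0
# to any source is the riskiest entry in this file.  Restrict the source
# addresses or reach it through an SSH tunnel instead.
add 04031 allow tcp from any to me dst-port 10000 in via xl0 setup keep-state

# http
add 04040 allow tcp from any to me dst-port 80 in via fxp0 setup keep-state
add 04041 allow tcp from any to me dst-port 80 in via xl0 setup keep-state

# DNS (stateless; replies leave through rule 05010).  The TCP rules carry no
# "setup", so any TCP segment to port 53 is accepted, not only new connections.
add 04050 allow udp from any to me dst-port 53 in via fxp0
add 04051 allow udp from any to me dst-port 53 in via xl0
add 04052 allow tcp from any to me dst-port 53 in via fxp0
add 04053 allow tcp from any to me dst-port 53 in via xl0

# POP (cleartext on 110; same consideration as IMAP above)
add 04060 allow tcp from any to me dst-port 110 in via fxp0 setup keep-state
add 04061 allow tcp from any to me dst-port 110 in via xl0 setup keep-state

# HTTPS
add 04070 allow tcp from any to me dst-port 443 in via fxp0 setup keep-state
add 04071 allow tcp from any to me dst-port 443 in via xl0 setup keep-state

# IMAPS
add 04080 allow tcp from any to me dst-port 993 in via fxp0 setup keep-state
add 04081 allow tcp from any to me dst-port 993 in via xl0 setup keep-state

# drop everything else addressed to the router.  This is silent and sits in
# front of the logging rules at the end, so probes against the router from
# either side are never logged; make it "deny log" while debugging.
add 04090 deny ip from any to me

# pass outgoing packets (to be natted) on to a special NAT rule.  The packet is
# seen here on its inbound pass (fxp0); on its outbound pass (xl0) check-state
# should match the dynamic rule and repeat the skipto, which is when 61000
# actually diverts it.
add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via fxp0 keep-state

# allow all outgoing traffic from the router
add 05010 allow ip from me to any out keep-state

# drop everything that has come so far. This means it doesn't belong to an
# established connection, don't log the most noisy scans.
# 59998 and 59999 can no longer match anything: 04090 already dropped all
# traffic addressed to the router.  They are harmless and kept for reference.
add 59998 deny icmp from any to me
add 59999 deny ip from any to me dst-port 135,137-139,445,4665
add 60000 deny log tcp from any to any established
add 60001 deny log ip from any to any

# this is the NAT rule. Only outgoing packets from the local net will come here.
# First, nat them, then pass them on (again, you may choose to be more
# restrictive)
add 61000 divert natd ip from 192.168.1.0/24 to any out via xl0
add 61001 allow ip from any to any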


