From owner-freebsd-questions@FreeBSD.ORG Tue Jun 29 19:58:46 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BCD7916A4CE for ; Tue, 29 Jun 2004 19:58:46 +0000 (GMT)
Received: from mail.elvandar.org (cust.94.120.adsl.cistron.nl [195.64.94.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1C2D343D45 for ; Tue, 29 Jun 2004 19:58:46 +0000 (GMT) (envelope-from remko@elvandar.org)
Received: from [10.0.3.124] (aragorn.lan.elvandar.intranet [10.0.3.124]) by mail.elvandar.org (Postfix) with ESMTP id 9C933106882; Tue, 29 Jun 2004 21:58:43 +0200 (CEST)
Message-ID: <40E1C9F5.2050100@elvandar.org>
Date: Tue, 29 Jun 2004 21:58:45 +0200
From: Remko Lodder
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: whizkid@ValueDJ.com
References: <3443.207.13.174.37.1088538748.squirrel@www.ValueDJ.com>
In-Reply-To: <3443.207.13.174.37.1088538748.squirrel@www.ValueDJ.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new at elvandar.org
cc: freebsd-questions@freebsd.org
Subject: Re: IPFW acting weird OR invalid ruleset?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 29 Jun 2004 19:58:46 -0000

whizkid@ValueDJ.com wrote:

> Hey everyone. Below is my natd.conf file and my rc.firewall.rule file. I
> cannot figure it out, but if one of my machines that is behind my
> Masquerading Firewall tries to d/l a file that is on an FTP site, it fails
> to connect.

Does ipfw offer logging? (I don't know ipfw.) Perhaps you can see why it
gets blocked there (ehm, I presume it gets blocked). But perhaps an ipfw
guru should help ;-)

Cheers

>
> FreeBSD 5.2.1 machine with 2 nics.
>
> xl0 outside Nic
> fxp0 inside Nic
>
> rc.conf:
>
> # enable firewall
> firewall_enable="YES"
> # set path to custom firewall config
> firewall_type="/etc/fw/rc.firewall.rules"
> # be non-verbose? set to YES after testing
> firewall_quiet="NO"
> # enable natd, the NAT daemon
> natd_enable="YES"
> # which is the interface to the internet that we hide behind?
> natd_interface="xl0"
> # flags for natd
> natd_flags="-f /etc/fw/natd.conf"
>
>
> natd.conf:
>
> unregistered_only
> interface xl0
> use_sockets
> dynamic
> # dynamically open fw for ftp, irc
> punch_fw 2000:50
>
>
> rc.firewall.rules:
>
> # be quiet and flush all rules on start
> -q flush
>
> # allow local traffic, deny RFC 1918 addresses on the outside
> add 00100 allow ip from any to any via lo0
> add 00110 deny ip from any to 127.0.0.0/8
> add 00120 deny ip from any to any not verrevpath in
> add 00301 deny ip from 10.0.0.0/8 to any in via xl0
> add 00302 deny ip from 172.16.0.0/12 to any in via xl0
> add 00303 deny ip from 192.168.0.0/16 to any in via xl0
>
> # check if incoming packets belong to a natted session, allow through if yes
> add 01000 divert natd ip from any to me in via xl0
> add 01001 check-state
>
> # allow some traffic from the local net to the router
> #SMTP
> add 02000 allow tcp from any to any 25 setup keep-state
>
> # SSH
> add 04000 allow tcp from any to me dst-port 22 in via fxp0 setup keep-state
> add 04001 allow tcp from any to me dst-port 22 in via xl0 setup keep-state
>
> #IMAP-SSL
> add 04010 allow tcp from any to me dst-port 143 in via fxp0 setup keep-state
> add 04011 allow tcp from any to me dst-port 143 in via xl0 setup keep-state
>
> # NTP
> add 04020 allow tcp from any to me dst-port 123 in via fxp0 setup keep-state
> add 04021 allow udp from any to me dst-port 123 in via fxp0 keep-state
> add 04020 allow tcp from any to me dst-port 123 in via xl0 setup keep-state
> add 04021 allow udp from any to me dst-port 123 in via xl0 keep-state
>
> #webmin
> add 04030 allow tcp from any to me dst-port 10000 in via fxp0 setup keep-state
> add 04031 allow tcp from any to me dst-port 10000 in via xl0 setup keep-state
>
> #http
> add 04040 allow tcp from any to me dst-port 80 in via fxp0 setup keep-state
> add 04041 allow tcp from any to me dst-port 80 in via xl0 setup keep-state
>
> # DNS
> add 04050 allow udp from any to me dst-port 53 in via fxp0
> add 04051 allow udp from any to me dst-port 53 in via xl0
> add 04052 allow tcp from any to me dst-port 53 in via fxp0
> add 04053 allow tcp from any to me dst-port 53 in via xl0
>
> #POP
> add 04060 allow tcp from any to me dst-port 110 in via fxp0 setup keep-state
> add 04061 allow tcp from any to me dst-port 110 in via xl0 setup keep-state
>
> #HTTPS
> add 04070 allow tcp from any to me dst-port 443 in via fxp0 setup keep-state
> add 04071 allow tcp from any to me dst-port 443 in via xl0 setup keep-state
>
> #IMAPS
> add 04080 allow tcp from any to me dst-port 993 in via fxp0 setup keep-state
> add 04081 allow tcp from any to me dst-port 993 in via xl0 setup keep-state
>
> # drop everything else
> add 04090 deny ip from any to me
>
> # pass outgoing packets (to be natted) on to a special NAT rule
> add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via fxp0 keep-state
>
> # allow all outgoing traffic from the router
> add 05010 allow ip from me to any out keep-state
>
> # drop everything that has come so far. This means it doesn't belong to an
> # established connection, don't log the most noisy scans.
> add 59998 deny icmp from any to me
> add 59999 deny ip from any to me dst-port 135,137-139,445,4665
> add 60000 deny log tcp from any to any established
> add 60001 deny log ip from any to any
>
> # this is the NAT rule. Only outgoing packets from the local net will come here.
> # First, nat them, then pass them on (again, you may choose to be more restrictive)
> add 61000 divert natd ip from 192.168.1.0/24 to any out via xl0
> add 61001 allow ip from any to any

-- 
Kind regards,

Remko Lodder                   |remko@elvandar.org
Reporter DSINet                |remko@dsinet.org
Projectleader Mostly-Harmless  |remko@mostly-harmless.nl
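What follows is an added example, not code from this thread or from the FreeBSD project: a small Python model of how ipfw walks a ruleset like the one quoted above, in the order the kernel uses (first match wins, skipto jumps forward, divert natd hands the packet to natd which reinjects it at the next rule). It runs a constructed subset of the posted rules, with the same numbers and syntax, over two constructed packets: the outbound FTP control connection from a LAN host and the inbound active-mode FTP data connection from the server to the public address. The router addresses (203.0.113.10 on xl0, 192.168.1.1 on fxp0), the natd table entry, the FTP server address 198.51.100.7 and the punch_fw-style rule at 2000 are all assumptions; keep-state/check-state dynamic entries are not modelled, so only one pass over one interface is traced.

```python
"""Model of ipfw's evaluation order over a subset of the posted ruleset: first match
wins, skipto jumps forward, divert natd reinjects the translated packet at the next
rule.  Added example, not the thread's code; keep-state entries are not modelled."""
import ipaddress

ME = {"203.0.113.10", "192.168.1.1"}  # constructed router addresses (xl0, fxp0)
NAT_IN = {("203.0.113.10", 1050): ("192.168.1.20", 1050)}  # hypothetical natd entry

RULESET = """
add 00100 allow ip from any to any via lo0
add 01000 divert natd ip from any to me in via xl0
add 01001 check-state
add 04090 deny ip from any to me
add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via fxp0 keep-state
add 59999 deny ip from any to me dst-port 135,137-139,445,4665
add 60001 deny log ip from any to any
add 61000 divert natd ip from 192.168.1.0/24 to any out via xl0
add 61001 allow ip from any to any
"""
# Hypothetical rule of the kind "punch_fw 2000:50" makes natd insert for one
# active-mode FTP data connection (server -> the port the client advertised)
PUNCH = "add 02000 allow tcp from 198.51.100.7 to 192.168.1.20 1050"

def _ports(spec):  # '135,137-139' -> {135, 137, 138, 139}
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_rule(line):
    """Parse one 'add N action ...' line of the syntax subset used above."""
    t = line.split()
    r = {"num": int(t[1]), "action": t[2], "target": None, "dports": None,
         "dir": None, "via": None}
    if r["action"] == "check-state":
        return r
    i = 3
    if r["action"] in ("skipto", "divert"):
        r["target"], i = t[i], i + 1
    if t[i] == "log":  # logging does not change the verdict
        i += 1
    r["proto"], r["src"], r["dst"] = t[i], t[i + 2], t[i + 4]  # proto from A to B
    i += 5
    while i < len(t):
        tok, i = t[i], i + 1
        if tok == "dst-port":
            tok, i = t[i], i + 1
        if tok[0].isdigit():  # port list, bare ("to any 25") or after dst-port
            r["dports"] = _ports(tok)
        elif tok == "via":
            r["via"], i = t[i], i + 1
        elif tok in ("in", "out"):
            r["dir"] = tok
        elif tok != "keep-state":  # keep-state only adds a dynamic entry
            raise ValueError("unsupported token %r in rule %d" % (tok, r["num"]))
    return r

def parse_ruleset(text):
    return [parse_rule(l) for l in text.splitlines() if l.startswith("add ")]

def _addr_ok(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):  # static match only; check-state/keep-state are not modelled
    return (r["proto"] in ("ip", p["proto"])
            and _addr_ok(r["src"], p["src"]) and _addr_ok(r["dst"], p["dst"])
            and (r["dports"] is None or p.get("dport") in r["dports"])
            and (r["dir"] is None or r["dir"] == p["dir"])
            and (r["via"] is None or r["via"] == p["iface"]))

def trace(rules, pkt):  # one ipfw pass: (verdict, deciding rule number, steps)
    p, steps, i = dict(pkt), [], 0
    rules = sorted(rules, key=lambda r: r["num"])  # stable: equal numbers keep file order
    while i < len(rules):
        r, i = rules[i], i + 1
        if r["action"] == "check-state":
            steps.append("%05d check-state: no dynamic entry, fall through" % r["num"])
        elif not matches(r, p):
            continue
        elif r["action"] in ("allow", "deny"):
            steps.append("%05d %s" % (r["num"], r["action"]))
            return r["action"], r["num"], steps
        elif r["action"] == "skipto":
            target = int(r["target"])
            steps.append("%05d skipto %d" % (r["num"], target))
            i = next((k for k, x in enumerate(rules) if x["num"] >= target), len(rules))
        else:  # divert natd: rewrite via the natd table, then continue at the next rule
            key = (p["dst"], p.get("dport"))
            p["dst"], p["dport"] = NAT_IN.get(key, key)
            steps.append("%05d divert natd -> %s:%s" % (r["num"], p["dst"], p["dport"]))
    return "deny", 65535, steps  # ipfw's implicit default rule

# Constructed packets as ipfw sees them on arrival at the named interface
FTP_CTRL = dict(proto="tcp", src="192.168.1.20", dst="198.51.100.7", dport=21, dir="in", iface="fxp0")
FTP_DATA = dict(proto="tcp", src="198.51.100.7", dst="203.0.113.10", dport=1050, dir="in", iface="xl0")

if __name__ == "__main__":
    base = parse_ruleset(RULESET)
    for pkt, rules in ((FTP_CTRL, base), (FTP_DATA, base), (FTP_DATA, base + [parse_rule(PUNCH)])):
        print(trace(rules, pkt))
```

Running it shows the outbound control connection being passed by 61001 after the skipto at 04109, while the inbound data connection, once natd has rewritten it to the LAN host, falls all the way to 60001 unless a rule in the 2000:50 range allows it; that range sits after 01001 check-state and before the static rules, which is the ordering the natd.conf above relies on. The return path of an outbound connection depends on the keep-state entry that 04109 creates, which this model does not track, so the real kernel's verdict for those packets can differ.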