Date:      Wed, 26 Feb 2003 02:25:12 +0200
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Joshua Lokken <bsdaemon@eudoramail.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Fwd: ipfw rule placement
Message-ID:  <20030226002512.GD68877@gothmog.gr>
In-Reply-To: <AHFLKLPGOOMEHBAA@whowhere.com>
References:  <AHFLKLPGOOMEHBAA@whowhere.com>

On 2003-02-25 16:09, Joshua Lokken <bsdaemon@eudoramail.com> wrote:
> When I remove the default deny rule from the list, nat works fine,
> port redirections and all, but with the deny rule in place, nat
> isn't working, so I'm thinking I have a rule in the wrong place.
> Can anyone point out any obvious missing/misplaced rules here?

For NAT to be working, you have to make sure natd(8) is running and has
a proper configuration file.

Now, as far as the ipfw(8) rules are concerned, try using the
following ruleset:

# $fwcmd -f flush
# $fwcmd add allow all from any to any via lo0
# $fwcmd add divert natd all from any to any via $oif
# $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
# $fwcmd add check-state
# $fwcmd add allow udp from $oip to any via $oif keep-state
# $fwcmd add allow tcp from any to $oip 22,80,443,6346,22002,22003,22010 setup via $oif keep-state
# $fwcmd add allow ip from $oip to any keep-state out via $oif
# $fwcmd add allow ip from $inwr to any keep-state via $iif
# $fwcmd add 65435 deny log ip from any to any

The changes from your own set of rules are summarized below:

  - moved icmp checking higher, since they're unrelated to tcp or udp
    and state checking

  - added a rule for udp packets, since DNS resolving and a few other
    useful things depend on them

  - moved check-state higher, to minimise the delay for packets that
    are parts of an existing connection (ipfw rules are checked
    sequentially, from start to end)

  - added keep-state in your 'setup' rule for incoming connections to
    $oip and 'via $oif' to make sure that packets destined for $oip
    are only accepted on $oif (good measure against spoofing)

Before using this set of rules, make sure you give proper values to
$iip, $oip, $iif, $oif and $inwr.

- Giorgos
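The following is an added illustration (not from the reply above and not FreeBSD's ipfw) of why rule placement matters: a simplified first-match model of the ruleset, with check-state consulting a table that the keep-state rules fill, and divert handing the packet to natd and continuing down the list. The addresses and interface name are constructed stand-ins for $oip and $oif; moving the deny rule ahead of the keep-state rules (deny_number=450) shows every new flow being dropped before it is ever recorded, which matches the symptom in the question.

```python
OIP, OIF = "203.0.113.5", "xl0"   # constructed stand-ins for $oip and $oif

def packet(proto, src, sport, dst, dport, direction, iface=OIF, setup=False, icmptype=None):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                dir=direction, iface=iface, setup=setup, icmptype=icmptype)

def key(p, reverse=False):   # 5-tuple the dynamic state table is keyed on
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (p["proto"],) + (b + a if reverse else a + b)

def build_rules(deny_number=65435):   # the reply's rules as (number, action, predicate)
    rules = [
        (100, "allow", lambda p: p["iface"] == "lo0"),
        (200, "divert", lambda p: p["iface"] == OIF),
        (300, "allow", lambda p: p["proto"] == "icmp" and p["icmptype"] in (3, 4, 11, 12)),
        (400, "check-state", lambda p: True),
        (500, "keep", lambda p: p["proto"] == "udp" and p["src"] == OIP and p["iface"] == OIF),
        (600, "keep", lambda p: p["proto"] == "tcp" and p["dst"] == OIP and p["setup"]
                                and p["iface"] == OIF and p["dport"] in (22, 80, 443)),
        (700, "keep", lambda p: p["src"] == OIP and p["dir"] == "out" and p["iface"] == OIF),
        (deny_number, "deny", lambda p: True),
    ]
    return sorted(rules, key=lambda r: r[0])

def evaluate(p, rules, state):   # walk in number order; first terminal match decides
    diverted = False
    for _, action, match in rules:
        if action == "check-state":
            if key(p) in state:
                return "allow", diverted
            continue
        if not match(p):
            continue
        if action == "divert":       # natd rewrites and reinjects; evaluation goes on
            diverted = True
            continue
        if action == "keep":         # allow ... keep-state: record both directions
            state.update((key(p), key(p, reverse=True)))
            return "allow", diverted
        return action, diverted      # plain allow or deny
    return "deny", diverted

def demo(deny_number=65435):   # DNS query out, its reply in, unsolicited SMTP SYN in
    rules, state = build_rules(deny_number), set()
    query = packet("udp", OIP, 40000, "198.51.100.1", 53, "out")
    reply = packet("udp", "198.51.100.1", 53, OIP, 40000, "in")
    smtp = packet("tcp", "198.51.100.9", 5555, OIP, 25, "in", setup=True)
    return [evaluate(pkt, rules, state) for pkt in (query, reply, smtp)]
```

With the deny rule last, demo() lets the query and its reply through (both after passing natd) and drops the SMTP SYN; with deny_number=450 every packet is dropped, and with deny_number=150 nothing even reaches the divert rule.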
