From owner-freebsd-questions@FreeBSD.ORG Tue Jun 29 21:24:56 2004
From: whizkid@ValueDJ.com
To: "Steve Bertrand"
Cc: freebsd-questions@freebsd.org
Date: Tue, 29 Jun 2004 14:24:11 -0700 (PDT)
Subject: Re: IPFW acting weird OR invalid ruleset?
Message-ID: <4315.207.13.174.37.1088544251.squirrel@www.ValueDJ.com>
In-Reply-To: <4149.209.167.16.15.1088539719.squirrel@209.167.16.15>

[snip]
> Ok, I jumped earlier, but actually re-RTF ruleset, I've got a couple
> questions:
>
> - Is it only one pc that can't get through?
> - Do other services work from behind NAT? (http etc)
>
> It looks like rule 4109 should be BEFORE 4090, as 4090 denies all traffic
> and stops, and internal traffic can't go anywhere (or so it appears).
>
> Steve
>
[snip]

Steve,

Yes, everything else seems to work fine. There are currently 2 PCs with this issue: 1 is XP, the other is Win2k.

This ruleset worked fine on FreeBSD 5.1, but I reformatted the box, installed 5.2.1, and uploaded the rc.firewall.rules and natd.conf files; since the network interfaces were the same I didn't really have to change anything.

I found these rules on this website:
http://www.lugbe.ch/lostfound/contrib/freebsd_router/

Here is the sample I used from the website:

# be quiet and flush all rules on start
-q flush

# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via ep0
add 00302 deny ip from 172.16.0.0/12 to any in via ep0
add 00303 deny ip from 192.168.0.0/16 to any in via ep0

# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd ip from any to me in via ep0
add 01001 check-state

# allow some traffic from the local net to the router
# SSH
add 04000 allow tcp from 192.168.1.0/24 to me dst-port 22 in via ep1 setup keep-state
# ICMP
add 04001 allow icmp from 192.168.1.0/24 to me in via ep1
# NTP
add 04002 allow tcp from 192.168.1.0/24 to me dst-port 123 in via ep1 setup keep-state
add 04003 allow udp from 192.168.1.0/24 to me dst-port 123 in via ep1 keep-state
# DNS
add 04006 allow udp from 192.168.1.0/24 to me dst-port 53 in via ep1
# drop everything else
add 04009 deny ip from 192.168.1.0/24 to me

# pass outgoing packets (to be natted) on to a special NAT rule
add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via ep1 keep-state

# allow all outgoing traffic from the router (maybe you should be more restrictive)
add 05010 allow ip from me to any out keep-state

# drop everything that has come so far. This means it doesn't belong to an established connection, don't log the most noisy scans.
add 59998 deny icmp from any to me
add 59999 deny ip from any to me dst-port 135,137-139,445,4665
add 60000 deny log tcp from any to any established
add 60000 deny log ip from any to any

# this is the NAT rule. Only outgoing packets from the local net will come here.
# First, nat them, then pass them on (again, you may choose to be more restrictive)
add 61000 divert natd ip from 192.168.1.0/24 to any out via ep0
add 61001 allow ip from any to any
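To see which rule a given packet actually reaches in a ruleset like the one above, here is an added example (not from the thread or the lugbe.ch page) that parses a subset of the posted rules and walks them first-match, the way ipfw does, including the skipto jump; the router addresses standing in for "me" are assumed, and dynamic state (check-state/keep-state) is not modelled, so each packet is treated as the first of its flow.

```python
import ipaddress
ME = {"192.168.1.1", "203.0.113.2"}  # constructed stand-ins for ipfw's "me" (the router's own addresses)
# Rules from the thread in the syntax this tracer understands (no check-state/verrevpath; keep-state/setup ignored).
RULES = """
add 04006 allow udp from 192.168.1.0/24 to me dst-port 53 in via ep1
add 04009 deny ip from 192.168.1.0/24 to me
add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via ep1 keep-state
add 59999 deny ip from any to me dst-port 135,137-139,445,4665
add 61000 divert natd ip from 192.168.1.0/24 to any out via ep0
add 61001 allow ip from any to any
"""

def parse(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        i = 4 if t[2] in ("skipto", "divert") else 3  # skip the action's argument, if any
        r = {"num": int(t[1]), "act": t[2], "arg": t[3], "proto": t[i], "src": t[i + 2],
             "dst": t[i + 4], "dport": None, "dir": None, "via": None}
        opts = t[i + 5:]
        for k, o in enumerate(opts):
            if o == "dst-port":  # "135,137-139" -> {135, 137, 138, 139}
                r["dport"] = {p for s in opts[k + 1].split(",") for lo, _, hi in [s.partition("-")]
                              for p in range(int(lo), int(hi or lo) + 1)}
            elif o in ("in", "out"): r["dir"] = o
            elif o == "via": r["via"] = opts[k + 1]
        rules.append(r)
    return sorted(rules, key=lambda r: r["num"])

def addr_ok(spec, ip):
    return spec == "any" or (ip in ME if spec == "me" else ipaddress.ip_address(ip) in ipaddress.ip_network(spec))

def matches(r, p):
    return (r["proto"] in ("ip", p["proto"]) and addr_ok(r["src"], p["src"]) and addr_ok(r["dst"], p["dst"])
            and (r["dport"] is None or p.get("dport") in r["dport"])
            and r["dir"] in (None, p["dir"]) and r["via"] in (None, p["iface"]))

def trace(rules, p):  # first-match walk; returns (verdict, numbers of the rules that matched on the way)
    hits, i = [], 0
    while i < len(rules):
        r = rules[i]
        if matches(r, p):
            hits.append(r["num"])
            if r["act"] in ("allow", "deny"): return r["act"], hits
            if r["act"] == "skipto":  # resume at the first rule numbered >= the target
                i = next((k for k, x in enumerate(rules) if x["num"] >= int(r["arg"])), len(rules))
                continue
            # divert: natd rewrites and re-injects the packet, which then continues at the next rule
        i += 1
    return "deny", hits  # ipfw's implicit default rule 65535
```

Tracing a LAN host's web request shows it falling past 04009 (destination is not "me") into the 04109 skipto and out through 61001, while a LAN connection to the router on port 445 stops at 04009 before 04109 is ever consulted; on a live box the same information comes from the counters in `ipfw -a list`.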