Date:      Fri, 29 Sep 2006 01:28:46 -0700
From:      Garrett Cooper <>
Subject:   Issues with configuring IPFW for NAT setup
Message-ID:  <>

    I'm trying to configure a lightweight router/gateway just to block 
bad SMTP requests; many viruses/spyware apps on Windoze boxes on my 
network have forced our ISP to almost shut us down more than once now 
because people don't know how to manage their machines =\.
    The problem with my config is that all that's going through the NAT 
machine is ICMP packets (?!). Weird.
    Anyhow, here's the ipfw configuration so far:


# comment the line below and uncomment the line following that if you just want to test the rule output
cmd="ipfw $cmd_flags"
cmd_a="$cmd add"
cmd_d="$cmd del"

# just macros to simplify typing/reading
fata="from any to any"
aafat="allow all from any to"
daf="deny all from"
dafat="$daf any to"


# trusted subnet
# untrusted subnet

# Port lists must not contain spaces: the shell splits "81, 113" into the
# separate arguments "81," and "113,", so ipfw never receives one list.
bad_ports="81,113,137-139,445,901,1026,1433-1434,1900,2283,2869,3389,5000,8080"   # IRC IDENT, HTTP, Sun RPC ports, uPnP ports, RDP ports, etc
virus_ports="1080,2283,2535,2745,3127-3198,3410,5554,8866,9898"   # See /root/ports.html for a short list with explanations

$cmd -f flush

$cmd_a 001 $aafat any via lo*

$cmd_a 050 divert natd ip from any to me in via $puif # Properly direct all incoming NAT redirects

$cmd_a 081 $daf to any # reserved IPs
$cmd_a 082 $daf to any # reserved IPs
$cmd_a 083 $daf to any # loopback
$cmd_a 084 $daf to any # broadcast
$cmd_a 085 $daf to any # auto-DHCP
$cmd_a 086 deny tcp from to any # deny multicast TCP support

# private subnet firewall rules -- allow incoming SSH, HTTP, and HTTP-SSL
$cmd_a 160 allow all from any to me 22,68-69,80,443 via $prif

# public SSH rules
$cmd_a 170 allow all from any to me 22 via $puif
$cmd_a 171 deny all from any to me 22,68-69,80,443 via $puif

# SMTP rules -- basically allow SMTP traffic on port 25 to UW, Comcast, and Earthlink clients; block the rest to prevent mass spamming
$cmd_a 200 $aafat 25 out via $puif
$cmd_a 201 $aafat 25 out via $puif
$cmd_a 202 $aafat 25 out via $puif
$cmd_a 203 $dafat any 25 out via $puif

$cmd_a 400 $dafat any $bad_ports,$virus_ports via $puif
# deny any TCP traffic trying to be forwarded on ports 10000-65535. Don't block UDP since MSN and other services like to randomly allocate ports in this range for UDP use.
# "setup" restricts the rule to SYN packets (new connections). Without it the rule also drops the SYN/ACK replies to outbound connections, whose destination port is the connection's ephemeral source port (49152-65535 by default on FreeBSD), which leaves only ICMP and UDP working.
$cmd_a 401 deny tcp $fata 10000-65535 setup

$cmd_a 600 divert natd all from $tsu to any out via $puif # For outbound NAT translation

$cmd_a 605 deny all from $usu to not me via $prif

$cmd_a 611 allow all $fata

Some additional helpful information:

FreeBSD router:
su-2.05b# uname -a
FreeBSD hummer.localdomain 6.1-RELEASE-p5 FreeBSD 6.1-RELEASE-p5 #10: 
Wed Sep 27 00:17:54 PDT 2006     
root@hummer.localdomain:/usr/obj/usr/src/sys/HUMMER  i386
su-2.05b# sysctl -n net.inet.ip.forwarding

    Another interesting thing is that it appears that I've totally 
screwed up my TCP configuration or something (or firewalled a bunch of 
ports), so my machine cannot access the outside world (even from 
localhost). The only thing that appears to be working is DNS resolution.. =\.

My routing tables:

su-2.05b# netstat -r -f inet
Routing tables

Destination        Gateway            Flags    Refs      Use  Netif Expire
default                               UGS         0     2389    xl0
localhost          localhost          UH          0        2    lo0
192.168.0          link#2             UC          0        0    xl0
                   00:09:5b:56:c4:b4  UHLW        2        0    xl0   1175
hoover             00:0a:e6:47:73:c7  UHLW        1        2    xl0    957
sprsd              00:e0:7d:f7:6e:2e  UHLW        1    16281    xl0   1117
192.168.1          link#1             UC          0        0   fxp0
                   00:a0:c9:5e:ba:2d  UHLW        1        0    lo0
                   00:11:24:2f:15:bc  UHLW        1       51   fxp0    306

    My static routes in /etc/rc.conf:


#Route defs
static_routes="router tsu usu"

#..end snip..

    Ping example showing DNS resolution working:

su-2.05b# ping -c 3
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=246 time=84.567 ms
64 bytes from icmp_seq=1 ttl=246 time=107.181 ms
64 bytes from icmp_seq=2 ttl=246 time=84.443 ms

--- ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 84.443/92.064/107.181/10.690 ms

    IPFIREWALL sections of kernel config:

su-2.05b# grep IPFIREWALL /root/HUMMER
options         IPFIREWALL
options         IPFIREWALL_VERBOSE

    Anyone have an idea of what I'm doing wrong in this case?

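As an added example (the editor's code, not part of the original post or of any reply in this thread), here is the same ruleset with the two defects of the posted script fixed and run through a dry-run "ipfw" so the generated rules can be inspected on any machine. The fixes: port lists are written without spaces, so the shell hands ipfw a single argument; and rule 401 carries "setup", so it blocks new TCP connections to ports 10000-65535 without also dropping the SYN/ACK replies to outbound connections, whose destination port is the ephemeral source port (49152-65535 by default on FreeBSD), which is consistent with only ICMP and UDP (DNS) getting through. The interface names and subnets (xl0, fxp0, 192.168.1.0/24, 192.168.0.0/24) are assumptions read off the posted routing table, and the SMTP relay hosts are an empty list because the post does not show them. Ports are attached to tcp/udp rules rather than "all", which is the unambiguous form.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post): the posted
# ruleset with its two defects fixed, generated through a dry-run "ipfw".
# On the FreeBSD box run with IPFW=/sbin/ipfw to load it for real; that also
# needs options IPDIVERT (or the ipdivert module), natd running on the public
# interface, and net.inet.ip.forwarding=1 (gateway_enable="YES" in rc.conf).
#
# Interface names and subnets are ASSUMPTIONS taken from the posted netstat
# output; the post does not show the values of $puif/$prif/$tsu/$usu.
IPFW="${IPFW:-echo ipfw}"
puif="${puif:-xl0}"             # assumed: public/upstream interface (default route)
prif="${prif:-fxp0}"            # assumed: private interface
tsu="${tsu:-192.168.1.0/24}"    # assumed: trusted subnet behind fxp0
usu="${usu:-192.168.0.0/24}"    # assumed: untrusted subnet
smtp_relays="${smtp_relays:-}"  # relays allowed on port 25; the post's hosts were lost

# Fix 1: no spaces inside a port list.  The shell splits "81, 113" into the
# two arguments "81," and "113,", so ipfw never receives a single list.
bad_ports="81,113,137-139,445,901,1026,1433-1434,1900,2283,2869,3389,5000,8080"
virus_ports="1080,2283,2535,2745,3127-3198,3410,5554,8866,9898"

# Print (or, with IPFW=/sbin/ipfw, load) the complete ruleset.
gen_rules() {
    a="$IPFW add"
    $IPFW -f flush

    $a 001 allow ip from any to any via lo0
    # Translate inbound replies/redirects first so later rules see real addresses.
    $a 050 divert natd ip from any to me in via "$puif"

    # Impossible source addresses on the public side.  RFC 1918 space is NOT
    # blocked here because, per the posted routing table, the upstream link
    # is itself 192.168.0.0/24.
    $a 081 deny ip from 127.0.0.0/8 to any in via "$puif"      # loopback
    $a 082 deny ip from 0.0.0.0/8 to any in via "$puif"        # "this" network
    $a 083 deny ip from 169.254.0.0/16 to any in via "$puif"   # link-local / auto-DHCP
    $a 084 deny ip from 224.0.0.0/4 to any in via "$puif"      # multicast as a source

    # Services the router offers on the private side and hides on the public
    # side (apart from SSH).  Ports are given per protocol so each rule is unambiguous.
    $a 160 allow tcp from any to me 22,80,443 via "$prif"
    $a 161 allow udp from any to me 68-69 via "$prif"
    $a 170 allow tcp from any to me 22 via "$puif"
    $a 171 deny tcp from any to me 80,443 via "$puif"
    $a 172 deny udp from any to me 68-69 via "$puif"

    # Outbound SMTP only to the listed relays; everything else on port 25 is
    # dropped so an infected host cannot spam directly.
    n=200
    for h in $smtp_relays; do
        $a $n allow tcp from any to "$h" 25 out via "$puif"
        n=$((n + 1))
    done
    $a 230 deny tcp from any to any 25 out via "$puif"

    $a 400 deny tcp from any to any "$bad_ports,$virus_ports" via "$puif"
    # Fix 2: "setup" matches only SYN-without-ACK, i.e. new connections.
    # Without it this rule also dropped the SYN/ACK replies to the router's
    # own and the LAN's outbound connections (destination port = ephemeral
    # source port, 49152-65535 by default), leaving only ICMP and UDP working.
    $a 401 deny tcp from any to any 10000-65535 setup
    $a 402 deny udp from any to any "$bad_ports,$virus_ports" via "$puif"

    $a 600 divert natd ip from "$tsu" to any out via "$puif"
    $a 605 deny ip from "$usu" to not me via "$prif"
    $a 611 allow ip from any to any
}

gen_rules
```

Run it as-is to review the rule text, then compare against `ipfw show` after loading: a working gateway shows the counters on rules 050 and 600 climbing for a TCP connection from the LAN, and nothing accumulating on 401. If rule 050 never matches, check that natd is running on the public interface and that the kernel has divert support; if forwarding is off, `sysctl net.inet.ip.forwarding` prints 0.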