From: Jack Barnett
Reply-To: jackbarnett@gmail.com
Date: Wed, 29 Oct 2008 21:25:54 -0500
To: Polytropon
Cc: Freebsd questions
Subject: Re: Firewalls in FreeBSD?
Message-ID: <49091B32.9060306@gmail.com>
In-Reply-To: <20081030031231.8a5fccb9.freebsd@edvax.de>
References: <49090BA3.5090407@gmail.com> <20081030031231.8a5fccb9.freebsd@edvax.de>

Yes, that is my setup.

Hrm... well, I disabled the firewall completely and restarted, but it still doesn't work.

I have gateway and natd both enabled. x10 is the "external" interface (the one that is DHCP and connects to the cable modem).

I don't want to redirect anything to my Windows box. I just want anything that connects out from my Windows box to be able to connect or send data back in. For example, I load up a client (game) and it connects out on XYZ port. The server will send data back on ABC. The problem, from what I can tell, is that I can get a connection out, but when the server tries to send data back on ABC it is discarded.
Polytropon wrote:

> If I understood you correctly, your setting is:
>
>     (Modem/Router)---DHCP---(FreeBSD)---("Windows")
>
> I may respond directly on your configuration settings:
>
> On Wed, 29 Oct 2008 20:19:31 -0500, Jack Barnett <jackbarnett@gmail.com> wrote:
>
>>     gateway_enable="YES"
>>     #firewall_enable="YES"
>>     #firewall_type="open"
>>     firewall_type="simple"
>>     #firewall_type="open"
>>     firewall_logging="YES"
>
> Use instead:
>
>     gateway_enable="YES"
>     natd_enable="YES"
>     natd_interface="xl0"
>
> You may add special redirect directives to NATD's settings, such as
>
>     natd_flags="-redirect_port tcp 192.168.1.2:5900 5900"
>     natd_flags="-redirect_port tcp 192.168.1.5:23 6666"
>
> or
>
>     natd_flags="-redirect_address 192.168.1.2 141.44.165.58 \
>                 -redirect_address 192.168.1.5 141.44.165.58"
>
> Examples taken from a very old configuration. :-)
>
> Then,
>
>     firewall_enable="YES"
>     firewall_type="/etc/ipfw.conf"
>
> Then, be sure to have nice firewall settings, you can use things similar
> to this, enabling just the services you really need and want, it's easy
> to write your own one or to rewrite this:
>
>     -f flush
>     add divert natd ip from any to any via xl0
>     add allow tcp from any to any ftp in recv xl0
>     add allow tcp from any to any ssh in recv xl0
>     add allow tcp from any to any auth in recv xl0
>     add allow udp from any to any ntp in recv xl0
>     add allow udp from any to any ntalk in recv xl0
>     add deny udp from any to any x11 in recv xl0
>     add reset tcp from any to any x11 in recv xl0
>     add allow ipencap from any to any
>     add allow ip from any to any
>
> This should work fine. NB to use the correct interface names.
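As an added illustration (not Polytropon's file and not from the original thread), here is a stateful version of the /etc/ipfw.conf idea above: outbound connections from the LAN create dynamic state before NAT, so the server's replies are let back in, while unsolicited inbound traffic is dropped instead of being passed by a final "allow ip from any to any". It assumes xl0 is the external interface as in the thread, vr0 is the LAN interface (assumed name), natd runs with natd_interface="xl0", and the rule numbers are my own choice.

```ipfw
# /etc/ipfw.conf (added example): NAT gateway with default-deny and state.
# Assumed: xl0 = external (DHCP) interface, vr0 = LAN interface.
-f flush

# Inbound packets are un-NATed first, so every later rule sees LAN addresses.
add 00100 divert natd ip from any to any in via xl0

# Loopback, plus anti-spoofing on the external side.
add 00200 allow ip from any to any via lo0
add 00210 deny ip from any to 127.0.0.0/8
add 00220 deny ip from 127.0.0.0/8 to any
add 00230 deny ip from 192.168.0.0/16 to any in via xl0
add 00240 deny ip from 10.0.0.0/8 to any in via xl0
add 00250 deny ip from 172.16.0.0/12 to any in via xl0

# Replies to connections we opened. A match takes the action of the rule that
# created the entry (skipto 5000 below), so they bypass the service rules.
add 00300 check-state

# The LAN side is trusted.
add 00400 allow ip from any to any via vr0

# Outbound connections create state while the packet still carries its LAN
# address, then jump to the NAT rule. A reply must come from the same remote
# address and port that the state recorded; a server answering from another
# port is not return traffic and needs its own rule or a natd redirect.
add 01000 skipto 5000 tcp from any to any out via xl0 setup keep-state
add 01010 skipto 5000 udp from any to any out via xl0 keep-state
add 01020 skipto 5000 icmp from any to any out via xl0 keep-state

# Services the gateway itself deliberately offers to the outside. Ports sent
# to a LAN host with natd -redirect_port also need an allow rule here.
add 02000 allow tcp from any to me ssh in via xl0 setup keep-state

# Anything else crossing the external interface is logged and dropped
# (logging needs firewall_logging="YES", i.e. net.inet.ip.fw.verbose=1).
add 04000 deny log ip from any to any in via xl0
add 04010 deny log ip from any to any out via xl0

# Outbound NAT, then pass; reached only via skipto or an existing state entry.
add 05000 divert natd ip from any to any out via xl0
add 05010 allow ip from any to any
```

With firewall_type="/etc/ipfw.conf" in rc.conf, /etc/rc.firewall feeds this file to ipfw at boot; check the result with "ipfw -d list", which also shows the dynamic entries.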