Date:      Thu, 28 Apr 2005 08:32:15 -0700
From:      perikillo <perikillo@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Nat problem
Message-ID:  <51d7a516050428083232cf9dcd@mail.gmail.com>
In-Reply-To: <427038E2.5000106@searchy.nl>
References:  <427038E2.5000106@searchy.nl>

Hello Frank.

I think you are using ipfilter, but what about the rules in ipfilter.conf?
The handbook has a very good explanation of ipfilter; my rules are based
on the handbook and the ipfilter how-to.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html
http://www.obfuscation.org/ipf/ipf-howto.txt

Look, these are my rules in ipfilter.conf. My connection is DSL, ed0 is my
internal interface and tun0 is my public interface on FreeBSD 4.11-p4.

# Inbound on the public interface: everything is handed to group 1 and
# dropped unless a rule passes it. Nothing here passes, so the only traffic
# that gets in is replies matched by the "keep state" entries of group 2.
block in on tun0 all head 1
# Anti-spoofing: drop packets that claim a private, reserved or unroutable
# source (RFC 1918, loopback, "this" network, link-local, TEST-NET-1,
# the Sun cluster block, class D/E).
block in quick on tun0 from 192.168.0.0/16 to any group 1
block in quick on tun0 from 172.16.0.0/12 to any group 1
block in quick on tun0 from 10.0.0.0/8 to any group 1
block in quick on tun0 from 127.0.0.0/8 to any group 1
block in quick on tun0 from 0.0.0.0/8 to any group 1
block in quick on tun0 from 169.254.0.0/16 to any group 1
block in quick on tun0 from 192.0.2.0/24 to any group 1
block in quick on tun0 from 204.152.64.0/23 to any group 1
block in quick on tun0 from 224.0.0.0/3 to any group 1
# Caveat: 192.168.0.0 with a /8 mask is 192.0.0.0/8, so the next rule also
# drops legitimate public 192.x.x.x sources. The /16, /24 and /32 entries
# after it are already covered by the 192.168.0.0/16 rule above.
block in quick on tun0 from 192.168.0.0/8 to any group 1
block in quick on tun0 from 192.168.0.0/16 to any group 1
block in quick on tun0 from 192.168.0.0/24 to any group 1
block in quick on tun0 from 192.168.0.0/32 to any group 1
block in quick on tun0 from 192.168.0.255/32 to any group 1
# Fragments, TCP segments too short to carry a full header, source routing,
# the FIN/URG/PUSH flag combination and any IP options are dropped outright.
# (The posted frags line had a second "group 1 to any" appended, which ipf
# does not accept; it is removed here.)
block in quick on tun0 all with frags group 1
block in quick on tun0 proto tcp all with short group 1
block in quick on tun0 all with opt lsrr group 1
block in quick on tun0 all with opt ssrr group 1
block in quick on tun0 proto tcp from any to any flags FUP group 1
block in quick on tun0 all with ipopts group 1
# No inbound echo requests: the box does not answer pings from outside.
block in quick on tun0 proto icmp all icmp-type 8 group 1
# Explicit drops for ident, the Windows RPC/NetBIOS/SMB ports, IKE (500)
# and HTTP-RPC (593). The final rule would catch these anyway.
block in quick on tun0 proto tcp from any to any port = 113 group 1
block in quick on tun0 proto tcp/udp from any to any port = 135 group 1
block in quick on tun0 proto tcp/udp from any to any port = 137 group 1
block in quick on tun0 proto tcp/udp from any to any port = 138 group 1
block in quick on tun0 proto tcp/udp from any to any port = 139 group 1
block in quick on tun0 proto tcp/udp from any to any port = 81 group 1
block in quick on tun0 proto tcp/udp from any to any port = 445 group 1
block in quick on tun0 proto tcp/udp from any to any port = 500 group 1
block in quick on tun0 proto tcp/udp from any to any port = 593 group 1
# Everything else inbound on tun0: log the first packet, then drop.
block in log first quick on tun0 group 1

# Outbound on the public interface: group 2 is default deny, with stateful
# passes for the services this box is allowed to reach. "flags S" means only
# a bare SYN creates the state entry; the rest of the flow rides on it.
block out on tun0 all head 2
# MYDNS1_IP and MYDNS2_IP are my DNS servers from my ISP.
pass out quick on tun0 proto tcp from any to MYDNS1_IP/32 port = 53 flags S keep state group 2
pass out quick on tun0 proto udp from any to MYDNS1_IP/32 port = 53 keep state group 2
pass out quick on tun0 proto tcp from any to MYDNS2_IP/32 port = 53 flags S keep state group 2
pass out quick on tun0 proto udp from any to MYDNS2_IP/32 port = 53 keep state group 2
# With these rules I can connect to web servers (plus ftp, telnet, 5999 and whois).
pass out quick on tun0 proto tcp from any to any port = 80 flags S keep state group 2
pass out quick on tun0 proto tcp from any to any port = 443 flags S keep state group 2
pass out quick on tun0 proto tcp from any to any port = 21 flags S keep state group 2
pass out quick on tun0 proto tcp from any to any port = 23 flags S keep state group 2
pass out quick on tun0 proto tcp from any to any port = 5999 flags S keep state group 2
pass out quick on tun0 proto tcp from any to any port = 43 flags S keep state group 2
# With this rule I can ping the outside world (the echo reply comes back via state).
pass out quick on tun0 proto icmp from any to any icmp-type 8 keep state group 2
# Anything else outbound on tun0: log the first packet, then drop.
block out log first quick on tun0 all group 2

# The internal LAN interface, loopback and the parallel-line interface are
# fully trusted in both directions.
pass in quick on ed0 all
pass out quick on ed0 all
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on lp0 all
pass out quick on lp0 all   # assumed: the posted line read lo0 again, which only repeats the lo0 rule above

# Default deny for any interface not named above.
block in quick all
block out quick all

And ipnat.rules:
# The ftp proxy comes first so active-mode FTP data connections are rewritten,
# then a portmap range for TCP/UDP, then a catch-all for everything else.
# "0/32" as the target means "the current address of tun0", which is what a
# DSL link with a changing address needs. The portmap range uses low:high
# (the posted line had 20000/60000, which ipnat does not accept).
map tun0 0/0 -> 0/32 proxy port ftp ftp/tcp
map tun0 0/0 -> 0/32 portmap tcp/udp 20000:60000
map tun0 0/0 -> 0/32

Hope this can help you Frank.

On 4/27/05, Frank de Bot <freebsd@searchy.nl> wrote:
>
> Hi,
>
> I got my FreeBSD box set up as a NAT gateway. I got it working partially;
> icmp pinging from inside to the internet works. But as soon as I try to
> make a tcp connection (loading a webpage or so) it just sits still!
>
> The external interface is fxp0
> The internal interface is gif3 (this is an ipip tunnel)
>
> ipnat.conf is:
>
> map fxp0 10.0.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 1025:65000
> map fxp0 10.0.1.0/24 -> 0.0.0.0/32
>
> I find it very odd, because pings travel and are natted without
> problems. What can be wrong?
>
> Thanks in advance,
>
> Frank de Bot!
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
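
A small checker for the anti-spoof block of the ruleset above, as an added example that is not from either poster. It parses only the "block in quick on <if> from <cidr> to any group <n>" form used in the thread, normalises each prefix the way the kernel does (host bits under the mask are ignored), reports entries that drop public address space or duplicate an earlier, broader entry, and answers which line would drop a packet from a given source. The RULES string is a constructed copy of the posted group-1 lines; 192.0.32.10 is simply a public 192.x address chosen to show what the /8 entry does.

```python
"""Lint the inbound anti-spoof (group 1) rules of an ipfilter ruleset.

Added example, not from either poster: it understands only the
'block in quick on <if> from <cidr> to any group <n>' form used in the
thread, normalises each prefix as ipf does (host bits under the mask are
ignored) and reports rules that drop public address space or are already
covered by an earlier, broader rule.
"""
import ipaddress
import re

# Constructed sample: the group-1 anti-spoof lines from the posted ruleset.
RULES = """\
block in on tun0 all head 1
block in quick on tun0 from 192.168.0.0/16 to any group 1
block in quick on tun0 from 172.16.0.0/12 to any group 1
block in quick on tun0 from 10.0.0.0/8 to any group 1
block in quick on tun0 from 127.0.0.0/8 to any group 1
block in quick on tun0 from 0.0.0.0/8 to any group 1
block in quick on tun0 from 169.254.0.0/16 to any group 1
block in quick on tun0 from 192.0.2.0/24 to any group 1
block in quick on tun0 from 204.152.64.0/23 to any group 1
block in quick on tun0 from 224.0.0.0/3 to any group 1
block in quick on tun0 from 192.168.0.0/8 to any group 1
block in quick on tun0 from 192.168.0.0/16 to any group 1
block in quick on tun0 from 192.168.0.0/24 to any group 1
block in quick on tun0 from 192.168.0.0/32 to any group 1
block in quick on tun0 from 192.168.0.255/32 to any group 1
block in quick on tun0 all with frags group 1
"""

RULE_RE = re.compile(
    r"^block in quick on (?P<iface>\S+) from (?P<src>[\d.]+/\d+)"
    r" to any group (?P<grp>\d+)$"
)

# What the list is meant to cover: RFC 1918, loopback, "this" network,
# link-local, TEST-NET-1, the Sun cluster block and class D/E space.
INTENDED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "204.152.64.0/23",
    "224.0.0.0/3")]


def parse_block_rules(text):
    """Return [(prefix_as_written, normalised_network, line_no), ...]."""
    rules = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line.strip())
        if m:
            # strict=False mirrors ipf: 192.168.0.0/8 becomes 192.0.0.0/8.
            net = ipaddress.ip_network(m.group("src"), strict=False)
            rules.append((m.group("src"), net, line_no))
    return rules


def lint(text):
    """Return findings as (line_no, message) tuples."""
    findings = []
    rules = parse_block_rules(text)
    for written, net, line_no in rules:
        if str(net) != written:
            findings.append((line_no,
                f"{written} is really {net} (host bits ignored)"))
        if not any(net.subnet_of(ok) for ok in INTENDED):
            findings.append((line_no,
                f"{net} blocks address space outside the bogon list"))
        for earlier, earlier_net, earlier_no in rules:
            if earlier_no < line_no and net.subnet_of(earlier_net):
                findings.append((line_no,
                    f"{written} already covered by {earlier} on line {earlier_no}"))
                break
    return findings


def blocked_by(text, addr):
    """Line number of the first group-1 rule that drops a packet from addr, or None."""
    a = ipaddress.ip_address(addr)
    for _written, net, line_no in parse_block_rules(text):
        if a in net:
            return line_no
    return None


if __name__ == "__main__":
    for line_no, msg in lint(RULES):
        print(f"line {line_no}: {msg}")
    # 192.0.32.10 is a public (non RFC 1918) address chosen only to show the
    # effect of the /8 rule; 10.1.2.3 is private space; 198.51.100.7 is TEST-NET-2.
    for probe in ("192.0.32.10", "10.1.2.3", "198.51.100.7"):
        print(probe, "blocked by line", blocked_by(RULES, probe))
```

Running it against the posted list flags line 11 twice (the written 192.168.0.0/8 is really 192.0.0.0/8, and that prefix is not in the bogon list) and lines 12 to 15 as already covered by the 192.168.0.0/16 rule on line 2; a packet from the public address 192.0.32.10 is dropped by line 11, which is the practical cost of the /8 typo.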



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51d7a516050428083232cf9dcd>