Date:      Wed, 26 Feb 2003 11:25:02 -0800
From:      "Joshua Lokken" <bsdaemon@eudoramail.com>
To:        "Questions" <freebsd-questions@freebsd.org>
Subject:   ipfw troubleshooting (was ipfw rule placement)
Message-ID:  <NCPGCOKPJPLIHBAA@whowhere.com>


Hello

I am running 4.7-RELEASE-p6 as a gateway (ipfw+natd).  Thanks to those of you who helped me firm up my ruleset.  natd is running and configured; however, I am not able to do port redirection or HTTP from the outside.  (Firewall disk crashed over the weekend, and I didn't have things properly backed up.)

My firewall log is flooded with this message:

[date and time] churgeon /kernel: ipfw: Deny UDP 10.142.240.1:67 255.255.255.255:68 in via ed1

When I run sockstat, I see that dhclient is listening for UDP packets on port 68:

root   dhclient    62  4  udp4   *:68         *:*

Attached is my ipfw ruleset.  I'd like to know if I need to allow these packets (if they're required by dhclient, etc.).
Just in case, I've attached natd.conf and rc.conf, as well.  Thanks for any help.

---

Joshua Lokken
FreeBSD:  The Power to Serve!
bsdaemon@eudoramail.com
[Attachment: firewall.conf]

#!/bin/sh

fwcmd="/sbin/ipfw"
oif="ed1"                 # outside interface (address assigned by DHCP)
oip="xxx.xxx.xxx.xxx"     # outside address

iif="rl0"                 # inside interface
inwr="10.0.0.0/8"         # inside network
iip="10.0.0.1"

ns1="204.127.198.4"
ns2="216.148.227.68"
ns3="207.228.252.107"
ns4="64.246.26.64"

$fwcmd -f flush

# loopback
$fwcmd add allow all from any to any via lo0

# everything crossing the outside interface is handed to natd first;
# later rules see the translated addresses and ports
$fwcmd add divert natd all from any to any via $oif

# ICMP unreachable, source quench, time exceeded, parameter problem
$fwcmd add allow icmp from any to any icmptypes 3,4,11,12

# match the dynamic rules created by the keep-state rules below
$fwcmd add check-state

# UDP originated by the gateway's outside address
$fwcmd add allow udp from $oip to any via $oif keep-state

# new TCP connections to services on the gateway's outside address
$fwcmd add allow tcp from any to $oip 22,25,80,110,443,6346,22002,22003,22010 setup via $oif keep-state

# anything else the gateway originates
$fwcmd add allow ip from $oip to any keep-state out via $oif

# inside network, both directions on the inside interface
$fwcmd add allow ip from $inwr to any keep-state via $iif

# default: deny and log
$fwcmd add 65435 deny log ip from any to any
[Attachment: natd.conf]

# natd.conf
# flags

interface ed1
dynamic yes
unregistered_only yes

# Web and mail

redirect_port tcp 10.0.0.10:8080 80
redirect_port udp 10.0.0.10:8080 80
redirect_port tcp 10.0.0.10:443 443
redirect_port udp 10.0.0.10:443 443

# SSH
redirect_port tcp 10.0.0.2:22 22002
redirect_port udp 10.0.0.2:22 22002
redirect_port tcp 10.0.0.3:22 22003
redirect_port udp 10.0.0.3:22 22003
redirect_port tcp 10.0.0.10:22 22010
redirect_port udp 10.0.0.10:22 22010

# VNC
redirect_port tcp 10.0.0.2:5900-5910 5900-5910
redirect_port udp 10.0.0.2:5900-5910 5900-5910
[Attachment: rc.conf]


# -- sysinstall generated deltas -- # Sat Feb 15 13:14:18 2003
# Created: Sat Feb 15 13:14:18 2003

network_interfaces="lo0 ed1 rl0"
hostname="churgeon.joshualokken.com"
ifconfig_ed1="DHCP"
ifconfig_rl0="inet 10.0.0.1  netmask 255.0.0.0"
inetd_enable="NO"
kern_securelevel_enable="YES"
kern_securelevel="1"
nfs_reserved_port_only="YES"
sendmail_enable="NONE"
sshd_enable="YES"
syslogd_enable="YES"
syslogd_flags="-ss"

gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="ed1"
natd_flags="-f /etc/natd.conf"
firewall_script="/etc/firewall.conf"

tcp_extensions="YES"
icmp_drop_redirect="YES"

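One way to rework the posted firewall.conf, as an added example that is not part of the original message or of FreeBSD. It keeps the interfaces, inside network and natd redirects from the posted files and changes two things: DHCP client traffic on ed1 is allowed explicitly, placed before the divert rule so natd never sees it, and connections to the natd-redirected services are matched on the inside address and port, because the divert rule rewrites the destination before any later rule sees the packet. The outside address stays the xxx placeholder from the post; the FWCMD and OIP environment variables, the rule/gen_rules/apply_rules functions and the show/apply arguments are this example's own conventions.

```shell
#!/bin/sh
# Reworked gateway ruleset (added example, not the poster's firewall.conf).
# Assumes ed1 outside (DHCP), rl0 inside, and the natd redirects from the
# posted natd.conf: 80/443/22010 -> 10.0.0.10, 22002 and 5900-5910 -> 10.0.0.2,
# 22003 -> 10.0.0.3.  FWCMD and OIP are this example's own knobs.

fwcmd="${FWCMD:-/sbin/ipfw}"      # FWCMD=echo for a dry run
oif="ed1"                          # outside interface, address from DHCP
oip="${OIP:-xxx.xxx.xxx.xxx}"      # outside address, placeholder as in the post
iif="rl0"                          # inside interface
inwr="10.0.0.0/8"                  # inside network
web="10.0.0.10"                    # redirect target for 80, 443, 22010
host2="10.0.0.2"                   # redirect target for 22002 and VNC
host3="10.0.0.3"                   # redirect target for 22003

# Print one ipfw argument list per line ('add' included) so the same rule
# text can be inspected or fed to ipfw.
rule() { printf '%s\n' "$*"; }

gen_rules() {
    rule add allow all from any to any via lo0

    # DHCP client traffic on the outside interface.  Requests go from port 68
    # to 67; replies come back to port 68, unicast or to 255.255.255.255 (the
    # packets the posted log shows being denied).  They never need NAT, so
    # they sit before the divert rule and natd never sees them.
    rule add allow udp from any 68 to any 67 out via "$oif"
    rule add allow udp from any 67 to any 68 in via "$oif"

    # Everything else crossing the outside interface passes through natd.
    rule add divert natd all from any to any via "$oif"

    rule add allow icmp from any to any icmptypes 3,4,11,12
    rule add check-state

    # Traffic the gateway itself originates.
    rule add allow ip from "$oip" to any keep-state out via "$oif"

    # Services on the gateway's own address.  80 and 443 are not listed: natd
    # redirects them, so a packet to the outside address port 80 never
    # reaches this rule with that destination.
    rule add allow tcp from any to "$oip" 22,25,110,6346 setup in via "$oif" keep-state

    # natd redirects.  By the time an inbound packet reaches this point the
    # divert rule has already rewritten its destination to the inside
    # address and port, so the match must use those, not the outside
    # address and the public port.  The dynamic rule created here also
    # covers the packet on its way out via the inside interface and the
    # replies coming back in from the inside host.
    rule add allow tcp from any to "$web" 8080,443,22 setup in via "$oif" keep-state
    rule add allow tcp from any to "$host2" 22,5900-5910 setup in via "$oif" keep-state
    rule add allow tcp from any to "$host3" 22 setup in via "$oif" keep-state

    # Inside network out (and state for the replies).
    rule add allow ip from "$inwr" to any keep-state via "$iif"

    # Default deny, logged.
    rule add 65435 deny log ip from any to any
}

apply_rules() {
    $fwcmd -f flush
    gen_rules | while read -r line; do
        # word splitting of $line is intended: each line is one argument list
        $fwcmd $line
    done
}

case "${1:-show}" in
    show)  gen_rules ;;
    apply) apply_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

`sh firewall.sh` prints the rules, `sh firewall.sh apply` (as root) loads them, and `FWCMD=echo sh firewall.sh apply` shows the exact ipfw commands without touching the kernel. After loading, `ipfw -a list` shows per-rule packet counters and `ipfw -d list` the dynamic rules, which is the quickest way to see which rule a given packet actually hit. If the ipfw on the box supports the `me` keyword, it can stand in for the hard-coded outside address, which otherwise has to be updated whenever the DHCP lease changes.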


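A small triage helper for the "log is flooded" part of the question, added here as an example and not taken from the post: it counts ipfw deny lines per flow so the noisiest hits on the default rule stand out. The sample log lines are constructed in the format of the one quoted above; the TCP line shows what a failed natd redirect looks like in the log, since the destination has already been rewritten to the inside host by the time the deny rule logs it. The function name and the sample data are this example's own.

```shell
#!/bin/sh
# Count ipfw deny log lines per flow (added example, not from the post).
# Works on the syslog lines ipfw writes; the fields after the action word
# are PROTO SRC:PORT DST:PORT in|out via IFACE.

summarize_denies() {
    awk '
        /ipfw:/ {
            # locate the action word; a rule number, if logged, precedes it
            for (i = 1; i <= NF; i++) if ($i == "Deny" || $i == "Accept") break
            if (i > NF) next
            key = $i " " $(i+1) " " $(i+2) " " $(i+3) " " $(i+4) " " $(i+6)
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample lines in the format of the one quoted in the post.
SAMPLE_LOG='Feb 26 10:01:02 churgeon /kernel: ipfw: Deny UDP 10.142.240.1:67 255.255.255.255:68 in via ed1
Feb 26 10:01:09 churgeon /kernel: ipfw: Deny UDP 10.142.240.1:67 255.255.255.255:68 in via ed1
Feb 26 10:02:31 churgeon /kernel: ipfw: Deny TCP 192.0.2.10:4321 10.0.0.10:8080 in via ed1
Feb 26 10:03:05 churgeon /kernel: ipfw: Deny UDP 10.142.240.1:67 255.255.255.255:68 in via ed1'

# Live use: summarize_denies < /var/log/security (wherever syslog puts
# the security facility on the box)
printf '%s\n' "$SAMPLE_LOG" | summarize_denies
```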
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?NCPGCOKPJPLIHBAA>