Date:      Fri, 7 May 2004 15:10:50 +0300
From:      Gregory Edigarov <greg@profi.kharkov.ua>
To:        freebsd-questions@freebsd.org
Subject:   ipfw q
Message-ID:  <20040507121050.GA15096@profi.kharkov.ua>

Hello, list.

Can anybody help me, as I really can't understand this.
The scenario:
there are two nets: 192.168.5.0/24 and 192.168.7.0/24.
All users normally sit in 192.168.5.0/24, using 192.168.7.0/24 as
VPN addresses.
All VPN users have access to squid, socks, mail, and pop3.
Everything works fine, but now I need to give "direct" access to
2 hosts: 192.168.5.220 and 192.168.7.70.
I wrote the following rc.firewall script (tun0 is my outside
interface):
---
#!/bin/sh
ipfw -f flush

ipfw add check-state
ipfw add allow all from me to any

ipfw add allow all from any to any via lo0

ipfw add deny all from 10.0.0.0/8 to any in via tun0
ipfw add deny all from 172.16.0.0/12 to any in via tun0
ipfw add deny all from 192.168.0.0/16 to any in via tun0
ipfw add allow icmp from me to any keep-state
ipfw add allow icmp from 192.168.5.0/24 to me 
ipfw add deny all from any to any frag

ipfw add divert natd all from 192.168.5.220 to any out xmit tun0
ipfw add divert natd all from 192.168.7.70  to any out recv ppp\* xmit tun0
ipfw add divert natd all from any to 195.5.17.86 in recv tun0
ipfw add allow all from 192.168.5.220 to any in via sk0 
ipfw add allow all from 192.168.7.70 to any in via ppp\*
ipfw add allow all from me to any
ipfw add unreach filter-prohib ip from not me to any out recv any xmit tun0

ipfw add allow gre from 192.168.5.0/24 to me
ipfw add allow gre from me to any


ipfw add allow tcp from me to any keep-state
ipfw add allow udp from me to any keep-state
ipfw add allow udp from any to me 53
ipfw add allow tcp from any to any established
ipfw add allow tcp from any to me 25 setup
ipfw add allow tcp from any to me ssh setup
ipfw add allow tcp from any to me http setup via tun0
ipfw add allow tcp from 192.168.7.0/24 to me 3128 setup via ppp\*
ipfw add allow tcp from 192.168.7.0/24 to me 2080 setup via ppp\*
ipfw add allow tcp from 192.168.7.0/24 to me pop3 setup via ppp\*
ipfw add allow tcp from 192.168.5.0/24 to me pptp setup
ipfw add allow tcp from 192.168.5.0/24 to me ftp\\-data-ftp setup via sk0
ipfw add allow tcp from any to me 53 setup

ipfw add deny log all from any to any


Installed it, then used "natd -n tun0".
Then I try to go somewhere using something like "ping freebsd.org".
It doesn't work.
What am I missing? How should I rewrite my script to achieve full
power?
Thanks a lot in advance. 
-- 
With best regards,
        Gregory Edigarov
------------------------------------------------------------------------------
profi.kharkov.ua                                        Systems Administrator
------------------------------------------------------------------------------
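Added example, not part of the message above: a small first-match walk of the posted rules (restricted to the ones an ICMP packet from 192.168.5.220 can hit) with natd modelled as a simple address rewrite. It assumes 195.5.17.86 is the tun0 address, an inside address of 192.168.5.1 on sk0, and a constructed remote host 203.0.113.5; dynamic state is ignored because the script only keeps state for flows the firewall itself originates. Tracing both directions shows which rule finally decides each packet, which is the check worth running on any divert/natd rule set.

```python
import fnmatch, ipaddress

# Addresses the firewall itself holds ("me"): 195.5.17.86 is the tun0 address from
# the post; 192.168.5.1 on sk0 is an assumption made for this trace.
ME = {"195.5.17.86", "192.168.5.1"}
# Rules from the post, in their order; rules that cannot match these ICMP packets omitted.
RULES = """check-state
allow all from me to any
allow all from any to any via lo0
deny all from 192.168.0.0/16 to any in via tun0
allow icmp from me to any keep-state
allow icmp from 192.168.5.0/24 to me
divert natd all from 192.168.5.220 to any out xmit tun0
divert natd all from any to 195.5.17.86 in recv tun0
allow all from 192.168.5.220 to any in via sk0
allow all from me to any
unreach filter-prohib ip from not me to any out recv any xmit tun0
deny log all from any to any""".splitlines()
# Constructed packets: the echo request being forwarded out, and the echo reply coming back in.
REQUEST_OUT = dict(proto="icmp", src="192.168.5.220", dst="203.0.113.5", dir="out", recv="sk0", xmit="tun0")
REPLY_IN = dict(proto="icmp", src="203.0.113.5", dst="195.5.17.86", dir="in", recv="tun0", xmit=None)

def addr_ok(spec, ip):
    if spec in ("any", "me"):
        return spec == "any" or ip in ME
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    """One rule against one packet; modelled: proto, from/to (incl. not), in/out, via/recv/xmit."""
    t = [w for w in rule.split() if w not in ("log", "keep-state", "natd", "filter-prohib")]
    if t[0] == "check-state" or t[1] not in ("all", "ip", pkt["proto"]): return False  # no dynamic state here
    t = t[2:]                                 # drop action and protocol
    for key, field in (("from", "src"), ("to", "dst")):
        assert t.pop(0) == key
        neg = t[0] == "not" and t.pop(0)      # "not me" negates the address test
        if addr_ok(t.pop(0), pkt[field]) == bool(neg): return False
    while t:
        w = t.pop(0)
        if w in ("in", "out") and pkt["dir"] != w: return False
        if w in ("via", "recv", "xmit"):
            pat, ifs = t.pop(0), [pkt["recv"], pkt["xmit"]] if w == "via" else [pkt[w]]
            if not any(i and (pat == "any" or fnmatch.fnmatch(i, pat)) for i in ifs): return False
    return True

def trace(pkt):
    """First-match walk; a divert hands the packet to simulated natd, which rewrites it and re-injects it at the next rule."""
    for rule in RULES:
        if matches(rule, pkt):
            if rule.split()[0] != "divert": return rule.split()[0], rule
            pkt = dict(pkt, src="195.5.17.86") if pkt["dir"] == "out" else dict(pkt, dst="192.168.5.220")
```

In this model the outbound request is admitted by "allow all from me to any" after natd rewrites its source, while the de-NATed reply, now addressed to 192.168.5.220, matches nothing between the inbound divert and the final deny, which is where to look when adding a rule for the two direct-access hosts.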