Date: Thu, 2 Aug 2001 09:19:51 +0200
From: "locus" <own3d@gmx.net>
To: "freebsd-questions@freebsd" <freebsd-questions@freebsd.org>, "Dennis Berger" <HypnotiZer@gmx.net>
Subject: RE: convert ruleset from IPF to IPFW
Message-ID: <MKELJLDELMDJNLKMHMAIOEBECBAA.own3d@gmx.net>
In-Reply-To: <000801c11ab4$8b25a4a0$650110ac@nachpolierer>
Hi,

you can use ipf and ipfw/dummynet together with no problems. That is what I am doing on my wall. If you still want to convert your rules from ipf to ipfw, just keep in mind that ipfw is not a stateful packetfilter. Therefore you will have to add some new rules for connections that were specified as 'keep state'.

PS: sorry, I have no time to translate your rules at the moment.

bye

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Dennis Berger
Sent: Wednesday, 1 August 2001 20:05
To: freebsd-questions@freebsd.org
Subject: convert ruleset from IPF to IPFW

Hi,

I have the following ruleset built, but it still doesn't work without rule 150 and I have no idea why... I mean, why the hell can't the packet come back although the dynamic rules are built? And UDP traffic is also denied back in to my clients. I set net.inet.ip.fw.one_pass=0 to ensure that a packet is not terminated by the pipe.

Or maybe somebody can help me to convert my existing IPF ruleset to IPFW. I would like to do this because I need a traffic-shaper and under FreeBSD ALTQ doesn't work with the tun-device.

"/etc/ipf.rules"

block in log all
block out log all
pass in on lo0 all
pass out on lo0 all
pass in on xl0 all
pass out on xl0 all
pass in on rl0 all
pass out on rl0 all
block in log quick on tun0 from 192.168.0.0/16 to any
block in log quick on tun0 from 172.16.0.0/12 to any
block in log quick on tun0 from 10.0.0.0/8 to any
block in log quick on tun0 from 127.0.0.0/8 to any
block in log quick on tun0 from 0.0.0.0/8 to any
block in log quick on tun0 from 169.254.0.0/16 to any
block in log quick on tun0 from 192.0.2.0/24 to any
block in log quick on tun0 from 204.152.64.0/23 to any
block in log quick on tun0 from 224.0.0.0/3 to any
pass in quick on tun0 proto icmp from any to any icmp-type 0
pass in quick on tun0 proto icmp from any to any icmp-type 11
pass in quick on tun0 proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 443 flags S keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 21 flags S keep state keep frags
pass in quick on tun0 proto tcp from any port > 1023 to any port 49152 >< 65535 flags S keep state keep frags
block out quick on tun0 proto udp from any to 192.246.40.56
block out log quick on tun0 proto tcp from any to any port 6666 >< 6670
pass out quick on tun0 proto tcp from any to any flags S keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state

"/etc/natd.cf"

redirect_port udp 127.0.0.1:27952 192.246.40.56:27952
use_sockets yes
unregistered_only no
interface tun0
dynamic yes
same_ports yes
punch_fw 500:100

"/etc/ipfw.rules"

fwcmd="/sbin/ipfw"
$fwcmd -f flush
$fwcmd add 20 pass all from any to any via lo0
$fwcmd add 30 pass all from any to any via rl0
$fwcmd add 40 pass all from any to any via xl0
$fwcmd add 50 deny log all from 192.168.0.0/16 to any in via tun0
$fwcmd add 60 deny log all from 172.16.0.0/12 to any in via tun0
$fwcmd add 70 deny log all from 10.0.0.0/8 to any in via tun0
$fwcmd add 80 deny log all from 127.0.0.0/8 to any in via tun0
$fwcmd add 90 deny log all from 0.0.0.0/8 to any in via tun0
$fwcmd add 100 deny log all from 169.254.0.0/16 to any in via tun0
$fwcmd add 110 deny log all from 192.0.2.0/24 to any in via tun0
$fwcmd add 120 deny log all from 204.152.64.0/23 to any in via tun0
$fwcmd add 130 deny log all from 224.0.0.0/3 to any in via tun0
$fwcmd add 131 count tcp from any to any via tun0
$fwcmd add 132 count udp from any to any 27000-28000 out via tun0
$fwcmd add 133 count tcp from any 1024-65535 to any 21 in via tun0
$fwcmd add 134 count tcp from any 20 to any 1024-65535 out via tun0
$fwcmd add 135 count tcp from any 49153-65535 to any 1024-65535 out via tun0
$fwcmd add 136 count tcp from any to any 80 in via tun0
$fwcmd add 136 count tcp from any to any 80 out via tun0
$fwcmd add 140 pipe 1 tcp from any to any 22,1494 via tun0
$fwcmd add 141 pipe 2 udp from any to any 27000-28000 out via tun0
$fwcmd add 142 pipe 3 tcp from any to any in via tun0
$fwcmd add 143 pipe 4 tcp from any to any out via tun0
$fwcmd pipe 1 config bandwidth 0 queue 10Kbyte
$fwcmd pipe 2 config bandwidth 0 queue 20Kbyte
$fwcmd pipe 3 config bandwidth 728Kbit/s queue 50Kbyte
$fwcmd pipe 4 config bandwidth 96Kbit/s queue 10Kbyte
$fwcmd add 149 divert natd ip from any to any via tun0
$fwcmd add 150 pass tcp from any to any in via tun0 established
$fwcmd add 160 check-state
$fwcmd add 200 pass icmp from any to any in via tun0 icmptypes 0,11
$fwcmd add 210 pass tcp from any to any 22 in via tun0 keep-state tcpflags syn
$fwcmd add 220 pass tcp from any to any 80 in via tun0 keep-state tcpflags syn
$fwcmd add 230 pass tcp from any to any 443 in via tun0 keep-state tcpflags syn
$fwcmd add 240 pass tcp from any to any 21 in via tun0 keep-state tcpflags syn
$fwcmd add 250 pass tcp from any 1024-65535 to any 49153-65535 in via tun0 keep-state tcpflags syn
$fwcmd add 260 deny udp from any to 192.246.40.56 out via tun0
$fwcmd add 270 deny log tcp from any to any 6666-6669 out via tun0
$fwcmd add 280 pass tcp from any to any out via tun0 keep-state tcpflags syn
$fwcmd add 290 pass udp from any to any out via tun0 keep-state
$fwcmd add 300 pass icmp from any to any out via tun0 keep-state
$fwcmd add 65530 deny log all from any to any
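Editor's added example, not code from either poster. The posted ipfw ruleset runs "divert natd" (rule 149) before "check-state" (160) in both directions, while the dynamic rule is created by rule 280 after the outbound packet has already been translated. An ipfw dynamic rule is keyed on the addresses the packet carries at the moment keep-state fires, so the SYN/ACK coming back is un-translated by natd and then looked up under the inside address, which never matches; that is my reading of why rule 150 is needed, stated here as an inference from the rule numbers, not something the thread confirms. The toy model below reproduces that behaviour and contrasts it with the skipto arrangement commonly used with natd, where state is keyed on inside addresses on both sides. Addresses are constructed (RFC 5737 test nets), the "setup" flag models a bare SYN rather than the posted "tcpflags syn" (which also matches SYN/ACK), and natd is reduced to a port-preserving translation table.

```python
from dataclasses import dataclass, replace
from typing import Optional

EXT_IP = "198.51.100.7"   # constructed: the tun0 address natd translates to
INT_IP = "10.1.1.20"      # constructed: a client behind the firewall
REMOTE = "203.0.113.80"   # constructed: the web server being contacted


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "in" or "out" relative to the external interface
    syn: bool
    ack: bool


@dataclass
class Rule:
    num: int
    action: str                       # "divert", "check-state", "pass", "deny", "skipto"
    direction: Optional[str] = None   # None matches both directions
    keep_state: bool = False          # create a dynamic rule when this rule matches
    setup: bool = False               # only match a bare SYN (ipfw "setup")
    target: Optional[int] = None      # rule number for "skipto"


def state_key(p):
    # A dynamic rule matches both directions, so key on the unordered endpoint pair.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = {}   # state_key -> (action, skipto target) of the parent rule
        self.nat = {}       # (ext_ip, port) -> inside ip, like natd's translation table

    def translate(self, p):
        # Outbound: source becomes the external address (same_ports style).
        # Inbound: destination is mapped back if natd knows the port.
        if p.direction == "out":
            self.nat[(EXT_IP, p.sport)] = p.src
            return replace(p, src=EXT_IP)
        inside = self.nat.get((p.dst, p.dport))
        return replace(p, dst=inside) if inside else p

    def process(self, p):
        i = 0
        while i < len(self.rules):
            r = self.rules[i]
            i += 1
            if r.direction and r.direction != p.direction:
                continue
            if r.action == "divert":
                p = self.translate(p)   # the packet re-enters at the next rule
                continue
            if r.action == "check-state":
                hit = self.dynamic.get(state_key(p))
                if hit is None:
                    continue
                action, target = hit    # dynamic rule inherits the parent's action
            else:
                if r.setup and not (p.syn and not p.ack):
                    continue
                action, target = r.action, r.target
                if r.keep_state:
                    self.dynamic[state_key(p)] = (action, target)
            if action == "skipto":
                i = next(j for j, x in enumerate(self.rules) if x.num >= target)
                continue
            return action, p
        return "deny", p   # implicit default


def exchange(rules):
    """Verdicts for: client SYN out, server SYN/ACK back, unsolicited SYN in."""
    fw = Firewall(rules)
    packets = [
        Packet(INT_IP, 40000, REMOTE, 80, "out", syn=True, ack=False),
        Packet(REMOTE, 80, EXT_IP, 40000, "in", syn=True, ack=True),
        Packet(REMOTE, 51000, EXT_IP, 22, "in", syn=True, ack=False),
    ]
    return [fw.process(p)[0] for p in packets]


# Same ordering as the posted ruleset: divert natd (149) precedes check-state
# (160) in both directions, so state is keyed on the translated outbound packet
# but looked up with the un-translated inbound one.
POSTED_ORDER = [
    Rule(149, "divert"),
    Rule(160, "check-state"),
    Rule(280, "pass", "out", keep_state=True, setup=True),
    Rule(65530, "deny"),
]

# Ordering that keys state on inside addresses in both directions: inbound
# un-NAT before check-state, outbound keep-state (via skipto) before NAT.
INSIDE_KEYED_ORDER = [
    Rule(14, "divert", "in"),
    Rule(15, "check-state"),
    Rule(20, "skipto", "out", keep_state=True, setup=True, target=800),
    Rule(450, "deny", "in"),
    Rule(800, "divert", "out"),
    Rule(801, "pass"),
]
```

Running exchange(POSTED_ORDER) gives ['pass', 'deny', 'deny']: the handshake is opened but the reply is dropped, which is the symptom described in the question, and the same mismatch explains the blocked UDP replies. exchange(INSIDE_KEYED_ORDER) gives ['pass', 'pass', 'deny']: the reply now matches the dynamic rule while an unsolicited inbound SYN is still denied, so the stateful check does its job without a blanket "established" rule.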