Subject: Re: ipfw rules for connect port 993
From: Julian Elischer <julian@freebsd.org>
To: Petr Chocholáč, freebsd-current@freebsd.org
Date: Tue, 25 Aug 2015 18:29:52 +0800
Message-ID: <55DC43A0.1040700@freebsd.org>
In-Reply-To: <55DC2130.9040004@gyrec.cz>
References: <55DB16B7.2000602@gyrec.cz> <55DB1E79.9030108@freebsd.org> <55DC2130.9040004@gyrec.cz>

On 8/25/15 4:02 PM, Petr Chocholáč wrote:
> Hello,

Ignore my previous email, you have answered my questions here.

The firewall set you show is pretty horrible. It really needs a rewrite.

Do you want to block the two LANs from each other, or block any machines on the LANs from reaching the firewall? If not, then you should start by adding two rules:

ipfw add 350 allow ip from any to any in recv {LAN interface}
ipfw add 351 allow ip from any to any out xmit {LAN interface}

as you do not want to block that traffic.. you should only be looking at traffic on the internet interface.. In your current rule set all the rules are being tested at all interfaces, which is a waste of CPU and also makes it very hard to work out what is going on.

If you DO want to filter on other interfaces, then send traffic for each interface to a different set of rules, incoming and outgoing. For example:

add 350 skipto 1000 ip from any to any in recv rl0
add 360 skipto 1100 ip from any to any out xmit rl0
add 370 skipto 1200 ip from any to any in recv re0
add 380 skipto 1300 ip from any to any out xmit re0
etc...

Then at each rule set (1000, 2000, 3000...) you only have the rules you need for that exact flow..

Also, you should use a table to hold all the subnets and addresses that are there. For example, you have:

08800 0 0 allow tcp from 85.70.0.0/16 to 86.49.91.98 dst-port 443 setup via rl0
08900 0 0 allow tcp from 85.71.0.0/16 to 86.49.91.98 dst-port 443 setup via rl0
09000 0 0 allow tcp from 84.42.232.0/21 to 86.49.91.98 dst-port 443 setup via rl0
09100 0 0 allow tcp from 84.42.240.0/20 to 86.49.91.98 dst-port 443 setup via rl0
09200 0 0 allow tcp from 80.188.157.0/24 to 86.49.91.98 dst-port 443 setup via rl0
09300 0 0 allow tcp from 89.102.9.0/24 to 86.49.91.98 dst-port 443 setup via rl0
09400 0 0 allow tcp from 89.102.0.0/16 to 86.49.91.98 dst-port 443 setup via rl0

This should all be:

allow tcp from table(1) to 86.49.91.98 dst-port 443 setup

and it would appear only in the rules to do with incoming packets to rl0 (i.e. in the rules starting with 1000). You would populate the table with:

ipfw table 1 add 85.70.0.0/16
ipfw table 1 add 85.71.0.0/16
ipfw table 1 add 84.42.232.0/21
... etc.

I can't actually read your ruleset enough without getting a headache to tell you what is failing.

Also, you talked about 10.x.x.x in your email, and about 2 interfaces, but later you talked about different addresses and 3 interfaces. Can you say what is the actual setup? (You do not have to give your actual internet IP address.. though you already did.. I would replace it with ${OUTSIDE} in the script that makes it..)

>
> thank you for your answer.
>
> ad1.
> I sent my current firewall rules and a record from tcpdump on re0.
> My LAN is 172.16.0.0/22 (10... it was easy. I think it does not matter)
> My second LAN is 192.168.1.0/24 (on this network the connection to the
> IMAP port 993 works)
> My public IP is 86.49.91.98
> ad2.
> Tcpdump on rl0 shows nothing
> ad3.
> Yes. I have gateway_enable="YES" in /etc/rc.conf
> ad4.
> I think yes...
>
> PS: The firewall is not my work. I inherited it.
>
> Thank you very much
>
> Petr Chocholac
>
>
> On 24.8.2015 at 15:39 Allan Jude wrote:
>> On 2015-08-24 09:05, Petr Chocholáč wrote:
>>> Hello,
>>>
>>> I would like to ask you for advice. I cannot connect to
>>> imap.gmail.com on port 993 from my local network. My LAN is behind a
>>> FreeBSD server with IPFW. The server has two network cards rl0=Internet
>>> and re0=LAN(10.0.0.0/16). Tcpdump on re0 shows three SYN packets
>>> without answers. What rules should I create?
>>>
>>> I tried something like this, without success:
>>> #ipfw add 01500 allow ip from 10.0.0.0/16 to any in via re0
>>>
>>> Thank you very much for any advice and your patience
>>>
>>> Petr Chocholáč
>>> Brno, Czech Republic
>>>
>>> _______________________________________________
>>> freebsd-current@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-current
>>> To unsubscribe, send any mail to
>>> "freebsd-current-unsubscribe@freebsd.org"
>> We would need to see all of your current firewall rules (ipfw show)
>>
>> You'll want to tcpdump on rl0, to see if the packet is being
>> forwarded.
>>
>> Do you have the machine configured as a gateway? (gateway_enable="YES"
>> in /etc/rc.conf)
>>
>> Are you doing NAT (Network Address Translation) to remap the internal
>> (10.0.0.0/16) addresses to your internet routable IP?
>>
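The layout Julian recommends above (per-interface skipto dispatch, a table instead of seven near-identical rules, the public address kept in a variable), written out as a rule-generating script. This is an added example, not code from the thread: rl0/re0, 86.49.91.98 and the seven subnets are the values quoted in the thread, while the names wan/lan/HTTPS_CLIENTS/emit_rules and the contents of the 1000/1100 blocks (a minimal stateful skeleton) are my own assumptions, not Petr's ruleset.

```shell
#!/bin/sh
# Added example, not from the thread: emit an ipfw ruleset laid out as
# Julian describes. Interface names, public address and the seven client
# subnets are from the thread; the 1000/1100 block contents are a minimal
# stateful skeleton of my own. Dry run by default; FWCMD=/sbin/ipfw applies.

fwcmd="${FWCMD:-echo ipfw}"
OUTSIDE="${OUTSIDE:-86.49.91.98}"   # public IP, parameterised as Julian suggests
wan=rl0                              # Internet-facing interface
lan=re0                              # LAN interface

# The seven source subnets from rules 08800-09400, collapsed into one table.
HTTPS_CLIENTS="85.70.0.0/16 85.71.0.0/16 84.42.232.0/21 84.42.240.0/20
80.188.157.0/24 89.102.9.0/24 89.102.0.0/16"

emit_rules() {
    # Loopback first, so it never falls into an interface block below.
    $fwcmd add 100 allow ip from any to any via lo0

    # Dispatch: each interface/direction gets its own block, so a block only
    # ever sees one kind of flow and is not re-evaluated on every interface.
    $fwcmd add 350 skipto 1000 ip from any to any in recv $wan
    $fwcmd add 360 skipto 1100 ip from any to any out xmit $wan
    $fwcmd add 370 skipto 1200 ip from any to any in recv $lan
    $fwcmd add 380 skipto 1300 ip from any to any out xmit $lan

    # Table 1 replaces seven near-identical rules with one lookup.
    $fwcmd table 1 flush
    for net in $HTTPS_CLIENTS; do
        $fwcmd table 1 add "$net"
    done

    # 1000: inbound on the Internet interface. Each block MUST end in a
    # terminating rule, otherwise unmatched packets fall through into the
    # next block and are judged by rules meant for a different flow.
    $fwcmd add 1000 check-state
    $fwcmd add 1010 allow tcp from "table(1)" to "$OUTSIDE" dst-port 443 setup
    $fwcmd add 1090 deny log ip from any to any

    # 1100: outbound on the Internet interface; keep-state lets the replies
    # back in through rule 1000 without listing ports (993 included).
    $fwcmd add 1100 allow ip from any to any keep-state
    $fwcmd add 1190 deny log ip from any to any

    # 1200/1300: LAN side is not filtered, per Julian's first suggestion.
    $fwcmd add 1200 allow ip from any to any
    $fwcmd add 1300 allow ip from any to any
}

emit_rules
```

Run it once without FWCMD and read the output top to bottom: every packet should reach exactly one block and terminate there, which is the property the original flat ruleset lacks.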