Date:      Mon, 11 Dec 2006 11:30:06 +0700 (WIT)
From:      Abdullah Koro <koro@koro.bentala.co.id>
To:        Nathan Watson <nwatson@nwatson.org>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: ipf stateful rules
Message-ID:  <20061211112722.G9462@pangrango.bentala.co.id>
In-Reply-To: <3083783.171165792287615.JavaMail.root@cirrus>
References:  <3083783.171165792287615.JavaMail.root@cirrus>

At the moment, I just use a simple configuration that passes all traffic.
Nothing needs to be restricted.

This is my NAT configuration sample; I keep it simple ;)

# Run NAT (natd handles translation on the external interface rl0)
/sbin/natd -interface rl0
# Flush any existing ipfw rules
/sbin/ipfw -f flush
# Divert every packet crossing rl0 to natd for translation
/sbin/ipfw add divert natd all from any to any via rl0
# Pass everything else, in both directions
/sbin/ipfw add pass all from any to any

and the interfaces:

> ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         options=8<VLAN_MTU>
         inet6 fe80::2e0:4cff:feaa:3e53%rl0 prefixlen 64 scopeid 0x1
         inet 192.168.2.231 netmask 0xffffff00 broadcast 192.168.2.255
         ether 00:e0:4c:aa:3e:53
         media: Ethernet autoselect (100baseTX <full-duplex>)
         status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         options=8<VLAN_MTU>
         inet6 fe80::213:46ff:fe3a:da6f%rl1 prefixlen 64 scopeid 0x2
         inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
         ether 00:13:46:3a:da:6f
         media: Ethernet autoselect (10baseT/UTP)
         status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
         inet6 ::1 prefixlen 128
         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
         inet 127.0.0.1 netmask 0xff000000

regards,
koro


On Sun, 10 Dec 2006, Nathan Watson wrote:

> Hello,
> I'm running FreeBSD 6.1 with IPF/IPNAT, and I'm having a problem getting my rules to work. The problem is mainly that I want no restrictions on outbound traffic, and I'm not sure how to apply stateful filtering to that. I have the following rule (hme0 is my external interface):
>
> pass out quick on hme0 all
>
> If I change that to "pass out quick on hme0 all keep state," will that only open the port that the outbound packet was on? Are there any problems that can arise from allowing all outbound traffic? At the moment, my ruleset doesn't pass packets at all... I'm just having lots of troubles here. My ruleset is below, and everything seems to be caught by the last block all rule. Any suggestions?
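An ipf ruleset that does what the question asks for (unrestricted outbound traffic tracked with keep state, default-deny inbound), added here as an example; it is not part of either message and does not reproduce koro's ipfw setup. hme0 is taken from the question; the file path in the comment is an assumption.

```ipf
# /etc/ipf.rules (assumed path) -- added example, not from the thread.
# hme0 is the external interface, as in the original question.

# Loopback traffic is never filtered.
pass in quick on lo0 all
pass out quick on lo0 all

# Outbound: allow everything, but record each connection in the state table.
# "flags S" creates TCP state only on the initial SYN, so stray packets do not
# seed entries. Only replies that match a state entry are let back in; no
# inbound port is opened permanently, which answers the "only that port" question.
pass out quick on hme0 proto tcp from any to any flags S keep state
pass out quick on hme0 proto udp from any to any keep state
pass out quick on hme0 proto icmp from any to any keep state

# Inbound: default deny, logged. Replies to connections we opened never reach
# this rule, because ipf consults the state table before the rule list.
block in log quick on hme0 all
```

Because the state table is checked first, the final block rule no longer swallows return traffic for connections the host itself initiated, which is the symptom described in the question; anything inbound that is not a tracked reply is still dropped and logged.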


