Date:      Sun, 3 Nov 2013 08:04:20 -0800
From:      Payam Chychi <pchychi@gmail.com>
To:        Casey Scott <casey@scottmail.org>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: NAT/ipfw blocking internal traffic
Message-ID:  <CF592C15C48942B1A7DB05E5DBE51834@gmail.com>
In-Reply-To: <1695827686.288.1383250242478.JavaMail.root@phantombsd.org>
References:  <789665157.296.1383076677766.JavaMail.root@phantombsd.org> <1695827686.288.1383250242478.JavaMail.root@phantombsd.org>

Do you have logs of what's being dropped? 



-- 
Payam Chychi
Network Engineer / Security Specialist


On Thursday, October 31, 2013 at 1:10 PM, Casey Scott wrote:

> Hello,
> 
> My NAT and ipfw ruleset follow almost exactly what is given at
> http://www.freebsd.org/doc/handbook/firewalls-ipfw.html
> 
> The problem I'm encountering is that a portion of my outbound internal
> traffic is being blocked by ipfw. This is a fresh FreeBSD installation, so
> I'm kind of at a loss since the config matches the handbook. Any suggestions
> are appreciated.
> 
> uname -a
> ***********************************************
> FreeBSD hostname 9.2-RELEASE FreeBSD 9.2-RELEASE #6 r256447: Fri Oct 18
> 20:06:53 PDT 2013 root@hostname:/usr/src/sys/amd64/compile/hostname amd64
> ***********************************************
> 
> /var/log/security:
> ***********************************************
> Oct 29 10:14:46 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
> Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
> Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
> Oct 29 10:14:54 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61915 174.129.210.177:80 out via fxp0
> Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61876 65.126.84.88:80 out via fxp0
> Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61877 65.126.84.88:80 out via fxp0
> Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921 208.85.40.45:80 out via fxp0
> Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921 208.85.40.45:80 out via fxp0
> ***********************************************
> 
> firewall script:
> ***********************************************
> #!/bin/sh
> cmd="ipfw -q add"
> skip="skipto 500"
> pif=fxp0
> ks="keep-state"
> good_tcpo="22,25,37,43,53,80,443"
> 
> ipfw -q -f flush
> 
> $cmd 002 allow all from any to any via em0 # exclude LAN traffic
> $cmd 003 allow all from any to any via lo0 # exclude loopback traffic
> 
> $cmd 100 divert natd ip from any to any in via $pif
> $cmd 101 check-state
> 
> # Authorized outbound packets
> $cmd 136 $skip udp from any to any 53 out via $pif $ks
> $cmd 150 $skip tcp from any to any $good_tcpo out via $pif setup $ks
> $cmd 151 $skip icmp from any to any out via $pif $ks
> $cmd 152 $skip udp from any to any 123 out via $pif $ks
> 
> # Deny all inbound traffic from non-routable reserved address spaces
> $cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
> $cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
> $cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
> $cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
> $cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
> $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
> $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
> $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
> $cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
> 
> # Authorized inbound packets
> $cmd 400 allow tcp from any to me 76 in via $pif setup limit src-addr 2
> $cmd 402 allow ip from any to me 53 in via $pif setup limit src-addr 2
> $cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 2
> $cmd 421 allow tcp from any to me 80 in via $pif setup limit src-addr 2
> 
> $cmd 450 deny log ip from any to any
> 
> # This is skipto location for outbound stateful rules
> $cmd 500 divert natd ip from any to any out via $pif
> ***********************************************
> 
> natd run options:
> ***********************************************
> /sbin/natd -dynamic -m -n fxp0
> ***********************************************
> 
> -Casey
> 
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
> 
> 


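Editor's note: the log lines Casey quoted are the answer to Payam's question, and they can be read against the posted ruleset. Rule 150 lets TCP to the good_tcpo ports out only for `setup` (SYN) packets and creates a dynamic rule with `keep-state`; every later packet of that connection has to match that dynamic rule at rule 101 `check-state`, and inbound replies reach 101 only after rule 100 has diverted them through natd, which rewrites the destination back to the internal client. So a rule-450 deny for a port-80 flow to or from 192.168.1.6, in either direction, means a packet of an otherwise permitted connection arrived while no dynamic rule for it existed. The script below is an added example, not code from the thread or from the FreeBSD handbook: it parses the quoted /var/log/security lines, normalizes each record to an (internal host, internal port, external host, external port) flow, and labels each deny with that reasoning. The classification labels and the regex are this example's own; the rule numbers, port list and interface name are taken from the posted script.

```python
"""Triage ipfw 'deny log' lines from a NAT + keep-state ruleset.

Added example for this thread, not code from the original posts. It parses the
/var/log/security lines quoted above and, using the rule numbers and good_tcpo
list from the posted script, says for each denied packet whether it belongs to
a flow the stateful outbound rule (150 setup keep-state, matched later via 101
check-state) should have covered. Those denies mean the dynamic rule was
missing when the packet reached rule 450, not that the port was disallowed.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Copied from the post above (syslog prefix included, one record per line).
SAMPLE_LOG = """\
Oct 29 10:14:46 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:54 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61915 174.129.210.177:80 out via fxp0
Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61876 65.126.84.88:80 out via fxp0
Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61877 65.126.84.88:80 out via fxp0
Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921 208.85.40.45:80 out via fxp0
Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921 208.85.40.45:80 out via fxp0
"""

GOOD_TCPO = {22, 25, 37, 43, 53, 80, 443}   # good_tcpo in the posted script
DEFAULT_DENY_RULE = 450                     # '$cmd 450 deny log ip from any to any'

# TCP/UDP records carry host:port, ICMP records carry bare addresses, so the
# port groups are optional.
IPV4 = r"\d+(?:\.\d+){3}"
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w.:]+) "
    rf"(?P<src>{IPV4})(?::(?P<sport>\d+))? (?P<dst>{IPV4})(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)


def parse_line(line):
    """Return a dict of fields for one ipfw log record, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def is_private(addr):
    return ipaddress.ip_address(addr).is_private


def classify(rec):
    """Label why a packet hit the default deny in this particular ruleset (labels are ours)."""
    if rec["rule"] != DEFAULT_DENY_RULE or rec["action"] != "Deny":
        return "other"
    if rec["dir"] == "out":
        # Pre-NAT outbound packet (rule 500 diverts after this point), so the
        # source is still the LAN client. Rule 150 only matches SYNs; anything
        # else to an allowed port needed a dynamic rule and did not find one.
        if rec["proto"] == "TCP" and rec["dport"] in GOOD_TCPO and is_private(rec["src"]):
            return "outbound-no-state"
        return "outbound-not-permitted"
    # Inbound on the NAT interface: rule 100 already sent it through natd, so a
    # private destination is the translated address of the client that opened
    # the connection. It should have matched the same dynamic rule.
    if rec["proto"] == "TCP" and rec["sport"] in GOOD_TCPO and is_private(rec["dst"]):
        return "inbound-reply-no-state"
    return "inbound-unsolicited"


def flow_key(rec):
    """Normalize both directions to (internal host, internal port, external host, external port)."""
    if rec["dir"] == "out":
        return (rec["src"], rec["sport"], rec["dst"], rec["dport"])
    return (rec["dst"], rec["dport"], rec["src"], rec["sport"])


def summarize(log_text):
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_class = Counter(classify(r) for r in records)
    flows = defaultdict(int)
    for r in records:
        flows[flow_key(r)] += 1
    return records, by_class, dict(flows)


if __name__ == "__main__":
    records, by_class, flows = summarize(SAMPLE_LOG)
    for label, n in by_class.items():
        print(f"{n:3d}  {label}")
    for (ihost, iport, ehost, eport), n in sorted(flows.items()):
        print(f"{n:3d}  {ihost}:{iport} <-> {ehost}:{eport}")
```

Every quoted line comes out as either outbound-no-state or inbound-reply-no-state, and all five flows are to port 80, which is in good_tcpo. The next things to look at on the box are therefore the dynamic rules rather than the static ones: `ipfw -d list` shows the live dynamic entries, `sysctl net.inet.ip.fw` shows the dyn_count, dyn_max and dyn_*_lifetime values, and re-running the script (it starts with `ipfw -q -f flush`) discards all existing state, so connections open at that moment will log exactly this way.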



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CF592C15C48942B1A7DB05E5DBE51834>