Date: Fri, 28 Jul 2006 19:55:12 +0200
From: Peter Rosa <prosa@pro.sk>
To: Adam Egan <adam.egan@gmail.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw and natd routing problems
Message-ID: <44CA4F80.5030009@pro.sk>
In-Reply-To: <28745bbf0607280412tdff38dck9df78fd0fc363fff@mail.gmail.com>
References: <28745bbf0607270947i6d71369fg5c1403b2d6e36219@mail.gmail.com> <28745bbf0607280412tdff38dck9df78fd0fc363fff@mail.gmail.com>
Hi,

> [ipfw]
> # check if incoming packets belong to a natted session, allow through if
> add 01000 divert natd ip from any to any in via sis0
> add 01001 check-state

Default behavior of ipfw is to *BLOCK EVERY PACKET* if you did not say in your kernel-config "options IPFIREWALL_DEFAULT_TO_ACCEPT". That's why all your connections time out...

You need to add a few rules for check-state to work:

add 01002 allow tcp from any to any via sis0 setup keep-state
add 01003 allow udp from any to any via sis0 keep-state
add 01004 allow icmp from any to any via sis0 keep-state

BE AWARE YOUR 'FIREWALL' IS COMPLETELY OPEN FOR ANY CONNECTION FROM INSIDE AND EVEN OUTSIDE!!!

It is very well explained in man ipfw and even better in the handbook:
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html)

Peter Rosa
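The following ruleset is an added example and is not code from this thread or from the FreeBSD project. It shows the same divert / check-state / keep-state structure the reply describes, but goes one step further than the three rules quoted above: the keep-state rules only admit sessions opened from the LAN side, NAT is applied before any stateful match on the external interface, and an explicit logged deny closes the set. Assumed values that are not in the message: sis1 as the internal interface, 192.168.1.0/24 as a constructed LAN prefix, and natd started with "-n sis0"; sis0 as the external interface comes from the thread. The script only prints the ruleset and never calls ipfw.

```shell
#!/bin/sh
# Added example, not part of the thread: a closed-by-default ipfw + natd
# ruleset whose stateful rules are restricted by interface and direction.
# Assumptions (not stated in the original message): sis0 is the external
# interface (as in the thread), sis1 is the internal LAN interface, the LAN
# is 192.168.1.0/24 (constructed value), and natd runs as "natd -n sis0".
EXT_IF=sis0
INT_IF=sis1
LAN_NET=192.168.1.0/24

# Emit the ruleset on stdout so it can be reviewed before loading; this
# script itself never invokes ipfw.
ipfw_rules() {
    cat <<EOF
flush
# Loopback, and never accept 127/8 on a real interface
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
# Drop packets arriving from outside that claim a LAN source address
add 00400 deny log ip from $LAN_NET to any in via $EXT_IF
# Outbound on the external interface: translate, then let the packet leave
# (it was already screened when it entered via the LAN interface). The
# divert must come before the stateful check, otherwise the dynamic rule
# would match first and the packet would leave untranslated.
add 00900 divert natd ip from any to any out via $EXT_IF
add 00901 allow ip from any to any out via $EXT_IF
# Inbound on the external interface: reverse the translation, then accept
# only packets that belong to a session opened from the LAN.
add 01000 divert natd ip from any to any in via $EXT_IF
add 01001 check-state
# Sessions may only be opened from the LAN side. keep-state on the internal
# interface records the private 5-tuple, which is exactly what the stateful
# check sees after natd has reversed the translation on the way back in.
add 02000 allow tcp from $LAN_NET to any in via $INT_IF setup keep-state
add 02001 allow udp from $LAN_NET to any in via $INT_IF keep-state
add 02002 allow icmp from $LAN_NET to any in via $INT_IF keep-state
# Explicit, logged default deny. ipfw already denies by default without
# IPFIREWALL_DEFAULT_TO_ACCEPT; the explicit rule documents that and logs.
add 65000 deny log ip from any to any
EOF
}

# Line number (within the emitted ruleset) of the first "add" rule whose
# body contains the given text; comment lines are ignored. Used to verify
# rule ordering.
rule_pos() {
    ipfw_rules | grep -n -- "^add .*$1" | head -n 1 | cut -d: -f1
}

# Number of allow rules that neither keep state nor restrict direction and
# interface (the "completely open" shape the message warns about).
open_allow_count() {
    ipfw_rules | grep '^add' | grep 'allow' \
        | grep -v 'keep-state' | grep -v -E ' (in|out) via ' \
        | grep -v 'via lo0' | wc -l | tr -d ' '
}

ipfw_rules
```

To load it on a FreeBSD host, save the output to a file and pass that file to ipfw -q; review the logged denies afterwards to confirm that nothing legitimate from the LAN is being dropped.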