From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 20 21:41:42 2008
From: "Leander S." <leander.schaefer@gmx.net>
To: freebsd-ipfw@freebsd.org
Date: Mon, 20 Oct 2008 23:14:58 +0200
Message-ID: <48FCF4D2.4080103@gmx.net>
Subject: IPFW + Portforwarding
List-Id: IPFW Technical Discussions

Hi,

I'm trying to set up something like a HotSpot. The goal is to force unregistered users to get redirected to the captive portal site, where they'll be able to agree to my license terms and get some information ... etc. ...

So the fact is I need an IPFW rule which forwards port 80, 443, 8080 traffic to another port, i.e. 8080 --> where my Apache will already be waiting to serve the captive portal site back to the request.

So I read the man page and saw something like the fwd rule and the kernel option for it - so I added the option, recompiled the kernel and gave my firewall the following fwd rule in an extra script:

${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any 80,443,8080 in via ${LAN_if}

^^ But sadly it's not working .... so here is my whole firewall script. Btw. my IPFW is compiled as default deny into the kernel.

The script:
____________________________________________________________________________
#!/bin/sh

if [ -z "${source_rc_confs_defined}" ]; then
    if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
    elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
    fi
fi

#############################
#### Global variables: ######
#############################

WAN_if="msk0"
WAN_IP="10.1.10.50"
WAN_net="255.0.0.0"
WAN="10.0.0.0/8"

LAN_if="ath0"
LAN_IP="192.1.1.1"
LAN_net="255.255.255.0"
LAN="192.1.1.0/24"

fwcmd="/sbin/ipfw -q"

#############################
########## Start: ###########
#############################

### Firewall reset ###
${fwcmd} -f flush

### Localhost ###
${fwcmd} add 00100 allow all from any to any via lo0
${fwcmd} add 00200 deny all from any to 127.0.0.0/8
${fwcmd} add 00300 deny all from 127.0.0.0/8 to any

### WAN configuration ###
${fwcmd} add 00400 allow all from any to any via ${WAN_if}
${fwcmd} add 00500 divert natd all from any to any in via ${WAN_if}
${fwcmd} add 00600 divert natd all from any to any out via ${WAN_if}

### LAN configuration ###
### Ping
${fwcmd} add 00700 allow icmp from ${LAN} to ${LAN} icmptypes 0,8

### Open ports
${fwcmd} add 00800 allow tcp from any to ${LAN_IP} 22 in via ${LAN_if}
${fwcmd} add 00900 allow tcp from any to ${LAN_IP} 1723 in via ${LAN_if}
${fwcmd} add 01000 allow tcp from any to ${LAN_IP} 8080 in via ${LAN_if}

### Portal site - forwarding:
${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any 80,8080,443 in via ${LAN_if}

### Package Detour
${fwcmd} add 01200 allow all from any to any out via ${LAN_if}
____________________________________________________________________________

Every positive kind of help will be very appreciated !!!

Thanks,
Leander

P.S. Additionally: this is my first firewall script - so if this seems too ugly for you - feel free to give me some newbie tips and tricks! ;) THX

(Attachment "rc.firewall_extension": identical copy of the script above.)
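The following ruleset is an added example for the captive-portal setup described in the post above; it is not the poster's script and not a reply from the list. It keeps the poster's interface names and addresses (msk0, ath0, 192.1.1.1, 192.1.1.0/24) and assumes the same environment the post describes: FreeBSD with ipfw built default-deny and with options IPFIREWALL_FORWARD, natd attached to the divert socket, and the portal web server listening on 192.1.1.1:8080. Three things in the posted script are worth calling out, all of which this example handles. First, with a default-deny kernel there is no rule that passes DHCP (udp 67/68) or DNS (udp 53) in on ath0, so a client that still has to resolve a hostname never gets as far as sending the TCP SYN that the fwd rule is supposed to catch. Second, rule 00400 (allow all via ${WAN_if}) sits in front of the natd divert rules; allow is a terminating action, so packets on msk0 are accepted before natd ever sees them. Third, fwd on port 443 hands a TLS ClientHello to a plain-HTTP listener, which only yields a handshake error in the browser, so only cleartext ports are redirected here. The DRY_RUN variable, the ipfw_cmd wrapper and the ordering check are this example's own additions: with DRY_RUN=1 (the default) the script prints the rules instead of loading them, so it can be reviewed on any machine and run with DRY_RUN=0 on the gateway.

```shell
#!/bin/sh
# Captive-portal ipfw ruleset, written as an added example (not the original
# poster's script). Assumed environment: FreeBSD, ipfw compiled default-deny
# with options IPFIREWALL_FORWARD, natd on the divert socket, portal web
# server listening on ${LAN_IP}:${PORTAL_PORT}. Interface names and
# addresses are taken from the post. DRY_RUN=1 prints rules instead of
# loading them; run with DRY_RUN=0 on the gateway itself.

WAN_if="msk0"
LAN_if="ath0"
LAN_IP="192.1.1.1"
LAN="192.1.1.0/24"
PORTAL_PORT="8080"
DRY_RUN="${DRY_RUN:-1}"

# ipfw_cmd: print or run one ipfw command, so every rule goes through one place.
ipfw_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ipfw -q %s\n' "$*"
    else
        /sbin/ipfw -q "$@"
    fi
}

# ruleset: the rules in the order ipfw evaluates them. Numbers are explicit so
# the evaluation order does not depend on how the script happens to be written.
ruleset() {
    ipfw_cmd -f flush

    # Loopback: allow lo0, refuse 127/8 on any other interface.
    ipfw_cmd add 00100 allow ip from any to any via lo0
    ipfw_cmd add 00200 deny ip from any to 127.0.0.0/8
    ipfw_cmd add 00300 deny ip from 127.0.0.0/8 to any

    # NAT. The divert rules must precede any "allow ... via ${WAN_if}": allow is
    # terminating, so a WAN allow placed first passes packets untranslated and
    # natd never sees them. After natd reinjects a packet, evaluation continues
    # at the rule after the divert, which is the allow below.
    ipfw_cmd add 00400 divert natd ip from any to any in via "${WAN_if}"
    ipfw_cmd add 00500 divert natd ip from any to any out via "${WAN_if}"
    ipfw_cmd add 00600 allow ip from any to any via "${WAN_if}"

    # Clients must obtain an address and resolve names before the browser ever
    # sends the TCP SYN that the fwd rule catches; under default deny these two
    # rules are what makes the portal reachable at all.
    ipfw_cmd add 00700 allow udp from any 68 to any 67 in via "${LAN_if}"
    ipfw_cmd add 00710 allow udp from "${LAN}" to any 53 in via "${LAN_if}"

    # Ping inside the LAN.
    ipfw_cmd add 00800 allow icmp from "${LAN}" to "${LAN}" icmptypes 0,8

    # Services on the gateway itself (ssh, pptp control, the portal listener).
    ipfw_cmd add 00900 allow tcp from any to "${LAN_IP}" 22,1723,"${PORTAL_PORT}" in via "${LAN_if}"

    # Transparent redirect of cleartext HTTP to the portal listener. 443 is left
    # out: a TLS ClientHello delivered to a plain-HTTP socket cannot be answered
    # with the portal page, only with a handshake failure.
    ipfw_cmd add 01000 fwd "${LAN_IP},${PORTAL_PORT}" tcp from "${LAN}" to any 80,8080 in via "${LAN_if}"

    # Replies and forwarded traffic back out to the LAN.
    ipfw_cmd add 01100 allow ip from any to any out via "${LAN_if}"
}

# rule_number: number of the first dry-run rule whose text matches a pattern;
# lets the ordering be checked without touching the kernel.
rule_number() {
    ( DRY_RUN=1; ruleset ) | grep -- "$1" | head -n 1 | awk '{print $4}'
}

# order_ok: succeeds only if the outbound divert precedes the WAN allow and the
# DNS allow precedes the fwd rule.
order_ok() {
    divert_out=$(rule_number 'divert natd .* out via')
    wan_allow=$(rule_number "allow ip from any to any via ${WAN_if}")
    dns=$(rule_number 'udp .* 53 in via')
    fwd=$(rule_number 'fwd ')
    [ -n "$divert_out" ] && [ -n "$wan_allow" ] && [ -n "$dns" ] && [ -n "$fwd" ] \
        && [ "$divert_out" -lt "$wan_allow" ] && [ "$dns" -lt "$fwd" ]
}

order_ok || { echo "ruleset ordering broken" >&2; exit 1; }
ruleset
```

Two notes on the fwd rule itself. A fwd to a local address delivers the packet to the socket listening on 192.1.1.1:8080 without rewriting the IP header, and the reply leaves with the original destination as its source address; the web server therefore has to answer whatever Host: header the client sends, not just requests for 192.1.1.1. And once the rules are loaded, `ipfw show` prints per-rule packet counters, so whether rule 01000 is being hit at all is visible directly; if the counter on 00710 stays at zero while clients are active, the problem is in front of the fwd rule, not in it.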