Date:      Mon, 19 May 2003 16:53:43 -0700
From:      "Aaron Peterson" <aaron@alpete.com>
To:        Tommy Forrest <tforrest@shellworld.net>, Craig Reyenga <creyenga@connectmail.carleton.ca>, freebsd-questions@freebsd.org
Subject:   Re: ipfw2 & natd & stateful
Message-ID:  <E19HuRr-0002ex-00@host02.ipowerweb.com>

Yeah, Linux does just fine with NAT + stateful firewalling too.

> Maybe impossible in FreeBSD - cause our Checkpoint firewalls do not have
> this problem.
> 
> On Mon, 19 May 2003, Craig Reyenga wrote:
> 
> > I'm pretty sure that NATD + stateful is impossible because in order to have
> >
> > [unregistered ip] <-> [internet ip]
> >
> > you need:
> > [unregistered ip] <-> [gateway]
> >     [natd operates here]
> > [gateway] <-> [internet ip]
> >
> > but ipfw doesn't do this, so your connections end up not working, because the
> > stateful rules don't make the second scenario, they make the first.
> >
> > (I'd love to be proven wrong, as I have a similar setup.)
> >
> > Hope this helps,
> >
> > -Craig
> >
> >
> >
> > ----- Original Message -----
> > From: "Asenchi" <asenchi@asenchi.com>
> > To: <freebsd-questions@freebsd.org>
> > Sent: Monday, May 19, 2003 8:40 AM
> > Subject: ipfw2 & natd & stateful
> >
> >
> > > Hello Everyone.
> > >
> > > I have a bit of a problem. I want to switch my company's firewall to IPFW2
> > > but I can't seem to get the ruleset to work. After sidelining the notion, I
> > > am ready to attack this again. I have had many problems with it. (You can
> > > see a discussion on this issue here:
> > > <http://www.freebsdforums.org/forums/showthread.php?s=&threadid=9061>)
> > >
> > > It seems that NATD is stopping anyone on my internal network from getting
> > > through to websites. It does somehow reach DNS but won't go anywhere else. I
> > > have tried multiple things...
> > >
> > > I use this ruleset almost verbatim on another machine that isn't running
> > > NATD. Can anyone see anything here? I don't subscribe to this list with this
> > > email address, so could you please cc me?
> > >
> > > Thanks in advance to anyone who can offer some light...
> > >
> > > ////curt////
> > >
> > > Here is the output of 'ipfw -d show'
> > >
> > > 00100 0 0 check-state
> > > 00200 4 164 deny log logamount 1000 ip from any to any established
> > > 00300 28 1789 divert 8668 ip from any to any via vr0
> > > 00400 0 0 deny log logamount 10 ip from 192.168.0.0/24 to any via vr0
> > > 00500 38 3897 allow { tcp or udp } from me to { 198.109.160.2 or dst-ip 198.109.160.3 or dst-ip d.n.s.1 or dst-ip d.n.s.2 } dst-port 53 out xmit vr0 keep-state
> > > 00600 306 31838 allow tcp from { o.u.t.2/29 or o.u.t.1 or 2.1.0.0/16 or 1.1.0.0/16 } to me dst-port 22 setup in recv vr0 keep-state
> > > 00700 22 992 allow tcp from me to any setup via vr0 keep-state
> > > 00800 2 120 deny log logamount 1000 { tcp or udp } from any to me
> > > 01000 7 336 allow log logamount 1000 tcp from i.n.t.r/24 to any dst-port 80
> > > 01100 0 0 allow tcp from 192.168.0.0/24 to any setup keep-state
> > > 01200 66 4168 allow { tcp or udp } from 192.168.0.0/24 to { d.n.s.3 or dst-ip d.n.s.4 or dst-ip d.n.s.1 or dst-ip d.n.s.2 } dst-port 53 keep-state
> > > 01300 0 0 allow tcp from any to 192.168.0.0/24{3,10,11,12,21,110} dst-port 6501-6504 setup in recv vr0 keep-state
> > > 01500 0 0 deny icmp from any to me icmptypes 8
> > > 01600 131 5560 allow icmp from any to any
> > > 01800 3 234 deny { tcp or udp } from any to any dst-port 137,138,520
> > > 01900 4 304 deny log logamount 1000 ip from any to any
> > > 65535 0 0 deny ip from any to any
> > >
> > > ## Dynamic rules (28):
> > > 01200 3 192 (9s) STATE udp 192.168.0.64 1072 <-> d.n.s.3 53
> > > 01200 5 320 (9s) STATE udp 192.168.0.64 1072 <-> d.n.s.2 53
> > > 00600 305 31778 (300s) STATE tcp m.y.i.p 3020 <-> o.u.t.1 22
> > >
> > > _______________________________________________
> > > freebsd-questions@freebsd.org mailing list
> > > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
> > >
> >

-- 
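The ordering question argued over in this thread has a mechanical explanation, and it is worth spelling out because the symptom in the quoted ruleset (DNS works, web does not, and `ipfw -d show` lists dynamic rules carrying private addresses) is the fingerprint of it. With `check-state` at rule 100 and `divert natd` at rule 300, a connection from the LAN is first seen on the inside interface, where rule 1100 creates a dynamic rule keyed on the private address; when the same packet is seen again going out via vr0, `check-state` matches that dynamic rule and accepts the packet before the divert rule ever sees it, so natd never rewrites the source and the packet leaves with an unroutable address. The arrangement the FreeBSD Handbook's IPFW chapter uses for NAT together with stateful rules avoids this: the inbound `divert natd` sits before `check-state`, and the outbound `keep-state` rules `skipto` a `divert natd ... out` rule placed after them, so the dynamic rule is created with private addresses on both passes and natd still runs. The Python model below, added here and not code from the thread or from FreeBSD, walks one constructed web connection through both orderings. The public address 203.0.113.1, the web server 198.51.100.10, the LAN interface name vr1, and natd keeping the source port unchanged are all assumptions of the model; only 192.168.0.0/24, vr0 and the rule numbers come from the thread.

```python
# Added toy model (not code from the thread or from FreeBSD): walks packets through a
# simplified ipfw ruleset so the check-state / keep-state / divert-natd ordering effect
# can be followed step by step.  Everything except 192.168.0.0/24 and vr0 is constructed.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("192.168.0.0/24")  # internal network from the thread
PUBLIC_IP = "203.0.113.1"                         # gateway's address on vr0 (constructed)
WAN, LAN = "vr0", "vr1"                           # vr0 from the thread; vr1 is assumed
Packet = namedtuple("Packet", "src dst sport dport syn")  # syn=True marks the initial SYN


def key(pkt):  # both endpoints, so the reply direction matches the same entry
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


@dataclass
class Rule:
    num: int
    action: str                 # allow | deny | check-state | divert | skipto
    direction: str = "any"      # in | out | any
    iface: str = "any"
    setup: bool = False         # match only SYN packets
    src_net: Optional[ipaddress.IPv4Network] = None
    keep_state: bool = False
    target: int = 0             # skipto destination

    def matches(self, pkt, direction, iface):
        return (self.direction in ("any", direction) and self.iface in ("any", iface)
                and (pkt.syn or not self.setup)
                and (self.src_net is None or ipaddress.ip_address(pkt.src) in self.src_net))


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = set()  # keep-state entries
        self.nat = {}         # natd table: (public addr, port) -> private host

    def natd(self, pkt, direction):
        # Outbound: private source -> public address (port kept, a simplification);
        # inbound: a public destination natd knows -> the private host behind it.
        if direction == "out" and ipaddress.ip_address(pkt.src) in LAN_NET:
            self.nat[(PUBLIC_IP, pkt.sport)] = pkt.src
            return pkt._replace(src=PUBLIC_IP)
        if direction == "in" and (pkt.dst, pkt.dport) in self.nat:
            return pkt._replace(dst=self.nat[(pkt.dst, pkt.dport)])
        return pkt

    def run(self, pkt, direction, iface):
        """One pass through the rules: returns (verdict, packet as it leaves the pass)."""
        i = 0
        while i < len(self.rules):
            r, i = self.rules[i], i + 1
            if not r.matches(pkt, direction, iface):
                continue
            if r.action == "check-state":
                if key(pkt) in self.dynamic:
                    return "allow", pkt
                continue
            if r.action == "divert":  # natd rewrites, then reinjects at the next rule
                pkt = self.natd(pkt, direction)
                continue
            if r.keep_state:
                self.dynamic.add(key(pkt))
            if r.action == "skipto":
                i = next((j for j, x in enumerate(self.rules) if x.num >= r.target), len(self.rules))
                continue
            return r.action, pkt
        return "deny", pkt  # rule 65535: deny ip from any to any


def thread_ruleset():
    # Ordering of the ruleset quoted in the thread, reduced to the rules that decide
    # the fate of an outbound web connection from the LAN.
    return Firewall([Rule(100, "check-state"),
                     Rule(300, "divert", iface=WAN),  # divert 8668 ip from any to any via vr0
                     Rule(1100, "allow", setup=True, src_net=LAN_NET, keep_state=True),
                     Rule(1900, "deny")])


def handbook_ruleset():
    # Ordering that lets natd and stateful rules cooperate: inbound divert before
    # check-state; outbound keep-state rules skipto the outbound divert.
    return Firewall([Rule(2, "allow", iface=LAN),  # LAN-side pass is not filtered
                     Rule(100, "divert", direction="in", iface=WAN),
                     Rule(101, "check-state"),
                     Rule(125, "skipto", direction="out", iface=WAN, setup=True,
                          keep_state=True, target=500),
                     Rule(400, "deny", direction="in", iface=WAN),
                     Rule(500, "divert", direction="out", iface=WAN),
                     Rule(510, "allow")])


def trace_web_session(fw):
    """LAN host's SYN goes in on LAN and out on WAN; the server's SYN/ACK comes in on WAN
    and out on LAN.  Returns (source address the SYN left with, reply reached the host)."""
    verdict, pkt = fw.run(Packet("192.168.0.64", "198.51.100.10", 1072, 80, True), "in", LAN)
    if verdict == "allow":
        verdict, pkt = fw.run(pkt, "out", WAN)
    if verdict != "allow":
        return None, False
    egress = pkt
    if ipaddress.ip_address(egress.src) in LAN_NET:
        return egress.src, False  # left untranslated: a private source gets no reply
    reply = Packet(egress.dst, egress.src, egress.dport, egress.sport, False)
    verdict, pkt = fw.run(reply, "in", WAN)
    if verdict == "allow":
        verdict, pkt = fw.run(pkt, "out", LAN)
    return egress.src, verdict == "allow" and pkt.dst == "192.168.0.64"
```

`trace_web_session(thread_ruleset())` returns `("192.168.0.64", False)`: the SYN leaves vr0 still carrying the private source. `trace_web_session(handbook_ruleset())` returns `("203.0.113.1", True)`: the SYN is translated on the way out and the SYN/ACK is untranslated by the inbound divert before `check-state` matches it. The model ignores natd's port remapping, the `established` rule and the per-rule counters of real ipfw; the thing to carry over to a real box is the check in `ipfw -d show`: if the dynamic rules show private addresses and the divert rule's packet counter stays flat while LAN clients are trying to connect, the divert is being bypassed by `check-state`.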


