Date:      Mon, 17 Jan 2005 09:44:22 -0600
From:      "James A. Coulter" <jacoulter@jacoulter.net>
To:        pwd8jmr22w@me.point.ne.jp
Cc:        Questions-ML FreeBSD <freebsd-questions@freebsd.org>
Subject:   Re: IPFW - How to allow NAT client to CVSup
Message-ID:  <41EBDD56.8000300@jacoulter.net>
In-Reply-To: <41EC2D5F.8060705@me.point.ne.jp>
References:  <41EC2D5F.8060705@me.point.ne.jp>

Srot BULL wrote:
> Hi to everyone,
> 
> I have 2 FreeBSD machines both running FreeBSD Stable 5.3 and both have 
> ipfw as firewalls...
> One is running ipfw with NAT functions.  Below are the rulesets 
> for the machine:

< -- snip rulesets -->

> As you can see I am using the rulesets that are found in the Handbook.  
> I have tried
> $CMD 00070 $SKIP tcp from me to any out via $INIC setup $KS uid root
> but still no go
> $CMD 00070 $SKIP tcp from me to any 5999 out via $INIC setup $KS
> but still no go
> 
> Can anybody share their ipfw rulesets with me?  To allow my other PC to 
> cvsup...
> Thanks in advance...
> 
> Srot BULL


I also had problems using a similar "stateful" ruleset with IPFW & NAT.

As I understand it, a stateful ruleset will not allow passive ftp
connections from machines behind the firewall (although I was able
to establish passive ftp from my gateway/router/firewall machine itself).

This problem is documented in the mailing lists if you want to research
it.

I ended up changing to a much simpler, non-stateful ruleset on my
gateway/router/firewall machine:


     #!/bin/sh

     ipfw -q -f flush

     # Set rules command prefix
     cmd="ipfw -q add"
     pif="dc1"     # public interface name of Nic card
                   # facing the public internet

     $cmd 005 allow all from any to any via dc0

     $cmd 050 divert natd ip from any to any via $pif

     $cmd 100 allow ip from any to any via lo0

     $cmd 200 deny ip from any to 127.0.0.0/8

     $cmd 300 deny ip from 127.0.0.0/8 to any

     $cmd 65000 allow ip from any to any

     # 65535 is the kernel's built-in default rule and cannot be added,
     # and "all" and "ip" are both protocol keywords (only one is allowed)
     $cmd 65534 deny log ip from any to any

This ruleset allows me to establish passive ftp from any machine behind
the firewall, including accomplishing CVSUP.

So far I haven't had any problems with security.

HTH

Jim Coulter

-- 
James A. Coulter
jacoulter@jacoulter.net
http://jacoulter.net
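The ruleset in the message above is worth auditing before copying it: it ends with a catch-all "allow ip from any to any", so nothing numbered after that rule is ever consulted, and a rule numbered 65535 cannot be added at all because that number is the kernel's default rule. The following checker is an added example, not code from the thread or from FreeBSD; it parses "ipfw add" lines from a script, walks them in the order ipfw evaluates them (ascending number), and reports the reserved rule number, the invalid "all ip" protocol spelling, and rules shadowed by an earlier catch-all allow or deny. The sample input is constructed: it is the posted ruleset with $cmd and $pif expanded by hand and the last rule written as "65535 deny log all ip ...", the form ipfw(8) rejects.

```python
import re

# Constructed sample input: the gateway ruleset from the message above with its
# shell variables ($cmd, $pif) expanded by hand. Not captured from a live system.
SAMPLE_RULESET = """\
#!/bin/sh
ipfw -q -f flush
ipfw -q add 005 allow all from any to any via dc0
ipfw -q add 050 divert natd ip from any to any via dc1
ipfw -q add 100 allow ip from any to any via lo0
ipfw -q add 200 deny ip from any to 127.0.0.0/8
ipfw -q add 300 deny ip from 127.0.0.0/8 to any
ipfw -q add 65000 allow ip from any to any
ipfw -q add 65535 deny log all ip from any to any
"""

IPFW_DEFAULT_RULE = 65535   # the kernel's built-in default rule; 'ipfw add' refuses this number

# Matches "ipfw [-flags ...] add <number> <action> <rest of rule>"
RULE_RE = re.compile(r"^ipfw(?:\s+-\w+)*\s+add\s+(\d+)\s+(\S+)\s+(.*)$")

# Terminal actions: once one of these matches, later rules are not evaluated
TERMINAL_ACTIONS = ("allow", "accept", "pass", "permit", "deny", "drop")


def parse_rules(script_text):
    """Return [(number, action, body), ...] for every 'ipfw add' line, sorted by rule number."""
    rules = []
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    # ipfw walks rules by ascending number regardless of the order they were added
    return sorted(rules, key=lambda r: r[0])


def matches_everything(body):
    """True for a body that matches every packet (no 'via', no ports, no options)."""
    return re.fullmatch(r"(?:ip|all)\s+from\s+any\s+to\s+any", body) is not None


def audit(rules):
    """Return [(rule_number, finding_code), ...] for the problems checked below."""
    findings = []
    shadowing_rule = None   # number of the first catch-all terminal rule seen

    for num, action, body in rules:
        if num >= IPFW_DEFAULT_RULE:
            # the default rule is created by the kernel and cannot be replaced by 'add'
            findings.append((num, "reserved-number"))
        if re.search(r"\ball\s+ip\b", body):
            # 'all' and 'ip' are both protocol keywords; a rule takes exactly one
            findings.append((num, "bad-protocol"))
        if shadowing_rule is not None:
            # every rule after a catch-all terminal rule is unreachable, so a
            # trailing 'deny log' never logs anything
            findings.append((num, "shadowed"))
        elif action in TERMINAL_ACTIONS and matches_everything(body):
            shadowing_rule = num

    return findings


if __name__ == "__main__":
    for num, code in audit(parse_rules(SAMPLE_RULESET)):
        print(f"rule {num}: {code}")
```

Run against the sample, the checker reports three findings, all on the last rule: reserved-number, bad-protocol and shadowed. The third one is the security-relevant point of the thread: with rule 65000 in place the gateway is effectively an open pass-through for anything not matched by the loopback rules, which is why the passive ftp and CVSup problems went away.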


