Date: Wed, 05 Oct 2005 04:32:52 +0200
From: Alex de Kruijff <freebsd@akruijff.dds.nl>
To: Ertan Kucukoglu <ertank@ozlerplastik.com>
Cc: questions@freebsd.org
Subject: Re: help needed for ipfw rules
Message-ID: <20051005023252.GB740@Alex.lan>
In-Reply-To: <43380504.5080106@ozlerplastik.com>
References: <43380504.5080106@ozlerplastik.com>
On Mon, Sep 26, 2005 at 05:26:12PM +0300, Ertan Kucukoglu wrote:
> Hi,
>
> I have a problem blocking foreign intruders for specific ports in ipfw.
>
> One of my friends has 4.X-Stable running in production for proxy,
> e-mail, virus etc. The server also has natd and ipfw installed on it. We
> have the following rule set.
> -----
> 00050 2132 1212881 divert 8668 ip from any to any via dc1
> 00100 1078 4537400 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00400 0 0 allow tcp from 192.168.0.0/24 to me 23
> 00500 0 0 deny tcp from 192.168.0.69 to me 1863
> 00550 0 0 deny tcp from 192.168.0.63 to me 1863
> 00600 0 0 deny tcp from 192.168.0.69 to me 80
> 00650 0 0 deny tcp from 192.168.0.63 to me 80
> 01000 0 0 allow tcp from 192.168.0.0/16 to me 21
> 01010 0 0 deny tcp from any to me 21
> 01100 0 0 allow tcp from 212.58.X.X to me 1433 via dc1 (ip intentionally hidden)
> 01110 0 0 deny tcp from any to me 1433 via dc1
> 65000 5467 3180867 allow ip from any to any
> 65535 4654 322885 deny ip from any to any
> -----
>
> Natd is diverting port 1433 to an internal machine.
>
> When I try with a different ip address on the Internet than 212.58.x.x,
> I can easily connect to the directed server's 1433 port.
>
> I'm sure that I'm missing something, but I can not recognize what it is
> at the moment. Any help will be appreciated.
>
> Regards,

You're forgetting that natd changes the destination ip address so that it is not me. Try putting the block rule before the divert. This is also good for performance.

--
Alex

Please copy the original recipients, otherwise I may not read your reply.

Howto's based on my personal use, including information about setting up a firewall and creating traffic graphs with MRTG
http://www.kruijff.org/alex/FreeBSD/
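The ordering problem Alex points at can be reproduced offline. The following is an added example, not code from the thread or from FreeBSD: a small model of ipfw first-match evaluation that parses the poster's rule set (counters stripped) and applies a natd-style destination rewrite at the divert rule. It assumes constructed values for the host's own addresses (what `me` resolves to), the natd redirect target, and a stand-in for the trusted source the poster hid as 212.58.X.X. The corrected set goes one step beyond the reply by using ipfw's `not` address qualifier so the trusted host is still redirected while everyone else is blocked before natd touches the packet.

```python
"""Constructed model of ipfw first-match evaluation with a natd divert rule.

Shows why `01110 deny tcp from any to me 1433 via dc1` never fires once natd
has rewritten the destination, and that the same deny placed in front of the
divert rule does.  Not part of the mailing-list thread.
"""
import ipaddress

# Constructed stand-ins: the host's addresses ("me"), the natd redirect_port
# target, the trusted source hidden as 212.58.X.X in the post, and the
# external interface name from the post.
HOST_ADDRS = {"198.51.100.1", "192.168.0.1"}
NAT_REDIRECT = {1433: "192.168.0.50"}
TRUSTED = "198.51.100.7"
EXT_IF = "dc1"

# The poster's rule set without packet/byte counters (unrelated rules omitted).
ORIGINAL = [
    "00050 divert 8668 ip from any to any via dc1",
    "00100 allow ip from any to any via lo0",
    "00200 deny ip from any to 127.0.0.0/8",
    "00300 deny ip from 127.0.0.0/8 to any",
    "00400 allow tcp from 192.168.0.0/24 to me 23",
    "01000 allow tcp from 192.168.0.0/16 to me 21",
    "01010 deny tcp from any to me 21",
    f"01100 allow tcp from {TRUSTED} to me 1433 via dc1",
    "01110 deny tcp from any to me 1433 via dc1",
    "65000 allow ip from any to any",
]

# The fix: block untrusted sources while the destination is still "me",
# i.e. before natd rewrites it.  `not` keeps the trusted host working.
FIXED = [f"00040 deny tcp from not {TRUSTED} to me 1433 via dc1"] + ORIGINAL


def parse_rule(line):
    """Parse the subset of ipfw syntax used above into a dict."""
    toks = line.split()
    rule = {"num": int(toks[0]), "action": toks[1], "proto": None,
            "src": None, "dst": None, "dport": None, "via": None}
    i = 2
    if rule["action"] == "divert":
        i += 1                       # skip the divert socket port
    rule["proto"] = toks[i]
    i += 1
    for key in ("src", "dst"):       # "from [not] SRC" then "to [not] DST"
        i += 1                       # skip "from" / "to"
        negate = toks[i] == "not"
        if negate:
            i += 1
        rule[key] = (negate, toks[i])
        i += 1
    if i < len(toks) and toks[i].isdigit():
        rule["dport"] = int(toks[i])
        i += 1
    if i < len(toks) and toks[i] == "via":
        rule["via"] = toks[i + 1]
    return rule


def addr_matches(spec, addr):
    negate, pattern = spec
    if pattern == "any":
        hit = True
    elif pattern == "me":
        hit = addr in HOST_ADDRS
    elif "/" in pattern:
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    else:
        hit = pattern == addr
    return hit != negate


def rule_matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt["proto"])
            and addr_matches(rule["src"], pkt["src"])
            and addr_matches(rule["dst"], pkt["dst"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and (rule["via"] is None or rule["via"] == pkt["iface"]))


def evaluate(ruleset, pkt):
    """Walk the rule set first-match; return (verdict, matched rule numbers)."""
    pkt = dict(pkt)
    trace = []
    for rule in map(parse_rule, ruleset):
        if not rule_matches(rule, pkt):
            continue
        trace.append(rule["num"])
        if rule["action"] == "divert":
            # natd: an inbound packet to an aliased port on the external
            # interface gets its destination rewritten, is re-injected, and
            # evaluation resumes at the next rule (one_pass=0 default).
            if (pkt["iface"] == EXT_IF and pkt["dst"] in HOST_ADDRS
                    and pkt["dport"] in NAT_REDIRECT):
                pkt["dst"] = NAT_REDIRECT[pkt["dport"]]
            continue
        return rule["action"], trace
    return "deny", trace             # implicit rule 65535


def inbound_1433(src):
    """Constructed inbound TCP packet to the public 1433 port on dc1."""
    return {"proto": "tcp", "src": src, "dst": "198.51.100.1",
            "dport": 1433, "iface": EXT_IF}


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for src in ("203.0.113.9", TRUSTED):
            verdict, trace = evaluate(rules, inbound_1433(src))
            print(f"{name:8} src={src:13} -> {verdict:5} matched {trace}")
```

With the original ordering an arbitrary outside host reaches rule 65000 and is allowed, because after rule 50 the destination is 192.168.0.50 and rule 01110's `to me` no longer matches. With the deny in front of the divert the untrusted packet stops at rule 40, while the trusted host falls through to the divert and is redirected as before.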
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051005023252.GB740>