ppp + natd + forwarding udp

freebsd-isp_at_chef-ingenieur.de
Date: 09/01/04

    Date: Wed, 1 Sep 2004 16:49:22 +0200 (CEST)
    To: freebsd-isp@freebsd.org
    
    

    Hello,
    I have a FreeBSD box on a DSL line, running ppp, ipfw and natd. This
    has worked fine for about 1 year.
    Now a VPN should be built, but with Cisco equipment. The Cisco
    is located behind the firewall, so I have to forward the UDP packets.
    But this doesn't work. My ipfw rules:

    00100 1174 5341362 allow ip from any to any via lo0
    00200 0 0 deny ip from any to 127.0.0.0/8
    00300 0 0 deny ip from 127.0.0.0/8 to any
    00400 0 0 deny log ip from 172.16.1.0/24 to any in via tun0
    00500 15184 9946779 divert 8668 ip from any to any via tun0
    00600 0 0 check-state
    00700 12125 8358860 allow tcp from me to any keep-state
    00701 0 0 allow log ip from 172.16.1.3 to any
    00702 0 0 allow log ip from any to 172.16.1.3
    00800 13988 11016613 allow ip from 172.16.1.0/24 to any keep-state
    01100 0 0 allow log udp from any to 172.16.1.3 dst-port 500
    01200 0 0 allow log udp from 172.16.1.3 to any dst-port 500
    01300 0 0 allow log udp from any to 172.16.1.3 dst-port 4500
    01400 0 0 allow log udp from 172.16.1.3 to any dst-port 4500
    01500 2 120 reset log tcp from any to me dst-port 113 in via tun0
    01600 576 48970 allow udp from me to any dst-port 53 keep-state
    01700 0 0 allow udp from 172.16.1.0/24 to any dst-port 53 keep-state
    01800 12 912 allow udp from me to any dst-port 123 keep-state
    01900 4 148 allow icmp from me to any
    02000 0 0 allow icmp from 172.16.1.0/24 to any
    02100 3 92 allow icmp from any to any in icmptypes 0,3,4,8,11,12
    02200 1315 298371 deny log ip from any to any
    65535 0 0 deny ip from any to any

    In /etc/natd.conf I have

    redirect_port udp 172.16.1.3:500 500
    redirect_port udp 172.16.1.3:4500 4500

    (the Cisco is on 172.16.1.3 and has internet access)

    natd runs with the flags "-dynamic -u -l -s -f /etc/natd.conf -n tun0"

    Rules 701 and 702 are for debugging.

    I see the packets on the internal interface, but not on the
    tun0 interface (tested with tcpdump).

    Any hints would be great - I'm really helpless at the moment.

    Regards,
    Thomas.

    _______________________________________________
    freebsd-isp@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
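Added example (Python, not part of the post or the list archive): a small first-match walk over the ruleset quoted above, for an inbound and an outbound IKE (UDP 500) packet on tun0. It assumes a public tun0 address of 203.0.113.7 and a remote peer at 198.51.100.9, and models a divert hit as natd rewriting the packet with the redirect_port entries from the post (inbound) or the public address (outbound) before the packet continues at the next rule, which is what the rules after rule 500 actually see.

```python
import ipaddress
# Constructed subset of the ruleset in the post (counters dropped); check-state,
# keep-state tracking and the debugging rules 701/702 are not modelled.
RULESET = """
00400 deny log ip from 172.16.1.0/24 to any in via tun0
00500 divert 8668 ip from any to any via tun0
00800 allow ip from 172.16.1.0/24 to any keep-state
01100 allow log udp from any to 172.16.1.3 dst-port 500
01200 allow log udp from 172.16.1.3 to any dst-port 500
02200 deny log ip from any to any
"""
ME = "203.0.113.7"     # assumed public address on tun0 (TEST-NET-3)
PEER = "198.51.100.9"  # assumed remote IKE peer (TEST-NET-2)
REDIRECTS = {("udp", 500): "172.16.1.3", ("udp", 4500): "172.16.1.3"}  # natd.conf redirect_port
def parse(line):
    """Turn one 'ipfw show' style line into a rule dict (only the syntax used above)."""
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "dport": None, "dir": None, "via": None}
    i = 3 if r["action"] == "divert" else 2   # divert carries its port before the body
    if t[i] == "log": i += 1
    r["proto"], r["src"], r["dst"], opts = t[i], t[i + 2], t[i + 4], t[i + 5:]
    for k, v in zip(opts, opts[1:] + [None]):  # trailing options; keep-state is ignored
        if k == "dst-port":
            r["dport"] = int(v)
        elif k == "via":
            r["via"] = v
        elif k in ("in", "out"):
            r["dir"] = k
    return r
def host_ok(spec, addr):
    return spec == "any" or (addr == ME if spec == "me"
        else ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False))
def matches(r, p):
    return (r["proto"] in ("ip", p["proto"]) and host_ok(r["src"], p["src"])
            and host_ok(r["dst"], p["dst"]) and r["dport"] in (None, p["dport"])
            and r["dir"] in (None, p["dir"]) and r["via"] in (None, p["iface"]))
def trace(pkt):
    """First-match walk; a divert hit rewrites the packet like natd and continues."""
    p, path = dict(pkt), []
    for r in map(parse, RULESET.strip().splitlines()):
        if matches(r, p):
            path.append(r["num"])
            if r["action"] != "divert":
                return r["action"], path
            if p["dir"] == "in" and (p["proto"], p["dport"]) in REDIRECTS:
                p["dst"] = REDIRECTS[(p["proto"], p["dport"])]   # redirect_port
            elif p["dir"] == "out":
                p["src"] = ME                                    # masquerade
    return "deny", path + [65535]
IKE_IN = {"proto": "udp", "src": PEER, "dst": ME, "dport": 500, "dir": "in", "iface": "tun0"}
IKE_OUT = {"proto": "udp", "src": "172.16.1.3", "dst": PEER, "dport": 500, "dir": "out", "iface": "tun0"}
```

In this model the inbound packet is redirected at rule 500 and accepted by rule 1100, while the outbound packet leaves rule 500 with the public address as its source, so neither rule 800 nor rule 1200 (both keyed on the internal address) matches it afterwards.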