IPFW acting weird OR invalid ruleset?

whizkid_at_ValueDJ.com
Date: 06/29/04

    Date: Tue, 29 Jun 2004 12:52:28 -0700 (PDT)
    To: freebsd-questions@freebsd.org
    
    

    Hey everyone. Below is my natd.conf file and my rc.firewall.rules file. I
    cannot figure it out, but if one of my machines that is behind my
    Masquerading Firewall tries to d/l a file that is on a FTP site, it fails
    to connect.

    FreeBSD 5.2.1 machine with 2 nics.

    xl0 outside Nic
    fxp0 inside Nic

    rc.conf:

    # enable firewall
    firewall_enable="YES"
    # set path to custom firewall config
    firewall_type="/etc/fw/rc.firewall.rules"
    # be non-verbose? set to YES after testing
    firewall_quiet="NO"
    # enable natd, the NAT daemon
    natd_enable="YES"
    # which is the interface to the internet that we hide behind?
    natd_interface="xl0"
    # flags for natd
    natd_flags="-f /etc/fw/natd.conf"

    natd.conf:

    unregistered_only
    interface xl0
    use_sockets
    dynamic
    # dynamically open fw for ftp, irc
    punch_fw 2000:50

    rc.firewall.rules:

    # be quiet and flush all rules on start
    -q flush

    # allow local traffic, deny RFC 1918 addresses on the outside
    add 00100 allow ip from any to any via lo0
    add 00110 deny ip from any to 127.0.0.0/8
    add 00120 deny ip from any to any not verrevpath in
    add 00301 deny ip from 10.0.0.0/8 to any in via xl0
    add 00302 deny ip from 172.16.0.0/12 to any in via xl0
    add 00303 deny ip from 192.168.0.0/16 to any in via xl0

    # check if incoming packets belong to a natted session, allow through if yes
    add 01000 divert natd ip from any to me in via xl0
    add 01001 check-state

    # allow some traffic from the local net to the router
    #SMTP
    add 02000 allow tcp from any to any 25 setup keep-state

    # SSH
    add 04000 allow tcp from any to me dst-port 22 in via fxp0 setup keep-state
    add 04001 allow tcp from any to me dst-port 22 in via xl0 setup keep-state

    #IMAP-SSL
    add 04010 allow tcp from any to me dst-port 143 in via fxp0 setup keep-state
    add 04011 allow tcp from any to me dst-port 143 in via xl0 setup keep-state

    # NTP
    add 04020 allow tcp from any to me dst-port 123 in via fxp0 setup keep-state
    add 04021 allow udp from any to me dst-port 123 in via fxp0 keep-state
    add 04020 allow tcp from any to me dst-port 123 in via xl0 setup keep-state
    add 04021 allow udp from any to me dst-port 123 in via xl0 keep-state

    #webmin
    add 04030 allow tcp from any to me dst-port 10000 in via fxp0 setup keep-state
    add 04031 allow tcp from any to me dst-port 10000 in via xl0 setup keep-state

    #http
    add 04040 allow tcp from any to me dst-port 80 in via fxp0 setup keep-state
    add 04041 allow tcp from any to me dst-port 80 in via xl0 setup keep-state

    # DNS
    add 04050 allow udp from any to me dst-port 53 in via fxp0
    add 04051 allow udp from any to me dst-port 53 in via xl0
    add 04052 allow tcp from any to me dst-port 53 in via fxp0
    add 04053 allow tcp from any to me dst-port 53 in via xl0

    #POP
    add 04060 allow tcp from any to me dst-port 110 in via fxp0 setup keep-state
    add 04061 allow tcp from any to me dst-port 110 in via xl0 setup keep-state

    #HTTPS
    add 04070 allow tcp from any to me dst-port 443 in via fxp0 setup keep-state
    add 04071 allow tcp from any to me dst-port 443 in via xl0 setup keep-state

    #IMAPS
    add 04080 allow tcp from any to me dst-port 993 in via fxp0 setup keep-state
    add 04081 allow tcp from any to me dst-port 993 in via xl0 setup keep-state

    # drop everything else
    add 04090 deny ip from any to me

    # pass outgoing packets (to be natted) on to a special NAT rule
    add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via fxp0 keep-state

    # allow all outgoing traffic from the router
    add 05010 allow ip from me to any out keep-state

    # drop everything that has come so far. This means it doesn't belong to an
    # established connection, don't log the most noisy scans.
    add 59998 deny icmp from any to me
    add 59999 deny ip from any to me dst-port 135,137-139,445,4665
    add 60000 deny log tcp from any to any established
    add 60001 deny log ip from any to any

    # this is the NAT rule. Only outgoing packets from the local net will come here.
    # First, nat them, then pass them on (again, you may choose to be more restrictive)
    add 61000 divert natd ip from 192.168.1.0/24 to any out via xl0
    add 61001 allow ip from any to any
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
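An added checker (editor's example, not code from the post) that reads a natd.conf and an ipfw ruleset like the ones above and flags two things worth confirming before chasing FTP itself: static rules whose numbers fall inside natd's punch_fw window (here 2000:50, which covers the SMTP rule 02000) and rule numbers used more than once (04020/04021 appear twice). It assumes punch_fw base:count reserves base..base+count-1, and the sample inputs are trimmed copies of the post's files.

```python
import re

# Constructed from the natd.conf and ruleset in the post, trimmed to the lines
# that matter. Assumption: punch_fw base:count reserves base..base+count-1 for
# natd's temporary holes, and "ipfw delete N" removes every rule numbered N.
NATD_CONF = """
interface xl0
punch_fw 2000:50
"""

RULES = """
add 01000 divert natd ip from any to me in via xl0
add 01001 check-state
add 02000 allow tcp from any to any 25 setup keep-state
add 04020 allow tcp from any to me dst-port 123 in via fxp0 setup keep-state
add 04021 allow udp from any to me dst-port 123 in via fxp0 keep-state
add 04020 allow tcp from any to me dst-port 123 in via xl0 setup keep-state
add 04021 allow udp from any to me dst-port 123 in via xl0 keep-state
"""


def punch_window(natd_conf):
    """Return (first, last) rule number of the punch_fw window, or None."""
    m = re.search(r"^\s*punch_fw\s+(\d+):(\d+)", natd_conf, re.M)
    if not m:
        return None
    base, count = int(m.group(1)), int(m.group(2))
    return base, base + count - 1


def parse_rules(text):
    """Yield (number, body) for every 'add NNNN ...' line in an ipfw ruleset."""
    for line in text.splitlines():
        m = re.match(r"\s*add\s+(\d+)\s+(.*)", line)
        if m:
            yield int(m.group(1)), m.group(2).strip()


def lint(natd_conf, rules_text):
    """Return findings as (kind, number, body) tuples, in ruleset order."""
    findings = []
    window = punch_window(natd_conf)
    seen = set()
    for num, body in parse_rules(rules_text):
        if window and window[0] <= num <= window[1]:
            findings.append(("in_punch_fw_window", num, body))
        if num in seen:
            findings.append(("duplicate_number", num, body))
        seen.add(num)
    return findings
```

Run it against the full files with `lint(open("/etc/fw/natd.conf").read(), open("/etc/fw/rc.firewall.rules").read())`; an empty list means neither issue is present.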

