ipfw-natd: connecting internal network to the Internet
From: Richard K (rkinnie01_at_excite.com)
Date: 08/30/04
- Next message: Vlad D. Markov: "Re: Email Address Change"
- Previous message: Pedro Pinto: "Re: sudo in startup script"
- Next in thread: +Alan Hicks+: "Re: ipfw-natd: connecting internal network to the Internet"
- Reply: +Alan Hicks+: "Re: ipfw-natd: connecting internal network to the Internet"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 29 Aug 2004 18:06:04 -0700
all~
I have been working on getting my ipfw rules fixed so that my internal
machines on the network can connect to the Internet. In doing so, I
have my machines able to connect to the Internet; let's say
www.google.com, and do a search, which works as expected. When I click on
a link, groups.google.com, I get a connection refused. I cannot
determine from my ruleset what is preventing this functionality.
Here's my ipfw ruleset. Please let me know whether there is anything
else that I can provide that will assist.
Your assistance is greatly appreciated. If there is something I need
to take out or add to get this to work, I don't understand why this is
happening.
#!/bin/sh
fwcmd="/sbin/ipfw -q"
inif="dc0"            # internal (LAN) interface
exif="rl0"            # external (Internet) interface
innr="10.0.0.0/8"     # internal network
# FreeBSD ifconfig prints "inet A netmask 0xHEX broadcast B": field 2 is the
# address and field 4 the netmask (hex, which inet_aton(3) and hence ipfw's
# addr:mask form accept). Field 6 is the broadcast address, so the original
# '$6' did not yield a mask at all.
inip=`ifconfig ${inif} | grep "inet " | awk '{print $2}'`
imask=`ifconfig ${inif} | grep "inet " | awk '{print $4}'`
exip=`ifconfig ${exif} | grep "inet " | awk '{print $2}'`
xmask=`ifconfig ${exif} | grep "inet " | awk '{print $4}'`
##########################################################################################################################
###############################################}--[ DO NOT REMOVE ]--{####################################################
##########################################################################################################################
###########################################################
## Clear all rules
#
#ConsoleMessage "Flushing existing ipfw ruleset"
${fwcmd} -f flush
###########################################################
############################################################
## Essential rules that more or less everyone needs ##
############################################################
#
# ConsoleMessage "Setting up ipfw"
#
#################################################
## Allow your loop back to work
#
${fwcmd} add 1000 allow ip from any to any via lo0
#################################################
## Stop and log spoofing of your loopback
#
${fwcmd} add 1010 deny log ip from any to 127.0.0.0/8
${fwcmd} add 1011 deny log ip from 127.0.0.0/8 to any
#################################################
## Stop and log spoofing attack attempts
#
${fwcmd} add 1020 deny log ip from ${innr} to ${exip} in via ${exif}
${fwcmd} add 1021 deny log ip from ${exip} to ${exip} in via ${exif}
${fwcmd} add 1022 deny log all from ${inip}:${imask} to any in via ${exif}
${fwcmd} add 1023 deny log all from ${exip}:${xmask} to any in via ${inif}
#################################################
## Enable Network Address translation, NAT, diverting
#
#ConsoleMessage "Enabling NAT"
${fwcmd} add 1500 divert natd ip from any to any via ${exif}
#################################################
## *** TESTING PURPOSES ONLY *** TESTING PURPOSES ONLY **
## Will open up the Firewall completely!
#
# ${fwcmd} add 2000 allow log logamount 100 ip from any to any
# ${fwcmd} add 2001 allow ip from any to any
#################################################
## Allow all packets that have previously been added to the
## "dynamic" rules table by an allow keep-state statement.
#
${fwcmd} add 2500 check-state
#################################################
## Allow all traffic on the private LAN and run it through the
## dynamic rules table so the IP addresses are in sync with natd.
#
${fwcmd} add 2510 allow ip from ${innr} to any via ${inif} keep-state
${fwcmd} add 2511 allow ip from ${exip} to any via ${inif} keep-state
#################################################
## Deny all fragments as bogus packets
#
${fwcmd} add 2520 deny ip from any to any frag in via ${exif}
#################################################
## Deny ACK packets that did not match the dynamic rule table
#
${fwcmd} add 2530 deny tcp from any to any established in via ${exif}
#################################################
## Deny Source Routed Packets
#
#${fwcmd} add 2540 unreach host log ip from any to any ipopt ssrr,lsrr via ${exif}
#################################################
## Send a RESET to all ident packets
## Disable if you are actually running Auth/Identd
#
${fwcmd} add 2550 reset tcp from any to any 113 in via ${exif}
#################################################
## Allow DHCP/BOOTP (external/internal)
#
${fwcmd} add 2600 allow udp from any 67-68 to any 67-68 via ${exif}
${fwcmd} add 2601 allow udp from any 67-68 to any 67-68 via ${inif}
#################################################
## Allow DHCP Broadcast (external/internal)
#
${fwcmd} add 2610 allow udp from any to 255.255.255.255 67-68 via ${exif}
${fwcmd} add 2611 allow udp from any to 255.255.255.255 67-68 via ${inif}
#################################################
## Allow all ICMP Packets for diagnostic purposes
## you probably wish to leave this commented out
#
# ${fwcmd} add 2620 allow icmp from any to any via ${exif}
#################################################
## Allow Required ICMP Traffic
## path-mtu, source quench plus outgoing traceroute and ping
#
${fwcmd} add 2630 allow icmp from any to any icmptypes 3,4
${fwcmd} add 2631 allow icmp from any to any icmptypes 0,11 in
${fwcmd} add 2632 allow icmp from any to any icmptypes 8 out
#######################################################################################################################
##############################################}--[DO NOT REMOVE]--{####################################################
#######################################################################################################################
############################################################
## Outbound rules ##
############################################################
#################################################
## Allow DNS
#
${fwcmd} add 3000 allow udp from any 1024-65535 to any 53 out via ${exif} keep-state
#################################################
## Allow Network Time (NTP)
## NOTE: the 1024-65535 destination range lets any high UDP port out, not
## just NTP; "to any 123" alone is the minimal rule for NTP.
#
${fwcmd} add 3010 allow udp from any to any 1024-65535,123 out via ${exif} keep-state
#################################################
## Allow passive FTP control channel
#
${fwcmd} add 3020 allow tcp from ${exip} to any 21 out via ${exif} setup keep-state
${fwcmd} add 3021 allow tcp from ${exip} to any 10000-65000 out via ${exif} setup keep-state
#########################################################
# Stop RFC1918 nets on the outside interface (192.168.0.0/16 needs a /16 mask,
# 255.255.0.0, not the /24 the original rule used)
${fwcmd} add 3400 deny log all from 192.168.0.0:255.255.0.0 to any in recv ${exif}
${fwcmd} add 3402 deny log all from 172.16.0.0:255.240.0.0 to any in recv ${exif}
${fwcmd} add 3404 deny log all from 10.0.0.0:255.0.0.0 to any in recv ${exif}
#################################################
## Allow all traffic from the firewall going out on the external interface
#
${fwcmd} add 3502 allow ip from ${innr} to ${exip} out via ${exif} keep-state
#*******************************************************************************************************************
# Allow connections outbound
# (rule 3503 originally read "in via ${inip}"; via takes an interface name,
# so it can only ever match with ${inif})
${fwcmd} add 3503 allow log ip from any to ${inip} in via ${inif} keep-state
${fwcmd} add 3504 allow log ip from ${inip} to ${exip} out via ${exif} keep-state
${fwcmd} add 3505 pass log all from any to any out xmit ${exif}
${fwcmd} add 3506 pass log all from any to any via ${inif}
#${fwcmd} add 3507 pass log tcp from any to any in recv ${exif} established
#*******************************************************************************************************************
# Allow Privileged Ports
${fwcmd} add 3606 allow log tcp from any 1-1023 to ${exip} 1-1023 out via ${exif} keep-state
${fwcmd} add 3607 allow log udp from any 1-1023 to ${exip} 1-1023 out via ${exif} keep-state
#******************************************************************************************************************
# Allow Non-Privileged Ports
${fwcmd} add 3608 allow log tcp from any 1024-65535 to ${exip} 1024-65535 out via ${exif} keep-state
${fwcmd} add 3609 allow log udp from any 1024-65535 to ${exip} 1024-65535 out via ${exif} keep-state
#------------------------------------------------------------------------------------------------------------------
# Test: Try all the ports
#${fwcmd} add 3700 allow log tcp from any 1-65535 to ${exip} 1-65535 out via ${exif} keep-state
#${fwcmd} add 3702 allow log udp from any 1-65535 to ${exip} 1-65535 out via ${exif} keep-state
${fwcmd} add 3703 check-state
############################################################
## Inbound rules for Standard Services on port 0-1023 ##
############################################################
#################################################
## File Transfer, FTP
#
# ${fwcmd} add 4010 allow tcp from any to ${exip} 20-21 in via ${exif} setup keep-state
#################################################
## Remote Login, SSH
#
# ${fwcmd} add 4020 allow tcp from any to ${exip} 22 in via ${exif} setup keep-state
#################################################
## SMTP Mail (Normal/SSL)
#
# ${fwcmd} add 4030 allow tcp from any to ${exip} 25 in via ${exif} setup keep-state
# ${fwcmd} add 4031 allow tcp from any to ${exip} 465 in via ${exif} setup keep-state
#################################################
## DNS
#
# ${fwcmd} add 4040 allow udp from any to ${exip} 53 in via ${exif} keep-state
#################################################
## World Wide Web (Normal/SSL)
#
# ${fwcmd} add 4050 allow tcp from any to ${exip} 80 in via ${exif} setup keep-state
# ${fwcmd} add 4051 allow tcp from any to ${exip} 443 in via ${exif} setup keep-state
#################################################
## POP3 Mail (Normal/SSL)
#
# ${fwcmd} add 4060 allow tcp from any to ${exip} 110 in via ${exif} setup keep-state
# ${fwcmd} add 4061 allow tcp from any to ${exip} 995 in via ${exif} setup keep-state
#################################################
## Auth/Identd (TCP/UDP)
#
# ${fwcmd} add 4070 allow tcp from any to ${exip} 113 in via ${exif} setup keep-state
# ${fwcmd} add 4071 allow udp from any to ${exip} 113 in via ${exif} keep-state
#################################################
## Samba/CIFS (TCP/UDP)
#
# ${fwcmd} add 4080 allow tcp from any to ${exip} 137-139 in via ${exif} setup keep-state
# ${fwcmd} add 4081 allow udp from any to ${exip} 137-139 in via ${exif} keep-state
## Deny with no log; I get too many entries from people trying to crack Windows servers
# ${fwcmd} add 4082 deny tcp from any to ${exip} 137-139 in via ${exif}
# ${fwcmd} add 4083 deny udp from any to ${exip} 137-139 in via ${exif}
#################################################
## IMAP Mail (Normal/SSL)
#
# ${fwcmd} add 4090 allow tcp from any to ${exip} 143 in via ${exif} setup keep-state
# ${fwcmd} add 4091 allow tcp from any to ${exip} 993 in via ${exif} setup keep-state
#################################################
## SNMP (161 = agent, 162 = trap receiver; the UDP rule originally said 192)
#
# ${fwcmd} add 4100 allow tcp from any to ${exip} 161,162 in via ${exif} setup keep-state
# ${fwcmd} add 4101 allow udp from any to ${exip} 161,162 in via ${exif} keep-state
#################################################
## IRC Chat (TCP/UDP)
#
# ${fwcmd} add 4110 allow tcp from any to ${exip} 194 in via ${exif} setup keep-state
# ${fwcmd} add 4111 allow udp from any to ${exip} 194 in via ${exif} keep-state
#################################################
## Apple web/remote Admin Apps
#
# ${fwcmd} add 4120 allow tcp from any to ${exip} 311 in via ${exif} setup keep-state
# ${fwcmd} add 4121 allow tcp from any to ${exip} 625 in via ${exif} setup keep-state
# ${fwcmd} add 4122 allow tcp from any to ${exip} 660 in via ${exif} setup keep-state
#################################################
## Timbuktu Pro (TCP/UDP)
#
# ${fwcmd} add 4130 allow tcp from any to ${exip} 407 in via ${exif} setup keep-state
# ${fwcmd} add 4131 allow udp from any to ${exip} 407 in via ${exif} keep-state
#################################################
## Network Browser (SLP)
#
# ${fwcmd} add 4140 allow udp from any to ${exip} 427 in via ${exif} keep-state
#################################################
## Retrospect
#
# ${fwcmd} add 4150 allow tcp from any to ${exip} 497 in via ${exif} setup keep-state
#################################################
## LPR (printing)
#
# ${fwcmd} add 4160 allow tcp from any to ${exip} 515 in via ${exif} setup keep-state
#################################################
## QuickTime Streaming Server, RTSP (TCP/UDP)
#
# ${fwcmd} add 4170 allow tcp from any to ${exip} 554 in via ${exif} setup keep-state
# ${fwcmd} add 4171 allow udp from any to ${exip} 554 in via ${exif} keep-state
# ${fwcmd} add 4172 allow udp from any to ${exip} 6970-6999 in via ${exif} keep-state
# ${fwcmd} add 4173 allow udp from any to ${exip} 7070 in via ${exif} keep-state
#################################################
## Apple File Protocol (AFP)
#
# ${fwcmd} add 4180 allow tcp from any to ${exip} 548 in via ${exif} setup keep-state
#################################################
## IPP (Internet Printing Protocol)
#
# ${fwcmd} add 4190 allow tcp from any to ${exip} 631 in via ${exif} setup keep-state
############################################################
## Inbound rules for User Services on port 1024-65535 ##
############################################################
#################################################
## iSync/Rendezvous (TCP/UDP)
#
# ${fwcmd} add 5010 allow tcp from any to ${exip} 3004 in via ${exif} setup keep-state
# ${fwcmd} add 5011 allow udp from any to ${exip} 3004 in via ${exif} keep-state
#################################################
## iTunes 4 streaming (TCP/UDP)
#
# ${fwcmd} add 5020 allow tcp from any to ${exip} 3689 in via ${exif} setup keep-state
# ${fwcmd} add 5021 allow udp from any to ${exip} 3689 in via ${exif} keep-state
#################################################
## ICQ Chat (TCP/UDP)
#
# ${fwcmd} add 5030 allow tcp from any to ${exip} 4000 in via ${exif} setup keep-state
# ${fwcmd} add 5031 allow udp from any to ${exip} 4000 in via ${exif} keep-state
#################################################
## FileMaker Pro (TCP/UDP)
#
# ${fwcmd} add 5040 allow tcp from any to ${exip} 5003 in via ${exif} setup keep-state
# ${fwcmd} add 5041 allow udp from any to ${exip} 5003 in via ${exif} keep-state
#################################################
## iChat/AOL Instant Messenger
#
## iChat/AOL file transfers
# ${fwcmd} add 5050 allow tcp from any to ${exip} 5190 in via ${exif} setup keep-state
# ${fwcmd} add 5051 allow udp from any to ${exip} 5190 in via ${exif} keep-state
#
## iChat/Rendezvous file transfers
# ${fwcmd} add 5052 allow tcp from any to ${exip} 5298 in via ${exif} setup keep-state
# ${fwcmd} add 5053 allow udp from any to ${exip} 5298 in via ${exif} keep-state
# ${fwcmd} add 5054 allow tcp from any to ${exip} 17421 in via ${exif} setup keep-state
#
## iChat AV
# ${fwcmd} add 5055 allow udp from any to ${exip} 5060 in via ${exif} keep-state
# ${fwcmd} add 5056 allow udp from any to ${exip} 16384-16403 in via ${exif} keep-state
#################################################
## Rendezvous (mDNSResponder)
#
# ${fwcmd} add 5060 allow udp from any to ${exip} 5353 in via ${exif} keep-state
#################################################
## Gnutella/Limewire
#
# ${fwcmd} add 5070 allow tcp from any to ${exip} 6346 in via ${exif} setup keep-state
#################################################
## BitTorrent
#
# ${fwcmd} add 5080 allow tcp from any to ${exip} 6881-6999 in via ${exif} setup keep-state
#################################################
## NetFone
#
# ${fwcmd} add 5090 allow tcp from any to ${exip} 10200-10210 in via ${exif} setup keep-state
## If you use port forwarding you must have a rule that lets the traffic
## in to the private LAN. This is one example for NetFone.
# ${fwcmd} add 5091 allow tcp from any to ${innr} 10200-10210 in via ${exif} setup keep-state
############################################################
## Generic inbound rules to wrap things up ##
############################################################
#################################################
## Deny all other Privileged Ports (TCP/UDP)
#
${fwcmd} add 6000 deny log tcp from any to ${exip} 1-1023 in via ${exif}
${fwcmd} add 6010 deny log udp from any to ${exip} 1-1023 in via ${exif}
#${fwcmd} add 6020 allow log tcp from any to ${exip} 1-1023 in via ${inif} setup keep-state
#${fwcmd} add 6030 allow log udp from any to ${exip} 1-1023 in via ${inif} keep-state
#################################################
## Deny all other Non-Privileged Ports (TCP/UDP)
#
${fwcmd} add 6100 deny log tcp from any to ${exip} 1024-65535 in via ${exif}
${fwcmd} add 6110 deny log udp from any to ${exip} 1024-65535 in via ${exif}
## Allow all Non-Privileged Ports (TCP/UDP)
#${fwcmd} add 6120 allow tcp from any to ${exip} 1024-65535 in via ${exif} setup keep-state
#${fwcmd} add 6130 allow udp from any to ${exip} 1024-65535 in via ${exif} keep-state
#################################################
## Deny everything else
## (rule 7010 is numbered after the catch-all deny at 7000, so ipfw never
## reaches it; it is dead as written)
#
${fwcmd} add 7000 deny log ip from any to any
${fwcmd} add 7010 allow log ip from any to ${exip}
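The question in the post, which line of a 400-line ruleset is getting in the way, is the kind of thing a mechanical check finds faster than reading. The following Python lint is an added example; it is not part of Richard's post and not a FreeBSD or ipfw tool. It parses shell rulesets written in the style above and reports three classes of defect that are present in the script as posted: a mistyped variable reference such as "$(exif}" (rule 3402), an address variable handed to "via", which takes an interface name (rule 3503, "via ${inip}"), and rules numbered after an unconditional "deny ip from any to any" (rule 7010 after 7000), which ipfw never reaches because it evaluates rules in ascending number order. The embedded SAMPLE ruleset is constructed for the example and reproduces only those lines; the variable names and rule numbers mirror the post.

```python
import re

# Matches an ipfw "add" line in the style of the posted script:
#   ${fwcmd} add <number> <action> <rest of rule>
ADD_RE = re.compile(r'^\s*\$\{fwcmd\}\s+add\s+(\d+)\s+(\S+)\s*(.*)$')

# Shell variables the posted script uses for addresses/masks; none of them
# is a valid argument to "via", "recv" or "xmit", which take interface names.
IP_VARS = {"${inip}", "${exip}", "${innr}", "${imask}", "${xmask}"}

# A rule body that matches every packet: optional "log [logamount N]",
# then "ip|all from any to any" with nothing else after it.
CATCHALL_RE = re.compile(
    r'^(?:log\s+(?:logamount\s+\d+\s+)?)?(?:ip|all)\s+from\s+any\s+to\s+any\s*$')

# "$(name}" or "${name)": a mistyped variable reference the shell will not expand.
MALFORMED_VAR_RE = re.compile(r'\$\([A-Za-z_]\w*\}|\$\{[A-Za-z_]\w*\)')

# Interface-selecting keywords and the token that follows each.
IFACE_KW_RE = re.compile(r'\b(via|recv|xmit)\s+(\S+)')


def parse_rules(script):
    """Return [(number, action, body), ...] for every uncommented 'add' line."""
    rules = []
    for line in script.splitlines():
        if line.lstrip().startswith('#'):
            continue            # commented-out rule, never loaded
        m = ADD_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return rules


def lint(script):
    """Return a list of (rule_number, message) findings, in rule-number order."""
    findings = []
    catchall = None
    # ipfw evaluates rules by ascending number, not file order, so sort first.
    for num, action, body in sorted(parse_rules(script)):
        if MALFORMED_VAR_RE.search(body):
            findings.append((num, "malformed variable reference (e.g. $(name}) in rule body"))
        for kw, arg in IFACE_KW_RE.findall(body):
            if arg in IP_VARS:
                findings.append((num, "'%s %s' names an address variable; %s takes an interface"
                                 % (kw, arg, kw)))
        if catchall is not None:
            findings.append((num, "unreachable: rule %d already matches every packet" % catchall))
        elif action in ("allow", "pass", "accept", "deny", "drop") and CATCHALL_RE.match(body):
            catchall = num
    return findings


# Constructed sample in the style of the posted ruleset (not the full script);
# it reproduces three of the post's defects: rule 3402's "$(exif}", rule 3503's
# "via ${inip}", and rule 7010 sitting after the catch-all deny at 7000.
SAMPLE = r'''#!/bin/sh
fwcmd="/sbin/ipfw -q"
inif="dc0"
exif="rl0"
${fwcmd} -f flush
${fwcmd} add 1000 allow ip from any to any via lo0
${fwcmd} add 1500 divert natd ip from any to any via ${exif}
# ${fwcmd} add 2001 allow ip from any to any
${fwcmd} add 2500 check-state
${fwcmd} add 3402 deny log all from 172.16.0.0:255.240.0.0 to any in recv $(exif}
${fwcmd} add 3503 allow log ip from any to ${inip} in via ${inip} keep-state
${fwcmd} add 7000 deny log ip from any to any
${fwcmd} add 7010 allow log ip from any to ${exip}
'''

# The same sample with the three defects corrected; lint() should be silent on it.
FIXED = (SAMPLE.replace("$(exif}", "${exif}")
               .replace("via ${inip}", "via ${inif}")
               .replace("${fwcmd} add 7010", "# ${fwcmd} add 7010"))

if __name__ == "__main__":
    for num, msg in lint(SAMPLE):
        print("rule %d: %s" % (num, msg))
```

To check a real rules file, call lint() on its contents (lint(open(path).read()) for whatever path you keep the script at); the lint only reads text and never talks to the kernel, so it is safe to run before a flush. It deliberately knows nothing about dynamic (keep-state) rules or natd, so a clean report means the script is free of these three mistakes, not that the policy is right.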