From: "Himal Mandalia" <that_guy_himal@hotmail.com>
To: freebsd-questions@freebsd.org
Date: Sun, 14 Aug 2005 00:58:44 +0100
Subject: IPFW help

I've been trying to set up IPFW to do port forwarding so I can use a machine on a private network as a web server. I'm using NAT, which works fine, but can't seem to get port forwarding working unless I remove the "deny ip from any to any" in my firewall script.
natd.conf:

    interface en0
    dynamic yes
    use_sockets yes
    same_ports yes
    redirect_port tcp 192.168.0.2:80 80

firewall script:

    /sbin/ipfw -q -f flush
    cmd="/sbin/ipfw add"
    oif="en0"       #public iface
    iif="en1"       #private iface
    oip=`ifconfig $oif | grep 'inet' | awk '{print $2}'`
    optimus="192.168.0.2"   #webserver on private segment

    $cmd 00010 allow ip from any to any via lo0
    $cmd 00020 deny log ip from any to 127.0.0.0/8
    $cmd 00100 divert 8668 ip from any to any via $oif
    $cmd 00400 fwd $optimus,80 tcp from any to $oip 80
    $cmd 00500 allow tcp from any to any established
    $cmd 00600 allow tcp from any to $oip ftp,ssh,http setup
    $cmd 00700 allow tcp from any to $oip 5900-5909 setup
    $cmd 00800 allow tcp from any to $oip 6881-6999,6669,3689,873,6346,1863,443,2628 setup
    $cmd 00900 allow udp from any to $oip 27960-27969
    $cmd 01000 allow icmp from any to any
    $cmd 02000 allow icmp from any to any icmptypes 3,4,11,12
    $cmd 03000 reset tcp from any to $oip 113
    $cmd 04000 check-state
    $cmd 05000 allow ip from $oip to any keep-state out via $oif
    $cmd 06000 allow ip from 192.168.0.0/16 to any keep-state via $iif
    $cmd 65000 deny ip from any to any

Removing the last line works, but then security's out of the window, I suppose. I'm sure it's just a problem with the order of the rules or something like that. Any suggestions and help would be most welcome.

Thanks
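The script below is an added example, not code from the original post or from FreeBSD. It is a small Python model of the walk an inbound SYN makes through the rules above, with natd's redirect_port behaviour modelled from the posted natd.conf; the public address 203.0.113.10 and the client 198.51.100.7 are assumed values, and the model covers only the rule features the script uses (rule 02000 and the keep-state/icmptypes options are left out since they do not affect this packet). It shows why the deny rule is hit: rule 00100 hands the SYN to natd, which returns it with destination 192.168.0.2:80, so rule 00600 (and the fwd in 00400) match only the old destination $oip and the packet falls through to 65000. The model then adds one rule, `allow tcp from any to 192.168.0.2 80 in via en0 setup` numbered 650, and shows the same SYN being accepted.

```python
# Added example: a toy model of the ipfw rule walk for the posted script.
# Not ipfw itself. OIP (203.0.113.10) and the client address are assumed.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

OIF, IIF = "en0", "en1"
OIP = "203.0.113.10"       # assumed public address of en0 (what `ifconfig en0` would give)
OPTIMUS = "192.168.0.2"    # the private web server named in the post


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int
    iface: str
    direction: str    # "in" or "out"
    setup: bool       # SYN without ACK (ipfw "setup"); False means ACK set ("established")


def ports(spec):
    """Expand an ipfw port list such as '6881-6999,443' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def natd(pkt):
    """natd with 'redirect_port tcp 192.168.0.2:80 80': an inbound packet for the
    public address on port 80 comes back from the divert socket with the
    destination rewritten to the private server."""
    if pkt.direction == "in" and pkt.proto == "tcp" and pkt.dst == OIP and pkt.dport == 80:
        return replace(pkt, dst=OPTIMUS)
    return pkt


def rule(num, action, proto="ip", src="any", dst="any", dports=None, **opts):
    return {"num": num, "action": action, "proto": proto, "src": src,
            "dst": dst, "dports": ports(dports) if dports else None, "opts": opts}


def in_net(addr, spec):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(r, pkt):
    o = r["opts"]
    if r["proto"] not in ("ip", pkt.proto):
        return False
    if not in_net(pkt.src, r["src"]) or not in_net(pkt.dst, r["dst"]):
        return False
    if r["dports"] and pkt.dport not in r["dports"]:
        return False
    if "via" in o and o["via"] != pkt.iface:
        return False
    if "dir" in o and o["dir"] != pkt.direction:
        return False
    if o.get("setup") and not pkt.setup:
        return False
    if o.get("established") and pkt.setup:
        return False
    return True


def walk(rules, pkt):
    """Return (rule number, verdict) of the first terminal rule the packet hits.
    A divert match hands the packet to natd and the walk resumes at the next
    rule with the rewritten packet; that rewrite is what the script overlooks."""
    for r in rules:
        if r["action"] == "check-state":
            continue                       # no dynamic state exists for a fresh SYN
        if not rule_matches(r, pkt):
            continue
        if r["action"] == "divert":
            pkt = natd(pkt)
            continue
        return r["num"], r["action"]       # allow, deny, reset and fwd are terminal
    return 65535, "deny"                   # kernel default rule


POSTED_RULES = [                           # keep-state modelled as plain allow
    rule(10, "allow", via="lo0"),
    rule(20, "deny", dst="127.0.0.0/8"),
    rule(100, "divert", via=OIF),
    rule(400, "fwd", "tcp", dst=OIP, dports="80"),
    rule(500, "allow", "tcp", established=True),
    rule(600, "allow", "tcp", dst=OIP, dports="21,22,80", setup=True),
    rule(700, "allow", "tcp", dst=OIP, dports="5900-5909", setup=True),
    rule(800, "allow", "tcp", dst=OIP, dports="6881-6999,6669,3689,873,6346,1863,443,2628", setup=True),
    rule(900, "allow", "udp", dst=OIP, dports="27960-27969"),
    rule(1000, "allow", "icmp"),
    rule(3000, "reset", "tcp", dst=OIP, dports="113"),
    rule(4000, "check-state"),
    rule(5000, "allow", src=OIP, dir="out", via=OIF),
    rule(6000, "allow", src="192.168.0.0/16", via=IIF),
    rule(65000, "deny"),
]

# The missing rule: admit the post-NAT SYN for the redirected server.
# ipfw syntax: allow tcp from any to 192.168.0.2 80 in via en0 setup
FIX = rule(650, "allow", "tcp", dst=OPTIMUS, dports="80", dir="in", via=OIF, setup=True)
FIXED_RULES = sorted(POSTED_RULES + [FIX], key=lambda r: r["num"])

INBOUND_SYN = Packet("tcp", "198.51.100.7", OIP, 80, OIF, "in", setup=True)  # constructed client hit


def trace_posted():
    return walk(POSTED_RULES, INBOUND_SYN)   # (65000, 'deny')


def trace_fixed():
    return walk(FIXED_RULES, INBOUND_SYN)    # (650, 'allow')


if __name__ == "__main__":
    print("posted script:", trace_posted())
    print("with rule 650:", trace_fixed())
```

The server's replies need no extra rule in this model: they enter via en1 and match 06000, then leave via en0 where the divert rule hands them to natd, which restores $oip as the source, and 00500 accepts them as established. Rule 00400's fwd is redundant once natd does the redirect and can be dropped.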