From owner-freebsd-questions Tue Jul 11 22:12:43 2000
Date: Tue, 11 Jul 2000 22:10:47 -0700
From: "Crist J. Clark"
To: "E. Michael"
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw/nat problem::dynamic ip
Message-ID: <20000711221047.A523@dialin-client.earthlink.net>
Reply-To: cjclark@alum.mit.edu
References: <396BAD64.7382BBB4@mail3d.co.uk>
In-Reply-To: <396BAD64.7382BBB4@mail3d.co.uk>; from emichael@mail3d.co.uk on Tue, Jul 11, 2000 at 11:27:32PM +0000

On Tue, Jul 11, 2000 at 11:27:32PM +0000, E. Michael wrote:
> Hi,
>
> The scenario is the following:
>
> The gateway's IP is 192.168.110.1:
> The outside interface (modem) is tun0, using a dynamic IP.
> The natd runs with:
> -n tun0 -use_sockets -same_ports -dynamic
> and I dial with:
> ppp -ddial ISP
>
> The ipfw ruleset is very simple:
>
> 00050 divert 8668 ip from any to any via tun0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> With this setup any host on my network can see the outside world. What I
> am trying to do without success is to block port 110 of my gateway
> for the outside world.
> I tried adding the following two rules:
> ipfw add 1000 deny tcp from any to 192.168.110.1 110 via tun0
> ipfw add 1010 deny tcp from 192.168.110.1 110 to any via tun0
> Unfortunately, this does not prevent an external host from connecting to
> port 110.

The external hosts are trying to connect to the address on the tun0
interface, not the internal one.

> Here is some output from natd when I ping yahoo from 192.168.110.10
> Out [UDP] [UDP] 192.168.110.10:1045 -> 212.67.128.102:53 aliased to
> [UDP] 212.67.145.58:1045 -> 212.67.128.102:53
> In [UDP] [UDP] 212.67.128.102:53 -> 212.67.145.58:1045 aliased to
> [UDP] 212.67.128.102:53 -> 192.168.110.10:1045
> Out [ICMP] [ICMP] 192.168.110.10 -> 216.32.74.55 8(0) aliased to
> [ICMP] 212.67.145.58 -> 216.32.74.55 8(0)
> In [ICMP] [ICMP] 216.32.74.55 -> 212.67.145.58 0(0) aliased to
> [ICMP] 216.32.74.55 -> 192.168.110.10 0(0)
>
> (it seems ok to me)
>
> and when I ping yahoo from 192.168.110.1
> Out [UDP] [UDP] 212.67.145.58:1056 -> 212.67.128.102:53 aliased to
> [UDP] 212.67.145.58:1056 -> 212.67.128.102:53
> In [UDP] [UDP] 212.67.128.102:53 -> 212.67.145.58:1056 aliased to
> [UDP] 212.67.128.102:53 -> 212.67.145.58:1056
> Out [ICMP] [ICMP] 212.67.145.58 -> 216.32.74.50 8(0) aliased to
> [ICMP] 212.67.145.58 -> 216.32.74.50 8(0)
> In [ICMP] [ICMP] 216.32.74.50 -> 212.67.145.58 0(0) aliased to
> [ICMP] 216.32.74.50 -> 212.67.145.58 0(0)
>                       ^^^^^^^^^^^^^
> Shouldn't it be 192.168.110.1?

No.

I would assume that 212.67.145.58 is the address of the tun0 interface.
What does 192.168.110.1, the interior interface, have to do with it?

> What am I doing wrong? Am I missing anything?

You just seem to be a little confused.

-- 
Crist J. Clark                           cjclark@alum.mit.edu
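To make the point of the reply concrete, here is an added example (not from the original mail or from FreeBSD) that replays the quoted ruleset against a constructed inbound POP3 connection in a small Python model of ipfw's first-match lookup; it assumes 212.67.145.58 is the tun0 address and that natd hands a packet addressed to that address back unchanged. It also evaluates the same set with rule 1000 keyed on port and inbound interface rather than on the internal address, so the deny no longer depends on whichever address the dynamic link happens to get.

```python
import ipaddress

# Constructed inbound POP3 connection attempt arriving on tun0 (not from the mail);
# 212.67.145.58 is assumed to be the tun0 address, as in the natd output quoted above.
INBOUND_POP3 = {"proto": "tcp", "src": "203.0.113.7", "sport": 40000,
                "dst": "212.67.145.58", "dport": 110, "iface": "tun0", "dir": "in"}

def parse_rule(text):
    """Reduced ipfw syntax: NUM ACTION [PORT] PROTO from SRC [PORT] to DST [PORT] [in|out] [via IF]."""
    t = text.split()
    i = 3 if t[1] == "divert" else 2                # divert carries its port before the protocol
    r = {"num": int(t[0]), "action": t[1], "proto": t[i]}
    i = t.index("from") + 1
    for side in ("src", "dst"):                     # address, then an optional numeric port
        r[side], i = t[i], i + 1
        r[side[0] + "port"] = None
        if i < len(t) and t[i].isdigit():
            r[side[0] + "port"], i = int(t[i]), i + 1
        i += side == "src"                          # step over the "to" keyword after the source
    rest = t[i:]                                    # trailing options: in/out and via IFACE
    r["dir"] = next((k for k in rest if k in ("in", "out")), None)
    r["via"] = rest[rest.index("via") + 1] if "via" in rest else None
    return r

def addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    return ((r["proto"] in ("ip", p["proto"])) and addr_ok(r["src"], p["src"])
            and addr_ok(r["dst"], p["dst"]) and r["sport"] in (None, p["sport"])
            and r["dport"] in (None, p["dport"]) and r["dir"] in (None, p["dir"])
            and r["via"] in (None, p["iface"]))

def lookup(ruleset, p):
    """(rule number, action) of the first matching rule, as ipfw would decide it."""
    for r in sorted(map(parse_rule, ruleset), key=lambda r: r["num"]):
        if matches(r, p) and r["action"] != "divert":   # natd returns a packet to tun0's own address as is
            return r["num"], r["action"]
    return 65535, "deny"

ORIGINAL = ["00050 divert 8668 ip from any to any via tun0",
            "00100 allow ip from any to any via lo0",
            "00200 deny ip from any to 127.0.0.0/8",
            "01000 deny tcp from any to 192.168.110.1 110 via tun0",
            "01010 deny tcp from 192.168.110.1 110 to any via tun0",
            "65000 allow ip from any to any"]
# Same set, with rule 1000 keyed on port and interface instead of an address tun0 never carries.
FIXED = [x if not x.startswith("01000") else "01000 deny tcp from any to any 110 in via tun0"
         for x in ORIGINAL]
```

lookup(ORIGINAL, INBOUND_POP3) returns (65000, 'allow') because rule 1000 never matches a packet addressed to 212.67.145.58, while lookup(FIXED, INBOUND_POP3) returns (1000, 'deny').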