From owner-freebsd-ipfw Wed Jul 19 13:28:43 2000
Date: Wed, 19 Jul 2000 15:28:33 -0500 (CDT)
From: BWS - Offwhite
To: freebsd-ipfw@freebsd.org
Subject: help with natd
Message-ID:

I have set up a private network here at my office and have everyone behind the ipfw firewall. I am using ipnat to do all forwarding and it works like a charm, but I am having trouble. I have one user who needs to ftp files to an outside host and PASV mode is not working. Somewhere along the way an ISP is blocking all PASV traffic, making ftp break. They refuse to change that due to security policies.

So what I would like to try is to give that user a static address and route all traffic from an outside address to that static address...

    111.222.111.222 <==> 192.168.1.11

I figure that if I forward all traffic from that public IP to his box alone it should work so he does not have to use PASV mode. Would this work? Can anyone tell me what rules I would use with ipnat to make this happen?

Thanks much,

Brennan Stehling - web developer and sys admin
projects: www.greasydaemon.com | www.onmilwaukee.com | www.sncalumni.com
Microsoft: Will you get a macro virus today?
http://www.greasydaemon.com/noms/ <- Why avoid MS?
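The following is an added example, not part of Brennan's message or of any reply on the list: a static (1:1) mapping of one inside host to a spare public address, done with natd and ipfw as in the subject line (the IP Filter counterpart, since the message mentions ipnat, is a bimap entry in ipnat.conf of the form bimap rl0 192.168.1.11/32 -> 111.222.111.222/32). The two addresses are the placeholders from the message; the outside interface name rl0 is an assumption. The point a practitioner wants alongside the mapping: unlike ordinary dynamic NAT, a static mapping delivers every port of the public address to the inside host, so the ipfw rules below fence the mapped host in and are meant to sit before the general denies of an existing ruleset.

```sh
#!/bin/sh
# Added example (not from the original thread): static 1:1 NAT for one inside
# host with natd + ipfw. rl0 as the outside interface is an assumption.

oif="rl0"
pub="111.222.111.222"     # spare public address, dedicated to the inside host
priv="192.168.1.11"       # the inside host

# static_nat_cmds [WRAP]  - performs each step; pass "echo" to preview the
# commands instead of running them.
static_nat_cmds() {
    run="${1:-}"
    # 1. The gateway must own the public address, or it never answers ARP for
    #    it and the packets never reach natd. A /32 alias shares the primary
    #    address's subnet.
    $run /sbin/ifconfig $oif alias $pub netmask 255.255.255.255
    # 2. natd: normal dynamic NAT for the rest of the LAN, plus the static
    #    mapping. Argument order is: -redirect_address localIP publicIP.
    $run /sbin/natd -interface $oif -redirect_address $priv $pub
    # 3. ipfw hands both directions on the outside interface to natd; every
    #    rule after 100 therefore sees inbound packets already rewritten to
    #    the private address.
    $run /sbin/ipfw -q add 100 divert natd ip from any to any via $oif
    # 4. What may reach the mapped host from outside:
    #    - continuation of TCP connections the host opened itself
    $run /sbin/ipfw -q add 200 allow tcp from any to $priv established
    #    - active-mode FTP data connections: the server connects back from
    #      its port 20 to the client's unprivileged data port
    $run /sbin/ipfw -q add 201 allow tcp from any 20 to $priv 1024-65535 in via $oif setup
    #    - DNS replies and ICMP errors/echo replies (add other UDP as needed)
    $run /sbin/ipfw -q add 202 allow udp from any 53 to $priv in via $oif
    $run /sbin/ipfw -q add 203 allow icmp from any to $priv in via $oif icmptypes 0,3,11
    #    - nothing else: without this rule the 1:1 mapping exposes every
    #      service the host runs (log needs IPFIREWALL_VERBOSE in the kernel)
    $run /sbin/ipfw -q add 204 deny log ip from any to $priv in via $oif
}

# Apply for real only as root on a box that has natd; otherwise print the steps.
if [ "$(id -u)" -eq 0 ] && [ -x /sbin/natd ]; then
    static_nat_cmds
else
    static_nat_cmds echo
fi
```

Run it once with the preview (any non-root shell prints the commands) and compare against the rest of your ruleset: rules 200 to 204 only do their job if no earlier rule already passes inbound traffic to the mapped host.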
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Thu Jul 20 7:35:48 2000
From: "Alexandre Stumpf"
To: freebsd-ipfw@freebsd.org
Subject: interface
Date: Thu, 20 Jul 2000 11:29:43 -0300
Message-ID: <001201bff256$f2f4c520$094bf8c8@stumpf>

Hi,

Is there any graphical interface to configure ipfw rules? Web, X, text...?
Thanks,

Alexandre Stumpf
Director of Technology
Interage Integradora - Terra Networks
Caxias do Sul
http://www.interage.com.br

From owner-freebsd-ipfw Thu Jul 20 21:27:52 2000
From: Cyrille Lefevre
Reply-To: Cyrille Lefevre
To: freebsd-ipfw@freebsd.org
Subject: Re: interface
References: <001201bff256$f2f4c520$094bf8c8@stumpf>
In-Reply-To: "Alexandre Stumpf"'s message of "Thu, 20 Jul 2000 11:29:43 -0300"
Date: 21 Jul 2000 06:27:37 +0200
Message-ID:

"Alexandre Stumpf" writes:

> Is there any graphical interface to configure ipfw rules? Web, X, text...

I guess no, but I'm interested too, as well as for ipf.

Cyrille.
-- 
home: mailto:clefevre@citeweb.net
work: mailto:Cyrille.Lefevre@edf.fr

From owner-freebsd-ipfw Fri Jul 21 6:24:20 2000
Message-ID: <39786AE0.3D916D9F@origen.com>
Date: Fri, 21 Jul 2000 08:23:12 -0700
From: Richard Martin
To: Cyrille Lefevre
Cc: Cyrille Lefevre, freebsd-ipfw@FreeBSD.ORG
Subject: Re: interface
References: <001201bff256$f2f4c520$094bf8c8@stumpf>

Try the GUI firewall report:

http://www.cs.technion.ac.il/Courses/Computer-Networks-Lab/projects/spring98/fwmanager/

-- 
Richard Martin
dmartin@origen.com

From owner-freebsd-ipfw Fri Jul 21 7:00:08 2000
Message-ID:
<005101bff31b$eae66ee0$0200000a@development1>
From: "Daryl Chance"
To: "FreeBSD IPFW"
Subject: IPFW rules.
Date: Fri, 21 Jul 2000 08:59:41 -0500

Hi,

I'm currently running a FreeBSD 4.0-RELEASE box and we're using it as our internet gateway. It's on DHCP (cable modem) and I was wondering if anyone has a link to an IPFW tutorial for setting up the rules. Last time I tried setting them up, the internet would stop working for about < 1 min intermittently. One of the tutorials I've been able to find uses the actual IP address. Is there a way to do this using DHCP? Do we somehow include nat in there instead of the IP address?

Here's my current ruleset:

    #!/bin/sh
    fwcmd="/sbin/ipfw -q"

    # set the interfaces
    oif="rl0"
    iif="rl1"

    # Flush out the list before we begin.
    ${fwcmd} -f flush

    # hand everything crossing the outside interface to natd
    ${fwcmd} add divert natd all from any to any via ${oif}

    # Only in rare cases do you want to change these rules
    ${fwcmd} add pass all from any to any via lo0
    ${fwcmd} add deny all from any to 127.0.0.0/8

    # Stop RFC1918 nets on the outside interface (10.0.0.0/8 is not listed here)
    ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
    ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
    ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
    ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

    # Stop draft-manning-dsua-01.txt nets on the outside interface
    ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
    ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
    ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
    ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
    ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
    ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
    ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
    ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

    # couldn't get a good set of firewall rules to work,
    # temporary
    ${fwcmd} add 65435 pass all from any to any

The main thing is I want to allow us to pretty much do anything from our boxes, but only allow connections on port 22. I'm not asking for it to be written for me, just some help :).

Thanks,
Daryl Chance
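The following is an added example, not part of Daryl's message or of any reply on the list: a ruleset for the setup he describes (natd gateway, DHCP on the outside interface, anything out from the inside boxes, only ssh in). The interface names are his; the inside network 10.0.0.0/24 is an assumption, as is an ipfw that has keep-state/check-state and the me address keyword (both in 4.x ipfw; without me, substitute the interface address). Two things it shows that the posted ruleset does not: no literal outside address anywhere, because via $oif and me follow whatever lease dhclient gets; and a final deny instead of the pass-all at rule 65435. Note also where state is created: on the inside interface, before natd rewrites the packet, so that a translated reply matches check-state once natd has put the inside address back.

```sh
#!/bin/sh
# Added example (not from the original thread): default-deny ipfw ruleset for a
# natd gateway with a DHCP outside address. 10.0.0.0/24 is an assumed inside net.

oif="rl0"              # outside, address from DHCP
iif="rl1"              # inside
inet="10.0.0.0/24"     # inside network (assumption)

# emit_rules CMD  - runs every rule through CMD: "/sbin/ipfw -q" to load them,
# "echo" to preview them.
emit_rules() {
    fw="${1:-/sbin/ipfw -q}"
    $fw -f flush
    # NAT: everything crossing the outside interface goes through natd first,
    # so every later rule sees inbound packets with inside addresses restored
    $fw add 100 divert natd ip from any to any via $oif
    # loopback
    $fw add 200 allow ip from any to any via lo0
    $fw add 201 deny ip from any to 127.0.0.0/8
    $fw add 202 deny ip from 127.0.0.0/8 to any
    # anti-spoofing: these sources never legitimately arrive from the Internet
    # (inbound only; a both-direction deny of 0.0.0.0/8 and 240.0.0.0/4 would
    # also catch the DHCP client's 0.0.0.0 -> 255.255.255.255 exchange)
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 \
               169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4; do
        $fw add 300 deny ip from $net to any in via $oif
    done
    # DHCP client exchange on the outside interface
    $fw add 400 allow udp from any 68 to any 67 out via $oif
    $fw add 401 allow udp from any 67 to any 68 in via $oif
    # replies to anything allowed below with keep-state
    $fw add 500 check-state
    # inside hosts may start anything; TCP and UDP are tracked here, before
    # natd, so that their replies are matched after natd translates them back
    $fw add 600 allow tcp from $inet to any in via $iif setup keep-state
    $fw add 601 allow udp from $inet to any in via $iif keep-state
    $fw add 602 allow ip from $inet to any in via $iif
    $fw add 603 allow ip from any to $inet out via $iif
    # outside interface, after natd: outbound packets now carry our own address
    $fw add 700 allow tcp from me to any out via $oif setup keep-state
    $fw add 701 allow udp from me to any out via $oif keep-state
    $fw add 702 allow icmp from me to any out via $oif
    $fw add 703 allow icmp from any to any in via $oif icmptypes 0,3,11
    # the one connection anyone outside may open: ssh to the gateway
    $fw add 800 allow tcp from any to me 22 in via $oif setup keep-state
    # everything else is dropped (and logged, given IPFIREWALL_VERBOSE)
    $fw add 65000 deny log ip from any to any
}

# Load for real only as root on a box that has ipfw; otherwise show the rules.
if [ "$(id -u)" -eq 0 ] && [ -x /sbin/ipfw ]; then
    emit_rules "/sbin/ipfw -q"
else
    emit_rules echo
fi
```

Load it from a console session, not over ssh, the first time: the flush at the top drops every existing rule, and with the default kernel policy of deny the box is unreachable until rule 800 is in place.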