From owner-freebsd-questions Mon Feb 25 22:24:11 2002
Date: Mon, 25 Feb 2002 22:23:57 -0800
From: "Crist J. Clark"
To: Florian Nigsch
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: private lan + natd: what to divert
Message-ID: <20020225222357.F52727@blossom.cjclark.org>
References: <20020226020956.A38543@nigsch.com>
In-Reply-To: <20020226020956.A38543@nigsch.com>; from flo@nigsch.com on Tue, Feb 26, 2002 at 02:09:56AM +0100
User-Agent: Mutt/1.2.5i
X-URL: http://people.freebsd.org/~cjc/

On Tue, Feb 26, 2002 at 02:09:56AM +0100, Florian Nigsch wrote:
> Hi all,
>
> I just spent the whole Austrian evening and part of the night
> setting up a new firewall for my home LAN. What a job....
>
> I have a FreeBSD 4.5-STABLE with two ethernet cards, ed0 and ed1:
>
> ed0: 1.2.3.4
> ed1: 192.168.2.1
>
> I have natd running with natd.conf reading:
>
> deny_incoming no
> log_denied
> use_sockets
> same_ports
> unregistered_only
>
> and a firewall script with the following rules:
>
> add 100 allow ip from any to any via lo0
> ... some anti-spoof rules ...
> add 4400 skipto 5000 ip from 192.168.2.0/24 to 1.2.3.4
> add 4500 divert 8668 ip from 192.168.2.0/24 to not 192.168.2.0/24
> add 4600 divert 8668 ip from not 192.168.2.0/24 to 1.2.3.4
>
> add 5000 check-state
> add allow tcp from any to any established
> add allow ip from any to any via ed1 keep-state
> add allow ip from 1.2.3.4 to any keep-state
> ... some other rules ...
> add 65530 deny log ip from any to any
>
> -> With these rules I am not able to browse websites from behind the
> firewall. However, and that I find a bit confusing, I can do a
> mailcheck at my mailserver with Eudora (with TLS). I can ping
> outside hosts (like www.yahoo.com), name resolution is working,
> but I can't seem to get www access working.

It would be strange if some TCP worked and others did not.

> -> If I change the divert rules from two separate rules to
> add 4500 divert 8668 ip from any to any via ed0
> everything is working just wonderfully. This rule works fine, but it
> also diverts the traffic for the public IP address, which isn't
> really necessary.

I don't understand. Rule 4600 is diverting everything that goes to the
public IP address, and it is necessary. You should really use the
'via ed0' version.

> -> I think that if each connection is a dynamic one, is there a
> need to have a rule to allow established tcp packets?

The way you have it set up, yes. On the way out, you only create
dynamic rules like,

  1.2.3.4 ->

While on the way back, you get,

  -> 192.168.2.0/24

Before you check the rules.

> What is wrong with those two divert rules? Shouldn't they work as I
> expect them to? ;)

I don't immediately see why they are not working, but the rules as you
have them look dangerous. That is, they pass stuff you wouldn't want to
pass. But it's hard to say without seeing the whole ruleset.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
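The following script is an added example and is not part of the thread or of either poster's configuration. It lays out a complete ipfw ruleset for the two-interface setup above in the form the reply recommends: one `divert ... via ed0` rule covering both directions, placed before `check-state`, with the `established` rule kept for the reason the reply gives (outbound dynamic rules are created with the public address 1.2.3.4 as source, while replies come back from natd re-addressed to 192.168.2.0/24). Interface names, addresses and the natd port 8668 are taken from the original post; the anti-spoof rules (400-420) are an assumption, since the post elides its own. Commands are printed unless `APPLY=1` is set, so the ruleset can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): complete ipfw ruleset for a
# two-interface FreeBSD 4.x gateway running natd on divert port 8668.
# Values below are assumptions taken from the original post.

oif=ed0             # outside interface
oip=1.2.3.4         # public address on ed0
iif=ed1             # inside interface
lan=192.168.2.0/24  # private LAN behind ed1
natd_port=8668      # natd's default divert port

# Dry-run wrapper: print the command unless APPLY=1 is set, so the
# generated rules can be inspected (or diffed) before they are loaded.
fw() {
    if [ "${APPLY:-0}" = 1 ]; then
        /sbin/ipfw "$@"
    else
        echo "ipfw $*"
    fi
}

build_rules() {
    fw -f flush

    # Loopback, and nothing pretending to be loopback elsewhere.
    fw add 100 allow ip from any to any via lo0
    fw add 200 deny ip from any to 127.0.0.0/8
    fw add 300 deny ip from 127.0.0.0/8 to any

    # Anti-spoof (assumed; the post elides its own rules): a LAN source or
    # our own public address must never arrive on the outside interface,
    # and only LAN sources may arrive on the inside interface.
    fw add 400 deny log ip from "$lan" to any in via "$oif"
    fw add 410 deny log ip from "$oip" to any in via "$oif"
    fw add 420 deny log ip from not "$lan" to any in via "$iif"

    # NAT: a single rule for everything that crosses the public interface,
    # in both directions, as the reply recommends. It sits before
    # check-state, so replies reach the stateful rules already translated
    # back to their LAN destination.
    fw add 1000 divert "$natd_port" ip from any to any via "$oif"

    # Stateful section. The 'established' rule is kept, as the reply
    # explains: the dynamic rules created on the way out are keyed on
    # $oip, while replies arrive addressed to $lan after natd rewrote them.
    fw add 2000 check-state
    fw add 2100 allow tcp from any to any established
    fw add 3000 allow ip from any to any via "$iif" keep-state
    fw add 3100 allow ip from "$oip" to any keep-state

    # Everything else is dropped and logged.
    fw add 65530 deny log ip from any to any
}

build_rules
```

Run it as-is to see the rule list it would load; run it with `APPLY=1` on the gateway to load it. Because `ipfw -f flush` clears the table first, do this from the console rather than over a remote session.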