From: whizkid@ValueDJ.com
To: freebsd-questions@freebsd.org
Date: Tue, 29 Jun 2004 12:52:28 -0700 (PDT)
Subject: IPFW acting weird OR invalid ruleset?
Message-ID: <3443.207.13.174.37.1088538748.squirrel@www.ValueDJ.com>
User-Agent: SquirrelMail/1.4.2

Hey everyone. Below is my natd.conf file and my rc.firewall.rules file. I cannot figure it out, but if one of my machines that is behind my masquerading firewall tries to d/l a file that is on an FTP site, it fails to connect.
FreeBSD 5.2.1 machine with 2 NICs: xl0 outside NIC, fxp0 inside NIC.

rc.conf:

# enable firewall
firewall_enable="YES"
# set path to custom firewall config
firewall_type="/etc/fw/rc.firewall.rules"
# be non-verbose? set to YES after testing
firewall_quiet="NO"
# enable natd, the NAT daemon
natd_enable="YES"
# which is the interface to the internet that we hide behind?
natd_interface="xl0"
# flags for natd
natd_flags="-f /etc/fw/natd.conf"

natd.conf:

unregistered_only
interface xl0
use_sockets
dynamic
# dynamically open fw for ftp, irc
punch_fw 2000:50

rc.firewall.rules:

# be quiet and flush all rules on start
-q flush

# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via xl0
add 00302 deny ip from 172.16.0.0/12 to any in via xl0
add 00303 deny ip from 192.168.0.0/16 to any in via xl0

# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd ip from any to me in via xl0
add 01001 check-state

# allow some traffic from the local net to the router
# SMTP
add 02000 allow tcp from any to any 25 setup keep-state
# SSH
add 04000 allow tcp from any to me dst-port 22 in via fxp0 setup keep-state
add 04001 allow tcp from any to me dst-port 22 in via xl0 setup keep-state
# IMAP-SSL
add 04010 allow tcp from any to me dst-port 143 in via fxp0 setup keep-state
add 04011 allow tcp from any to me dst-port 143 in via xl0 setup keep-state
# NTP
add 04020 allow tcp from any to me dst-port 123 in via fxp0 setup keep-state
add 04021 allow udp from any to me dst-port 123 in via fxp0 keep-state
add 04020 allow tcp from any to me dst-port 123 in via xl0 setup keep-state
add 04021 allow udp from any to me dst-port 123 in via xl0 keep-state
# webmin
add 04030 allow tcp from any to me dst-port 10000 in via fxp0 setup keep-state
add 04031 allow tcp from any to me dst-port 10000 in via xl0 setup keep-state
# http
add 04040 allow tcp from any to me dst-port 80 in via fxp0 setup keep-state
add 04041 allow tcp from any to me dst-port 80 in via xl0 setup keep-state
# DNS
add 04050 allow udp from any to me dst-port 53 in via fxp0
add 04051 allow udp from any to me dst-port 53 in via xl0
add 04052 allow tcp from any to me dst-port 53 in via fxp0
add 04053 allow tcp from any to me dst-port 53 in via xl0
# POP
add 04060 allow tcp from any to me dst-port 110 in via fxp0 setup keep-state
add 04061 allow tcp from any to me dst-port 110 in via xl0 setup keep-state
# HTTPS
add 04070 allow tcp from any to me dst-port 443 in via fxp0 setup keep-state
add 04071 allow tcp from any to me dst-port 443 in via xl0 setup keep-state
# IMAPS
add 04080 allow tcp from any to me dst-port 993 in via fxp0 setup keep-state
add 04081 allow tcp from any to me dst-port 993 in via xl0 setup keep-state

# drop everything else
add 04090 deny ip from any to me

# pass outgoing packets (to be natted) on to a special NAT rule
add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via fxp0 keep-state

# allow all outgoing traffic from the router
add 05010 allow ip from me to any out keep-state

# drop everything that has come so far. This means it doesn't belong to an
# established connection, don't log the most noisy scans.
add 59998 deny icmp from any to me
add 59999 deny ip from any to me dst-port 135,137-139,445,4665
add 60000 deny log tcp from any to any established
add 60001 deny log ip from any to any

# this is the NAT rule. Only outgoing packets from the local net will come here.
# First, nat them, then pass them on (again, you may choose to be more restrictive)
add 61000 divert natd ip from 192.168.1.0/24 to any out via xl0
add 61001 allow ip from any to any
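The ruleset above combines static ipfw rules with natd's punch_fw, which makes natd add rules of its own, numbered from the configured range, for each FTP or IRC DCC data connection and delete them by number afterwards. Rule numbers are therefore worth checking mechanically. The following script is an added example and is not part of the original post or of FreeBSD; the helper names are its own, and the natd.conf and rc.firewall.rules text it embeds is copied from the post so it runs offline. It reports rule numbers used more than once (legal in ipfw, but `ipfw delete N` removes every rule carrying N), static rules whose number falls inside the punch_fw range, and skipto rules whose target is not a forward jump to an existing or later number. On the posted ruleset it finds that 04020 and 04021 are each used twice and that rule 02000 sits inside the 2000-2049 range that `punch_fw 2000:50` reserves for natd.

```python
"""Rule-number checks for an ipfw ruleset driven by natd with punch_fw.
Added example, not part of the original post.  NATD_CONF and
RC_FIREWALL_RULES are copied from the post; helper names are this example's own."""
import re
from collections import defaultdict

NATD_CONF = "unregistered_only\ninterface xl0\nuse_sockets\ndynamic\npunch_fw 2000:50\n"

RC_FIREWALL_RULES = """
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via xl0
add 00302 deny ip from 172.16.0.0/12 to any in via xl0
add 00303 deny ip from 192.168.0.0/16 to any in via xl0
add 01000 divert natd ip from any to me in via xl0
add 01001 check-state
add 02000 allow tcp from any to any 25 setup keep-state
add 04000 allow tcp from any to me dst-port 22 in via fxp0 setup keep-state
add 04001 allow tcp from any to me dst-port 22 in via xl0 setup keep-state
add 04010 allow tcp from any to me dst-port 143 in via fxp0 setup keep-state
add 04011 allow tcp from any to me dst-port 143 in via xl0 setup keep-state
add 04020 allow tcp from any to me dst-port 123 in via fxp0 setup keep-state
add 04021 allow udp from any to me dst-port 123 in via fxp0 keep-state
add 04020 allow tcp from any to me dst-port 123 in via xl0 setup keep-state
add 04021 allow udp from any to me dst-port 123 in via xl0 keep-state
add 04030 allow tcp from any to me dst-port 10000 in via fxp0 setup keep-state
add 04031 allow tcp from any to me dst-port 10000 in via xl0 setup keep-state
add 04040 allow tcp from any to me dst-port 80 in via fxp0 setup keep-state
add 04041 allow tcp from any to me dst-port 80 in via xl0 setup keep-state
add 04050 allow udp from any to me dst-port 53 in via fxp0
add 04051 allow udp from any to me dst-port 53 in via xl0
add 04052 allow tcp from any to me dst-port 53 in via fxp0
add 04053 allow tcp from any to me dst-port 53 in via xl0
add 04060 allow tcp from any to me dst-port 110 in via fxp0 setup keep-state
add 04061 allow tcp from any to me dst-port 110 in via xl0 setup keep-state
add 04070 allow tcp from any to me dst-port 443 in via fxp0 setup keep-state
add 04071 allow tcp from any to me dst-port 443 in via xl0 setup keep-state
add 04080 allow tcp from any to me dst-port 993 in via fxp0 setup keep-state
add 04081 allow tcp from any to me dst-port 993 in via xl0 setup keep-state
add 04090 deny ip from any to me
add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via fxp0 keep-state
add 05010 allow ip from me to any out keep-state
add 59998 deny icmp from any to me
add 59999 deny ip from any to me dst-port 135,137-139,445,4665
add 60000 deny log tcp from any to any established
add 60001 deny log ip from any to any
add 61000 divert natd ip from 192.168.1.0/24 to any out via xl0
add 61001 allow ip from any to any
"""

_ADD = re.compile(r"^add\s+(\d+)\s+(\S+)\s*(.*)$")

def parse_rules(text):
    """[(number, action, rest)] for each `add` line; comments and other lines ignored."""
    rules = []
    for raw in text.splitlines():
        m = _ADD.match(raw.split("#", 1)[0].strip())
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules

def punch_fw_range(natd_conf):
    """`punch_fw base:count` reserves rule numbers base .. base+count-1 for natd."""
    for raw in natd_conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "punch_fw":
            base, count = (int(x) for x in parts[1].split(":"))
            return base, base + count - 1
    return None

def duplicate_numbers(rules):
    """Numbers shared by several rules: legal, but `ipfw delete N` drops all of them."""
    by_num = defaultdict(list)
    for num, action, rest in rules:
        by_num[num].append(f"{action} {rest}".strip())
    return {n: r for n, r in by_num.items() if len(r) > 1}

def punch_fw_collisions(rules, rng):
    """Static rules numbered inside the range natd adds/deletes its own rules in."""
    return [num for num, _, _ in rules if rng and rng[0] <= num <= rng[1]]

def skipto_problems(rules):
    """skipto only jumps forward, to the first rule numbered >= target."""
    numbers = [n for n, _, _ in rules]
    bad = []
    for num, action, rest in rules:
        if action == "skipto":
            target = int(rest.split()[0])
            if target <= num or not any(n >= target for n in numbers):
                bad.append((num, target))
    return bad

def lint(rules_text=RC_FIREWALL_RULES, natd_conf=NATD_CONF):
    """Run every check; returns a dict so callers can act on each finding."""
    rules, rng = parse_rules(rules_text), punch_fw_range(natd_conf)
    return {"punch_fw_range": rng,
            "duplicates": duplicate_numbers(rules),
            "punch_fw_collisions": punch_fw_collisions(rules, rng),
            "skipto_problems": skipto_problems(rules)}

if __name__ == "__main__":
    print(lint())
```

To run it against a live box instead of the embedded copy, pass the text of `ipfw list` (whose lines start with the number rather than `add`, so prefix them) or the rules file itself to `lint()`. The checks deliberately stay at the rule-number level; they do not simulate packet flow, so a clean report says nothing about whether the FTP data connection is actually allowed through.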