From: Christoff Snijders
Date: Wed, 28 Apr 1999 17:21:32 -0700
To: freebsd-questions@FreeBSD.org
Subject: ipfw rules

Hi, all

Apologies in advance for the long posting. This message is a copy of part of one I posted to comp.unix.bsd.freebsd.misc. I was searching through the archives for this mailing list, and found several posts about ipfw, but no information that helped me fix my problem, so I thought I'd post to this mailing list, too.

I'm very new to this whole ipfw thing and have limited knowledge of TCP/IP. I've searched through the man pages, the handbook, the FAQ, and dejanews, but I haven't found the answers to my problem (or, not in a way I could understand, anyway).

I need some help with the ipfw rules. I have a very simple setup: one FreeBSD 2.2.5-RELEASE box with two Ethernet cards in it. One card is connected to a cable modem with a static IP address, the other is connected to a hub, which is in turn connected to several computers on an internal network.

If I remove all the ipfw rules and allow access from anything to anything, with traffic diverted through natd on port 6668, all the machines on the network can access the net, but the firewall is useless (non-existent).

If I use the standard, simple rules in rc.firewall, the console user can access the Internet, but none of the users on the internal network can. I've printed the whole rule set I'm using, below.

I seem to be getting the message

    natd: failed to write packet back (Permission denied)

every time one of the hosts on the internal network tries to access the net. Am I right that the reason for this is that natd can send packets out through ed2 (the Ethernet card connected to the cable modem), but natd is somehow being prevented from sending packets back? Which of my rules should I change (and, if you could tell me how, I'd be grateful), or what rule should I add to prevent this problem?

Thanks so much in advance for any help you can provide.

Christoff Snijders.

    # set these to your outside interface network and netmask and ip
    oif="ed2"
    onet="123.456.789.1"
    omask="255.255.252.0"
    oip="123.456.678.22"

    # set these to your inside interface network and netmask and ip
    iif="ed1"
    inet="192.168.2.0"
    imask="255.255.255.0"
    iip="192.168.2.1"

    # divert traffic to natd (I added this)
    /sbin/ipfw add divert natd all from any to any via ed2

    # Stop spoofing
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}

    # Allow TCP through if setup succeeded
    $fwcmd add pass tcp from any to any established

    # Allow setup of incoming email
    $fwcmd add pass tcp from any to ${oip} 25 setup

    # Allow access to our DNS
    $fwcmd add pass tcp from any to ${oip} 53 setup

    # Allow access to our WWW
    $fwcmd add pass tcp from any to ${oip} 80 setup

    # Reject&Log all setup of incoming connections from the outside
    $fwcmd add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    $fwcmd add pass tcp from any to any setup

    # Allow DNS queries out in the world
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53

    # Allow NTP queries out in the world
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123

    # Everything else is denied as default.
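An added illustration, not part of the original post or of FreeBSD's ipfw/natd code: a toy Python model of how ipfw walks the posted rules for one internal DNS query and its reply on ed2 (the TCP rules and the second pass over ed1 are left out). The addresses are constructed RFC 5737 stand-ins for the poster's, and the functions (rule, natd, walk, simulate) are this example's own; it shows why the reply falls through to the default deny once natd has rewritten its destination, and that a reply rule naming the internal net lets it through.

```python
from ipaddress import ip_address, ip_network

OIP = "203.0.113.22"      # constructed stand-in for the post's ${oip}
INET = "192.168.2.0/24"   # the post's ${inet}:${imask}
NAT_TABLE = {}            # (proto, port) -> internal host, filled by natd()
DEFAULTS = dict(proto="all", src="any", sport=None, dst="any", dport=None,
                iface=None, direction=None)

def rule(action, **fields):                  # one ipfw rule as a dict
    return dict(DEFAULTS, action=action, **fields)

def in_net(addr, spec):
    return spec == "any" or ip_address(addr) in ip_network(spec)

def matches(r, p):
    return (r["proto"] in ("all", p["proto"])
            and in_net(p["src"], r["src"]) and in_net(p["dst"], r["dst"])
            and r["sport"] in (None, p["sport"]) and r["dport"] in (None, p["dport"])
            and r["iface"] in (None, p["iface"]) and r["direction"] in (None, p["dir"]))

def natd(p):
    """Toy natd: hide internal sources behind OIP going out, untranslate replies."""
    if p["dir"] == "out" and in_net(p["src"], INET):
        NAT_TABLE[(p["proto"], p["sport"])] = p["src"]
        return dict(p, src=OIP)
    if p["dir"] == "in" and p["dst"] == OIP and (p["proto"], p["dport"]) in NAT_TABLE:
        return dict(p, dst=NAT_TABLE[(p["proto"], p["dport"])])
    return p

def walk(rules, p):
    """First match decides; a divert runs natd and the translated packet re-enters
    at the next rule. Falling off the end is the default deny, which natd reports
    as 'failed to write packet back (Permission denied)'."""
    for r in rules:
        if not matches(r, p):
            continue
        if r["action"] == "divert":
            p = natd(p)
            continue
        return r["action"], p["dst"]
    return "deny", p["dst"]

POSTED = [  # the post's rules, reduced to those a DNS exchange can hit on ed2
    rule("divert", iface="ed2"),
    rule("deny", src=INET, iface="ed2", direction="in"),
    rule("deny", src="192.168.0.0/16", iface="ed2"),
    rule("pass", proto="udp", sport=53, dst=OIP),
    rule("pass", proto="udp", src=OIP, dport=53),
]
# after the divert the reply's destination is the internal host, not ${oip}
FIXED = POSTED + [rule("pass", proto="udp", sport=53, dst=INET)]
QUERY = dict(proto="udp", src="192.168.2.5", sport=4000, dst="198.51.100.1",
             dport=53, dir="out", iface="ed2")                # constructed packets
REPLY = dict(proto="udp", src="198.51.100.1", sport=53, dst=OIP, dport=4000,
             dir="in", iface="ed2")

def simulate(rules):        # -> (query verdict, (reply verdict, reply dst))
    NAT_TABLE.clear()
    return walk(rules, QUERY)[0], walk(rules, REPLY)
```

simulate(POSTED) yields the query passing but the reply denied with destination 192.168.2.5, which is the packet natd cannot write back; simulate(FIXED) passes both.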