From owner-freebsd-questions Tue Feb 25 16:25:21 2003
Date: Wed, 26 Feb 2003 02:25:12 +0200
From: Giorgos Keramidas
To: Joshua Lokken
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Fwd: ipfw rule placement
Message-ID: <20030226002512.GD68877@gothmog.gr>

On 2003-02-25 16:09, Joshua Lokken wrote:
> When I remove the default deny rule from the list, nat works fine,
> port redirections and all, but with the deny rule in place, nat
> isn't working, so I'm thinking I have a rule in the wrong place.
> Can anyone point out any obvious missing/misplaced rules here?

For NAT to be working, you have to make sure natd(8) is running and
has a proper configuration file.
Now, as far as the ipfw(8) rules are concerned, try using the following
ruleset:

    # $fwcmd -f flush
    # $fwcmd add allow all from any to any via lo0
    # $fwcmd add divert natd all from any to any via $oif
    # $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
    # $fwcmd add check-state
    # $fwcmd add allow udp from $oip to any via $oif keep-state
    # $fwcmd add allow tcp from any to $oip 22,80,443,6346,22002,22003,22010 setup via $oif keep-state
    # $fwcmd add allow ip from $oip to any keep-state out via $oif
    # $fwcmd add allow ip from $inwr to any keep-state via $iif
    # $fwcmd add 65435 deny log ip from any to any

The changes from your own set of rules are summarized below:

- moved icmp checking higher, since they're unrelated to tcp or udp and
  state checking

- added a rule for udp packets, since DNS resolving and a few other
  useful things depend on them

- moved check-state higher, to minimise the delay for packets that are
  parts of an existing connection (ipfw rules are checked sequentially,
  from start to end)

- added keep-state in your 'setup' rule for incoming connections to
  $oip and 'via $oif' to make sure that packets destined for $oip are
  only accepted on $oif (good measure against spoofing)

Before using this set of rules, make sure you give proper values to
$iip, $oip, $iif, $oif and $inwr.

- Giorgos
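As an added illustration (not part of Giorgos's reply and not FreeBSD project code), the sh script below emits the ruleset from the message with explicit rule numbers and checks, before anything is handed to ipfw(8), the three ordering properties the reply depends on: the natd divert sits before check-state, check-state sits before the first keep-state rule, and the logging deny is the last rule. The interface names, addresses and the /sbin/ipfw path are placeholder assumptions; the variable names $fwcmd, $oif, $iif, $oip and $inwr are the ones used in the reply, while ruleset, first_rule_matching, check_order and apply_ruleset are names chosen here.

```shell
#!/bin/sh
# Added example: number Giorgos's ipfw ruleset explicitly and verify its
# ordering before loading it. All addresses and interface names below are
# assumed placeholders; set them for the real firewall host.

fwcmd=${fwcmd:-/sbin/ipfw}     # assumed path to ipfw(8)
oif=${oif:-tun0}               # assumed outside (Internet-facing) interface
iif=${iif:-rl0}                # assumed inside interface
oip=${oip:-203.0.113.10}       # assumed public address (documentation range)
inwr=${inwr:-192.168.1.0/24}   # assumed inside network

# Print the ruleset, one ipfw command per line. Numbering in steps of 100
# leaves room to insert rules later without renumbering; ipfw evaluates
# rules in ascending number order, which is exactly what the reply relies on.
ruleset() {
    cat <<EOF
$fwcmd -f flush
$fwcmd add 100 allow all from any to any via lo0
$fwcmd add 200 divert natd all from any to any via $oif
$fwcmd add 300 allow icmp from any to any icmptypes 3,4,11,12
$fwcmd add 400 check-state
$fwcmd add 500 allow udp from $oip to any via $oif keep-state
$fwcmd add 600 allow tcp from any to $oip 22,80,443,6346,22002,22003,22010 setup via $oif keep-state
$fwcmd add 700 allow ip from $oip to any keep-state out via $oif
$fwcmd add 800 allow ip from $inwr to any keep-state via $iif
$fwcmd add 65435 deny log ip from any to any
EOF
}

# Print the number of the first "add" rule whose text matches the regex in $1
# (empty output if no rule matches).
first_rule_matching() {
    ruleset | awk -v pat="$1" '$2 == "add" && $0 ~ pat { print $3; exit }'
}

# Check the ordering properties. Prints "ok" and returns 0 on success,
# otherwise prints the violated property and returns 1.
check_order() {
    divert=$(first_rule_matching 'divert natd');  divert=${divert:-0}
    cs=$(first_rule_matching 'check-state');      cs=${cs:-0}
    ks=$(first_rule_matching 'keep-state');       ks=${ks:-0}
    deny=$(first_rule_matching 'deny log ip from any to any'); deny=${deny:-0}
    last=$(ruleset | awk '$2 == "add" { n = $3 } END { print n }')

    [ "$divert" -gt 0 ] && [ "$cs" -gt "$divert" ] ||
        { echo "divert natd must precede check-state"; return 1; }
    [ "$ks" -gt "$cs" ] ||
        { echo "check-state must precede the first keep-state rule"; return 1; }
    [ "$deny" -eq "$last" ] ||
        { echo "default deny must be the last rule"; return 1; }
    echo ok
}

# Load the rules for real. Only meaningful as root on the firewall host;
# refuses to load a ruleset that fails the ordering check.
apply_ruleset() {
    check_order >/dev/null || return 1
    ruleset | sh
}

# Dry run: show the numbered rules and the ordering verdict.
ruleset
check_order
```

Run the script as-is to see the numbered rules and the verdict; call apply_ruleset only once the placeholder values have been replaced. Because each rule carries its own number, a later "$fwcmd add 450 ..." lands between check-state and the first stateful allow without disturbing anything else, and check_order will still catch a rule that accidentally drops below the divert or above the final deny.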