From owner-freebsd-questions Tue Feb 25 16:29:19 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AF94A37B401 for ; Tue, 25 Feb 2003 16:29:17 -0800 (PST)
Received: from whowhere.com (in02-fes1.whowhere.com [209.202.220.218]) by mx1.FreeBSD.org (Postfix) with SMTP id 3562443FA3 for ; Tue, 25 Feb 2003 16:29:17 -0800 (PST) (envelope-from bsdaemon@eudoramail.com)
Received: from Unknown/Local ([?.?.?.?]) by whowhere.com; Wed, 26 Feb 2003 00:29:03 -0000
To: "Joshua Lokken" , "Giorgos Keramidas"
Date: Tue, 25 Feb 2003 16:29:03 -0800
From: "Joshua Lokken"
Message-ID:
Mime-Version: 1.0
Cc: freebsd-questions@FreeBSD.ORG
X-Sent-Mail: on
Reply-To: bsdaemon@eudoramail.com
X-Mailer: MailCity Service
X-Priority: 3
Subject: Re: Fwd: ipfw rule placement
X-Sender-Ip: 130.94.160.46
Organization: Lycos Mail (http://www.mail.eudoramail.com)
Content-Type: text/plain; charset=us-ascii
Content-Language: en
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Wed, 26 Feb 2003 02:25:12 Giorgos Keramidas wrote:
>On 2003-02-25 16:09, Joshua Lokken wrote:
>> When I remove the default deny rule from the list, nat works fine,
>> port redirections and all, but with the deny rule in place, nat
>> isn't working, so I'm thinking I have a rule in the wrong place.
>> Can anyone point out any obvious missing/misplaced rules here?
>
>For NAT to be working, you have to make sure natd(8) is running and has
>a proper configuration file.
>
>Now, as far as the ipfw(8) rules are concerned, try using the
>following ruleset:
>
># $fwcmd -f flush
># $fwcmd add allow all from any to any via lo0
># $fwcmd add divert natd all from any to any via $oif
># $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
># $fwcmd add check-state
># $fwcmd add allow udp from $oip to any via $oif keep-state
># $fwcmd add allow tcp from any to $oip 22,80,443,6346,22002,22003,22010 setup via $oif keep-state
># $fwcmd add allow ip from $oip to any keep-state out via $oif
># $fwcmd add allow ip from $inwr to any keep-state via $iif
># $fwcmd add 65435 deny log ip from any to any
>
>The changes from your own set of rules are summarized below:
>
> - moved icmp checking higher, since they're unrelated to tcp or udp
>   and state checking
>
> - added a rule for udp packets, since DNS resolving and a few other
>   useful things depend on them
>
> - moved check-state higher, to minimise the delay for packets that
>   are parts of an existing connection (ipfw rules are checked
>   sequentially, from start to end)
>
> - added keep-state in your 'setup' rule for incoming connections to
>   $oip and 'via $oif' to make sure that packets destined for $oip
>   are only accepted on $oif (good measure against spoofing)
>
>Before using this set of rules, make sure you give proper values to
>$iip, $oip, $iif, $oif and $inwr.
>
>- Giorgos
>

Indeed! I do have the variables listed defined, and have natd configured and working. Thank you very much--not only did you answer my question, but gave me a better understanding of ipfw!

Joshua

Need a new email address that people can remember
Check out the new EudoraMail at http://www.eudoramail.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
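The ruleset Giorgos posted only works because of its order: ipfw evaluates rules sequentially, so the divert-to-natd rule must be reached before the final deny, and check-state must precede the keep-state rules. The script below is an added example, not part of the thread and not from the FreeBSD rc.firewall; it fills in the placeholder variables with constructed values (interface names fxp0/xl0, the documentation address 203.0.113.10 and a 192.168.1.0/24 inside range are assumptions, not the poster's real values), generates the ruleset from them, and refuses to load it if the default deny would be hit before the divert rule. It runs as a dry run by default so it can be tried on any POSIX shell; only with FWCMD=/sbin/ipfw on a FreeBSD host, as root, does it load the rules.

```shell
#!/bin/sh
# Added example: generate and order-check the ipfw/natd ruleset from the thread.
# All address and interface values below are constructed placeholders.

oif="fxp0"              # outside interface (assumed name)
iif="xl0"               # inside interface (assumed name)
oip="203.0.113.10"      # outside IP, documentation range (constructed)
inwr="192.168.1.0/24"   # inside network range (constructed)

# Dry run by default: the rules are echoed, not loaded.
# Run with FWCMD=/sbin/ipfw (as root, on FreeBSD) to actually install them.
fwcmd="${FWCMD:-echo ipfw}"

# Emit the ruleset with variables expanded, one ipfw argument list per line.
build_ruleset() {
    cat <<EOF
-f flush
add allow all from any to any via lo0
add divert natd all from any to any via $oif
add allow icmp from any to any icmptypes 3,4,11,12
add check-state
add allow udp from $oip to any via $oif keep-state
add allow tcp from any to $oip 22,80,443,6346,22002,22003,22010 setup via $oif keep-state
add allow ip from $oip to any keep-state out via $oif
add allow ip from $inwr to any keep-state via $iif
add 65435 deny log ip from any to any
EOF
}

# Read a ruleset on stdin; exit 0 only if the divert natd rule and the
# check-state rule both appear before the catch-all deny.  Because ipfw
# matches first-to-last, a deny placed earlier drops packets before natd
# or the dynamic-rule lookup ever sees them.
check_order() {
    awk '
        /divert natd/ && !divert        { divert = NR }
        /check-state/  && !state        { state  = NR }
        /deny log ip from any to any/ && !deny { deny = NR }
        END {
            ok = (divert > 0 && state > 0 && deny > 0 && divert < deny && state < deny)
            exit !ok
        }
    '
}

# Validate ordering, then hand each line to $fwcmd.
load_ruleset() {
    ruleset=$(build_ruleset)
    if ! printf '%s\n' "$ruleset" | check_order; then
        echo "refusing to load: deny rule precedes divert natd or check-state" >&2
        return 1
    fi
    printf '%s\n' "$ruleset" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting is intended here
        $fwcmd $rule
    done
}

load_ruleset
```

Running it as-is prints the ten expanded ipfw commands; `FWCMD=/sbin/ipfw sh ruleset.sh` applies them. The ordering check is deliberately narrow (it only looks at the three rules whose relative position the thread discusses) so that it cannot silently pass a ruleset it does not understand.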