From: "vipor" <vipor_1@hotmail.com>
To: freebsd-questions@freebsd.org
Subject: I request help on how to allow in or out going tcp & udp... under natd + IPFW
Date: Tue, 22 May 2001 18:26:51 -0700

Hello,

I have been working on my firewall on one of my BSD boxes. I have FreeBSD 4.3-STABLE running natd with ipfw. Trying to set up some rules to allow some ports out & in for my LAN computers. This is kind of hard for me, just think of me as a pup when it comes to editing firewalls!! Oh the pain of it all...heheh

I would like to know how to set up my ipfw to allow in or outgoing tcp & udp packets !!! to one of my LAN computers on ip 192.168.0.4

I have been reading and it looks like the only two things I could use are divert port or fwd ipaddr[,port]

Now I have tried to use both of these.. but I am not getting it to work.. so I am looking for help here... an example on how to do this would be great!!!

I am trying to play some online games at MSN Gaming Zone ---> http://zone.msn.com

But my LAN computers are unable to do this. Here are the needed udp & tcp port specs.

part # 1

This article describes the ports required to play games with other players on the MSN Gaming Zone through a firewall, proxy server, Network Address Translation (NAT), or Internet Connection Sharing (ICS). To play games on the MSN Gaming Zone through a network firewall or proxy server, the following requirements must be met: Your network administrator must configure the firewall or proxy server to allow the games to pass information through the proxy server or firewall. The following TCP ports on the firewall must be open:

    6667
    28800 - 29000

part # 2

    Connection                Initial TCP Connection
    47624 Outbound
    47624 Inbound

    Subsequent TCP Inbound    2300-2400
    Subsequent TCP Outbound   2300-2400

    Subsequent UDP Inbound    2300-2400
    Subsequent UDP Outbound   2300-2400

I am unable to get it to work !!! Here is all of the info that I have.

So far this is my setup.

RC.CONF:

    natd_interface="ed0"
    # Outside interface
    oif="ed0"
    # Inside interface
    iif="xl0"
    gateway_enable="YES"
    tcp_extensions="YES"
    firewall_enable="YES"
    firewall_script="/etc/rc.ipfw"
    firewall_type="open"
    natd_enable="YES"
    natd_interface="ed0"

RC.IPFW:

    # This article describes the ports required to play Microsoft DirectX multiplayer games
    # through a firewall, a proxy server, Network Address Translation (NAT), or Internet
    # Connection Sharing
    # TCP RULES

I could not get this to work right so I removed it:

    ${fwcmd} add pass tcp from any 1000-6667 to any out
    ${fwcmd} add divert natd tcp from any to 192.168.0.4 1000-6667 in
    ${fwcmd} add pass tcp from any 20000-29000 to any out
    ${fwcmd} add divert natd tcp from any to 192.168.0.4 28800-29000 in
    # note: "from any to 25000-47624 to any" is not valid ipfw syntax (two "to" clauses)
    ${fwcmd} add pass tcp from any to 25000-47624 to any out
    # note: the protocol keyword (e.g. "tcp") is missing and 192.168.4 is not a full host address
    ${fwcmd} add divert natd from any to 192.168.4 30000-47624 in

SO I AM NOW USING THIS:

    ${fwcmd} add pass tcp from any 1000-6667 to any out
    ${fwcmd} add pass tcp from any to any 1000-6667 in

    ${fwcmd} add pass tcp from any 20000-29000 to any out
    ${fwcmd} add pass tcp from any to any 28800-29000 in

    ${fwcmd} add pass tcp from any 25000-47624 to any out
    ${fwcmd} add pass tcp from any to any 30000-47624 in

    # This article describes the ports required to play Microsoft DirectX multiplayer games
    # through a firewall, a proxy server, Network Address Translation (NAT), or Internet
    # Connection Sharing
    # UDP RULES

I AM NOW USING THIS:

    ${fwcmd} add pass udp from any 1000-6667 to any out
    ${fwcmd} add pass udp from any to any 1000-6667 in

    ${fwcmd} add pass udp from any 20000-29000 to any out
    # note: the inbound range below is 2000-29000, not 20000-29000 as in the outbound rule
    ${fwcmd} add pass udp from any to any 2000-29000 in

    ${fwcmd} add pass udp from any 30000-47624 to any out
    ${fwcmd} add pass udp from any to any 30000-47624 in

ipfw -a list:

    00100     0       0 allow ip from any to any via lo0
    00200     0       0 deny ip from any to 127.0.0.0/8
    00300     0       0 deny ip from 192.168.0.0/24 to any in recv ed0
    00400     0       0 deny ip from 24.0.136.0/22 to any in recv xl0
    00500     0       0 deny ip from any to 10.0.0.0/8 via ed0
    00600     0       0 deny ip from any to 172.16.0.0/12 via ed0
    00700     0       0 deny ip from any to 192.168.0.0/16 via ed0
    00800     0       0 deny ip from any to 0.0.0.0/8 via ed0
    00900     0       0 deny ip from any to 169.254.0.0/16 via ed0
    01000     0       0 deny ip from any to 192.0.2.0/24 via ed0
    01100     0       0 deny ip from any to 224.0.0.0/4 via ed0
    01200     0       0 deny ip from any to 240.0.0.0/4 via ed0
    01300 27664 4089592 divert 8668 ip from any to any via ed0
    01400     0       0 deny ip from 10.0.0.0/8 to any via ed0
    01500     0       0 deny ip from 172.16.0.0/12 to any via ed0
    01600     0       0 deny ip from 192.168.0.0/16 to any via ed0
    01700     0       0 deny ip from 0.0.0.0/8 to any via ed0
    01800     0       0 deny ip from 169.254.0.0/16 to any via ed0
    01900     0       0 deny ip from 192.0.2.0/24 to any via ed0
    02000     0       0 deny ip from 224.0.0.0/4 to any via ed0
    02100     0       0 deny ip from 240.0.0.0/4 to any via ed0
    02200 25301 7102078 allow tcp from any to any established
    02300     0       0 allow ip from any to any frag
    02400  1442   69216 allow tcp from any to any 80 setup
    02500     0       0 allow tcp from any to any 25 setup
    02600     0       0 allow tcp from any 20 to any 1024-65535 setup
    02700     0       0 deny log logamount 100 tcp from any to any 21 in recv ed0 setup
    02800     0       0 allow log logamount 100 tcp from any to any 22 in recv ed0 setup
    02900     0       0 reset tcp from any to any 113 in recv ed0 setup
    03000   301   14448 allow tcp from any 1000-6667 to any out
    03100     8     384 allow tcp from any to any 1000-6667 in
    03200     0       0 allow tcp from any 20000-29000 to any out
    03300     0       0 allow tcp from any to any 28800-29000 in
    03400     0       0 allow tcp from any 25000-47624 to any out
    03500   163    7824 allow tcp from any to any 30000-47624 in
    03600     4     240 deny log logamount 100 tcp from any to any in recv ed0 setup
    03700   133    6384 allow tcp from any to any setup
    03800     0       0 allow tcp from any to any 3782-3783
    03900     0       0 allow tcp from any to any 18009
    04000     0       0 allow tcp from any 6891-6901 to any via ed0
    04100     0       0 allow tcp from any 1863 to any via ed0
    04200   106    6396 allow udp from any to 24.5.247.15 53
    04300     0       0 allow udp from any to 24.5.247.17 53
    04400     4     252 allow udp from any to 24.5.247.19 53
    04500   102   25804 allow udp from 24.5.247.15 53 to any
    04600     0       0 allow udp from 24.5.247.17 53 to any
    04700     4     684 allow udp from 24.5.247.19 53 to any
    04800    79   11972 allow udp from any to any 137-139 via xl0
    04900     0       0 allow log logamount 100 udp from any to any 514 via xl0
    05000     0       0 allow udp from any 123 to any 123 via ed0
    05100     0       0 allow udp from any 123 to any via xl0
    05200     0       0 allow udp from any to any 123 via xl0
    05300   165   13120 allow udp from any 1000-6667 to any out
    05400     2      80 allow udp from any to any 1000-6667 in
    05500 12767  408544 allow udp from any 20000-29000 to any out
    05600 12849  411168 allow udp from any to any 2000-29000 in
    05700     0       0 allow udp from any 30000-47624 to any out
    05800   163   13040 allow udp from any to any 30000-47624 in
    05900     0       0 allow udp from any to any 33434-33523 out xmit ed0
    06000     0       0 allow udp from any to any 3782-3783
    06100     0       0 allow udp from any to any 18009
    06200     0       0 allow udp from any 6901 to any via ed0
    06300     0       0 allow udp from any to any 6901 via ed0
    06400     0       0 allow udp from any 7801 to any via ed0
    06500     0       0 allow udp from any 7825 to any via ed0
    06600     0       0 allow udp from any 2001-2120 to any via ed0
    06700  1055   59080 allow icmp from any to any via xl0
    06800     0       0 allow icmp from any to any out xmit ed0 icmptype 8
    06900     0       0 allow icmp from any to any in recv ed0 icmptype 0
    07000  1053   58968 allow icmp from any to any via ed0 icmptype 3,4,11,12
    07100     1      32 deny icmp from any to any
    07200     6    1410 deny log logamount 1000 ip from any to any
    63000     0       0 deny ip from any to 0.0.0.255:0.0.0.255 in recv ed0
    64000     0       0 deny log logamount 100 udp from any to any 137-139 via ed0
    65000     0       0 deny log logamount 100 ip from any to any via ed0
    65535 47730 1958043 deny ip from any to any

If you have any questions please just ask me..

Thanks in advance

Pup Admin: Mike
Gamer Name VIPOR
Servers
FreeBSD 4.2-STABLE (VIPOR1)
FreeBSD 4.3-STABLE (VIPOR2)
vipor_1@hotmail.com
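An added example of the setup the post above is asking for; it is my illustration, not the poster's configuration or anything from the list. The rules the poster is running ("pass ... from any to any 30000-47624 in") open whole port ranges on the gateway itself to every source, but they never cause natd to hand inbound game traffic to the LAN machine, so the traffic stops at the gateway. What is assumed here: natd's -redirect_port option (natd(8)) carried in the rc.conf natd_flags variable, port ranges being accepted by -redirect_port, host 192.168.0.4 and outside interface ed0 from the post, and the port list from the MSN Gaming Zone article quoted in the post. The emitted ipfw rules are meant to be appended to rc.ipfw after the "divert natd" rule and before any catch-all deny, because a packet re-enters ipfw at the rule after the divert with its rewritten (LAN) destination; they allow the listed ports to the one LAN host only, rather than "from any to any". The script only prints the rc.conf value and the rules; nothing is applied unless the output is fed to ipfw by hand.

```shell
#!/bin/sh
# Added example for the natd + ipfw question; not the poster's own file.
# Values taken from the post: the LAN host and the outside interface.
LAN_HOST="192.168.0.4"
OIF="ed0"
FWCMD="/sbin/ipfw"

# Ports from the MSN Gaming Zone article quoted in the post, as proto:port-or-range.
GAME_PORTS="tcp:6667 tcp:28800-29000 tcp:47624 tcp:2300-2400 udp:2300-2400"

# Build the natd_flags value for /etc/rc.conf (assumption: natd_flags is the
# rc.conf knob that passes extra options to natd). Each -redirect_port makes
# natd rewrite inbound packets for that port so they are delivered to
# LAN_HOST instead of to the gateway's own address.
natd_flags_value() {
    flags=""
    for entry in $GAME_PORTS; do
        proto=${entry%%:*}
        port=${entry#*:}
        flags="$flags -redirect_port $proto $LAN_HOST:$port $port"
    done
    printf '%s\n' "${flags# }"
}

# Emit ipfw rules for the outside interface. Inbound: only to LAN_HOST and
# only on the game ports (the destination is already rewritten by natd at this
# point). Outbound: reply/initiating traffic to those ports, matched after natd
# has replaced the LAN source with the public address.
ipfw_rules() {
    for entry in $GAME_PORTS; do
        proto=${entry%%:*}
        port=${entry#*:}
        echo "$FWCMD add allow $proto from any to $LAN_HOST $port in via $OIF"
        echo "$FWCMD add allow $proto from any to any $port out via $OIF"
    done
}

# Sanity check on an rc.ipfw-style file: the divert rule must precede the
# first rule naming LAN_HOST, otherwise inbound packets are tested against the
# LAN address before natd has rewritten them and the allow never matches.
# Returns 0 when the order is right, 1 otherwise.
check_divert_order() {
    file=$1
    divert_line=$(grep -n 'divert' "$file" | head -n 1 | cut -d: -f1)
    host_line=$(grep -n "$LAN_HOST" "$file" | head -n 1 | cut -d: -f1)
    [ -n "$divert_line" ] && [ -n "$host_line" ] && [ "$divert_line" -lt "$host_line" ]
}

# When run directly: show the rc.conf line and the rules to append to rc.ipfw.
printf 'natd_flags="%s"\n' "$(natd_flags_value)"
ipfw_rules
```

Run it once to see the output, then copy the natd_flags line into rc.conf and the rule lines into rc.ipfw below the divert rule; check_divert_order /etc/rc.ipfw afterwards confirms the placement. The outbound side of the poster's ruleset (03700 "allow tcp from any to any setup", 02200 "established") already lets the LAN host initiate connections, so the inbound rules are the part that was missing together with the redirect.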