From: Ian Patrick Thomas <ipthomas_77@yahoo.com>
Subject: Re: I request help on how to allow in or out going tcp & udp... under natd +IPFW
Date: Tue, 22 May 2001 21:49:23 -0400 (EDT)
To: vipor <vipor_1@hotmail.com>
Cc: freebsd-questions@freebsd.org
In-Reply-To: message from vipor, "May 22, 2001 06:26:51 pm"
Message-Id: <200105230149.VAA10131@scarlet.my.domain>

Here is a site that you should check out.

http://www.onlamp.com/bsd/

Check out FreeBSD Basics. Excellent articles on firewalls.

Ian

As told by, vipor

> Hello,
>
> I have been working on my firewall on one of my BSD boxes.
> I have FreeBSD 4.3-STABLE running natd with ipfw.
> Trying to set up some rules to allow some ports out & in for my
> LAN computers. This is kind of hard for me, just think of me as a
> pup when it comes to editing firewalls!! Oh the pain of it all...heheh
>
> I would like to know how to set up my ipfw to allow
> incoming or outgoing TCP & UDP packets!!! to one of my LAN computers
> on IP 192.168.0.4
>
> I have been reading and it looks like the only two things I could
> use are divert port or fwd ipaddr [,port]
>
> Now I have tried to use both of these.. but I am not getting it to work..
> so I am looking for help here...
> An example on how to do this would be great!!!
>
> I am trying to play some online games at the MSN Gaming Zone --->
> http://zone.msn.com
>
> But my LAN computers are unable to do this.
> Here are the needed UDP & TCP port specs.
>
> part # 1
>
> This article describes the ports required to play games with other
> players on the MSN Gaming Zone through a firewall, proxy server,
> Network Address Translation (NAT), or Internet Connection Sharing (ICS).
> To play games on the MSN Gaming Zone through a network firewall or proxy
> server, the following requirements must be met:
> Your network administrator must configure the firewall or proxy server to
> allow the games to pass information through the proxy server or firewall.
> The following TCP ports on the firewall must be open:
>
>   6667
>   28800 - 29000
>
> part # 2
>
> Connection                Initial TCP Connection
>                           47624 Outbound
>                           47624 Inbound
>
> Subsequent TCP Inbound    2300-2400
> Subsequent TCP Outbound   2300-2400
>
> Subsequent UDP Inbound    2300-2400
> Subsequent UDP Outbound   2300-2400
>
> I am unable to get it to work!!! Here is all of
> the info that I have.
>
> So far this is my setup.
>
> RC.CONF :
>
> natd_interface="ed0"
> # Outside interface
> oif="ed0"
> # Inside interface
> iif="xl0"
> gateway_enable="YES"
> tcp_extensions="YES"
> firewall_enable="YES"
> firewall_script="/etc/rc.ipfw"
> firewall_type="open"
> natd_enable="YES"
> natd_interface="ed0"
>
> RC.IPFW
>
> # ${fwcmd} is the ipfw binary; it is set by /etc/rc.firewall (fwcmd="/sbin/ipfw"),
> # this file relies on it already being defined.
> # This article describes the ports required to play Microsoft DirectX multiplayer games
> # through a firewall, a proxy server, Network Address Translation (NAT), or Internet
> # Connection Sharing.  TCP RULES
>
> I could not get this to work right so I removed it
>
> # outbound by source port, inbound diverted to natd for the game box
> ${fwcmd} add pass tcp from any 1000-6667 to any out
> ${fwcmd} add divert natd tcp from any to 192.168.0.4 1000-6667 in
> ${fwcmd} add pass tcp from any 20000-29000 to any out
> ${fwcmd} add divert natd tcp from any to 192.168.0.4 28800-29000 in
> ${fwcmd} add pass tcp from any 25000-47624 to any out
> ${fwcmd} add divert natd tcp from any to 192.168.0.4 30000-47624 in
>
> SO I AM NOW USING THIS
>
> # outbound by source port range, inbound by destination port range (to any host)
> ${fwcmd} add pass tcp from any 1000-6667 to any out
> ${fwcmd} add pass tcp from any to any 1000-6667 in
>
> ${fwcmd} add pass tcp from any 20000-29000 to any out
> ${fwcmd} add pass tcp from any to any 28800-29000 in
>
> ${fwcmd} add pass tcp from any 25000-47624 to any out
> ${fwcmd} add pass tcp from any to any 30000-47624 in
>
> # This article describes the ports required to play Microsoft DirectX multiplayer games
> # through a firewall, a proxy server, Network Address Translation (NAT), or Internet
> # Connection Sharing.  UDP RULES
>
> I AM NOW USING THIS
>
> ${fwcmd} add pass udp from any 1000-6667 to any out
> ${fwcmd} add pass udp from any to any 1000-6667 in
>
> ${fwcmd} add pass udp from any 20000-29000 to any out
> # inbound range matching the outbound one; the loaded ruleset listed below
> # shows 2000-29000 at rule 05600
> ${fwcmd} add pass udp from any to any 20000-29000 in
>
> ${fwcmd} add pass udp from any 30000-47624 to any out
> ${fwcmd} add pass udp from any to any 30000-47624 in
>
> ipfw -a list
>
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 192.168.0.0/24 to any in recv ed0
> 00400 0 0 deny ip from 24.0.136.0/22 to any in recv xl0
> 00500 0 0 deny ip from any to 10.0.0.0/8 via ed0
> 00600 0 0 deny ip from any to 172.16.0.0/12 via ed0
> 00700 0 0 deny ip from any to 192.168.0.0/16 via ed0
> 00800 0 0 deny ip from any to 0.0.0.0/8 via ed0
> 00900 0 0 deny ip from any to 169.254.0.0/16 via ed0
> 01000 0 0 deny ip from any to 192.0.2.0/24 via ed0
> 01100 0 0 deny ip from any to 224.0.0.0/4 via ed0
> 01200 0 0 deny ip from any to 240.0.0.0/4 via ed0
> 01300 27664 4089592 divert 8668 ip from any to any via ed0
> 01400 0 0 deny ip from 10.0.0.0/8 to any via ed0
> 01500 0 0 deny ip from 172.16.0.0/12 to any via ed0
> 01600 0 0 deny ip from 192.168.0.0/16 to any via ed0
> 01700 0 0 deny ip from 0.0.0.0/8 to any via ed0
> 01800 0 0 deny ip from 169.254.0.0/16 to any via ed0
> 01900 0 0 deny ip from 192.0.2.0/24 to any via ed0
> 02000 0 0 deny ip from 224.0.0.0/4 to any via ed0
> 02100 0 0 deny ip from 240.0.0.0/4 to any via ed0
> 02200 25301 7102078 allow tcp from any to any established
> 02300 0 0 allow ip from any to any frag
> 02400 1442 69216 allow tcp from any to any 80 setup
> 02500 0 0 allow tcp from any to any 25 setup
> 02600 0 0 allow tcp from any 20 to any 1024-65535 setup
> 02700 0 0 deny log logamount 100 tcp from any to any 21 in recv ed0 setup
> 02800 0 0 allow log logamount 100 tcp from any to any 22 in recv ed0 setup
> 02900 0 0 reset tcp from any to any 113 in recv ed0 setup
> 03000 301 14448 allow tcp from any 1000-6667 to any out
> 03100 8 384 allow tcp from any to any 1000-6667 in
> 03200 0 0 allow tcp from any 20000-29000 to any out
> 03300 0 0 allow tcp from any to any 28800-29000 in
> 03400 0 0 allow tcp from any 25000-47624 to any out
> 03500 163 7824 allow tcp from any to any 30000-47624 in
> 03600 4 240 deny log logamount 100 tcp from any to any in recv ed0 setup
> 03700 133 6384 allow tcp from any to any setup
> 03800 0 0 allow tcp from any to any 3782-3783
> 03900 0 0 allow tcp from any to any 18009
> 04000 0 0 allow tcp from any 6891-6901 to any via ed0
> 04100 0 0 allow tcp from any 1863 to any via ed0
> 04200 106 6396 allow udp from any to 24.5.247.15 53
> 04300 0 0 allow udp from any to 24.5.247.17 53
> 04400 4 252 allow udp from any to 24.5.247.19 53
> 04500 102 25804 allow udp from 24.5.247.15 53 to any
> 04600 0 0 allow udp from 24.5.247.17 53 to any
> 04700 4 684 allow udp from 24.5.247.19 53 to any
> 04800 79 11972 allow udp from any to any 137-139 via xl0
> 04900 0 0 allow log logamount 100 udp from any to any 514 via xl0
> 05000 0 0 allow udp from any 123 to any 123 via ed0
> 05100 0 0 allow udp from any 123 to any via xl0
> 05200 0 0 allow udp from any to any 123 via xl0
> 05300 165 13120 allow udp from any 1000-6667 to any out
> 05400 2 80 allow udp from any to any 1000-6667 in
> 05500 12767 408544 allow udp from any 20000-29000 to any out
> 05600 12849 411168 allow udp from any to any 2000-29000 in
> 05700 0 0 allow udp from any 30000-47624 to any out
> 05800 163 13040 allow udp from any to any 30000-47624 in
> 05900 0 0 allow udp from any to any 33434-33523 out xmit ed0
> 06000 0 0 allow udp from any to any 3782-3783
> 06100 0 0 allow udp from any to any 18009
> 06200 0 0 allow udp from any 6901 to any via ed0
> 06300 0 0 allow udp from any to any 6901 via ed0
> 06400 0 0 allow udp from any 7801 to any via ed0
> 06500 0 0 allow udp from any 7825 to any via ed0
> 06600 0 0 allow udp from any 2001-2120 to any via ed0
> 06700 1055 59080 allow icmp from any to any via xl0
> 06800 0 0 allow icmp from any to any out xmit ed0 icmptype 8
> 06900 0 0 allow icmp from any to any in recv ed0 icmptype 0
> 07000 1053 58968 allow icmp from any to any via ed0 icmptype 3,4,11,12
> 07100 1 32 deny icmp from any to any
> 07200 6 1410 deny log logamount 1000 ip from any to any
> 63000 0 0 deny ip from any to 0.0.0.255:0.0.0.255 in recv ed0
> 64000 0 0 deny log logamount 100 udp from any to any 137-139 via ed0
> 65000 0 0 deny log logamount 100 ip from any to any via ed0
> 65535 47730 1958043 deny ip from any to any
>
> If you have any questions please just ask me..
>
> Thanks in advance
>
> Pup Admin: Mike
> Gamer Name VIPOR
> Servers
> FreeBSD 4.2-STABLE (VIPOR1)
> FreeBSD 4.3-STABLE (VIPOR2)
> vipor_1@hotmail.com

--
Have blue screens given you the blues, go to www.freebsd.org for the cure.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
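For readers of the archive, here is the natd + ipfw arrangement the question above is asking for, written out as an added example. It is not vipor's configuration, not Ian's, and not FreeBSD's own rc.firewall. The interface names (ed0 outside, xl0 inside) and the game box address 192.168.0.4 come from the quoted message, and the port list comes from the MSN Gaming Zone text quoted there; the port table layout, the rule numbers, the dry-run default and the audit function are this example's own. Two things it shows that the posted rules do not: natd's -redirect_port option (a real natd(8) flag) is what makes inbound packets for those ports reach 192.168.0.4, and the allow rules can then name the game box as the destination instead of "any". The audit_inbound function reads "ipfw -a list" output and reports every allow rule that accepts inbound traffic to any destination, with the number of ports it opens; the sample it runs on is three lines copied from the list above plus one narrowed rule for contrast.

```sh
#!/bin/sh
# Added example, not the thread's configuration and not FreeBSD's rc.firewall.
# Generates natd port redirections plus narrow ipfw rules for the MSN Gaming
# Zone port list quoted in the message.  ed0/xl0/192.168.0.4 are taken from the
# message; the port table, rule numbers and dry-run default are this example's own.
oif="ed0"
iif="xl0"
lanhost="192.168.0.4"
# Dry run by default: rules are printed, not loaded.  FWCMD=/sbin/ipfw loads them.
fwcmd="${FWCMD:-echo ipfw}"

# proto  port(s)      direction: out = LAN -> zone only, both = also inbound to $lanhost
ports='tcp 6667 out
tcp 28800-29000 out
tcp 47624 both
tcp 2300-2400 both
udp 2300-2400 both'

# natd flags for rc.conf (natd_flags="..."): inbound packets for these ports are
# rewritten to $lanhost before ipfw evaluates the rules that follow the divert rule.
natd_flags() {
    flags=""
    while read -r proto range dir; do
        [ "$dir" = "both" ] || continue
        flags="$flags -redirect_port $proto $lanhost:$range $range"
    done <<EOF
$ports
EOF
    echo "${flags# }"
}

# ipfw rules.  The divert rule comes first (1300 is where rc.firewall places it).
# The allow rules match on destination ports only: natd may change the source
# port of outgoing packets unless it is run with -same_ports, so rules keyed on
# the LAN host's source port are unreliable after translation.
ipfw_rules() {
    $fwcmd add 1300 divert natd ip from any to any via "$oif"
    n=3000
    echo "$ports" | while read -r proto range dir; do
        setup=""
        [ "$proto" = "tcp" ] && setup="setup"
        # outbound: any LAN host may open these zone ports
        $fwcmd add $n allow "$proto" from any to any "$range" out xmit "$oif" $setup
        n=$((n + 10))
        [ "$dir" = "both" ] || continue
        # inbound: only the redirected ports, only to the game box, never "to any"
        $fwcmd add $n allow "$proto" from any to "$lanhost" "$range" in recv "$oif" $setup
        n=$((n + 10))
    done
}

# Audit helper: feed it "ipfw -a list" output.  Prints "rule proto ports" for each
# allow rule that accepts inbound traffic to any destination (the firewall itself
# included), with the count of destination ports the rule opens.
audit_inbound() {
    awk '$4 == "allow" && $9 == "any" && $11 == "in" {
        n = split($10, p, "-")
        width = (n == 2) ? p[2] - p[1] + 1 : 1
        printf "%s %s %d\n", $1, $5, width
    }'
}

# Constructed sample: three lines as they appear in the quoted list, plus one
# narrowed rule of the kind ipfw_rules emits, which the audit should not flag.
sample_list='03100 8 384 allow tcp from any to any 1000-6667 in
03500 163 7824 allow tcp from any to any 30000-47624 in
05600 12849 411168 allow udp from any to any 2000-29000 in
03010 0 0 allow tcp from any to 192.168.0.4 2300-2400 in recv ed0 setup'

echo "natd_flags=\"$(natd_flags)\""
ipfw_rules
echo "$sample_list" | audit_inbound
# audit output: 03100 tcp 5668 / 03500 tcp 17625 / 05600 udp 27001
```

On a real box the natd_flags line goes into rc.conf next to natd_enable, and the rules belong in the firewall script between the divert rule and the final deny, as in the ruleset quoted above. To check a running ruleset, source the script and pipe "ipfw -a list" into audit_inbound; every line it prints is a rule that exposes that many ports on every address the box has, which is the situation the "to any ... in" rules in the quoted setup create.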