From owner-freebsd-questions Wed Apr 3 4:37:25 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from smtp016.mail.yahoo.com (smtp016.mail.yahoo.com [216.136.174.113]) by hub.freebsd.org (Postfix) with SMTP id 8EAB637B400 for ; Wed, 3 Apr 2002 04:37:19 -0800 (PST)
Received: from 12-220-244-231.client.insightbb.com (HELO Kaiser) (donniejones18@12.220.244.231 with login) by smtp.mail.vip.sc5.yahoo.com with SMTP; 3 Apr 2002 12:37:18 -0000
Date: Wed, 3 Apr 2002 07:37:22 -0500
From: Donnie Jones
To: Ramses van Pinxteren
Cc: freebsd-questions@freebsd.org
Subject: Re: IPF and Nat question
Message-Id: <20020403073722.662079f1.donniejones18@yahoo.com>
In-Reply-To: <395ABDBC0952D211BB2A00104BB3F93906A1ACE1@nl-amv-mail03.cmg.nl>
References: <395ABDBC0952D211BB2A00104BB3F93906A1ACE1@nl-amv-mail03.cmg.nl>
X-Mailer: Sylpheed version 0.6.6 (GTK+ 1.2.10; i686-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Wed, 3 Apr 2002 13:04:28 +0200
Ramses van Pinxteren wrote:

> Hello question solvers around the world,
>
> I have a problem with my firewall... I think (suspect) there is something
> wrong with the ordering of the rules but I am not sure. Can you please take a
> look at it and shoot me for the most stupid errors ever made??
>
> The problem I have is when I load the firewall NAT will not work anymore :-(
> Does anyone have a suggestion??
>
> #############################
> #
> # Start firewall by blocking all incoming traffic
> #
> #############################
>
> block in on xl0 all
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Not necessary with default block all enabled.

> block in quick on xl0 proto icmp from any to 80.252.225.121/32 icmp-type 0
> block in quick on xl0 proto icmp from any to 80.252.225.121/32 icmp-type 11
> block in quick on xl0 proto icmp from any to any
>
> # The pass rules...
>
> #allow in FTP
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 20 flags S keep state keep frags
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 21 flags S keep state keep frags
>
> #allow in SSH
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 22 flags S keep state keep frags
>
> #allow in SMTP
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 25 flags S keep state keep frags
>
> #allow in DNS
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 53 flags S keep state keep frags
> pass in quick on xl0 proto udp from any to 80.242.225.121/32 port = 53 flags S keep state keep frags
>
> #allow in WEB
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 80 flags S keep state keep frags
>
> #allow in CHAT
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 8000 flags S keep state keep frags
>
> block out on xl0 all
>
> # Only allow TCP, UDP and ICMP traffic out
> pass out quick on xl0 proto tcp from 80.242.225.121/32 to any keep state
> pass out quick on xl0 proto udp from 80.242.225.121/32 to any keep state
> pass out quick on xl0 proto icmp from 80.242.225.121/32 to any keep state
>
> #internal interface
> pass in quick on rl0 from any to any
> pass out quick on rl0 from any to any
>
> #Local loopback
> pass in quick on lo0 from any to any
> pass out quick on lo0 from any to any
>
>
> I have compiled my kernel with default blocking enabled.

I quickly looked over your firewall and I am not seeing any glaring errors.
What is the problem that you are having?

If you like you can go to my website, http://www.darthik.com and then to the
FreeBSD tab. I have an IPNAT howto, and my ipfw and ipf configuration files
there along with some other firewall howtos that may help you.

Good luck,
--Donnie

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
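Added example, not part of the thread and not IPFilter's own code: a small Python simulator of ipf rule ordering, run over a cut-down copy of the ruleset posted above. The point it demonstrates is the one the poster suspects, rule ordering: ipf tries rules top to bottom and the last matching rule wins, except that a matching `quick` rule ends evaluation immediately. The addresses 203.0.113.5 (a remote host) and 192.168.1.10 (a LAN host behind rl0) are constructed for the example; only the keywords the posted rules use are parsed, and `flags`, `keep state`, `keep frags` and `icmp-type` are accepted and ignored.

```python
"""Simulator of IPFilter (ipf) rule ordering: last match wins, 'quick' stops.
Added example; the ruleset below is a subset of the one posted in the thread,
the packet addresses are constructed.  Default verdict is 'block' because the
poster built the kernel with default blocking enabled."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

RULESET = """\
block in on xl0 all
block in quick on xl0 proto icmp from any to 80.252.225.121/32 icmp-type 0
block in quick on xl0 proto icmp from any to 80.252.225.121/32 icmp-type 11
block in quick on xl0 proto icmp from any to any
pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 22 flags S keep state keep frags
pass in quick on xl0 proto udp from any to 80.242.225.121/32 port = 53 flags S keep state keep frags
block out on xl0 all
pass out quick on xl0 proto tcp from 80.242.225.121/32 to any keep state
pass out quick on xl0 proto udp from 80.242.225.121/32 to any keep state
pass in quick on rl0 from any to any
pass out quick on rl0 from any to any
"""

# Only the subset of ipf syntax used above; trailing options are ignored.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?P<quick>\s+quick)?\s+on\s+(?P<iface>\S+)"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+all|\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<port>\d+))?)"
)


@dataclass
class Rule:
    action: str
    direction: str
    quick: bool
    iface: str
    proto: Optional[str]
    src: Optional[ipaddress.IPv4Network]   # None means 'any'
    dst: Optional[ipaddress.IPv4Network]
    port: Optional[int]


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net(token):
    return None if token in (None, "any") else ipaddress.ip_network(token, strict=False)


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line}")
        rules.append(Rule(m["action"], m["dir"], m["quick"] is not None, m["iface"],
                          m["proto"], _net(m["src"]), _net(m["dst"]),
                          int(m["port"]) if m["port"] else None))
    return rules


def matches(rule, pkt):
    if rule.direction != pkt.direction or rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.port is not None and rule.port != pkt.dport:
        return False
    return True


def decide(rules, pkt, default="block"):
    """Return (verdict, index of the deciding rule; None when the default applied)."""
    verdict, winner = default, None
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict, winner = rule.action, i
            if rule.quick:        # 'quick' ends evaluation; otherwise keep going
                break
    return verdict, winner


def host_addresses(rules):
    """Lint helper: every distinct /32 host the rules name.  More than one on a
    single-address box is usually a typo (here 80.252.x vs 80.242.x)."""
    hosts = {str(n.network_address) for r in rules for n in (r.src, r.dst)
             if n is not None and n.prefixlen == 32}
    return sorted(hosts)


if __name__ == "__main__":
    rules = parse_rules(RULESET)
    cases = {
        "ssh in from internet": Packet("in", "xl0", "tcp", "203.0.113.5", "80.242.225.121", 22),
        "telnet in from internet": Packet("in", "xl0", "tcp", "203.0.113.5", "80.242.225.121", 23),
        "icmp in to real address": Packet("in", "xl0", "icmp", "203.0.113.5", "80.242.225.121"),
        "LAN host out via xl0 (pre-NAT source)": Packet("out", "xl0", "tcp", "192.168.1.10", "203.0.113.5", 80),
        "gateway itself out via xl0": Packet("out", "xl0", "tcp", "80.242.225.121", "203.0.113.5", 80),
    }
    for name, pkt in cases.items():
        print(f"{name:40s} -> {decide(rules, pkt)}")
    print("hosts named in rules:", host_addresses(rules))
```

The case to look at when NAT "stops working" the moment the filter is loaded is the LAN host leaving via xl0. IPFilter's documented processing order is ipnat before the filter for inbound packets and the filter before ipnat for outbound packets, so the outbound rules see the packet with its private 192.168.1.10 source; neither `pass out quick ... from 80.242.225.121/32` rule matches it, and the non-quick `block out on xl0 all` is the last match. The simulator also shows why the two `icmp-type` rules with the 80.252.x address never fire for the real 80.242.x host (the following `block in quick ... proto icmp from any to any` still catches the packet), which is the kind of inconsistency `host_addresses` is there to surface before a ruleset goes live.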