Date: Wed, 03 Apr 2002 15:11:02 +0200
From: Jens Rehsack <rehsack@liwing.de>
To: Ramses van Pinxteren <ramses.van.pinxteren@cmg.nl>
Cc: freebsd-questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: IPF and Nat question
Message-ID: <3CAAFF66.B8B1FC4F@liwing.de>
References: <395ABDBC0952D211BB2A00104BB3F93906A1ACE1@nl-amv-mail03.cmg.nl>
Ramses van Pinxteren wrote:
>
> Hello question solvers around the world,
>
> I have a problem with my firewall... I think (suspect) there is something
> wrong with the ordering of the rules but I am not sure. Can you please take a
> look at it and shoot me for the most stupid errors ever made??
>
> The problem I have is when I load the firewall NAT will not work anymore :-(
> Does anyone have a suggestion??
Does NAT stop working (a) after every reboot or (b) after reloading the firewall rules?
If (a), please send your NAT rules and (if required) your other IP addresses.
If (b), please reload NAT after reloading the firewall.
Maybe your "ifconfig -a" output is relevant, too?
> #############################
> #
> # Start firewall by blocking all incoming traffic
> #
> #############################
>
> block in on xl0 all
>
> block in quick on xl0 proto icmp from any to 80.252.225.121/32 icmp-type 0
> block in quick on xl0 proto icmp from any to 80.252.225.121/32 icmp-type 11
> block in quick on xl0 proto icmp from any to any
This doesn't make sense.
"block in log quick" could make sense for a special rule, but "block in all" is
clear, isn't it?
> # The pass rules...
>
> #allow in FTP
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 20 flags S keep state keep frags
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 21 flags S keep state keep frags
>
> #allow in SSH
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 22 flags S keep state keep frags
>
> #allow in SMTP
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 25 flags S keep state keep frags
>
> #allow in DNS
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 53 flags S keep state keep frags
> # no "flags S" on the UDP rule: ipf only accepts TCP flags on proto tcp rules
> pass in quick on xl0 proto udp from any to 80.242.225.121/32 port = 53 keep state keep frags
>
> #allow in WEB
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 80 flags S keep state keep frags
>
> #allow in CHAT
> pass in quick on xl0 proto tcp from any to 80.242.225.121/32 port = 8000 flags S keep state keep frags
>
> block out on xl0 all
>
> # Only allow TCP, UDP and ICMP traffic out
> pass out quick on xl0 proto tcp from 80.242.225.121/32 to any keep state
> pass out quick on xl0 proto udp from 80.242.225.121/32 to any keep state
> pass out quick on xl0 proto icmp from 80.242.225.121/32 to any keep state
>
> #internal interface
> pass in quick on rl0 from any to any
> pass out quick on rl0 from any to any
>
> #Local loopback
> pass in quick on lo0 from any to any
> pass out quick on lo0 from any to any
Your rules look as if they're correct. A little bit paranoid in content, but
I cannot see any error.
> I have compiled my kernel with default blocking enabled.
As it should be done :-)
--
Jens Rehsack
LiWing IT-Services
Friesenstraße 2
06112 Halle
Tel.: +49 - 3 45 - 5 17 05 91
Fax: +49 - 3 45 - 5 17 05 92
e-Mail: <rehsack@liwing.de>
http://www.liwing.de/
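An added note and example, not part of either message in this thread: before blaming rule order, check how the posted ruleset interacts with NAT. IPFilter applies NAT to inbound packets before the filter rules and to outbound packets after them, so the "pass out ... from 80.242.225.121/32" rules on xl0 are evaluated against the still-untranslated source address of packets arriving from the LAN on rl0. Those packets match none of the pass out rules and fall through to "block out on xl0 all", which looks exactly like "NAT stops working once the firewall is loaded". The fragment below is an added, hypothetical ruleset that allows for this; the internal subnet 192.168.1.0/24 and the portmap range are assumptions, since the original post does not show them.

```conf
# /etc/ipf.rules fragment (added example, not from the original posts).
# Assumption: the LAN behind rl0 is 192.168.1.0/24 and xl0 carries 80.242.225.121.
# ipf evaluates outbound rules on xl0 BEFORE ipnat rewrites the source address,
# so the LAN subnet must be passed out explicitly; the external address alone
# only covers traffic originated by the firewall host itself.
block out on xl0 all

# traffic from the firewall host
pass out quick on xl0 proto tcp  from 80.242.225.121/32 to any keep state
pass out quick on xl0 proto udp  from 80.242.225.121/32 to any keep state
pass out quick on xl0 proto icmp from 80.242.225.121/32 to any keep state

# traffic from the LAN, still carrying its private source address at this point
pass out quick on xl0 proto tcp  from 192.168.1.0/24 to any keep state
pass out quick on xl0 proto udp  from 192.168.1.0/24 to any keep state
pass out quick on xl0 proto icmp from 192.168.1.0/24 to any keep state

# /etc/ipnat.rules (added example; the port range is an assumption)
map xl0 192.168.1.0/24 -> 80.242.225.121/32 portmap tcp/udp 10000:20000
map xl0 192.168.1.0/24 -> 80.242.225.121/32
```

Reply packets are un-NATed on the way in before the filter sees them, so they match the state entries created by the "keep state" out rules above. On the reload question in the reply: "ipf -Fa -f /etc/ipf.rules" flushes and reloads only the filter rules; the NAT rules live in a separate table and are reloaded with "ipnat -CF -f /etc/ipnat.rules". "ipfstat -io" lists the loaded in/out rules and "ipnat -l" lists the NAT rules and active mappings, which is the quickest way to confirm which of the two actually went missing.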
