From: "Joshua Lokken" <bsdaemon@eudoramail.com>
To: freebsd-questions@freebsd.org
Date: Wed, 26 Feb 2003 11:25:02 -0800
Subject: ipfw troubleshooting (was ipfw rule placement)

Hello,

I am running 4.7-RELEASE-p6 as a gateway (ipfw+natd). Thanks to those of you who helped me firm up my ruleset. natd is running and configured; however, I am not able to do port redirection or HTTP from the outside. (The firewall disk crashed over the weekend, and I didn't have things properly backed up.)

My firewall log is flooded with this message:

    [date and time] churgeon /kernel: ipfw: Deny UDP 10.142.240.1:67 255.255.255.255:68 in via ed1

When I run sockstat, I see that dhclient is listening for UDP packets on port 68:

    root dhclient 62 4 udp4 *:68 *:*

Attached is my ipfw ruleset. I'd like to know if I need to allow these packets (if they're required by dhclient, etc.). Just in case, I've attached natd.conf and rc.conf as well. Thanks for any help.

---
Joshua Lokken
FreeBSD: The Power to Serve!
bsdaemon@eudoramail.com

Attachment: firewall.conf

    #!/bin/sh
    fwcmd="/sbin/ipfw"
    # external interface (gets its address via DHCP, see rc.conf) and its address
    oif="ed1"
    oip="xxx.xxx.xxx.xxx"
    # internal interface and the private network behind it
    iif="rl0"
    inwr="10.0.0.0/8"
    iip="10.0.0.1"
    ns1="204.127.198.4"
    ns2="216.148.227.68"
    ns3="207.228.252.107"
    ns4="64.246.26.64"

    # start from an empty ruleset
    $fwcmd -f flush
    $fwcmd add allow all from any to any via lo0
    # hand everything on the external interface to natd
    $fwcmd add divert natd all from any to any via $oif
    $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
    $fwcmd add check-state
    $fwcmd add allow udp from $oip to any via $oif keep-state
    $fwcmd add allow tcp from any to $oip 22,25,80,110,443,6346,22002,22003,22010 setup via $oif keep-state
    $fwcmd add allow ip from $oip to any keep-state out via $oif
    $fwcmd add allow ip from $inwr to any keep-state via $iif
    # everything not matched above is dropped and logged
    $fwcmd add 65435 deny log ip from any to any

Attachment: natd.conf

    # natd.conf
    # flags
    interface ed1
    dynamic yes
    unregistered_only yes
    # Web and mail
    redirect_port tcp 10.0.0.10:8080 80
    redirect_port udp 10.0.0.10:8080 80
    redirect_port tcp 10.0.0.10:443 443
    redirect_port udp 10.0.0.10:443 443
    # SSH
    redirect_port tcp 10.0.0.2:22 22002
    redirect_port udp 10.0.0.2:22 22002
    redirect_port tcp 10.0.0.3:22 22003
    redirect_port udp 10.0.0.3:22 22003
    redirect_port tcp 10.0.0.10:22 22010
    redirect_port udp 10.0.0.10:22 22010
    # VNC
    redirect_port tcp 10.0.0.2:5900-5910 5900-5910
    redirect_port udp 10.0.0.2:5900-5910 5900-5910

Attachment: rc.conf

    # -- sysinstall generated deltas -- # Sat Feb 15 13:14:18 2003
    # Created: Sat Feb 15 13:14:18 2003
    network_interfaces="lo0 ed1 rl0"
    hostname="churgeon.joshualokken.com"
    ifconfig_ed1="DHCP"
    ifconfig_rl0="inet 10.0.0.1 netmask 255.0.0.0"
    inetd_enable="NO"
    kern_securelevel_enable="YES"
    kern_securelevel="1"
    nfs_reserved_port_only="YES"
    sendmail_enable="NONE"
    sshd_enable="YES"
    syslogd_enable="YES"
    syslogd_flags="-ss"
    gateway_enable="YES"
    firewall_enable="YES"
    natd_enable="YES"
    natd_interface="ed1"
    natd_flags="-f /etc/natd.conf"
    firewall_script="/etc/firewall.conf"
    tcp_extensions="YES"
    icmp_drop_redirect="YES"
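Added example, not part of the message above and not FreeBSD's own tooling: a small Python script that reads syslog lines in the format ipfw's "deny log" rule produces, collapses a flood of identical lines into per-flow counts, and flags the inbound UDP 67->68 hits that correspond to the dhclient listener seen in sockstat. The sample log lines are constructed; the first two repeat the quoted message with a made-up timestamp, the rest are invented to show how other denied traffic is kept separate.

```python
import re
from collections import Counter

# TCP/UDP form of an ipfw log line as syslogd writes it, e.g.
# "ipfw: 65435 Deny UDP 10.142.240.1:67 255.255.255.255:68 in via ed1".
# The rule number is optional because the line quoted in the message omits it.
IPFW_RE = re.compile(
    r"ipfw: (?:(?P<rule>\d+) )?(?P<action>Accept|Deny|Reset|Unreach\S*|Count) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample (timestamps and the non-DHCP lines are made up).
SAMPLE_LOG = """\
Feb 26 11:02:13 churgeon /kernel: ipfw: Deny UDP 10.142.240.1:67 255.255.255.255:68 in via ed1
Feb 26 11:02:15 churgeon /kernel: ipfw: Deny UDP 10.142.240.1:67 255.255.255.255:68 in via ed1
Feb 26 11:03:01 churgeon /kernel: ipfw: 65435 Deny TCP 192.0.2.7:4321 10.0.0.1:80 in via ed1
Feb 26 11:03:02 churgeon /kernel: ipfw: 65435 Deny ICMP:8.0 192.0.2.7 10.0.0.1 in via ed1
"""

def parse_ipfw_log(text):
    """One dict per TCP/UDP log line; ICMP and unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = IPFW_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records

def is_dhcp_reply(rec):
    """DHCP server-to-client traffic: inbound UDP from port 67 to port 68."""
    return (rec["proto"] == "UDP" and rec["sport"] == 67
            and rec["dport"] == 68 and rec["dir"] == "in")

def summarize(records):
    """Count identical flows so a flood of repeated lines becomes one row with a count."""
    key = lambda r: (r["action"], r["proto"], r["src"], r["sport"],
                     r["dst"], r["dport"], r["dir"], r["iface"])
    return Counter(key(r) for r in records)

def report(text):
    """Totals, how many hits are DHCP replies, which interfaces they arrive on, per-flow counts."""
    recs = parse_ipfw_log(text)
    dhcp = [r for r in recs if is_dhcp_reply(r)]
    return {"total": len(recs), "dhcp_replies": len(dhcp),
            "dhcp_ifaces": sorted({r["iface"] for r in dhcp}), "flows": summarize(recs)}
```

Running report() over the contents of the firewall log shows at a glance whether the flood is entirely the 67->68 broadcasts on the DHCP interface or whether other denied traffic is mixed in with it.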