From owner-freebsd-net Thu Feb 14 13:33:26 2002
Date: Thu, 14 Feb 2002 22:43:30 +0100
From: "Rogier R. Mulhuijzen"
To: Michael Sierchio, Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: Bug in stateful code?
Message-Id: <5.1.0.14.0.20020214224151.01c350c0@mail.drwilco.net>
In-Reply-To: <5.1.0.14.0.20020214221354.01c37da0@mail.drwilco.net>
References: <3C6C2180.3020704@tenebras.com> <3C6BE90D.3020108@tenebras.com> <20020214093647.A57238@iguana.icir.org>

At 22:25 14-2-2002 +0100, Rogier R. Mulhuijzen wrote:

----SNIP----

Oops, forgot a few rules at the end (bad copy/paste). So here it is again.
tl0 is the interface on internal LAN
lnc0 is the interface on external LAN

--------------------
#divert all http requests from internal network to squid cache
add 00510 fwd 172.30.0.1 tcp from 172.30.0.0/16 to any 80 in via tl0
add 00520 fwd 172.30.0.1 tcp from 172.20.0.0/16 to any 80 in via tl0
add 00530 fwd 172.30.0.1 tcp from 192.168.0.0/24 to any 80 in via tl0

#allow all traffic to/from internal network
add 01000 allow all from any to any via tl0

#translate incoming packets (NAT)
add 30000 divert natd all from any to in via lnc0

#allow incoming packets for hosts on internal network
#(Since we translated them, we're sure they belong to existing
#connection)
add 30110 allow all from any to 172.20.0.0/16 in via lnc0
add 30111 allow all from any to 172.30.0.0/16 in via lnc0
add 30112 allow all from any to 192.168.0.0/24 in via lnc0

#allow SSH from XXXXXXXX
add 30200 allow tcp from to 22 in via lnc0
add 30210 allow tcp from 22 to out via lnc0

#allow DNS queries to UUnet DNS servers
add 30300 allow udp from 53 to in via lnc0
add 30310 allow udp from to 53 out via lnc0
add 30320 allow udp from 53 to in via lnc0
add 30330 allow udp from to 53 out via lnc0

#allow outgoing traffic from internal hosts
#(use skipto 34000 instead of allow because they still need translation)
add 31010 skipto 34000 all from 172.20.0.0/16 to any out via lnc0
add 31020 skipto 34000 all from 172.30.0.0/16 to any out via lnc0
add 31030 skipto 34000 all from 192.168.0.0/24 to any out via lnc0

#allow outgoing connections from local machine (using dynamic rules)
add 32000 allow all from to any out via lnc0 keep-state

#block and log everything that hasn't been allowed so far
add 33000 deny log all from any to any

#translate outgoing packets (NAT)
add 34000 divert natd all from any to any out via lnc0

#allow translated packets to go out
add 34010 allow all from 195.109.218.253 to any out via lnc0

#block and log whatever remains (shouldn't be anything)
add 65000 deny log all from any to any
--------------------

Greets,

Doc
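As an added example (not code from the post), a small Python model of ipfw's first-match walk over a subset of the rules above, covering skipto, divert-to-natd re-entry at the next rule, and the keep-state dynamic check, so the path a packet takes through the numbered rules can be traced. It assumes the elided destination in rule 30000 is "any" and that the firewall's own address ("me" in rule 32000, redacted in the post) is 195.109.218.253, the source address rule 34010 permits; test packets use RFC 5737 documentation addresses.

```python
import ipaddress, re

# Subset of the post's rules. Assumptions for this example: the elided destination in
# rule 30000 is 'any', and 'me' stands for the firewall's own address, 195.109.218.253.
EXT = "195.109.218.253"
RULES = """
add 01000 allow all from any to any via tl0
add 30000 divert natd all from any to any in via lnc0
add 30110 allow all from any to 172.20.0.0/16 in via lnc0
add 31010 skipto 34000 all from 172.20.0.0/16 to any out via lnc0
add 32000 allow all from me to any out via lnc0 keep-state
add 33000 deny log all from any to any
add 34000 divert natd all from any to any out via lnc0
add 34010 allow all from 195.109.218.253 to any out via lnc0
"""
PAT = re.compile(r"add (\d+) (allow|deny|skipto|divert)(?: (?!log)(\S+))?(?: log)? "
                 r"(all|tcp|udp) from (\S+) to (\S+)(?: (in|out))?(?: via (\S+))?( keep-state)?")

def parse(text):  # -> [(num, action, arg, proto, src, dst, dir, iface, keep_state), ...]
    rows = [PAT.fullmatch(ln).groups() for ln in text.strip().splitlines()]
    return [(int(n), a, g, pr, s, d, di, i, bool(k)) for n, a, g, pr, s, d, di, i, k in rows]

def in_net(spec, ip):
    spec = EXT if spec == "me" else spec
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):  # static part of a rule against a packet dict
    _, _, _, proto, src, dst, dirn, iface, _ = r
    return (proto in ("all", p["proto"]) and in_net(src, p["src"]) and in_net(dst, p["dst"])
            and dirn in (None, p["dir"]) and iface in (None, p["iface"]))

def walk(rules, p, dyn, nat):  # -> (verdict, matching rule number, rule numbers visited)
    p, i, path = dict(p), 0, []
    while i < len(rules):
        r = rules[i]; num, act, arg, keep = r[0], r[1], r[2], r[8]; path.append(num)
        if keep and ((p["src"], p["dst"]) in dyn or (p["dst"], p["src"]) in dyn):
            return "allow", num, path    # dynamic rules are consulted at the first keep-state rule
        if not matches(r, p):
            i += 1; continue
        if act == "skipto":              # continue at the first rule numbered >= arg
            i = next(j for j, x in enumerate(rules) if x[0] >= int(arg)); continue
        if act == "divert":              # natd: rewrite, then re-enter at the next rule
            if p["dir"] == "out":
                nat[p["dst"]], p["src"] = p["src"], EXT
            elif p["dst"] == EXT and p["src"] in nat:
                p["dst"] = nat[p["src"]]
            i += 1; continue
        if keep: dyn.add((p["src"], p["dst"]))  # keep-state: remember the flow for its reply
        return act, num, path
    return "deny", None, path            # ipfw's implicit default rule
```

Walking a LAN host's outbound packet shows it reaching 34010 only via the skipto and the divert at 34000, while an unsolicited inbound packet to the firewall falls through to the deny at 33000.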