From: Gregory Edigarov
To: questions@freebsd.org
Date: Fri, 28 May 2004 12:22:21 +0300
Message-ID: <20040528092221.GA9593@profi.kharkov.ua>
Subject: ipfw, 2 scripts

Hello,

Below you will find 2 ipfw scripts; the first one is working, and the second one is very good looking but not working. What am I missing in the second script?
---- first script starts here ---
#!/bin/sh
ipfw -f flush
ipfw add 1 check-state
ipfw add 100 allow all from any to any via lo0
ipfw add deny all from 10.0.0.0/8 to any in via tun0
ipfw add deny all from 172.16.0.0/12 to any in via tun0
ipfw add deny all from 192.168.0.0/16 to any in via tun0
ipfw add deny all from any to any frag
ipfw add divert natd all from any to 195.5.17.86 in
ipfw add allow icmp from me to any
ipfw add allow icmp from any to me
ipfw add allow gre from 192.168.5.0/24 to me
ipfw add allow gre from me to any
ipfw add allow tcp from me to any keep-state
ipfw add allow udp from me to any keep-state
ipfw add allow udp from any to me 53
ipfw add allow tcp from any to any established
ipfw add allow tcp from any to me 25 setup
ipfw add allow tcp from any to me ssh setup
ipfw add allow tcp from any to me http setup via tun0
ipfw add allow tcp from 192.168.7.0/24 to me 3128 setup via ppp\*
ipfw add allow tcp from 192.168.7.0/24 to me 2080 setup via ppp\*
ipfw add allow tcp from 192.168.7.0/24 to me pop3 setup via ppp\*
ipfw add allow tcp from 192.168.5.0/24 to me pptp setup
ipfw add allow tcp from 192.168.5.0/24 to me ftp\\-data-ftp setup via em0
ipfw add allow tcp from any to me 53 setup
ipfw add skipto 10000 all from 192.168.7.40 to any in keep-state
ipfw add skipto 10000 all from 192.168.7.65 to any in keep-state
ipfw add skipto 10000 all from 192.168.7.100 to any in keep-state
ipfw add deny all from any to any
ipfw add 10000 divert natd all from 192.168.7.40 to any out keep-state
ipfw add divert natd all from 192.168.7.65 to any out keep-state
ipfw add divert natd all from 192.168.7.100 to any out keep-state
ipfw add allow all from any to any
---- first script ends here ----

After some more thinking I decided to structure the firewall behavior, i.e. I wanted to have different sets of rules for my 2 nets, plus one for nat.
Here's how I've tried to do it:

---- second script starts here ----
#!/bin/sh
ipfw -f flush
ipfw add 1 check-state
ipfw add deny all from 10.0.0.0/8 to 195.5.17.86
ipfw add deny all from 172.16.0.0/16 to 195.5.17.86
ipfw add deny all from 192.168.0.0/16 to 195.5.17.86
ipfw add deny all from any to any frag
ipfw add allow udp from me to any keep-state
ipfw add allow tcp from me to any keep-state
ipfw add allow icmp from me to any keep-state
ipfw add allow all from me to any
ipfw add allow tcp from any to any established
ipfw add skipto 1000 all from any to 195.5.17.86 in via tun0
ipfw add skipto 2000 all from 192.168.5.0/24 to me in via em0
ipfw add skipto 3000 all from 192.168.7.0/24 to me in via ppp\*
ipfw add skipto 4000 all from 192.168.5.0/24 to not me via em0
ipfw add skipto 5000 all from 10.100.105.0/24 to not me via em0
ipfw add skipto 6000 all from 192.168.7.0/24 to not me out xmit tun0
ipfw add deny log all from any to any
ipfw add 1000 divert natd all from any to 195.5.17.86
ipfw add allow tcp from any to me smtp setup
ipfw add allow tcp from any to me ssh setup
ipfw add allow tcp from any to me domain setup
ipfw add deny all from any to any
ipfw add 2000 allow tcp from 192.168.5.0/24 to me ftp\\-data-ftp setup
ipfw add allow tcp from 192.168.5.0/24 to me pptp setup
ipfw add allow udp from 192.168.5.0/24 to me 53
ipfw add allow icmp from 192.168.5.0/24 to me
ipfw add allow gre from 192.168.5.0/24 to me
ipfw add deny all from any to any
ipfw add 3000 allow tcp from 192.168.7.0/24 to me 3128 setup
ipfw add allow tcp from 192.168.7.0/24 to me 2080 setup
ipfw add allow tcp from 192.168.7.0/24 to me 25 setup
ipfw add allow tcp from 192.168.7.0/24 to me 80 setup
ipfw add allow tcp from 192.168.7.0/24 to me 110 setup
ipfw add allow udp from 192.168.7.0/24 to me 53
ipfw add deny all from any to any
ipfw add 4000 allow all from any to 10.100.105.0/24 via em0
ipfw add deny all from any to any
ipfw add 5000 deny all from 10.100.105.0/24 to any out via tun0
ipfw add deny all from 10.100.105.0/24 to me via em0
ipfw add allow all from 10.100.105.0/24 to any
ipfw add deny all from any to any
ipfw add 6000 divert natd all from 192.168.7.40 to any via ppp\*
ipfw add divert natd all from 192.168.7.100 to any via ppp\*
ipfw add divert natd all from 192.168.7.65 to any via ppp\*
ipfw add allow all from any to any
---- second script ends here ---

Some comments:
192.168.5.0/24 - my base network.
192.168.7.0/24 - my vpn network.
10.100.105.0/24 - network of our friends. We can use some of the services there; 192.168.5.77 is the gateway between 192.168.5.0/24 and 10.100.105.0/24.

With the second script (which is logically correct for the situation) nothing works. What should I do? If you need some additional info - just ask me.

-- 
With best regards,
Gregory Edigarov
------------------------------------------------------------------------------
profi.kharkov.ua                                        Systems Administrator
------------------------------------------------------------------------------
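As an added illustration (not part of the mail above), the following Python snippet replays the `ipfw add` lines from the start of the second script and computes the rule numbers the kernel gives them, assuming the default net.inet.ip.fw.autoinc_step of 100 and ipfw's rule that an unnumbered add receives the highest existing rule number plus that step. Under that rule the sixteen unnumbered rules ahead of the first explicit `add 1000` already occupy 101 through 1601, so the numbered divert block is inserted among them instead of after them, and `deny log all` lands ahead of the allow rules that were meant to follow the divert.

```python
import bisect
import re
AUTOINC_STEP = 100  # net.inet.ip.fw.autoinc_step default

# Excerpt of the second script above, verbatim up to the end of its 1000 block.
SCRIPT2_EXCERPT = r"""ipfw add 1 check-state
ipfw add deny all from 10.0.0.0/8 to 195.5.17.86
ipfw add deny all from 172.16.0.0/16 to 195.5.17.86
ipfw add deny all from 192.168.0.0/16 to 195.5.17.86
ipfw add deny all from any to any frag
ipfw add allow udp from me to any keep-state
ipfw add allow tcp from me to any keep-state
ipfw add allow icmp from me to any keep-state
ipfw add allow all from me to any
ipfw add allow tcp from any to any established
ipfw add skipto 1000 all from any to 195.5.17.86 in via tun0
ipfw add skipto 2000 all from 192.168.5.0/24 to me in via em0
ipfw add skipto 3000 all from 192.168.7.0/24 to me in via ppp\*
ipfw add skipto 4000 all from 192.168.5.0/24 to not me via em0
ipfw add skipto 5000 all from 10.100.105.0/24 to not me via em0
ipfw add skipto 6000 all from 192.168.7.0/24 to not me out xmit tun0
ipfw add deny log all from any to any
ipfw add 1000 divert natd all from any to 195.5.17.86
ipfw add allow tcp from any to me smtp setup
ipfw add allow tcp from any to me ssh setup
ipfw add allow tcp from any to me domain setup
ipfw add deny all from any to any
"""

def number_rules(script):
    """Replay the 'ipfw add' lines and return the chain in kernel order as (number, body)."""
    chain = []  # kept sorted by number; a new rule goes behind existing rules with that number
    for line in script.splitlines():
        m = re.match(r"ipfw add (?:(\d+) )?(.*)", line)
        if not m:
            continue
        num, body = m.group(1), m.group(2)
        # unnumbered add (modeled behaviour): highest number already in the chain plus the step
        num = int(num) if num else (chain[-1][0] if chain else 0) + AUTOINC_STEP
        chain.insert(bisect.bisect_right([n for n, _ in chain], num), (num, body))
    return chain

def position(chain, prefix):
    """Index in kernel order of the first rule whose body starts with prefix."""
    return next(i for i, (_, body) in enumerate(chain) if body.startswith(prefix))

if __name__ == "__main__":
    for num, body in number_rules(SCRIPT2_EXCERPT):  # the order 'ipfw show' would list
        print(f"{num:05d} {body}")
```

Comparing this output with `ipfw show` on the box confirms the numbering model; comparing it with the order the script was written in shows which rules are not where the script's layout intended.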