From: Gregory Edigarov <greg@profi.kharkov.ua>
To: freebsd-questions@freebsd.org
Date: Fri, 7 May 2004 15:10:50 +0300
Subject: ipfw q
Message-ID: <20040507121050.GA15096@profi.kharkov.ua>

Hello, list.

Can anybody help me, as I really can't understand anything. The scenario: there are two nets: 192.168.5.0/24 and 192.168.7.0/24. All users normally sit in 192.168.5.0/24, using 192.168.7.0/24 as VPN addresses. All VPN users have access to squid, socks, mail, and pop3. Everything works fine, but now I need to give "direct" access to 2 hosts: 192.168.5.220 and 192.168.7.70.
I wrote the following rc.firewall script (tun0 is my outside interface):
---
#!/bin/sh
ipfw -f flush
ipfw add check-state
ipfw add allow all from me to any
ipfw add allow all from any to any via lo0
ipfw add deny all from 10.0.0.0/8 to any in via tun0
ipfw add deny all from 172.16.0.0/12 to any in via tun0
ipfw add deny all from 192.168.0.0/16 to any in via tun0
ipfw add allow icmp from me to any keep-state
ipfw add allow icmp from 192.168.5.0/24 to me
ipfw add deny all from any to any frag
ipfw add divert natd all from 192.168.5.220 to any out xmit tun0
ipfw add divert natd all from 192.168.7.70 to any out recv ppp\* xmit tun0
ipfw add divert natd all from any to 195.5.17.86 in recv tun0
ipfw add allow all from 192.168.5.220 to any in via sk0
ipfw add allow all from 192.168.7.70 to any in via ppp\*
ipfw add allow all from me to any
ipfw add unreach filter-prohib ip from not me to any out recv any xmit tun0
ipfw add allow gre from 192.168.5.0/24 to me
ipfw add allow gre from me to any
ipfw add allow tcp from me to any keep-state
ipfw add allow udp from me to any keep-state
ipfw add allow udp from any to me 53
ipfw add allow tcp from any to any established
ipfw add allow tcp from any to me 25 setup
ipfw add allow tcp from any to me ssh setup
ipfw add allow tcp from any to me http setup via tun0
ipfw add allow tcp from 192.168.7.0/24 to me 3128 setup via ppp\*
ipfw add allow tcp from 192.168.7.0/24 to me 2080 setup via ppp\*
ipfw add allow tcp from 192.168.7.0/24 to me pop3 setup via ppp\*
ipfw add allow tcp from 192.168.5.0/24 to me pptp setup
ipfw add allow tcp from 192.168.5.0/24 to me ftp\\-data-ftp setup via sk0
ipfw add allow tcp from any to me 53 setup
ipfw add deny log all from any to any
---
Installed it, then used "natd -n tun0". Then I am trying to go somewhere using something like: ping freebsd.org. It doesn't work.

What am I missing? How should I rewrite my script to achieve full power?

Thanks a lot in advance.
-- 
With best regards,
Gregory Edigarov
profi.kharkov.ua Systems Administrator
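An added example that is not part of the original message and is not the poster's script. Read against the rules exactly as posted, two things stand out. First, "ipfw add allow all from me to any" sits above every keep-state rule, so anything the gateway itself sends matches it and no dynamic rule is ever created; the echo reply to a ping run on the gateway then arrives on tun0, is handed to natd (which passes it through unchanged, having no mapping for it) and finds nothing that admits it, since "allow icmp from 192.168.5.0/24 to me" does not cover tun0. Second, once "divert natd all from any to 195.5.17.86 in recv tun0" has rewritten the destination to 192.168.5.220 or 192.168.7.70, the only remaining rule that can match is "allow tcp from any to any established"; ICMP echo replies and UDP replies to the two clients fall through to the final "deny log", which is where they should be visible in the firewall log. The script below is written in FreeBSD rc.firewall style (${fwcmd}) and uses the usual skipto layout for natd with keep-state: translate inbound first, then check-state, then create state for outbound traffic with the untranslated inside address and jump to a NAT block at the end. Addresses, interfaces and the service list are taken from the post; the rule numbers, the "apply" argument with its dry-run default, and the natd pass-through behaviour noted in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the poster's rc.firewall: a stateful ipfw ruleset for
# natd that gives exactly two inside hosts direct access through tun0.
# Addresses, interfaces and services come from the post; rule numbers, the
# "apply" argument and the natd behaviour noted below are assumptions.

oif="tun0"                  # outside (dial-up) interface, natd -n tun0
lan_if="sk0"                # LAN carrying 192.168.5.0/24
vpn_if="ppp*"               # PPTP links carrying 192.168.7.0/24
lan_net="192.168.5.0/24"
vpn_net="192.168.7.0/24"
lan_client="192.168.5.220"  # the two hosts that may go straight out
vpn_client="192.168.7.70"

# Without an argument the script only prints the ipfw commands (dry run), so
# the rule order can be read before anything is flushed; "apply" loads them.
case "${1:-}" in
    apply) fwcmd="/sbin/ipfw" ;;
    *)     fwcmd="echo /sbin/ipfw" ;;
esac

build_ruleset() {
    $fwcmd -f flush

    # Translate inbound packets back *before* check-state sees them, so a
    # reply carries the inside address its dynamic rule was created with.
    # "to any" instead of a fixed address survives a dial-up address change.
    # natd hands packets it has no mapping for back unchanged; do not run it
    # with -deny_incoming, or the gateway's own replies are dropped here.
    $fwcmd add 100 divert natd ip from any to any in recv "$oif"
    $fwcmd add 200 check-state

    $fwcmd add 300 allow ip from any to any via lo0
    $fwcmd add 310 deny ip from 10.0.0.0/8 to any in recv "$oif"
    $fwcmd add 311 deny ip from 172.16.0.0/12 to any in recv "$oif"
    $fwcmd add 312 deny ip from 192.168.0.0/16 to any in recv "$oif"

    # Everything the gateway itself starts: record state, so the replies
    # (ICMP echo replies included) are admitted by rule 200.  A plain
    # "allow all from me to any" above this line would match first and no
    # state would ever be created.
    $fwcmd add 400 allow ip from me to any out keep-state

    # The two permitted clients: admit them on their own interface, then on
    # the way out via tun0 create state with the *untranslated* source and
    # jump to the NAT block.  A reply re-enters through rules 100 and 200;
    # check-state re-runs the skipto, which falls through to rule 60010.
    $fwcmd add 500 allow ip from "$lan_client" to any in recv "$lan_if"
    $fwcmd add 501 allow ip from "$vpn_client" to any in recv "$vpn_if"
    $fwcmd add 510 skipto 60000 ip from "$lan_client" to any out xmit "$oif" keep-state
    $fwcmd add 511 skipto 60000 ip from "$vpn_client" to any out xmit "$oif" keep-state

    # Services on the gateway, stateful instead of a blanket "established"
    # rule (which passes any packet with ACK set, inbound ACK scans included).
    $fwcmd add 600 allow tcp from any to me 25,22,53 setup keep-state
    $fwcmd add 601 allow tcp from any to me 80 setup in recv "$oif" keep-state
    $fwcmd add 602 allow udp from any to me 53 keep-state
    $fwcmd add 610 allow tcp from "$vpn_net" to me 3128,2080,110 setup in recv "$vpn_if" keep-state
    $fwcmd add 620 allow tcp from "$lan_net" to me 1723 setup in recv "$lan_if" keep-state
    $fwcmd add 621 allow gre from "$lan_net" to me
    $fwcmd add 622 allow tcp from "$lan_net" to me 20,21 setup in recv "$lan_if" keep-state
    $fwcmd add 630 allow icmp from "$lan_net" to me
    $fwcmd add 631 allow icmp from "$vpn_net" to me

    # Everything else is logged and dropped; a missing reply shows up here.
    $fwcmd add 900 deny log ip from any to any

    # NAT block, reached only through rules 510/511 and their dynamic rules:
    # translate on the way out, then accept whatever natd hands back.
    $fwcmd add 60000 divert natd ip from any to any out xmit "$oif"
    $fwcmd add 60010 allow ip from any to any
}

build_ruleset
```

Run it once without arguments and read the printed order, then "sh rc.firewall apply" with "natd -n tun0" running as in the post. Two checks outside the ruleset matter just as much: "sysctl net.inet.ip.forwarding" must be 1 (gateway_enable="YES" in rc.conf) or nothing is forwarded no matter what ipfw says, and the kernel needs "options IPDIVERT" for the divert rules to do anything. The final deny only writes to the log when net.inet.ip.fw.verbose is 1, and "ipfw -a list" shows the per-rule counters, which is the quickest way to see which rule a ping reply actually hit.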