From owner-freebsd-questions@FreeBSD.ORG Sun Sep 23 23:00:49 2007
From: "mr. phreak" <nollan@phreaker.net>
Date: Mon, 24 Sep 2007 00:29:56 +0000
To: freebsd-questions@freebsd.org, nollan@phreaker.net
Subject: IPFW + NATD FORWARDING
Message-ID: <46F70504.9050709@phreaker.net>

Hi,

I am having trouble with my IPFW+NATD forwarding. I know a lot of people have, and I've googled my ass off. Still I can't get it right. I'm trying to forward port 1213 in/out for DC++ usage.
This is my setup:

   __ WAN router (192.168.1.1)
  |
  |  (FreeBSD gateway/fw   NIC1: ath0 (public)   NIC2: rl0 (LAN))
  |
  |__ LAN (10.10.10.0/24)

I use stateful rules and I'd like to forward port 1213 both ways using natd. I know NATD should take care of this as long as I allow port 1213 in/out from the firewall. I've tried this at almost every position in the ipfw.rules and now I ask where I should put it?? I.e. it's not there right now.

I've tried:

$cmd [num] allow all from any to any 1213 (at various positions in ipfw.rules) -- still doesn't work.
$cmd [num] divert natd all from any to any 1213.

Can someone help me?

J

Here are my files.

My natd.conf:

use_sockets yes
same_ports yes
dynamic yes
redirect_port tcp 10.10.10.2:1213 1213
redirect_port udp 10.10.10.2:1213 1213

ipfw.rules:

############### start ipfw rules #############
##############################################
ipfw -q -f flush        # Delete all

# INIT #########
################
oif="ath0"              # out NIC
cmd="ipfw -q add "      # quiet
skip="skipto 4000"      # skipto NATD.

# BEGIN RULES #

#################################
# LAN NO RESTRICTIONS ###########
#################################
$cmd 00300 allow all from any to any via rl0

# LOOPBACK NO RESTRICTIONS ######
#################################
$cmd 00400 allow all from any to any via lo0

# NATD IN? THEN TRANSLATE #######
#################################
$cmd 00450 divert natd ip from any to any in via $oif

# CHECK-STATE ###################
#################################
$cmd 00500 check-state

####### ( OUTBOUND ) #######################
############################################
# DNS ######################################
$cmd 00600 $skip tcp from any to 195.67.199.39 53 out via $oif setup keep-state
$cmd 00610 $skip udp from any to 195.67.199.39 53 out via $oif keep-state
# DHCP #####################################
$cmd 00700 $skip udp from any to any 67 out via $oif keep-state
# HTTP #####################################
$cmd 00800 $skip tcp from any to any 80 out via $oif setup keep-state
# HTTPS ####################################
$cmd 00810 $skip tcp from any to any 443 out via $oif setup keep-state
# POP & SMTP ###############################
$cmd 00900 $skip tcp from any to any 25 out via $oif setup keep-state
$cmd 00910 $skip tcp from any to any 110 out via $oif setup keep-state
# FREEBSD CVS ##############################
$cmd 01000 $skip tcp from me to any out via $oif setup keep-state uid root
# ALLOW PING OUT ###########################
$cmd 01100 $skip icmp from any to any out via $oif keep-state
# SSH ######################################
$cmd 01200 $skip tcp from any to any 22 out via $oif setup keep-state
# WHOIS ####################################
$cmd 01300 $skip tcp from any to any 43 out via $oif setup keep-state
# FTP ######################################
$cmd 01400 $skip tcp from any to any 21 out via $oif setup keep-state
# IRC ######################################
$cmd 01500 $skip tcp from any to any 6667 out via $oif setup keep-state
$cmd 01510 $skip tcp from any to any 8888 out via $oif setup keep-state
$cmd 01520 $skip tcp from any to any 5020 out via $oif setup keep-state
# SHOUTCAST ################################
############################################
$cmd 01600 $skip tcp from any to any 9000 out via $oif setup keep-state

####### ( INBOUND ) ########################
############################################
# Deny all inbound from non-routable #######
$cmd 02000 deny all from 192.168.0.0/16 to any in via $oif
$cmd 02010 deny all from 172.16.0.0/12 to any in via $oif
$cmd 02020 deny all from 10.0.0.0/8 to any in via $oif
$cmd 02030 deny all from 127.0.0.0/8 to any in via $oif
$cmd 02040 deny all from 0.0.0.0/8 to any in via $oif
$cmd 02050 deny all from 169.254.0.0/16 to any in via $oif
$cmd 02060 deny all from 192.0.2.0/24 to any in via $oif
$cmd 02070 deny all from 204.152.64.0/23 to any in via $oif
$cmd 02080 deny all from 224.0.0.0/3 to any in via $oif
# DENY PING INBOUND ########################
$cmd 02100 deny icmp from any to any in via $oif
# DENY IDENT ###############################
$cmd 02200 deny tcp from any to any 113 in via $oif
# DENY NETBIOS #############################
$cmd 02300 deny tcp from any to any 137 in via $oif
$cmd 02310 deny tcp from any to any 138 in via $oif
$cmd 02320 deny tcp from any to any 139 in via $oif
$cmd 02330 deny tcp from any to any 81 in via $oif
# DHCP #####################################
$cmd 02400 allow udp from any to 192.168.1.1 68 in via $oif keep-state
# HTTP #####################################
$cmd 02500 allow tcp from any to me 80 in via $oif setup limit src-addr 2
# HTTPS ####################################
$cmd 02600 allow tcp from any to me 443 in via $oif setup limit src-addr 2
# SSH ######################################
$cmd 02700 allow tcp from any to me 22 in via $oif setup limit src-addr 2

# REJECT IN/OUT ############################
############################################
$cmd 3000 deny all from any to any in via $oif
$cmd 3100 deny all from any to any out via $oif

# SKIPTO ###################################
############################################
$cmd 4000 divert natd ip from any to any out via $oif
$cmd 4010 allow ip from any to any

# DENY ALL #################################
############################################
$cmd 9999 deny all from any to any
################### End ipfw rules ############
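As an added example (not part of the original post, and not the poster's own rules), here is one way to place the ipfw rules that a natd redirect_port needs in this stateful skipto layout. It assumes the post's interface, LAN host and port, and a cmd variable that defaults to echo so the rule lines can be reviewed without loading them.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values: the post's
# public interface, the LAN host named in natd.conf, and the redirected port.
# On the gateway itself, set cmd="ipfw -q add" as in the poster's script.
oif="ath0"             # public interface
lanhost="10.10.10.2"   # host from natd.conf redirect_port
port="1213"            # redirected port
skip="skipto 4000"     # the post's jump to the outbound divert rule

# Dry run by default: print each rule instead of loading it.
cmd="${cmd:-echo ipfw -q add}"

# An inbound packet to the redirected port has already passed rule 450
# (divert natd ... in via $oif), so when it reaches the INBOUND block its
# destination is already the LAN host, not the public address. Any rule
# that matches it must therefore name the LAN host and sit before rule
# 3000 (deny all ... in via $oif), which otherwise drops it silently.
#
# Using $skip rather than allow matters for the replies: check-state
# (rule 500) executes the action of the rule that created the dynamic
# entry, so with $skip the LAN host's replies are sent to rule 4000
# (divert natd ... out via $oif) and translated back to the public
# address before 4010 allows them. With a plain allow, the reply would be
# passed at rule 500 and never reach the outbound divert at all.
forward_rules() {
    $cmd 02800 $skip tcp from any to $lanhost $port in via $oif setup keep-state
    $cmd 02810 $skip udp from any to $lanhost $port in via $oif keep-state
}

# Rules 02800/02810 belong after the inbound deny list (02000-02330) and
# before the REJECT IN/OUT block (3000/3100).
forward_rules
```

Connections that DC++ itself opens towards peers on other ports are still governed by the OUTBOUND block and are not covered by these two rules.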