From: "fulan Peng" <fulanpeng@gmail.com>
To: current@freebsd.org
Date: Tue, 28 Nov 2006 04:47:38 -0500
Subject: FreeBSD 6.1 and 6.2 i386 firewall or NAT block web mail applications

Hi,

I need some help with the FreeBSD firewall with NAT. I have made pppoe and NAT work with both the 6.1 release and 6.2 RC i386. All I want is to forward port 443 to port 8843.
I added a line in the OPEN portion of the rc.firewall file:

    ${fwcmd} add fwd 127.0.0.1,8843 tcp from any to any 443 in keep-state

Now, when I type https://myserver's ip, it is forwarded to a proxy server listening at 8843. This is good. But in the local network, nobody can access Yahoo and Google mail.

I made another kernel with the option IPFIREWALL_DEFAULT_TO_ACCEPT. When I run ipfw, there is only one rule:

    allow ip from any to any

This is good. When I add the line

    ipfw add fwd 127.0.0.1,8843 from any to any 443 in keep-state

again, it won't work with any web email applications. I added a line like this:

    ${fwcmd} add pass tcp from any to any 25 setup

Still it won't work. pen at both 6.1 and 6.2 is not working. I remember it works only with 7.0-current.

I have only 3 options when I compile the kernel:

    options IPFIREWALL
    options IPFIREWALL_FORWARD
    options IPDIVERT

In order to get pppoe to work, I added:

    options NETGRAPH
    options NETGRAPH_PPPOE
    options NETGRAPH_SOCKET

My rc.conf is like this:

    gateway_enable="YES"
    hostname=...
    ifconfig_ed0=...
    ppp_enable="YES"
    ppp_nat="YES"
    ppp_profile="sympatico"
    ppp_mode="ddial"
    firewall_enable="YES"
    firewall_type="OPEN"

By the way, I have made this mistake twice: if you comment out firewall_enable and firewall_type, the default rule locks out everybody. I could not access my remote server. I wish you would not do this like me. The best way is to have an options IPFIREWALL_DEFAULT_TO_ACCEPT.

The problem is: whenever you add some rule, it will block web mails!
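Added illustration (editor's example, not code from the post or from FreeBSD): a small Python model of which packets the posted `fwd` rule matches compared with a rule scoped to the gateway's own addresses and external interface. In ipfw, `to any 443 in` matches every packet received on any interface with destination port 443, so a LAN client's outbound HTTPS connection to a webmail provider, which enters the gateway "in" on the LAN interface, is also handed to the local proxy. Scoping the rule with `to me` (ipfw's keyword for the host's own addresses) and `via <external interface>` limits it to traffic actually addressed to the server. The addresses, the LAN interface name ed0 (from the posted rc.conf) and the PPPoE interface name tun0 are assumptions; the model ignores rule order, dynamic (keep-state) rules and NAT, and is only meant to show the matching difference.

```python
from dataclasses import dataclass

# Assumed values (not from the post): the gateway's own addresses and
# interface names. Real ipfw derives "me" from the configured interfaces.
LOCAL_ADDRS = {"192.0.2.1", "203.0.113.5", "127.0.0.1"}  # constructed
LAN_IF = "ed0"   # from the posted rc.conf
EXT_IF = "tun0"  # assumed PPPoE link interface


@dataclass(frozen=True)
class Packet:
    """Minimal view of a TCP packet as the firewall sees it."""
    src: str
    dst: str
    dport: int
    direction: str  # "in" (received) or "out" (transmitted)
    iface: str      # interface the packet is received on / sent out of


def matches_posted_rule(pkt: Packet) -> bool:
    """fwd 127.0.0.1,8843 tcp from any to any 443 in"""
    return pkt.direction == "in" and pkt.dport == 443


def matches_scoped_rule(pkt: Packet) -> bool:
    """fwd 127.0.0.1,8843 tcp from any to me 443 in via tun0"""
    return (pkt.direction == "in"
            and pkt.dport == 443
            and pkt.dst in LOCAL_ADDRS
            and pkt.iface == EXT_IF)


def scoped_rule_line(fwcmd: str = "${fwcmd}") -> str:
    """Render the scoped rule in rc.firewall form (assumed interface name)."""
    return f"{fwcmd} add fwd 127.0.0.1,8843 tcp from any to me 443 in via {EXT_IF}"


# Constructed sample traffic: a LAN client going out to a webmail site, and a
# remote user connecting to the gateway's public address.
LAN_TO_WEBMAIL = Packet(src="192.0.2.50", dst="198.51.100.20",
                        dport=443, direction="in", iface=LAN_IF)
REMOTE_TO_GATEWAY = Packet(src="198.51.100.77", dst="203.0.113.5",
                           dport=443, direction="in", iface=EXT_IF)
LAN_TO_SMTP = Packet(src="192.0.2.50", dst="198.51.100.20",
                     dport=25, direction="in", iface=LAN_IF)

SAMPLE = {
    "lan client to webmail": LAN_TO_WEBMAIL,
    "remote user to gateway": REMOTE_TO_GATEWAY,
    "lan client to smtp": LAN_TO_SMTP,
}


def classify(packets, rule) -> dict:
    """Return, per sample name, whether the rule would forward it to the proxy."""
    return {name: ("forwarded" if rule(p) else "passed")
            for name, p in packets.items()}


if __name__ == "__main__":
    for label, rule in (("posted rule", matches_posted_rule),
                        ("scoped rule", matches_scoped_rule)):
        print(label, classify(SAMPLE, rule))
    print(scoped_rule_line())
```

Running the block shows the posted rule forwarding both the LAN client's webmail connection and the remote user's connection to the proxy, while the scoped rule forwards only the latter; the LAN client's HTTPS session is left alone and reaches the provider through NAT as before.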