Date: Sun, 14 Aug 2005 00:58:44 +0100
From: "Himal Mandalia" <that_guy_himal@hotmail.com>
To: freebsd-questions@freebsd.org
Subject: IPFW help
Message-ID: <BAY102-F18E6566C135C3DDD4FD0BCCBF0@phx.gbl>
I've been trying to set up IPFW to do port forwarding so I can use a machine 
on a private network as a web server. I'm using NAT, which works fine, but 
can't seem to get port forwarding working unless I remove the "deny ip from 
any to any" in my firewall script.
natd.conf:
interface en0
dynamic yes
use_sockets yes
same_ports yes
redirect_port tcp 192.168.0.2:80 80
firewall script:
/sbin/ipfw -q -f flush
cmd="/sbin/ipfw add"
oif="en0" #public iface
iif="en1" #private iface
oip=`ifconfig $oif | grep 'inet' | awk '{print $2}'`
optimus="192.168.0.2" #webserver on private segment
$cmd 00010 allow ip from any to any via lo0
$cmd 00020 deny log ip from any to 127.0.0.0/8
$cmd 00100 divert 8668 ip from any to any via $oif
$cmd 00400 fwd $optimus,80 tcp from any to $oip 80
$cmd 00500 allow tcp from any to any established
$cmd 00600 allow tcp from any to $oip ftp,ssh,http setup
$cmd 00700 allow tcp from any to $oip 5900-5909 setup
$cmd 00800 allow tcp from any to $oip 6881-6999,6669,3689,873,6346,1863,443,2628 setup
$cmd 00900 allow udp from any to $oip 27960-27969
$cmd 01000 allow icmp from any to any
$cmd 02000 allow icmp from any to any icmptypes 3,4,11,12
$cmd 03000 reset tcp from any to $oip 113
$cmd 04000 check-state
$cmd 05000 allow ip from $oip to any keep-state out via $oif
$cmd 06000 allow ip from 192.168.0.0/16 to any keep-state via $iif
$cmd 65000 deny ip from any to any
Removing the last line works, but then security's out of the window I 
suppose. I'm sure it's just a problem with the order of the rules or 
something like that. Any suggestions and help would be most welcome.
Thanks
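Added example, not part of the post above: a small first-match simulator of the posted rule order that models what the divert/natd step does to an inbound web SYN. It assumes a simplified ipfw model (rules are evaluated in ascending order, the first terminal match decides, a divert rule hands the packet to natd which rewrites the destination per redirect_port and reinjects it so evaluation continues at the next rule); interface and stateful matching are not modelled. The public address 203.0.113.10, the client address 198.51.100.7 and the optional rule 650 that allows the translated destination are constructed, hypothetical values used only for the trace.

```python
"""Simplified first-match trace of the posted IPFW rule set (added example).

Assumed model: rules evaluated in ascending order; the first terminal match
(allow/deny/fwd) decides; a divert rule passes the packet to natd, which
applies redirect_port and reinjects it so evaluation continues at the next
rule. Addresses and rule 650 are constructed sample values.
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"   # stands in for $oip (constructed)
WEBSERVER = "192.168.0.2"    # the post's $optimus


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    syn_only: bool = True     # "setup" in ipfw terms (SYN without ACK)
    iface: str = "en0"        # public interface, as in the post


def natd_redirect(pkt: Packet) -> Packet:
    """Model of 'redirect_port tcp 192.168.0.2:80 80' from the posted natd.conf."""
    if pkt.proto == "tcp" and pkt.dst == PUBLIC_IP and pkt.dport == 80:
        return replace(pkt, dst=WEBSERVER)
    return pkt


def make_rules(allow_translated: bool = False):
    """Only the posted rules that can matter for an inbound web SYN are modelled.
    Rule 650 is a hypothetical extra rule permitting the translated destination."""
    rules = [
        (100, "divert", lambda p: p.iface == "en0"),
        (400, "fwd", lambda p: p.proto == "tcp" and p.dst == PUBLIC_IP and p.dport == 80),
        (600, "allow", lambda p: p.proto == "tcp" and p.dst == PUBLIC_IP
                                 and p.dport in (21, 22, 80) and p.syn_only),
    ]
    if allow_translated:
        rules.append((650, "allow", lambda p: p.proto == "tcp" and p.dst == WEBSERVER
                                              and p.dport == 80 and p.syn_only))
    rules.append((65000, "deny", lambda p: True))   # the post's catch-all deny
    return sorted(rules, key=lambda r: r[0])


def evaluate(pkt: Packet, rules):
    """Return (rule_number, action, packet_as_seen_by_that_rule)."""
    for num, action, pred in rules:
        if not pred(pkt):
            continue
        if action == "divert":
            pkt = natd_redirect(pkt)   # natd rewrites dst, reinjects; keep going
            continue
        return num, action, pkt
    raise RuntimeError("no terminal rule matched")


def trace_inbound_web_syn(allow_translated: bool = False):
    """Trace a constructed client SYN to the public address, port 80."""
    pkt = Packet("tcp", "198.51.100.7", PUBLIC_IP, 80)
    return evaluate(pkt, make_rules(allow_translated))


if __name__ == "__main__":
    # After rule 100 the destination is 192.168.0.2, so rules 400 and 600,
    # which match on the public address, no longer apply and rule 65000 fires.
    print(trace_inbound_web_syn())
    # With a rule for the translated destination the SYN is accepted at 650.
    print(trace_inbound_web_syn(allow_translated=True))
```

The trace shows why removing the final deny appears to "fix" things in this model: once natd has rewritten the destination, none of the allow rules written against the public address match the reinjected packet, so it falls through to whatever rule comes last.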
