Date: Fri, 19 Mar 1999 22:11:36 -0800
From: "Jeff Yeo" <j.yeo@attcanada.net>
To: "Jeff Yeo" <Jeff_Yeo@pml.com>, "'freebsd-questions@freebsd.org'" <freebsd-questions@FreeBSD.ORG>, "Ludwig Pummer" <ludwigp@bigfoot.com>
Subject: Re: ipfw rule blocking connection
Message-ID: <012901be7298$a17be780$0a64a8c0@upstairs.gvsa1.bc.wave.home.com>
>When you're using natd, you have to remember that packets get sent to natd
>by a certain divert rule in your ipfw. Before that rule, the destination
>address will be your outside Internet IP. NATD does its work and reinjects
>the packet. The divert rule gets skipped.
> ... stuff deleted ...
>My rc.firewall using the 'OPEN' firewall type:
>
>$OIP is my outside Internet IP address.
>
>#$fwcmd add 2000 divert natd all from any to any via vx0
>$fwcmd add 4000 deny log all from $OIP to $OIP in via vx0
>$fwcmd add 4010 deny log all from 172.16.0.0/12 to any in via vx0
>$fwcmd add 4020 deny log all from 192.168.0.0/16 to any in via vx0
>$fwcmd add 4030 deny log all from 10.0.0.0/8 to any in via vx0
>#^-- disallow spoofers spoofing over cable modem interface
>$fwcmd add 5000 deny log tcp from any to $OIP 137,138,139 in via vx0
>$fwcmd add 8000 divert natd all from any to any via vx0
>$fwcmd add 10000 deny log tcp from any to $OIP pop2,pop3,imap via vx0
>$fwcmd add 65000 pass all from any to any
> ... more stuff deleted ...
>If you take a look, I block RFC 1918 subnets before NATD does its magic, so
>the destination IPs of traffic coming in via vx0 are still my $OIP address.

BTW, it isn't the "from 192.168.0.0/16 to any via ${oif}" rule that is causing me problems, it is the "from any to 192.168.0.0/16 via ${oif}" rule.

I thought of moving the rule order, and tried moving the offending rule before the natd rule in /etc/rc.firewall. The blocking rule:

00050 deny ip from any to 192.168.0.0/16 via ${oif}

was first in the list and the natd rule:

00100 divert natd ip from any to any via ${oif}

was second in the list. Incoming packets were still blocked. I used tcpdump to look at the traffic on my external interface, and not a 192.168.x.x to be seen in either direction. Hence my consternation. (I suppose I should have mentioned this in my first post, but it seemed long enough as it was.)

To be certain, I tried again tonight. This time I moved the natd rule after the RFC1918 rules. I changed my "deny all from 192.168.0.0/16 to any via ${oif}" to "deny all from 192.168.0.0/16 to any in via ${oif}" as you suggested, but was still blocked by "deny all from any to 192.168.0.0/16 via ${oif}". As before, tcpdump indicates that there are no 192.168.x.x addresses on the external interface. I should add that I do see incoming packets from the remote site, but they have the firewall's external IP address (as they should with natd).

Have I misunderstood something?

Jeff

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
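As an added illustration (not part of this thread or of rc.firewall), here is a small Python model of the evaluation order Ludwig describes: a matching divert hands the packet to natd and the rule walk resumes at the next rule with the translated addresses, so an RFC 1918 deny placed below the divert sees the translated destination while one placed above it does not. The outside address, inside host, interface name and natd mapping are constructed assumptions.

```python
import ipaddress

OIP = "24.0.0.5"        # constructed stand-in for $OIP, the outside address
LAN = "192.168.1.10"    # constructed inside host that natd maps inbound traffic to

def in_net(addr, spec):
    """True if addr falls in spec: 'any', a single host, or a CIDR block."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    """rule = (number, action, proto, src, dst, direction, iface); 'via' matches in or out."""
    _, _, proto, src, dst, direction, iface = rule
    if proto not in ("all", pkt["proto"]) or direction not in ("via", pkt["dir"]):
        return False
    if iface not in ("any", pkt["iface"]):
        return False
    return in_net(pkt["src"], src) and in_net(pkt["dst"], dst)

def natd(pkt):
    """Toy natd: inbound dst $OIP becomes the inside host, outbound inside src becomes $OIP."""
    p = dict(pkt)
    if p["dir"] == "in" and p["dst"] == OIP:
        p["dst"] = LAN
    elif p["dir"] == "out" and in_net(p["src"], "192.168.0.0/16"):
        p["src"] = OIP
    return p

def evaluate(rules, pkt):
    """Walk rules in number order. A matching divert hands the packet to natd and the
    walk resumes at the next rule with translated addresses; rules numbered below the
    divert only ever see the untranslated packet. Returns (verdict, rule number)."""
    for rule in sorted(rules):
        if not matches(rule, pkt):
            continue
        if rule[1] == "divert":
            pkt = natd(pkt)
        else:
            return rule[1], rule[0]
    return "deny", 65535  # ipfw's default rule when nothing else matched

def ruleset(deny_number):
    """The thread's 'deny all from any to 192.168.0.0/16 via vx0' at deny_number, natd at 100."""
    return [
        (deny_number, "deny", "all", "any", "192.168.0.0/16", "via", "vx0"),
        (100, "divert", "all", "any", "any", "via", "vx0"),
        (65000, "pass", "all", "any", "any", "via", "any"),
    ]

# Constructed inbound packet: a remote host sending to our outside address on vx0.
INBOUND = {"proto": "tcp", "src": "198.51.100.7", "dst": OIP, "dir": "in", "iface": "vx0"}
```

With the deny at 50 the inbound packet passes at 65000; with the same deny at 150 it is dropped at 150, because only the post-divert walk sees the 192.168.x.x destination.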