Date:      Fri, 19 Mar 1999 22:11:36 -0800
From:      "Jeff Yeo" <j.yeo@attcanada.net>
To:        "Jeff Yeo" <Jeff_Yeo@pml.com>, "'freebsd-questions@freebsd.org'" <freebsd-questions@FreeBSD.ORG>, "Ludwig Pummer" <ludwigp@bigfoot.com>
Subject:   Re: ipfw rule blocking connection
Message-ID:  <012901be7298$a17be780$0a64a8c0@upstairs.gvsa1.bc.wave.home.com>

>
>When you're using natd, you have to remember that packets get sent to natd
>by a certain divert rule in your ipfw. Before that rule, the destination
>address will be your outside Internet IP. NATD does its work and reinjects
>the packet. The divert rule gets skipped.
>
 ... stuff deleted ...

>My rc.firewall using the 'OPEN' firewall type:
>
>$OIP is my outside Internet IP address.
>
>#$fwcmd add 2000 divert natd all from any to any via vx0
>$fwcmd add 4000 deny log all from $OIP to $OIP in via vx0
>$fwcmd add 4010 deny log all from 172.16.0.0/12 to any in via vx0
>$fwcmd add 4020 deny log all from 192.168.0.0/16 to any in via vx0
>$fwcmd add 4030 deny log all from 10.0.0.0/8 to any in via vx0
>#^-- disallow spoofers spoofing over cable modem interface
>$fwcmd add 5000 deny log tcp from any to $OIP 137,138,139 in via vx0
>$fwcmd add 8000 divert natd all from any to any via vx0
>$fwcmd add 10000 deny log tcp from any to $OIP pop2,pop3,imap via vx0
>$fwcmd add 65000 pass all from any to any

>
... more stuff deleted ...

>If you take a look, I block RFC 1918 subnets before NATD does its magic, so
>the destination IPs of traffic coming in via vx0 is still my $OIP address.


BTW, it isn't the "from 192.168.0.0/16 to any via ${oif}" rule that is
causing me problems, it is the "from any to 192.168.0.0/16 via ${oif}" rule.

I thought of moving the rule order, and tried moving the offending rule
before the natd rule in /etc/rc.firewall.  The blocking rule:
00050    deny ip from any to 192.168.0.0/16 via ${oif}

 was first in the list and the natd rule:
00100    divert natd ip from any to any via ${oif}

 was second in the list.  Incoming packets were still blocked.  I used
tcpdump to look at the traffic on my external interface, and not a
192.168.x.x to be seen in either direction.  Hence my consternation.

(I suppose I should have mentioned this in my first post, but it seemed long
enough as it was.)

To be certain, I tried again tonight.  This time I moved the natd rule after
the RFC1918 rules.  I changed my
    deny all from 192.168.0.0/16 to any via ${oif}
to
    deny all from 192.168.0.0/16 to any in via ${oif}
as you suggested, but was still blocked by
    deny all from any to 192.168.0.0/16 via ${oif}

As before, tcpdump indicates that there are no 192.168.x.x addresses on the
external interface.  I should add that I do see incoming packets from the
remote site, but they have the firewall's external IP address (as they
should with natd).

Have I misunderstood something?

Jeff
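As an added illustration of the rule-ordering mechanism the quoted reply describes (rules ahead of the divert see the pre-translation destination $OIP, natd rewrites the packet and reinjects it, and processing resumes after the divert rule), here is a small Python model of first-match ipfw evaluation with a divert step. It is not part of this thread and is not ipfw's or natd's own code; the addresses, the interface name vx0, rule number 8010 and the one-host natd translation are constructed for the example, and it models only the flow as described above, not the behaviour of any particular FreeBSD release.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed values standing in for the thread's $OIP, ${oif} and a LAN host.
OIP = "203.0.113.10"       # firewall's outside (cable modem) address, hypothetical
OIF = "vx0"
LAN_HOST = "192.168.1.20"  # internal host natd translates for, hypothetical
REMOTE = "198.51.100.7"    # remote Internet peer, hypothetical


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str
    direction: str  # "in" or "out" relative to the firewall


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "deny", "pass" or "divert"
    src: str                         # "any" or a CIDR
    dst: str                         # "any" or a CIDR
    iface: Optional[str] = None      # 'via <iface>': matches either direction on it
    direction: Optional[str] = None  # 'in' / 'out': restricts the match to one direction

    def matches(self, p: Packet) -> bool:
        def addr_ok(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec)
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.direction is not None and p.direction != self.direction:
            return False
        return addr_ok(self.src, p.src) and addr_ok(self.dst, p.dst)


def natd(p: Packet) -> Packet:
    """Toy natd: inbound traffic addressed to $OIP is rewritten to the LAN host,
    outbound traffic from the LAN leaves with $OIP as its source."""
    if p.direction == "in" and p.dst == OIP:
        return replace(p, dst=LAN_HOST)
    if p.direction == "out" and ip_address(p.src) in ip_network("192.168.0.0/16"):
        return replace(p, src=OIP)
    return p


def evaluate(rules, p: Packet):
    """First-match evaluation. A matching divert rule hands the packet to natd and
    processing resumes at the rule after the divert, so only later rules see the
    translated addresses. Returns (verdict, rule_number, packet_as_last_seen)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(p):
            continue
        if rule.action == "divert":
            p = natd(p)
            continue
        return rule.action, rule.number, p
    return "deny", None, p  # default when nothing matched


# Anti-spoofing rules on the outside interface, as in the quoted rc.firewall.
ANTI_SPOOF = [
    Rule(4010, "deny", "172.16.0.0/12", "any", OIF, "in"),
    Rule(4020, "deny", "192.168.0.0/16", "any", OIF, "in"),
    Rule(4030, "deny", "10.0.0.0/8", "any", OIF, "in"),
]
DIVERT = Rule(8000, "divert", "any", "any", OIF)
PASS_ALL = Rule(65000, "pass", "any", "any")

# 'deny ip from any to 192.168.0.0/16 via ${oif}' placed AFTER the divert, so it
# evaluates the destination natd has already rewritten (rule number is constructed).
DENY_TO_PRIVATE_AFTER_NAT = Rule(8010, "deny", "any", "192.168.0.0/16", OIF)

INBOUND = Packet(REMOTE, OIP, OIF, "in")        # what tcpdump shows on vx0: dst is $OIP
OUTBOUND = Packet(LAN_HOST, REMOTE, OIF, "out")
SPOOFED = Packet("192.168.5.5", OIP, OIF, "in")  # private source arriving from outside


def run_scenarios():
    base = ANTI_SPOOF + [DIVERT, PASS_ALL]
    with_deny = base + [DENY_TO_PRIVATE_AFTER_NAT]
    return {
        "inbound_base": evaluate(base, INBOUND),
        "inbound_with_deny": evaluate(with_deny, INBOUND),
        "outbound_with_deny": evaluate(with_deny, OUTBOUND),
        "spoofed_base": evaluate(base, SPOOFED),
    }


if __name__ == "__main__":
    for name, (verdict, num, seen) in run_scenarios().items():
        print(f"{name:20s} {verdict:5s} rule {num}  as last seen: {seen.src} -> {seen.dst}")
```

In this model the "as last seen" column is the packet as the matching rule saw it. The tcpdump view of vx0 corresponds to the packet before the divert rule, where the destination is still $OIP; a deny on a 192.168.0.0/16 destination placed after the divert fires on the reinjected packet without a 192.168 address ever appearing on the wire, while the same anti-spoofing denies placed before the divert still catch a forged private source.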


