From owner-freebsd-questions Fri Nov 1 18:17:15 2002 Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0453837B401 for ; Fri, 1 Nov 2002 18:17:14 -0800 (PST) Received: from cumulonimbus.cloudfactory.org (ssh.cloudfactory.org [205.179.129.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id 15A2E43E9E for ; Fri, 1 Nov 2002 18:17:07 -0800 (PST) (envelope-from terrac@cloudfactory.org) Received: from cumulonimbus.cloudfactory.org (localhost [127.0.0.1]) by cumulonimbus.cloudfactory.org (8.12.3/8.12.3/Debian -4) with ESMTP id gA22H4wj012739 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=FAIL) for ; Fri, 1 Nov 2002 18:17:04 -0800 Received: from localhost (terrac@localhost) by cumulonimbus.cloudfactory.org (8.12.3/8.12.3/Debian -4) with ESMTP id gA22H4Yw012735 for ; Fri, 1 Nov 2002 18:17:04 -0800 X-Authentication-Warning: cumulonimbus.cloudfactory.org: terrac owned process doing -bs Date: Fri, 1 Nov 2002 18:17:04 -0800 (PST) From: Terrac Skiens To: freebsd-questions@FreeBSD.ORG Subject: IPFW ruleset w/nat help Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Help, I am trying to come up with a ruleset that allows ip, tcp port 25 & 22, and icmp traffic out from an internal network 10.1.1.0/8 on the sis1 interface to the sis0 interface. I also want the traffic to appear as though it is coming from one of the public IP addresses on the public subnet. my ruleset thus far with no luck: # ipfw list 00100 allow ip from any to any via lo0 00200 deny ip from any to 127.0.0.0/8 00300 deny ip from 127.0.0.0/8 to any 00400 deny ip from any to 172.16.0.0/12 via sis0 00500 deny ip from any to 192.168.0.0/16 via sis0 00600 deny ip from any to 0.0.0.0/8 via sis0 00700 deny ip from any to 169.254.0.0/16 via sis0 00800 deny ip from any to 192.0.2.0/24 via sis0 00900 deny ip from any to 224.0.0.0/4 via sis0 01000 deny ip from any to 240.0.0.0/4 via sis0 # then nat 01100 divert 8668 ip from any to any via sis0 01200 deny ip from 172.16.0.0/12 to any via sis0 01300 deny ip from 192.168.0.0/16 to any via sis0 01400 deny ip from 0.0.0.0/8 to any via sis0 01500 deny ip from 169.254.0.0/16 to any via sis0 01600 deny ip from 192.0.2.0/24 to any via sis0 01700 deny ip from 224.0.0.0/4 to any via sis0 01800 deny ip from 240.0.0.0/4 to any via sis0 01900 allow tcp from any to any established 02000 allow ip from any to any frag 10000 deny log logamount 100 tcp from any to any in recv sis0 setup 10100 allow tcp from any to any setup 10200 allow udp from any to any 53 keep-state out xmit sis0 10200 allow udp from any to any 53 keep-state in recv sis0 10300 allow udp from any to any 22 keep-state out xmit sis0 10300 allow udp from any to any 22 keep-state in recv sis0 10400 allow udp from any to any 123 keep-state out xmit sis0 10500 allow udp from any to any 123 keep-state in recv sis1 10600 allow udp from me to any 67 keep-state out xmit sis0 10700 allow icmp from any to any 65535 deny ip from any to any nad my rc.natd file has: redirect_address 10.1.1.113 public.address.was.here so far I get no pings out from behind the firewall, no ssh either. -terrac --------------------------------------- terrac@cloudfactory.org Unix / Music Production / Web Tech --------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message