From owner-freebsd-questions@FreeBSD.ORG Sat Aug 23 21:45:14 2003
Date: Sun, 24 Aug 2003 12:45:20 +0800
From: chael
To: "Thomas Smith"
Subject: Re: NATD Firewall Rules Setup

I suggest you complete your ipfw rules based on "simple" within /etc/rc.firewall. Substitute the variables, assuming you have natd_enable="YES" and firewall_enable="YES" in rc.conf.

chael

----- Original Message -----
From: "Thomas Smith"
Sent: Saturday, August 23, 2003 2:40 AM
Subject: NATD Firewall Rules Setup

> I'm configuring a firewall (FreeBSD 4.8-RELEASE). I've got the firewall
> locked down as I need it to be but am having issues getting NAT working.
> The firewall config file is included below.
>
> Note that if I add the "allow all" rule to the end of the file NAT works
> fine. I'm certain it's an IPFW issue but haven't been able to figure it
> out--as I'm a bit new to IPFW and FreeBSD, pointers to documentation
> (preferably with examples of usage) would be very helpful. I haven't
> been able to find a lot of info outside of the Handbook and what I do
> find regarding NAT includes three rules: 1) flush, 2) divert, 3) allow
> all traffic.
>
> # Internal network variables
> iif="rl1"
> inet="192.168.20.0"
> iip="192.168.20.2"
> imask="255.255.255.0"
>
> # External network variables
> oif="rl0"
> onet="216.161.174.0"
> oip="216.161.174.7"
> omask="255.255.255.0"
>
> # Clear current rules
> /sbin/ipfw -f flush
>
> # Allow TCP in, if setup succeeded
> /sbin/ipfw add pass tcp from any to any established
>
> # Allow all local traffic
> /sbin/ipfw add pass all from 127.0.0.1 to 127.0.0.1
>
> # Stop spoofing
> /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
> /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}
>
> # Stop RFC1918 nets on the external interface
> /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
>
> # Allow internal network traffic
> /sbin/ipfw add pass all from ${iip} to any
> /sbin/ipfw add pass all from ${inet}:${imask} to ${iip}
>
> # Allow NAT traffic out.
> /sbin/ipfw add divert natd all from any to any via ${oif}
>
> # Allow setup of SSH connections
> /sbin/ipfw add pass tcp from any to ${oip} 22 setup
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
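The reply points at the "simple" ruleset in /etc/rc.firewall, and the quoted config shows the usual cause of "NAT only works with allow all": the divert rule sits after the "established" rule, so inbound replies are accepted while still addressed to the firewall's outside IP and never reach the inside host. The script below is an added example, not the thread's own config or FreeBSD's rc.firewall: it reuses the poster's variables, orders the rules the way "simple" does (divert before any accept rule), and adds a guard that refuses to load a ruleset in which divert comes after "established". The `rule`, `emit_rules`, `divert_before_established` and `load_rules` names are this example's own.

```shell
#!/bin/sh
# Added example (not the thread's config): the poster's variables with the rules
# ordered as in the "simple" section of /etc/rc.firewall, so natd rewrites every
# packet crossing the outside interface before any accept rule can see it.
# Assumes natd_enable="YES" and firewall_enable="YES" in rc.conf.
iif="rl1"; inet="192.168.20.0"; iip="192.168.20.2"; imask="255.255.255.0"
oif="rl0"; onet="216.161.174.0"; oip="216.161.174.7"; omask="255.255.255.0"

rule() { printf '%s\n' "$*"; }   # one ipfw argument list per line

emit_rules() {
    rule -f flush
    # Loopback only on lo0; 127/8 anywhere else is bogus
    rule add pass all from any to any via lo0
    rule add deny all from any to 127.0.0.0/8
    # Anti-spoofing: inside addresses must not arrive on the outside interface, and vice versa
    rule add deny all from ${inet}:${imask} to any in via ${oif}
    rule add deny all from ${onet}:${omask} to any in via ${iif}
    # NAT first: natd rewrites the packet and ipfw resumes at the next rule,
    # so everything below matches on the translated addresses
    rule add divert natd all from any to any via ${oif}
    # RFC1918 sources never cross the outside interface
    rule add deny all from 10.0.0.0/8 to any via ${oif}
    rule add deny all from 172.16.0.0/12 to any via ${oif}
    rule add deny all from 192.168.0.0/16 to any via ${oif}
    # Packets belonging to connections whose setup already passed
    rule add pass tcp from any to any established
    # Inside network and the firewall's own inside address may start anything
    rule add pass all from ${iip} to any
    rule add pass all from ${inet}:${imask} to any in via ${iif}
    # From outside, only SSH to the outside address may be set up; log other attempts
    rule add pass tcp from any to ${oip} 22 setup
    rule add deny log tcp from any to any in via ${oif} setup
    rule add pass tcp from any to any setup
    # DNS queries out, answers back (already translated by natd at this point)
    rule add pass udp from any to any 53 out via ${oif}
    rule add pass udp from any 53 to any in via ${oif}
    # Explicit, logged default deny makes dropped NAT traffic visible in syslog
    rule add deny log all from any to any
}

# Guard: divert must precede "established", or inbound replies are accepted
# still addressed to ${oip} and never reach the inside host.
divert_before_established() {
    rules=$(emit_rules)
    d=$(printf '%s\n' "$rules" | grep -n 'divert natd' | cut -d: -f1)
    e=$(printf '%s\n' "$rules" | grep -n 'established' | cut -d: -f1)
    [ -n "$d" ] && [ -n "$e" ] && [ "$d" -lt "$e" ]
}

load_rules() { divert_before_established && emit_rules | while read -r a; do /sbin/ipfw $a; done; }
```

Run `emit_rules` alone to review the expanded rules without touching the running firewall; `load_rules` applies them only after the ordering guard passes.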