Date:      Fri, 7 May 2004 16:55:10 +0300
From:      Gregory Edigarov <greg@profi.kharkov.ua>
To:        freebsd-net@freebsd.org
Subject:   selective NAT problems
Message-ID:  <20040507135510.GA15963@profi.kharkov.ua>

Hello,

I've already put this question in freebsd-questions, without any
response.
I have the following configuration:
#!/bin/sh
ipfw -f flush

# dynamic rules created by the keep-state rules below
ipfw add check-state
ipfw add allow all from me to any

ipfw add allow all from any to any via lo0

# RFC 1918 sources are not expected to arrive on the external interface
ipfw add deny all from 10.0.0.0/8 to any in via tun0
ipfw add deny all from 172.16.0.0/12 to any in via tun0
ipfw add deny all from 192.168.0.0/16 to any in via tun0
ipfw add allow icmp from me to any keep-state
ipfw add allow icmp from 192.168.5.0/24 to me
ipfw add deny all from any to any frag

# selective NAT: only these two hosts are diverted to natd on the way out
# via tun0 (the second one only when it came in over a ppp interface), and
# replies to the external address are diverted on the way in
ipfw add divert natd all from 192.168.5.220 to any out xmit tun0
ipfw add divert natd all from 192.168.7.70  to any out recv ppp\* xmit tun0
ipfw add divert natd all from any to 195.5.17.86 in recv tun0
ipfw add allow all from 192.168.5.220 to any in via sk0
ipfw add allow all from 192.168.7.70 to any in via ppp\*
ipfw add allow all from me to any
ipfw add unreach filter-prohib ip from not me to any out recv any xmit tun0

# GRE for the pptp tunnels
ipfw add allow gre from 192.168.5.0/24 to me
ipfw add allow gre from me to any


ipfw add allow tcp from me to any keep-state
ipfw add allow udp from me to any keep-state
ipfw add allow udp from any to me 53
ipfw add allow tcp from any to any established
ipfw add allow tcp from any to me 25 setup
ipfw add allow tcp from any to me ssh setup
ipfw add allow tcp from any to me http setup via tun0
ipfw add allow tcp from 192.168.7.0/24 to me 3128 setup via ppp\*
ipfw add allow tcp from 192.168.7.0/24 to me 2080 setup via ppp\*
ipfw add allow tcp from 192.168.7.0/24 to me pop3 setup via ppp\*
ipfw add allow tcp from 192.168.5.0/24 to me pptp setup
# the dash in the service-name range has to be escaped twice from the shell
ipfw add allow tcp from 192.168.5.0/24 to me ftp\\-data-ftp setup via sk0
ipfw add allow tcp from any to me 53 setup

ipfw add deny log all from any to any

I.e., if the user is coming from 192.168.5.220 or 192.168.7.70 and
his interface is from the ppp group, then allow NAT from him or to him.

It doesn't work. The system is -CURRENT, cvsuped ~5 days ago.
What am I missing?
-- 
With best regards,
        Gregory Edigarov
------------------------------------------------------------------------------
profi.kharkov.ua                                        Systems Administrator
------------------------------------------------------------------------------
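The following Python model is added here as an illustration; it is not part of the original message and it is not ipfw. It replays a hand-encoded subset of the posted rule set (the ICMP, GRE, keep-state and per-service setup rules are left out, since none of them can match the flows traced below before an earlier rule terminates the search) under the first-match semantics documented in ipfw(8), including the natd reinjection behaviour: a packet written back by natd re-enters the firewall at the rule after the divert rule. Assumptions: "me" matches only the tun0 address 195.5.17.86 taken from the post, natd aliases to that address and keeps the original source port, and the default rule is deny. Tracing a packet through each pass (in on the LAN side, out on tun0, and the reply in on tun0) shows which rule actually terminates it.

```python
"""Toy first-match ipfw model for tracing which rule terminates a packet.
Constructed example; the rule subset below mirrors the posted script in
its original order, the numbers are list indices, not ipfw rule numbers."""
import fnmatch
import ipaddress

ME = {"195.5.17.86"}          # assumption: addresses the keyword "me" matches
NAT_IP = "195.5.17.86"        # assumption: natd aliases to the tun0 address
NAT_TABLE = {}                # (proto, aliased port) -> internal address

# (action, proto, src, dst, options); options use the ipfw keyword names
RULES = [
    ("allow",  "all", "me",             "any",  {}),
    ("allow",  "all", "any",            "any",  {"via": "lo0"}),
    ("deny",   "all", "10.0.0.0/8",     "any",  {"dir": "in",  "via": "tun0"}),
    ("deny",   "all", "172.16.0.0/12",  "any",  {"dir": "in",  "via": "tun0"}),
    ("deny",   "all", "192.168.0.0/16", "any",  {"dir": "in",  "via": "tun0"}),
    ("divert", "all", "192.168.5.220",  "any",  {"dir": "out", "xmit": "tun0"}),
    ("divert", "all", "192.168.7.70",   "any",  {"dir": "out", "recv": "ppp*", "xmit": "tun0"}),
    ("divert", "all", "any",            NAT_IP, {"dir": "in",  "recv": "tun0"}),
    ("allow",  "all", "192.168.5.220",  "any",  {"dir": "in",  "via": "sk0"}),
    ("allow",  "all", "192.168.7.70",   "any",  {"dir": "in",  "via": "ppp*"}),
    ("allow",  "all", "me",             "any",  {}),
    ("allow",  "udp", "any",            "me",   {"dport": 53}),
    ("allow",  "tcp", "any",            "any",  {"established": True}),
    ("deny",   "all", "any",            "any",  {}),
]


def packet(proto, src, sport, dst, dport, direction, recv, xmit=None, **flags):
    """Build a packet as one firewall pass sees it (recv/xmit interfaces)."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "dir": direction, "recv": recv, "xmit": xmit, **flags}


def addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def iface_match(pattern, name):
    # ipfw allows a trailing wildcard such as ppp*
    return name is not None and fnmatch.fnmatch(name, pattern)


def matches(rule, pkt):
    _, proto, src, dst, o = rule
    if proto != "all" and proto != pkt["proto"]:
        return False
    if not (addr_match(src, pkt["src"]) and addr_match(dst, pkt["dst"])):
        return False
    if "dir" in o and o["dir"] != pkt["dir"]:
        return False
    # "via" checks either interface, "recv"/"xmit" only the named one
    if "via" in o and not (iface_match(o["via"], pkt["recv"]) or iface_match(o["via"], pkt["xmit"])):
        return False
    if "recv" in o and not iface_match(o["recv"], pkt["recv"]):
        return False
    if "xmit" in o and not iface_match(o["xmit"], pkt["xmit"]):
        return False
    if "dport" in o and o["dport"] != pkt["dport"]:
        return False
    # established: TCP segment with ACK or RST set
    if o.get("established") and not (pkt["proto"] == "tcp" and (pkt.get("ack") or pkt.get("rst"))):
        return False
    return True


def natd(pkt):
    """Simplified natd: alias outgoing source, de-alias incoming destination."""
    pkt = dict(pkt)
    if pkt["dir"] == "out":
        NAT_TABLE[(pkt["proto"], pkt["sport"])] = pkt["src"]
        pkt["src"] = NAT_IP
    elif pkt["dst"] == NAT_IP:
        internal = NAT_TABLE.get((pkt["proto"], pkt["dport"]))
        if internal:
            pkt["dst"] = internal
    return pkt


def evaluate(pkt, rules=RULES):
    """Return (action, index, packet) of the first terminating rule; a divert
    rewrites the packet and resumes at the next rule, as natd reinjection does."""
    pkt = dict(pkt)
    i = 0
    while i < len(rules):
        if matches(rules[i], pkt):
            if rules[i][0] == "divert":
                pkt = natd(pkt)
                i += 1
                continue
            return rules[i][0], i, pkt
        i += 1
    return "deny", None, pkt   # assumption: default-deny kernel


if __name__ == "__main__":
    syn = packet("tcp", "192.168.5.220", 1234, "203.0.113.9", 80, "out", "sk0", "tun0", syn=True)
    print(evaluate(syn))
    ack = packet("tcp", "203.0.113.9", 80, NAT_IP, 1234, "in", "tun0", ack=True)
    print(evaluate(ack))
```

In this model the outgoing packet of either NATed host is rewritten by its divert rule and then accepted by the later "allow all from me to any", a TCP reply is de-aliased by the inbound divert and accepted by the "established" rule, while a UDP reply (a DNS answer, say) is de-aliased and then matched by no allow rule before the final deny. Whether that matches what the poster saw, the message does not say; the point of the model is to trace the actual terminating rule for each pass instead of reasoning about the rules by eye.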