Date:      Wed, 21 Jul 2010 11:40:29 +0200
From:      Spil Oss <spil.oss@gmail.com>
To:        freebsd-ipfw@freebsd.org, freebsd-stable@freebsd.org
Subject:   Changes to ipfw in 8.1
Message-ID:  <AANLkTin6Ao8etOxX180N1NcI7M20eYFCO1ooCMREk7pg@mail.gmail.com>

Hi,

Testing FreeBSD 8.1 I noticed that I seem to have routing or nat or
firewall issues. (csupped RELENG_8_1 which was -RELEASE not -RC last
night?)
- 8.1 booted fine
- connections from the system itself were fine
- connections from my jails to the internet were not working
- connections from my LAN/WLAN to the internet were not working
Reverting back to 8.0-p2 with the same configuration works fine.

In UPDATING I see that rc.firewall and rc.firewall6 were unified.

Setup is
- xl0 connected to internet/public IP via dhcp
- bge0/wlan0(ath0) connected to LAN
- jails have ip's on bge0 in the same subnet as the LAN
- allow all from any to any via bge0|wlan0|lo0
- NAT using natd

My guess is that something's changed to ipfw that is affecting my
network settings. Any clues where I went wrong?

Help appreciated/ Kind regards,

Spil.

rc.conf:
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"

natd.conf
interface xl0
dynamic yes
same_ports yes
# http/https to http jail
redirect_port tcp 192.168.2.3:80 80
redirect_port tcp 192.168.2.3:443 443

Part of /etc/ipfw.rules
#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif=xl0
pif6=gif0
ext6="2001:dead:beef:1::1"
ks="keep-state"

ipfw -q -f flush

# Allow internal traffic
$cmd 002 allow all from any to any via bge0 # exclude LAN traffic
$cmd 003 allow all from any to any via lo0  # exclude loopback traffic
$cmd 004 allow all from any to any via wlan0 # exclude WLAN traffic
$cmd 005 allow all from any to any via bridge0 # exclude bridge traffic
$cmd 006 allow all from any to any via tun0 # exclude tunnel traffic

# Allow all encapsulated IPv6 to/from tunnel PoP
$cmd 010 allow ip4 from <tunnel-provider-ipv4> to me via $pif
$cmd 010 allow ip4 from me to <tunnel-provider-ipv4> via $pif

# Black-hole some stuff using tables
$cmd 050 drop ip from "table(17)" to any in via $pif
$cmd 050 drop ip from any to "table(17)" out via $pif

# Separate IPv6 rules (no NAT!)
$cmd 060 skipto 1000 ip6 from any to any

$cmd 100 divert natd ip from any to any in via $pif # Mangle inbound packets from external
$cmd 101 check-state

# Authorized outbound packets
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 150 $skip tcp from any to any out via $pif $ks
$cmd 151 $skip udp from any to any out via $pif $ks

$cmd 200 allow udp from 10.50.0.1 to me 68 in $ks

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 unreach host all from 192.168.0.0/16  to any in via $pif  #RFC 1918 private IP
$cmd 301 unreach host all from 172.16.0.0/12   to any in via $pif  #RFC 1918 private IP
$cmd 302 unreach host all from 10.0.0.0/8      to any in via $pif  #RFC 1918 private IP
$cmd 303 unreach host all from 127.0.0.0/8     to any in via $pif  #loopback
$cmd 304 unreach host all from 0.0.0.0/8       to any in via $pif  #loopback
$cmd 305 unreach host all from 169.254.0.0/16  to any in via $pif  #DHCP auto-config
$cmd 306 unreach host all from 192.0.2.0/24    to any in via $pif  #reserved for docs
$cmd 307 unreach host all from 204.152.64.0/23 to any in via $pif  #Sun cluster
$cmd 308 unreach host all from 224.0.0.0/3     to any in via $pif  #Class D & E multicast

# Deny packets that did not match the dynamic rule table
#$cmd 330 deny all from any to any frag in via $pif # All late fragments
#$cmd 332 deny tcp from any to any established in via $pif # Deny ACK

# Authorized inbound packets
$cmd 400 allow icmp from any to any icmptypes 0,11 # echo reply and TTL-exceeded
$cmd 420 allow tcp from any to me ssh in via $pif setup $ks
$cmd 421 allow tcp from any to me smtp in via $pif
$cmd 422 allow tcp from any to me http in via $pif
$cmd 423 allow tcp from any to me https in via $pif
$cmd 424 allow tcp from any to me imaps in via $pif

#$cmd 449 unreach host ip from any to any in via $pif
$cmd 448 reject log all from any to any in via $pif
$cmd 449 reject log all from any to any out via $pif
$cmd 450 reject log ip from any to any

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
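Two static checks worth running over a rule script written in the style of the one above before debugging the live firewall: whether every skipto target has a rule, and whether any non-rule text (typically a comment wrapped onto its own line, as happened to rule 100 in the quoted script) would be executed by the shell. This is an added example, not the poster's file; RULES is a constructed excerpt, and the quoted script itself jumps to 1000 for IPv6 while the part shown ends at 510.

```shell
#!/bin/sh
# Constructed excerpt in the post's style ("$cmd NNN action ...",
# skip="skipto N"). It contains a skipto with no matching rule and a
# comment wrapped onto a line of its own.
RULES='cmd="ipfw -q add"
skip="skipto 500"
$cmd 002 allow all from any to any via bge0
$cmd 060 skipto 1000 ip6 from any to any
$cmd 100 divert natd ip from any to any in via xl0 # Mangle inbound
packets from external
$cmd 130 $skip icmp from any to any out via xl0 keep-state
$cmd 450 reject log ip from any to any
$cmd 500 divert natd ip from any to any out via xl0
$cmd 510 allow ip from any to any'

# lint_skipto: print each skipto target (with the $skip alias expanded)
# that no rule in the script defines. ipfw continues at the next higher
# rule number when the exact target is absent, which is rarely intended.
lint_skipto() {
    printf '%s\n' "$1" | awk '
        /^skip=/  { sub(/.*skipto /, ""); gsub(/"/, ""); alias = $0; next }
        /^\$cmd / { have[$2] = 1
                    if ($3 == "skipto") want[$4] = 1
                    if ($3 == "$skip")  want[alias] = 1 }
        END { for (t in want) if (!(t in have)) print t }'
}

# lint_stray: print lines that are neither blank, a comment, a variable
# assignment, a $cmd rule nor a bare ipfw command. In a firewall script
# these are almost always wrapped comments, and sh would run them as
# commands when the script is executed.
lint_stray() {
    printf '%s\n' "$1" | grep -v -e '^[[:space:]]*$' -e '^#' \
        -e '^[A-Za-z_][A-Za-z0-9_]*=' -e '^\$cmd ' -e '^ipfw '
}

lint_skipto "$RULES"   # prints: 1000
lint_stray  "$RULES"   # prints: packets from external
```

To check a real script, replace RULES with `$(cat /etc/ipfw.rules)`; lint_stray exits non-zero when it finds nothing, which is the clean result.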