Date:      Fri, 1 Nov 2013 09:37:31 +0100
From:      FBSD UG <freebsd@rgbaz.eu>
To:        Da Rock <freebsd-questions@herveybayaustralia.com.au>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: NAT/ipfw blocking internal traffic
Message-ID:  <B276118C-BB6D-41FC-B4A8-1F4E58BA69EC@rgbaz.eu>
In-Reply-To: <52721041.7040705@herveybayaustralia.com.au>
References:  <789665157.296.1383076677766.JavaMail.root@phantombsd.org> <52721041.7040705@herveybayaustralia.com.au>


On 31 Oct 2013, at 09:09, Da Rock wrote:

> On 10/30/13 05:57, Casey Scott wrote:
>> Hello,
>>
>> My NAT and ipfw ruleset follow almost exactly what is given at http://www.freebsd.org/doc/handbook/firewalls-ipfw.html
>>
>> The problem I'm encountering is that a portion of my outbound internal traffic is being blocked by ipfw. This is a fresh FreeBSD installation, so I'm kind of at a loss since the config matches the handbook. Any suggestions are appreciated.
>>
> From what I have gathered the handbook is getting out of date - particularly in this area. Try the IPFW list (they're very helpful and rather quick to respond), but try checking the scripts in /etc first. Man should be up to date too.
>
> You should find some generic settings such as OPEN, SECURE, etc in the scripts in /etc. Just set the rc.conf to use those, and season to taste ;)
>
> HTH
> _______________________________________________

Hi Casey,


I've set up a server myself using IPFW not long ago
and used Example #2 from the page you mention.

Two things I changed to make things work for my situation:
I completely removed rule nr 450:
$cmd 450 deny log all from any to any out via $pif

and I removed the 'setup' from
$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
so it's now:
$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif keep-state


450 is there to block all unauthorised outgoing traffic.
There was no need for me to block this traffic as strictly.
Could this also be your problem?

greets
Arno
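As an added example (not part of this thread, and not Arno's or the handbook's code): rule 450 in the handbook ruleset is a "deny log" rule, so before dropping it one can read what it logs in /var/log/security and see exactly which outbound flows are being refused. The Python below parses ipfw log lines in that format and tallies the outbound flows rule 450 denied; the log lines, host name and addresses are constructed for the example.

```python
import re
from collections import Counter

# Shape of an ipfw "deny log" entry (syslog prefix comes first on the line):
#   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
# ICMP entries use a different layout and are deliberately ignored here.
IPFW_LOG = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample lines; addresses are documentation ranges, not a real host.
SAMPLE_LOG = """\
Nov  1 09:30:01 gw kernel: ipfw: 450 Deny TCP 192.168.1.20:51012 198.51.100.7:443 out via em0
Nov  1 09:30:02 gw kernel: ipfw: 450 Deny TCP 192.168.1.20:51013 198.51.100.7:443 out via em0
Nov  1 09:30:05 gw kernel: ipfw: 450 Deny UDP 192.168.1.31:40001 203.0.113.9:123 out via em0
Nov  1 09:31:10 gw kernel: ipfw: 500 Deny TCP 203.0.113.50:4444 192.0.2.10:22 in via em0
"""


def parse_ipfw_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it is not one."""
    m = IPFW_LOG.search(line)
    return m.groupdict() if m else None


def denied_outbound(log_text, rule="450"):
    """Count outbound flows, keyed by (proto, dst, dport), that the given deny rule logged.

    The result tells you which specific allow rules are missing above the
    catch-all deny, instead of removing the catch-all altogether.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec and rec["rule"] == rule and rec["dir"] == "out":
            counts[(rec["proto"], rec["dst"], int(rec["dport"]))] += 1
    return counts


if __name__ == "__main__":
    for (proto, dst, dport), n in denied_outbound(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {proto} -> {dst}:{dport}")
```

On a real gateway, feed it the output of `grep 'ipfw: 450' /var/log/security` instead of SAMPLE_LOG.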


