From owner-freebsd-questions@FreeBSD.ORG Fri Nov 1 09:22:57 2013
Subject: Re: NAT/ipfw blocking internal traffic
From: FBSD UG
In-Reply-To: <52721041.7040705@herveybayaustralia.com.au>
Date: Fri, 1 Nov 2013 09:37:31 +0100
References: <789665157.296.1383076677766.JavaMail.root@phantombsd.org> <52721041.7040705@herveybayaustralia.com.au>
To: Da Rock
Cc: freebsd-questions@freebsd.org
List-Id: User questions
X-List-Received-Date: Fri, 01 Nov 2013 09:22:57 -0000

On 31 Oct 2013, at 09:09, Da Rock wrote:

> On 10/30/13 05:57, Casey Scott wrote:
>> Hello,
>>
>> My NAT and ipfw ruleset follow almost exactly what is given at http://www.freebsd.org/doc/handbook/firewalls-ipfw.html
>>
>> The problem I'm encountering is that a portion of my outbound internal traffic is being blocked by ipfw. This is a fresh FreeBSD installation, so I'm kind of at a loss since the config matches the handbook. Any suggestions are appreciated.
>>
> From what I have gathered the handbook is getting out of date - particularly in this area. Try the IPFW list (they're very helpful and rather quick to respond), but try checking the scripts in /etc first. Man should be up to date too.
>
> You should find some generic settings such as OPEN, SECURE, etc. in the scripts in /etc. Just set the rc.conf to use those, and season to taste ;)
>
> HTH

Hi Casey,

I've set up a server myself using IPFW not long ago and used Example #2 from the page you mention. Two things I changed to make things work for my situation:

I completely removed rule nr. 450:

$cmd 450 deny log all from any to any out via $pif

and I removed the 'setup' from

$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state

so it's now:

$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif keep-state

450 is there to block all unauthorised outgoing traffic. There was no need for me to block this traffic as strictly.

Could this also be your problem?

greets
Arno
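An added illustration, not code from the thread or from ipfw itself: a constructed Python model of ipfw's first-match evaluation for rule 020 (with and without `setup`) and rule 450. In ipfw, `setup` matches only a TCP SYN without ACK, and a keep-state rule consults the dynamic table before its static match, so an outbound packet from a flow that has no dynamic entry falls through to rule 450 unless `setup` is dropped. The model simplifies flow state to (protocol, destination port) and leaves out the resolver address x.x.x.x.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:                # an outbound packet leaving via $pif
    proto: str
    dport: int
    syn: bool = False
    ack: bool = False

@dataclass
class Rule:
    num: int
    action: str           # "skipto 800" (the NAT divert in the handbook) or "deny"
    proto: str = "any"
    dport: int = 0        # 0 = any port
    setup: bool = False   # match only TCP SYN without ACK
    keep_state: bool = False

def static_match(rule, pkt):
    """Static part of the match: protocol, port and the 'setup' flag test."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport and rule.dport != pkt.dport:
        return False
    if rule.setup and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
        return False
    return True

def evaluate(rules, pkt, state):
    """First-match walk; 'state' holds flows recorded by keep-state rules,
    which ipfw checks implicitly at the first keep-state rule."""
    for r in rules:
        if r.keep_state and (pkt.proto, pkt.dport) in state:
            return r.action
        if static_match(r, pkt):
            if r.keep_state:
                state.add((pkt.proto, pkt.dport))
            return r.action
    return "deny"  # default deny at the end of the ruleset

def ruleset(with_setup):  # rules 020 and 450 from the thread, constructed here
    return [Rule(20, "skipto 800", "tcp", 53, setup=with_setup, keep_state=True),
            Rule(450, "deny")]

def run(with_setup, pkts):
    state = set()
    return [evaluate(ruleset(with_setup), p, state) for p in pkts]

# Constructed packets: a fresh TCP connection to port 53 (SYN, then data), and
# a data packet from a flow with no dynamic entry (e.g. its state expired).
NEW_FLOW = [Pkt("tcp", 53, syn=True), Pkt("tcp", 53, ack=True)]
MID_STREAM = [Pkt("tcp", 53, ack=True)]
```

With `setup`, `run(True, MID_STREAM)` ends at rule 450 and is denied (and logged, per the rule's `log` keyword); without it, the same packet matches rule 020 and is sent on to the NAT divert.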