Date: Mon, 19 May 2003 11:40:43 -0400
From: "Asenchi" <asenchi@asenchi.com>
To: <freebsd-questions@freebsd.org>
Subject: ipfw2 & natd & stateful
Message-ID: <012701c31e1d$05d90760$8200a8c0@wj>
Hello Everyone. I have a bit of a problem. I want to switch my company's firewall to IPFW2 but I can't seem to get the ruleset to work. After sidelining the notion, I am ready to attack this again. I have had many problems with it. (You can see a discussion on this issue here: <http://www.freebsdforums.org/forums/showthread.php?s=&threadid=9061>)

It seems that NATD is stopping anyone on my internal network from getting through to websites. It does somehow reach DNS but won't go anywhere else. I have tried multiple things... I use this ruleset almost verbatim on another machine that isn't running NATD. Can anyone see anything here?

I don't subscribe to this list with this email address, so could you please cc me?

Thanks in advance to anyone who can offer some light...

////curt////

Here is the output of 'ipfw -d show':

00100 0 0 check-state
00200 4 164 deny log logamount 1000 ip from any to any established
00300 28 1789 divert 8668 ip from any to any via vr0
00400 0 0 deny log logamount 10 ip from 192.168.0.0/24 to any via vr0
00500 38 3897 allow { tcp or udp } from me to { 198.109.160.2 or dst-ip 198.109.160.3 or dst-ip d.n.s.1 or dst-ip d.n.s.2 } dst-port 53 out xmit vr0 keep-state
00600 306 31838 allow tcp from { o.u.t.2/29 or o.u.t.1 or 2.1.0.0/16 or 1.1.0.0/16 } to me dst-port 22 setup in recv vr0 keep-state
00700 22 992 allow tcp from me to any setup via vr0 keep-state
00800 2 120 deny log logamount 1000 { tcp or udp } from any to me
01000 7 336 allow log logamount 1000 tcp from i.n.t.r/24 to any dst-port 80
01100 0 0 allow tcp from 192.168.0.0/24 to any setup keep-state
01200 66 4168 allow { tcp or udp } from 192.168.0.0/24 to { d.n.s.3 or dst-ip d.n.s.4 or dst-ip d.n.s.1 or dst-ip d.n.s.2 } dst-port 53 keep-state
01300 0 0 allow tcp from any to 192.168.0.0/24{3,10,11,12,21,110} dst-port 6501-6504 setup in recv vr0 keep-state
01500 0 0 deny icmp from any to me icmptypes 8
01600 131 5560 allow icmp from any to any
01800 3 234 deny { tcp or udp } from any to any dst-port 137,138,520
01900 4 304 deny log logamount 1000 ip from any to any
65535 0 0 deny ip from any to any
## Dynamic rules (28):
01200 3 192 (9s) STATE udp 192.168.0.64 1072 <-> d.n.s.3 53
01200 5 320 (9s) STATE udp 192.168.0.64 1072 <-> d.n.s.2 53
00600 305 31778 (300s) STATE tcp m.y.i.p 3020 <-> o.u.t.1 22
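An added example (not part of the original message) for reading this kind of `ipfw -d show` listing: it parses the counter columns and the dynamic-rule section into records, then lists the static deny rules that ipfw evaluates before the first `divert` rule, since ipfw walks rules in number order and a packet matched by such a rule is dropped before natd ever sees it. The sample listing is a constructed subset of the rules above.

```python
import re
from typing import Dict, List

# Constructed sample in the "ipfw -d show" layout:
# rule number, packet count, byte count, rule body.
SAMPLE = """\
00100 0 0 check-state
00200 4 164 deny log logamount 1000 ip from any to any established
00300 28 1789 divert 8668 ip from any to any via vr0
00400 0 0 deny log logamount 10 ip from 192.168.0.0/24 to any via vr0
00700 22 992 allow tcp from me to any setup via vr0 keep-state
01900 4 304 deny log logamount 1000 ip from any to any
65535 0 0 deny ip from any to any
## Dynamic rules (1):
01200 3 192 (9s) STATE udp 192.168.0.64 1072 <-> d.n.s.3 53
"""

RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_ipfw_show(text: str) -> List[Dict]:
    """Split `ipfw -d show` output into static and dynamic rule records."""
    rules = []
    dynamic = False  # flips once the "## Dynamic rules" header is seen
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("## Dynamic rules"):
            dynamic = True
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line or anything else we do not recognise
        number, pkts, byts, body = m.groups()
        rules.append({
            "number": int(number),
            "packets": int(pkts),
            "bytes": int(byts),
            "dynamic": dynamic,
            "action": body.split()[0],  # check-state, deny, allow, divert ...
            "body": body,
        })
    return rules


def deny_rules_before_divert(rules: List[Dict]) -> List[int]:
    """Static deny rules numbered lower than the first divert rule."""
    static = [r for r in rules if not r["dynamic"]]
    diverts = [r["number"] for r in static if r["action"] == "divert"]
    if not diverts:
        return []
    return [r["number"] for r in static
            if r["number"] < diverts[0] and r["action"] == "deny"]
```

Run it over a full listing to see which deny rules sit ahead of the natd divert; their packet counters show whether anything is actually hitting them.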