From owner-freebsd-questions@FreeBSD.ORG Mon Jan 17 12:25:52 2005
Message-ID: <41EC2D5F.8060705@me.point.ne.jp>
Date: Mon, 17 Jan 2005 21:25:51 +0000
From: Srot BULL
Reply-To: pwd8jmr22w@me.point.ne.jp
To: Questions-ML FreeBSD
Subject: IPFW - How to allow NAT client to CVSup
List-Id: User questions

Hi to everyone,

I have 2 FreeBSD machines, both running FreeBSD Stable 5.3, and both have ipfw as firewalls... One is running ipfw with NAT functions.

Below is the ruleset for the machine:
#!/bin/sh
# NAT gateway: rl0 is the LAN side, $INIC (aue0) the external interface.
# Permitted outbound sessions are sent with $SKIP to rule 00800, where the
# natd divert rewrites them before rule 00801 passes them.
ipfw -q -f flush
CMD="ipfw -q add"
SKIP="skipto 00800"
KS="keep-state"
INIC="aue0"

# Trusted interfaces and inbound NAT divert
$CMD 00005 allow all from any to any via rl0
$CMD 00010 allow all from any to any via lo0
$CMD 00014 divert natd ip from any to any in via $INIC
$CMD 00015 check-state

# Outbound sessions handed to the NAT divert at 00800
$CMD 00020 $SKIP tcp from any to 192.168.0.1 53 out via $INIC setup $KS
$CMD 00021 $SKIP udp from any to 192.168.0.1 53 out via $INIC $KS
$CMD 00030 $SKIP udp from any to 192.168.0.1 67 out via $INIC $KS
$CMD 00040 $SKIP tcp from any to any 80 out via $INIC setup $KS
$CMD 00050 $SKIP tcp from any to any 443 out via $INIC setup $KS
$CMD 00060 $SKIP tcp from any to any 25 out via $INIC setup $KS
$CMD 00061 $SKIP tcp from any to any 110 out via $INIC setup $KS
#------------ Allow out FBSD (make install & CVSUP) functions -----------#
$CMD 00070 $SKIP tcp from me to any out via $INIC setup $KS uid root
#------------------------------------------------------------------------#
$CMD 00080 $SKIP icmp from any to any out via $INIC $KS
$CMD 00090 $SKIP tcp from any to any 37 out via $INIC setup $KS
$CMD 00100 $SKIP tcp from any to any 119 out via $INIC setup $KS
$CMD 00110 $SKIP tcp from any to any 22 out via $INIC setup $KS
$CMD 00120 $SKIP tcp from any to any 43 out via $INIC setup $KS
$CMD 00130 $SKIP udp from any to any 123 out via $INIC $KS
$CMD 00140 $SKIP tcp from any to any 873 out via $INIC $KS
$CMD 00141 $SKIP udp from any to any 873 out via $INIC $KS

# Inbound filtering on the external interface: spoofed/bogon sources,
# unwanted services, fragments and stray established segments
$CMD 00300 deny all from 192.168.0.0/16 to any in via $INIC
$CMD 00301 deny all from 172.16.0.0/12 to any in via $INIC
$CMD 00302 deny all from 10.0.0.0/8 to any in via $INIC
$CMD 00303 deny all from 127.0.0.0/8 to any in via $INIC
$CMD 00304 deny all from 0.0.0.0/8 to any in via $INIC
$CMD 00305 deny all from 169.254.0.0/16 to any in via $INIC
$CMD 00306 deny all from 192.0.2.0/24 to any in via $INIC
$CMD 00308 deny all from 224.0.0.0/3 to any in via $INIC
#$CMD 00310 deny icmp from any to any in via $INIC
$CMD 00315 deny tcp from any to any 113 in via $INIC
$CMD 00320 deny tcp from any to any 137 in via $INIC
$CMD 00321 deny tcp from any to any 138 in via $INIC
$CMD 00322 deny tcp from any to any 139 in via $INIC
$CMD 00323 deny tcp from any to any 81 in via $INIC
$CMD 00330 deny all from any to any frag in via $INIC
$CMD 00332 deny tcp from any to any established in via $INIC
$CMD 00360 allow udp from any to 192.168.0.1 67 in via $INIC $KS
$CMD 00400 deny log all from any to any in via $INIC
$CMD 00450 deny log all from any to any out via $INIC

# Outbound NAT divert, then pass; everything else is logged and dropped
$CMD 00800 divert natd ip from any to any out via $INIC
$CMD 00801 allow ip from any to any
$CMD 00999 deny log all from any to any

This is the ruleset that I am using for the other machine that I want to be able to cvsup...

#!/bin/sh
# NAT client: $INIC (bge0) is its only interface, so permitted outbound
# sessions are simply allowed; there is no skipto/divert here.
ipfw -q -f flush
CMD="ipfw -q add"
KS="keep-state"
INIC="bge0"

$CMD 00010 allow all from any to any via lo0
$CMD 00015 check-state

# Outbound sessions
$CMD 00020 allow tcp from any to 192.168.0.1 53 out via $INIC setup $KS
$CMD 00021 allow udp from any to 192.168.0.1 53 out via $INIC $KS
$CMD 00030 allow udp from any to 192.168.0.1 67 out via $INIC $KS
$CMD 00040 allow tcp from any to any 80 out via $INIC setup $KS
$CMD 00050 allow tcp from any to any 443 out via $INIC setup $KS
$CMD 00060 allow tcp from any to any 25 out via $INIC setup $KS
$CMD 00061 allow tcp from any to any 110 out via $INIC setup $KS
$CMD 00070 allow tcp from me to any out via $INIC setup $KS uid root
$CMD 00080 allow icmp from any to any out via $INIC $KS
$CMD 00090 allow tcp from any to any 37 out via $INIC setup $KS
$CMD 00100 allow tcp from any to any 119 out via $INIC setup $KS
$CMD 00110 allow tcp from any to any 22 out via $INIC setup $KS
$CMD 00120 allow tcp from any to any 43 out via $INIC setup $KS
$CMD 00130 allow udp from any to any 123 out via $INIC $KS

# Inbound filtering: spoofed/bogon sources, unwanted services, fragments
$CMD 00300 deny all from 192.168.0.0/16 to any in via $INIC
$CMD 00301 deny all from 172.16.0.0/12 to any in via $INIC
$CMD 00302 deny all from 10.0.0.0/8 to any in via $INIC
$CMD 00303 deny all from 127.0.0.0/8 to any in via $INIC
$CMD 00304 deny all from 0.0.0.0/8 to any in via $INIC
$CMD 00305 deny all from 169.254.0.0/16 to any in via $INIC
$CMD 00306 deny all from 192.0.2.0/24 to any in via $INIC
$CMD 00307 deny all from 204.152.64.0/23 to any in via $INIC
$CMD 00308 deny all from 224.0.0.0/3 to any in via $INIC
$CMD 00315 deny tcp from any to any 113 in via $INIC
$CMD 00320 deny tcp from any to any 137 in via $INIC
$CMD 00321 deny tcp from any to any 138 in via $INIC
$CMD 00322 deny tcp from any to any 139 in via $INIC
$CMD 00323 deny tcp from any to any 81 in via $INIC
$CMD 00330 deny all from any to any frag in via $INIC
$CMD 00332 deny tcp from any to any established in via $INIC
$CMD 00360 allow udp from any to 192.168.0.1 67 in via $INIC $KS
$CMD 00400 deny log all from any to any in via $INIC
$CMD 00999 deny log all from any to any

As you can see, I am using the rulesets that are found in the Handbook. I have tried

$CMD 00070 $SKIP tcp from me to any out via $INIC setup $KS uid root

but still no go, and

$CMD 00070 $SKIP tcp from me to any 5999 out via $INIC setup $KS

but still no go.

Can anybody share their ipfw rulesets with me? To allow my other PC to cvsup...

Thanks in advance...

Srot BULL
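Added example, not part of the original post or of the FreeBSD Handbook: a small Python model of ipfw's first-match evaluation, replayed over an excerpt of the posted gateway ruleset, to show where a LAN client's CVSup SYN (TCP port 5999, the port named in the post) is dropped. It relies on two ipfw facts: the `me` keyword matches only addresses configured on the firewall host itself, and `uid` matches only packets that belong to a local socket, so neither can match a forwarded packet. A forwarded packet also still carries its private source address when it reaches rule 00070, because natd only rewrites it at the divert in rule 00800. The gateway addresses (198.51.100.5, 192.168.0.254), the client and server addresses (192.168.0.2, 203.0.113.10) and candidate rule 75 are constructed for this example; keep-state dynamic rules and natd rewriting are not modelled.

```python
"""Toy first-match model of a subset of ipfw(8) rule syntax.  Added example,
not code from the original post; keep-state dynamic rules and natd address
rewriting are not modelled."""
import ipaddress

# Excerpt of the posted gateway ruleset, $INIC expanded to aue0 and $SKIP to
# "skipto 800"; rule numbers are the poster's.
GATEWAY_RULES = [
    "5 allow all from any to any via rl0",
    "14 divert natd ip from any to any in via aue0",
    "15 check-state",
    "40 skipto 800 tcp from any to any 80 out via aue0 setup keep-state",
    "70 skipto 800 tcp from me to any out via aue0 setup keep-state uid root",
    "400 deny log all from any to any in via aue0",
    "450 deny log all from any to any out via aue0",
    "800 divert natd ip from any to any out via aue0",
    "801 allow ip from any to any",
]
# Candidate rules constructed for this example: both admit TCP 5999 from the
# LAN, but only the skipto form still reaches the natd divert at rule 800.
CANDIDATE_SKIPTO = "75 skipto 800 tcp from any to any 5999 out via aue0 setup keep-state"
CANDIDATE_ALLOW = "75 allow tcp from any to any 5999 out via aue0 setup keep-state"
# Constructed: the gateway's own addresses (what "me" matches) and two SYNs on
# the outbound pass through aue0.  A forwarded LAN packet has no local socket
# owner (uid None) and still carries its private source, since natd only
# rewrites it at rule 800.
ME = {"198.51.100.5", "192.168.0.254"}
CLIENT_SYN = dict(proto="tcp", src="192.168.0.2", dst="203.0.113.10",
                  dport=5999, dir="out", iface="aue0", syn=True, uid=None)
GATEWAY_ROOT_SYN = dict(CLIENT_SYN, src="198.51.100.5", uid="root")

def parse_rule(line):
    """Parse one rule of the subset above into a dict of match fields."""
    t = line.split()
    r = dict(num=int(t[0]), action=t[1], target=None, proto="all", src="any",
             dst="any", dport=None, dir=None, via=None, setup=False, uid=None)
    if r["action"] == "check-state":
        return r
    i = 2
    if r["action"] == "skipto":
        r["target"], i = int(t[i]), i + 1
    elif r["action"] == "divert" or (r["action"] == "deny" and t[i] == "log"):
        i += 1                                  # skip "natd" / "log"
    r["proto"], r["src"], r["dst"] = t[i], t[i + 2], t[i + 4]  # proto from X to Y
    i += 5
    while i < len(t):
        tok = t[i]
        if tok.isdigit():
            r["dport"] = int(tok)
        elif tok in ("in", "out"):
            r["dir"] = tok
        elif tok in ("via", "uid"):
            r[tok], i = t[i + 1], i + 1
        elif tok == "setup":
            r["setup"] = True
        i += 1                                  # keep-state is ignored
    return r

def addr_matches(spec, addr, me):
    if spec == "any":
        return True
    if spec == "me":                            # only the host's own addresses
        return addr in me
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, pkt, me):
    """Static match; check-state never fires since no dynamic rules exist."""
    if r["action"] == "check-state":
        return False
    return (r["proto"] in ("all", "ip", pkt["proto"])
            and addr_matches(r["src"], pkt["src"], me)
            and addr_matches(r["dst"], pkt["dst"], me)
            and r["dport"] in (None, pkt["dport"])
            and r["dir"] in (None, pkt["dir"])
            and r["via"] in (None, pkt["iface"])
            and (pkt["syn"] or not r["setup"])
            # uid needs a local socket owner; forwarded packets have none
            and r["uid"] in (None, pkt["uid"]))

def load(lines):
    return sorted((parse_rule(ln) for ln in lines), key=lambda r: r["num"])

def evaluate(rules, pkt, me):
    """Return (verdict, numbers of the rules that matched along the way)."""
    trace, i = [], 0
    while i < len(rules):
        r = rules[i]
        if matches(r, pkt, me):
            trace.append(r["num"])
            if r["action"] in ("allow", "deny"):
                return r["action"], trace
            if r["action"] == "skipto":
                i = next((j for j, x in enumerate(rules) if x["num"] >= r["target"]), len(rules))
                continue
            # divert: natd re-injects at the next rule, so fall through
        i += 1
    return "deny", trace                        # ipfw's implicit default

if __name__ == "__main__":
    for rules in (GATEWAY_RULES, GATEWAY_RULES + [CANDIDATE_SKIPTO]):
        print(evaluate(load(rules), CLIENT_SYN, ME))
```

With the posted rules the client's SYN passes every `out via aue0` rule without matching (rule 70 fails on both `me` and `uid root`) and is logged and dropped by rule 450, while the same SYN issued by root on the gateway itself matches 70, is diverted at 800 and passed at 801. The candidate rule is written as a `skipto 800` rather than a plain `allow` on purpose: the trace shows that an `allow` at 75 terminates the pass before the divert, so the packet would leave aue0 with its private 192.168.0.2 source and never be translated.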