From owner-freebsd-questions@FreeBSD.ORG  Mon Jan 17 12:25:52 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3336216A4CE
	for <freebsd-questions@freebsd.org>;
	Mon, 17 Jan 2005 12:25:52 +0000 (GMT)
Received: from mta2p.point.ne.jp (mta2p.point.ne.jp [210.188.175.71])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6BD9A43D31
	for <freebsd-questions@freebsd.org>;
	Mon, 17 Jan 2005 12:25:51 +0000 (GMT)
	(envelope-from pwd8jmr22w@me.point.ne.jp)
Received: from vc10.point.ne.jp ([211.1.103.138]) by mta2p.point.ne.jp
          with ESMTP id <20050117122550.ZPOG1842.mta2p@vc10.point.ne.jp>
          for <freebsd-questions@freebsd.org>;
          Mon, 17 Jan 2005 21:25:50 +0900
Received: from fvc1-p.point.ne.jp (fvc1.point.ne.jp [210.188.175.76])
	by vc10.point.ne.jp (Scanmail) with ESMTP id 71D362AA0A
	for <freebsd-questions@freebsd.org>;
	Mon, 17 Jan 2005 21:25:49 +0900 (JST)
Received: from [192.168.0.2] ([218.230.54.236]) by fvc1-p.point.ne.jp
          with ESMTP id <20050117122549.YHRP5387.fvc1-p@[218.230.54.236]>
          for <freebsd-questions@freebsd.org>;
          Mon, 17 Jan 2005 21:25:49 +0900
Message-ID: <41EC2D5F.8060705@me.point.ne.jp>
Date: Mon, 17 Jan 2005 21:25:51 +0000
From: Srot BULL <pwd8jmr22w@me.point.ne.jp>
User-Agent: Mozilla Thunderbird 1.0 (X11/20050109)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Questions-ML FreeBSD <freebsd-questions@freebsd.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: IPFW - How to allow NAT client to CVSup
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: pwd8jmr22w@me.point.ne.jp
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jan 2005 12:25:52 -0000

Hi to everyone,

I have 2 FreeBSD machines both running FreeBSD Stable 5.3 and both have 
ipfw as firewalls...
One is running ipfw with NAT functions.  Below is the is the rulesets for 
the machine:

#!/bin/sh
ipfw -q -f flush
CMD="ipfw -q add"
SKIP="skipto 00800"
KS="keep-state"
INIC="aue0"
$CMD 00005 allow all from any to any via rl0
$CMD 00010 allow all from any to any via lo0
$CMD 00014 divert natd ip from any to any in via $INIC
$CMD 00015 check-state

$CMD 00020 $SKIP tcp from any to 192.168.0.1 53 out via $INIC setup $KS
$CMD 00021 $SKIP udp from any to 192.168.0.1 53 out via $INIC $KS
$CMD 00030 $SKIP udp from any to 192.168.0.1 67 out via $INIC $KS
$CMD 00040 $SKIP tcp from any to any 80 out via $INIC setup $KS
$CMD 00050 $SKIP tcp from any to any 443 out via $INIC setup $KS
$CMD 00060 $SKIP tcp from any to any 25 out via $INIC setup $KS
$CMD 00061 $SKIP tcp from any to any 110 out via $INIC setup $KS
#------------ Allow out FBSD (make install & CVSUP) functions -----------=#
$CMD 00070 $SKIP tcp from me to any out via $INIC setup $KS uid root
#------------------------------------------------------------------------=#
$CMD 00080 $SKIP icmp from any to any out via $INIC $KS
$CMD 00090 $SKIP tcp from any to any 37 out via $INIC setup $KS
$CMD 00100 $SKIP tcp from any to any 119 out via $INIC setup $KS
$CMD 00110 $SKIP tcp from any to any 22 out via $INIC setup $KS
$CMD 00120 $SKIP tcp from any to any 43 out via $INIC setup $KS
$CMD 00130 $SKIP udp from any to any 123 out via $INIC $KS
$CMD 00140 $SKIP tcp from any to any 873 out via $INIC $KS
$CMD 00141 $SKIP udp from any to any 873 out via $INIC $KS

$CMD 00300 deny all from 192.168.0.0/16 to any in via $INIC
$CMD 00301 deny all from 172.16.0.0/12 to any in via $INIC
$CMD 00302 deny all from 10.0.0.0/8 to any in via $INIC
$CMD 00303 deny all from 127.0.0.0/8 to any in via $INIC
$CMD 00304 deny all from 0.0.0.0/8 to any in via $INIC
$CMD 00305 deny all from 169.254.0.0/16 to any in via $INIC
$CMD 00306 deny all from 192.0.2.0/24 to any in via $INIC
$CMD 00308 deny all from 224.0.0.0/3 to any in via $INIC
#$CMD 00310 deny icmp from any to any in via $INIC
$CMD 00315 deny tcp from any to any 113 in via $INIC
$CMD 00320 deny tcp from any to any 137 in via $INIC
$CMD 00321 deny tcp from any to any 138 in via $INIC
$CMD 00322 deny tcp from any to any 139 in via $INIC
$CMD 00323 deny tcp from any to any 81 in via $INIC
$CMD 00330 deny all from any to any frag in via $INIC
$CMD 00332 deny tcp from any to any established in via $INIC

$CMD 00360 allow udp from any to 192.168.0.1 67 in via $INIC $KS
$CMD 00400 deny log all from any to any in via $INIC
$CMD 00450 deny log all from any to any out via $INIC
$CMD 00800 divert natd ip from any to any out via $INIC
$CMD 00801 allow ip from any to any
$CMD 00999 deny log all from any to any

This is the ruleset that I am using for the other machine that I want to be 
able to cvsup...

#!/bin/sh
ipfw -q -f flush
CMD="ipfw -q add"
KS="keep-state"
INIC="bge0"
$CMD 00010 allow all from any to any via lo0
$CMD 00015 check-state
$CMD 00020 allow tcp from any to 192.168.0.1 53 out via $INIC setup $KS
$CMD 00021 allow udp from any to 192.168.0.1 53 out via $INIC $KS
$CMD 00030 allow udp from any to 192.168.0.1 67 out via $INIC $KS
$CMD 00040 allow tcp from any to any 80 out via $INIC setup $KS
$CMD 00050 allow tcp from any to any 443 out via $INIC setup $KS
$CMD 00060 allow tcp from any to any 25 out via $INIC setup $KS
$CMD 00061 allow tcp from any to any 110 out via $INIC setup $KS
$CMD 00070 allow tcp from me to any out via $INIC setup $KS uid root
$CMD 00080 allow icmp from any to any out via $INIC $KS
$CMD 00090 allow tcp from any to any 37 out via $INIC setup $KS
$CMD 00100 allow tcp from any to any 119 out via $INIC setup $KS
$CMD 00110 allow tcp from any to any 22 out via $INIC setup $KS
$CMD 00120 allow tcp from any to any 43 out via $INIC setup $KS
$CMD 00130 allow udp from any to any 123 out via $INIC $KS

$CMD 00300 deny all from 192.168.0.0/16 to any in via $INIC
$CMD 00301 deny all from 172.16.0.0/12 to any in via $INIC
$CMD 00302 deny all from 10.0.0.0/8 to any in via $INIC
$CMD 00303 deny all from 127.0.0.0/8 to any in via $INIC
$CMD 00304 deny all from 0.0.0.0/8 to any in via $INIC
$CMD 00305 deny all from 169.254.0.0/16 to any in via $INIC
$CMD 00306 deny all from 192.0.2.0/24 to any in via $INIC
$CMD 00307 deny all from 204.152.64.0/23 to any in via $INIC
$CMD 00308 deny all from 224.0.0.0/3 to any in via $INIC
$CMD 00315 deny tcp from any to any 113 in via $INIC
$CMD 00320 deny tcp from any to any 137 in via $INIC
$CMD 00321 deny tcp from any to any 138 in via $INIC
$CMD 00322 deny tcp from any to any 139 in via $INIC
$CMD 00323 deny tcp from any to any 81 in via $INIC
$CMD 00330 deny all from any to any frag in via $INIC
$CMD 00332 deny tcp from any to any established in via $INIC
$CMD 00360 allow udp from any to 192.168.0.1 67 in via $INIC $KS

$CMD 00400 deny log all from any to any in via $INIC
$CMD 00999 deny log all from any to any

As you can see I am using the rulesets that are found in the Handbook.  I 
have tried
$CMD 00070 $SKIP tcp from me to any out via $INIC setup $KS uid root
but still no go
$CMD 00070 $SKIP tcp from me to any 5999 out via $INIC setup $KS
but still no go

Can anybody share their ipfw rulesets with me?  To allow my other PC to 
cvsup...
Thanks in advance...

Srot BULL