Date:      Mon, 18 Jul 2011 17:41:36 +0000
From:      David van Rensburg - PC Network <david@pcnetwork.co.za>
To:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject:   ipfw and nat problem
Message-ID:  <BDFA5956978BD645B1EC70AA3D3DC5CB519DA772@pcnetwork.pcnetwork.local>

Hi

I've been having a problem with ipfw and nat. I can get nat to work but I want the following:
My LAN must only have access to outgoing port 80.
I want to be able to allow some LAN users access to ftp and outgoing 3389 (remote desktop), but by default only port 80.
I have transparent proxy working in ipfw.
I want to be able to limit outgoing and incoming to the FreeBSD server according to port.
I want a default deny.

ANY help or a pointer in the right direction would be great. I have been googling for a week now and can't find anything similar. Most examples don't use a default deny and don't allow certain services to the LAN users.

oif="rl0"
FreeBSD box with 2 network cards
192.168.1.3 - LAN side (all LAN clients 192.168.1.x)
192.168.0.2 - router side of card (machine default gateways to 192.168.0.1, which is the router)
rc.conf:
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-s -u -m"
firewall_enable="YES"
firewall_logging_enable="YES"
firewall_quiet="NO"
#firewall_type="simple blah"
firewall_script="/etc/firewall.local"

natd_flags="-f /etc/natd.conf"

I'm using the following rules, which aren't working properly, e.g. the actual FreeBSD box can ftp out for some reason.
00100   0     0 divert 8668 ip from not me to any via rl0
00150   0     0 fwd 192.168.1.3,3128 tcp from not me to any dst-port 80
00250  24  1440 allow ip from any to any via lo0
00350   0     0 deny ip from any to 127.0.0.0/8
00450   0     0 deny ip from 127.0.0.0/8 to any
00550   0     0 deny tcp from any to any frag
00650   0     0 check-state
00750 241 27480 allow tcp from any to any established
00850  24  5676 allow ip from any to any out keep-state
00950   0     0 allow tcp from any to any dst-port 22 in
01050   0     0 allow tcp from any to any dst-port 22 out
01150   0     0 allow udp from any to any dst-port 53 in
01250   0     0 allow tcp from any to any dst-port 53 in
01350   0     0 allow udp from any to any dst-port 53 out
01450   0     0 allow tcp from any to any dst-port 53 out
01550   0     0 allow tcp from 192.168.1.99 to any dst-port 3389
01650 462 53744 deny ip from any to any
65535 122 12588 allow ip from any to any


David van Rensburg
PC Network
Tel: 0215107600
Fax: 0215104165
www.pcnetwork.co.za

This electronic communication and the attached file(s) are subject to terms and conditions which can be accessed on the following link:
http://www.pcnetwork.co.za/terms as well as the acceptable usage policy which can be accessed on: http://www.pcnetwork.co.za/aup
If you are unable to view the above, please contact support@pcnetwork.co.za for a copy.




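A firewall_script that does what the post asks for, added here as an example and not taken from the thread: the per-host policy is applied on the outside interface before outbound NAT (the skipto pattern), so rules still see the real LAN source address, the server itself only gets the ports it needs, and everything else falls into a logged default deny. The LAN card name rl1 and the FTP-allowed host 192.168.1.50 are assumptions; rl0, 192.168.1.3:3128, 192.168.1.99 and natd's divert port 8668 come from the post.

```sh
#!/bin/sh
# Example firewall_script (assumed path /etc/firewall.local, as in the poster's rc.conf).
# Policy is enforced on the outside interface where pre-NAT LAN sources are still visible;
# outbound NAT happens only at the skipto target, after the policy rules.
fwcmd="${fwcmd:-/sbin/ipfw}"   # set fwcmd=echo to print the rules instead of loading them
oif="rl0"                       # outside card, 192.168.0.2 (from the post)
iif="rl1"                       # LAN card, 192.168.1.3 (name assumed; the post does not give it)
lan="192.168.1.0/24"
proxy="192.168.1.3"             # squid on the firewall itself, port 3128 (from the post)
rdp_hosts="192.168.1.99"        # from the post
ftp_hosts="192.168.1.50"        # constructed example host

load_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 110 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 120 deny ip from 127.0.0.0/8 to any
    ${fwcmd} add 130 deny tcp from any to any frag
    # LAN side: web goes to the transparent proxy; everything else on this card is trusted
    ${fwcmd} add 200 fwd ${proxy},3128 tcp from ${lan} to any dst-port 80 in via ${iif}
    ${fwcmd} add 210 allow ip from any to any via ${iif}
    # Outside, inbound: untranslate first, then admit only replies to flows we created
    ${fwcmd} add 300 divert 8668 ip from any to any in via ${oif}
    ${fwcmd} add 310 check-state
    # Inbound services on the outside card, by port (ssh from the router segment only)
    ${fwcmd} add 320 allow tcp from 192.168.0.0/24 to me dst-port 22 in via ${oif} setup keep-state
    # Outbound policy by source and port; "skipto 800" means "allowed, now NAT it".
    # The proxy fetches pages for the LAN, so only the box itself needs port 80 out.
    ${fwcmd} add 400 skipto 800 tcp from me to any dst-port 80 out via ${oif} setup keep-state
    ${fwcmd} add 410 skipto 800 udp from me to any dst-port 53 out via ${oif} keep-state
    ${fwcmd} add 420 skipto 800 tcp from me to any dst-port 53 out via ${oif} setup keep-state
    ${fwcmd} add 500 skipto 800 tcp from ${rdp_hosts} to any dst-port 3389 out via ${oif} setup keep-state
    # FTP control channel only; data channels need extra handling, see natd(8)
    ${fwcmd} add 510 skipto 800 tcp from ${ftp_hosts} to any dst-port 21 out via ${oif} setup keep-state
    # Default deny for everything not matched above, logged so mistakes show up in the log
    ${fwcmd} add 700 deny log ip from any to any
    # Only reachable through skipto (and through check-state hits on skipto-created
    # dynamic rules): translate the source, then pass the packet
    ${fwcmd} add 800 divert 8668 ip from any to any out via ${oif}
    ${fwcmd} add 801 allow ip from any to any
}

if [ -x /sbin/ipfw ] && [ "${1-}" != "-n" ]; then
    load_rules
else
    (fwcmd=echo; load_rules)    # dry run when ipfw is absent or -n was given
fi
```

Run it with -n first to review the generated rules; a LAN host outside the exception list that tries port 3389 now ends at rule 700 and shows up in the ipfw log instead of slipping through an "allow ip from any to any out keep-state".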