From: "Aaron Peterson"
Reply-To: aaron@alpete.com
To: Tommy Forrest, Craig Reyenga, freebsd-questions@freebsd.org
Date: Mon, 19 May 2003 16:53:43 -0700
Subject: Re: ipfw2 & natd & stateful

yeah, linux does just fine with nat + stateful firewalling too

> Maybe impossible in FreeBSD - cause our Checkpoint firewalls do not have
> this problem.
>
> On Mon, 19 May 2003, Craig Reyenga wrote:
>
> > I'm pretty sure that NATD + stateful is impossible because in order to have
> >
> > [unregistered ip] <-> [internet ip]
> >
> > you need:
> > [unregistered ip] <-> [gateway]
> > [natd operates here]
> > [gateway] <-> [internet ip]
> >
> > but ipfw doesn't do this, so your connections end up not working, because the
> > stateful rules don't make the second scenario, they make the first.
> >
> > (I'd love to be proven wrong, as I have a similar setup.)
> >
> > Hope this helps,
> >
> > -Craig
> >
> > ----- Original Message -----
> > From: "Asenchi"
> > To:
> > Sent: Monday, May 19, 2003 8:40 AM
> > Subject: ipfw2 & natd & stateful
> >
> > > Hello Everyone.
> > >
> > > I have a bit of a problem. I want to switch my company's firewall to IPFW2
> > > but I can't seem to get the ruleset to work. After sidelining the notion, I
> > > am ready to attack this again. I have had many problems with it. (You can
> > > see a discussion on this issue here:
> > >
> > > It seems that NATD is stopping anyone on my internal network from getting
> > > through to websites. It does somehow reach DNS but won't go anywhere else. I
> > > have tried multiple things...
> > >
> > > I use this ruleset almost verbatim on another machine that isn't running
> > > NATD. Can anyone see anything here? I don't subscribe to this list with this
> > > email address, so could you please cc me?
> > >
> > > Thanks in advance to anyone who can offer some light...
> > >
> > > ////curt////
> > >
> > > Here is the output of 'ipfw -d show'
> > >
> > > 00100 0 0 check-state
> > > 00200 4 164 deny log logamount 1000 ip from any to any established
> > > 00300 28 1789 divert 8668 ip from any to any via vr0
> > > 00400 0 0 deny log logamount 10 ip from 192.168.0.0/24 to any via vr0
> > > 00500 38 3897 allow { tcp or udp } from me to { 198.109.160.2 or dst-ip 198.109.160.3 or dst-ip d.n.s.1 or dst-ip d.n.s.2 } dst-port 53 out xmit vr0 keep-state
> > > 00600 306 31838 allow tcp from { o.u.t.2/29 or o.u.t.1 or 2.1.0.0/16 or 1.1.0.0/16 } to me dst-port 22 setup in recv vr0 keep-state
> > > 00700 22 992 allow tcp from me to any setup via vr0 keep-state
> > > 00800 2 120 deny log logamount 1000 { tcp or udp } from any to me
> > > 01000 7 336 allow log logamount 1000 tcp from i.n.t.r/24 to any dst-port 80
> > > 01100 0 0 allow tcp from 192.168.0.0/24 to any setup keep-state
> > > 01200 66 4168 allow { tcp or udp } from 192.168.0.0/24 to { d.n.s.3 or dst-ip d.n.s.4 or dst-ip d.n.s.1 or dst-ip d.n.s.2 } dst-port 53 keep-state
> > > 01300 0 0 allow tcp from any to 192.168.0.0/24{3,10,11,12,21,110} dst-port 6501-6504 setup in recv vr0 keep-state
> > > 01500 0 0 deny icmp from any to me icmptypes 8
> > > 01600 131 5560 allow icmp from any to any
> > > 01800 3 234 deny { tcp or udp } from any to any dst-port 137,138,520
> > > 01900 4 304 deny log logamount 1000 ip from any to any
> > > 65535 0 0 deny ip from any to any
> > >
> > > ## Dynamic rules (28):
> > > 01200 3 192 (9s) STATE udp 192.168.0.64 1072 <-> d.n.s.3 53
> > > 01200 5 320 (9s) STATE udp 192.168.0.64 1072 <-> d.n.s.2 53
> > > 00600 305 31778 (300s) STATE tcp m.y.i.p 3020 <-> o.u.t.1 22
> > >
> > > _______________________________________________
> > > freebsd-questions@freebsd.org mailing list
> > > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
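For contrast with the quoted ruleset, which runs check-state (00100) ahead of the natd divert (00300), here is an added example (not from any message in this thread) of the rule ordering the FreeBSD Handbook uses for natd with keep-state: inbound packets on the public interface are diverted to natd before the state lookup, and outbound LAN traffic is sent to the outbound divert with skipto. The internal interface name, the choice of IPFW as the command variable and the dry-run default are assumptions; vr0 and 192.168.0.0/24 are taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: stateful ipfw2 + natd in the order used
# by the FreeBSD Handbook's natd ruleset. With check-state before the divert, an
# inbound reply addressed to the public IP can match a dynamic rule and be
# allowed without ever being translated back to the internal host. Here natd
# sees every inbound packet first, so state is always looked up post-NAT.
IPFW="${IPFW:-echo ipfw}"          # dry run by default; IPFW=ipfw loads for real
PIF="${PIF:-vr0}"                  # public interface (vr0 in the thread)
LIF="${LIF:-PLACEHOLDER_LAN_IF}"   # internal interface, not named in the thread
LAN="${LAN:-192.168.0.0/24}"       # internal network from the thread's ruleset

ipfw_rules() {
    $IPFW -q flush
    # LAN-side and loopback traffic is not filtered here; every LAN packet is
    # seen a second time when it leaves through $PIF, and is filtered there.
    $IPFW add 00050 allow ip from any to any via lo0
    $IPFW add 00060 allow ip from any to any via "$LIF"
    # 1. Inbound on the public side: translate first, so a reply carries the
    #    internal destination address again before any state lookup.
    $IPFW add 00100 divert natd ip from any to any in via "$PIF"
    # 2. Now consult the dynamic table. A translated reply matches the
    #    [internal ip] <-> [internet ip] entry created on the way out and
    #    inherits that rule's action (skipto 1000), so it is passed.
    $IPFW add 00200 check-state
    # 3. Outbound from the LAN: record state, then jump over the deny to the
    #    outbound divert instead of being allowed untranslated.
    $IPFW add 00300 skipto 1000 tcp from "$LAN" to any out via "$PIF" setup keep-state
    $IPFW add 00310 skipto 1000 udp from "$LAN" to any dst-port 53 out via "$PIF" keep-state
    # The gateway's own traffic and the services it offers need no NAT.
    $IPFW add 00400 allow ip from me to any out via "$PIF" keep-state
    $IPFW add 00410 allow tcp from any to me dst-port 22 in via "$PIF" setup keep-state
    $IPFW add 00420 allow icmp from any to any
    $IPFW add 00900 deny log logamount 1000 ip from any to any
    # 4. Outbound NAT: natd rewrites the source to the public address; the
    #    packet re-enters the ruleset after rule 1000 and is then allowed.
    $IPFW add 01000 divert natd ip from any to any out via "$PIF"
    $IPFW add 01010 allow ip from any to any
}

ipfw_rules
```

Run it once as-is to review the generated commands, then with `IPFW=ipfw LIF=<internal interface>` to load them.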