Date:      Thu, 23 Dec 1999 21:27:07 -0500 (EST)
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        pouncy@rtscomputer.net (Richard Pouncy)
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Simple or Open Firewall
Message-ID:  <199912240227.VAA39818@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <008c01bf4d7b$8fb20cf0$0201a8c0@rp.com> from Richard Pouncy at "Dec 23, 1999 11:26:07 am"

Richard Pouncy wrote,
> Happy Holidays All,
> 
> I am having a problem with setting up Network Address Translation
> (natd) to maintain some inbound security while allowing some ports
> (8080) to be diverted to another machine running on a private network
> (192.168.1.0/255.255.255.0). When the rules for the firewall are set to
> "open" ( $fwcmd add 65000 pass all from any to any), the translation and
> diverting works great. But when trying to set some security rules,
> everything stops working.
> 
> 
> natd.conf file with the following in it:
> 
> interface ed0
> deny_incoming   no
> use_sockets     yes
> same_ports      yes
> redirect_port tcp 192.168.1.2:80 8080
> 
> content of the rc.firewall file:
> 
>     # Allow TCP through if setup succeeded
>     $fwcmd add pass tcp from any to any established
> 
>     # Allow setup of incoming email
>     $fwcmd add pass tcp from any to ${oip} 25 setup
> 
>     # Allow access to our ftp server
>     $fwcmd add pass tcp from any  to ${oip} 21 setup
> 
>     # Allow access to our Telnet server
>     $fwcmd add pass tcp from 63.194.21.189 to ${oip} 23 setup
> 
>     # Allow access to our DNS
>     $fwcmd add pass tcp from any to ${oip} 53 setup
> 
>     # Allow access to our WWW
>     $fwcmd add pass tcp from any to ${oip} 80 setup
> 
>     # Reject&Log all setup of incoming connections from the outside
>     $fwcmd add deny log tcp from any to any in via ${oif} setup

Uhhh... This rule is going to be dropping your connections to port
8080 from the outside.

>     # Allow setup of any other TCP connection
>     $fwcmd add pass tcp from any to any setup
> 
>     # Allow DNS queries out in the world
>     $fwcmd add pass udp from any 53 to ${oip}
>     $fwcmd add pass udp from ${oip} to any 53
> 
>     # Allow NTP queries out in the world
>     #$fwcmd add pass udp from any 123 to ${oip}
>     #$fwcmd add pass udp from ${oip} to any 123
> 
>     # Everything else is denied as default.
> 
> 
> 
> everything works great with: $fwcmd add 65000 pass all from any to any

You need to add a rule to pass those packets to your internal web
server before the rule indicated. Something like,

      $fwcmd add pass tcp from any to ${www} 8080 setup

Where $www is the webserver, 192.168.1.2. (Note that for that to work
properly, it must appear after the NATd divert.)
-- 
Crist J. Clark                           cjclark@home.com
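Added example (not from the thread, not FreeBSD code): a small first-match model of the posted ruleset that shows why an inbound SYN to port 8080 lands on the "Reject&Log" deny rule, why an extra pass rule for the internal host fixes it, and why that rule only works after the natd divert. It assumes constructed addresses for ${oip} and the remote client, and writes the pass rule against the destination as natd has already rewritten it (the natd.conf line `redirect_port tcp 192.168.1.2:80 8080` maps external 8080 to internal 80, so the rule after the divert sees port 80).

```python
# First-match model of the ipfw ruleset in this thread (constructed, not FreeBSD code).
# OIP and the client address are placeholders; WWW is the 192.168.1.2 host from natd.conf.
OIP, OIF, WWW = "203.0.113.10", "ed0", "192.168.1.2"
# natd.conf: redirect_port tcp 192.168.1.2:80 8080 -> external :8080 becomes internal :80
REDIRECT = {("tcp", 8080): (WWW, 80)}


def divert_natd(pkt):
    """The 'divert natd' rule: natd rewrites the destination of an inbound packet
    that hits a redirect_port entry; ipfw then continues with the NEXT rule."""
    if pkt["dir"] == "in" and pkt["dst"] == OIP:
        key = (pkt["proto"], pkt["dport"])
        if key in REDIRECT:
            pkt["dst"], pkt["dport"] = REDIRECT[key]
    return None  # a divert rule never ends evaluation in this model


def rule(action, **want):
    """Build a rule: every field in `want` must equal the packet's field."""
    def apply(pkt):
        return action if all(pkt.get(k) == v for k, v in want.items()) else None
    return apply


def evaluate(rules, pkt):
    """ipfw semantics: the first terminating match wins; rule 65535 denies by default."""
    pkt = dict(pkt)  # natd mutates the copy, as the reinjected packet differs from the original
    for r in rules:
        verdict = r(pkt)
        if verdict is not None:
            return verdict
    return "deny"


# The poster's rules, in order, from the "Allow access to our WWW" line onward.
POSTED = [
    rule("pass", proto="tcp", dst=OIP, dport=80, setup=True),    # our WWW
    rule("deny", proto="tcp", dir="in", iface=OIF, setup=True),  # Reject&Log setup from outside
    rule("pass", proto="tcp", setup=True),                       # any other TCP setup
]
# Pass rule for the internal server, matching the destination AS TRANSLATED by natd.
PASS_WWW = rule("pass", proto="tcp", dst=WWW, dport=80, setup=True)

ORIGINAL = [divert_natd] + POSTED
FIXED = [divert_natd, PASS_WWW] + POSTED      # the reply's placement: after the divert
MISPLACED = [PASS_WWW, divert_natd] + POSTED  # before the divert: sees the untranslated dst

# Constructed inbound SYN from the Internet to the public address, port 8080.
SYN_8080 = {"proto": "tcp", "dir": "in", "iface": OIF, "src": "198.51.100.7",
            "dst": OIP, "dport": 8080, "setup": True}
```

Running `evaluate(ORIGINAL, SYN_8080)` gives "deny", `evaluate(FIXED, SYN_8080)` gives "pass", and `evaluate(MISPLACED, SYN_8080)` gives "deny" again.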