Date: Thu, 23 Dec 1999 21:27:07 -0500 (EST)
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: pouncy@rtscomputer.net (Richard Pouncy)
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Simple or Open Firewall
Message-ID: <199912240227.VAA39818@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <008c01bf4d7b$8fb20cf0$0201a8c0@rp.com> from Richard Pouncy at "Dec 23, 1999 11:26:07 am"
Richard Pouncy wrote,

> Happy Holidays All,
>
> I am having a problem with setting up Network Address Translation
> (NATD) to maintain some inbound security while allowing some ports
> (8080) to be diverted to another machine running on a private network
> (192.168.1.0/255.255.255.0). When the rules for the firewall are set to
> "open" ( $fwcmd add 65000 pass all from any to any), the translation and
> diverting work great. But when trying to set some security rules,
> everything stops working.
>
> natd.conf file with the following in it:
>
> interface ed0
> deny_incoming no
> use_sockets yes
> same_ports yes
> redirect_port tcp 192.168.1.2:80 8080
>
> content of the rc.firewall file:
>
> # Allow TCP through if setup succeeded
> $fwcmd add pass tcp from any to any established
>
> # Allow setup of incoming email
> $fwcmd add pass tcp from any to ${oip} 25 setup
>
> # Allow access to our ftp server
> $fwcmd add pass tcp from any to ${oip} 21 setup
>
> # Allow access to our Telnet server
> $fwcmd add pass tcp from 63.194.21.189 to ${oip} 23 setup
>
> # Allow access to our DNS
> $fwcmd add pass tcp from any to ${oip} 53 setup
>
> # Allow access to our WWW
> $fwcmd add pass tcp from any to ${oip} 80 setup
>
> # Reject&Log all setup of incoming connections from the outside
> $fwcmd add deny log tcp from any to any in via ${oif} setup

Uhhh... This rule is going to be dropping your connections to port 8080
from the outside.

> # Allow setup of any other TCP connection
> $fwcmd add pass tcp from any to any setup
>
> # Allow DNS queries out in the world
> $fwcmd add pass udp from any 53 to ${oip}
> $fwcmd add pass udp from ${oip} to any 53
>
> # Allow NTP queries out in the world
> #$fwcmd add pass udp from any 123 to ${oip}
> #$fwcmd add pass udp from ${oip} to any 123
>
> # Everything else is denied as default.
>
> everything works great with:
> $fwcmd add 65000 pass all from any to any

You need to add a rule to pass those packets to your internal web server
before the rule indicated. Something like,

$fwcmd add pass tcp from any to ${www} 8080 setup

Where $www is the webserver, 192.168.1.2. (Note that for that to work
properly, it must appear after the NATd divert.)

-- 
Crist J. Clark                           cjclark@home.com
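The rule-ordering point in the reply, as an added example that is not part of the original thread: a small Python model of ipfw first-match evaluation with a natd divert, run against the quoted ruleset with and without a pass rule for the internal web server. It assumes a constructed outside address 203.0.113.1 for ${oip}, and follows natd's redirect_port semantics, under which a rule placed after the divert sees the translated destination 192.168.1.2:80 rather than ${oip}:8080.

```python
from collections import namedtuple

# Added example (not code from the thread): a first-match model of ipfw
# evaluation with a natd divert. It shows why the quoted ruleset drops
# inbound port-8080 SYNs and why the fix must sit after the divert rule.
OIP = "203.0.113.1"   # constructed stand-in for ${oip}, the outside address
OIF = "ed0"           # outside interface from the question
WWW = "192.168.1.2"   # internal web server from the question
# natd.conf "redirect_port tcp 192.168.1.2:80 8080": an inbound packet for
# OIP:8080 is rewritten to WWW:80 when it passes through the divert rule.
REDIRECT = {("tcp", OIP, 8080): (WWW, 80)}

# Fields mirror the ipfw keywords in the question: proto, dst, dst port,
# "setup", "in", "via <iface>".
Rule = namedtuple("Rule", "action proto dst dport setup inbound via",
                  defaults=(None, False, False, None))

def matches(rule, pkt):
    return (rule.proto in ("all", pkt["proto"])
            and rule.dst in ("any", pkt["dst"])
            and rule.dport in (None, pkt["dport"])
            and (not rule.setup or pkt["setup"])
            and (not rule.inbound or pkt["direction"] == "in")
            and rule.via in (None, pkt["iface"]))

def evaluate(rules, pkt):
    """First matching pass/deny wins; a divert rewrites the packet and
    evaluation continues with the next rule, as ipfw does with natd."""
    pkt = dict(pkt)
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            key = (pkt["proto"], pkt["dst"], pkt["dport"])
            if pkt["direction"] == "in" and key in REDIRECT:
                pkt["dst"], pkt["dport"] = REDIRECT[key]
            continue
        return rule.action
    return "deny"   # "Everything else is denied as default."

DIVERT = Rule("divert", "all", "any", via=OIF)
DENY_SETUP = Rule("deny", "tcp", "any", setup=True, inbound=True, via=OIF)
PASS_WWW = Rule("pass", "tcp", WWW, 80, setup=True)   # translated destination
QUOTED = [DIVERT, Rule("pass", "tcp", OIP, 25, setup=True),
          Rule("pass", "tcp", OIP, 80, setup=True), DENY_SETUP,
          Rule("pass", "tcp", "any", setup=True)]
FIXED = QUOTED[:3] + [PASS_WWW] + QUOTED[3:]   # pass rule after the divert
MISPLACED = [PASS_WWW] + QUOTED                 # pass rule before the divert
SYN_8080 = {"proto": "tcp", "dst": OIP, "dport": 8080, "setup": True,
            "direction": "in", "iface": OIF}
```

Evaluating SYN_8080 against QUOTED ends at DENY_SETUP, against FIXED at PASS_WWW, and against MISPLACED back at DENY_SETUP, because the pass rule placed before the divert never sees the translated address.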