From: "James A. Coulter" <jacoulter@jacoulter.net>
Date: Mon, 17 Jan 2005 09:44:22 -0600
To: pwd8jmr22w@me.point.ne.jp
Cc: Questions-ML FreeBSD <freebsd-questions@freebsd.org>
Subject: Re: IPFW - How to allow NAT client to CVSup
Message-ID: <41EBDD56.8000300@jacoulter.net>
In-Reply-To: <41EC2D5F.8060705@me.point.ne.jp>

Srot BULL wrote:
> Hi to everyone,
>
> I have 2 FreeBSD machines both running FreeBSD Stable 5.3 and both have
> ipfw as firewalls...
> One is running ipfw with NAT functions. Below are the rulesets
> for the machine:
< -- snip rulesets -->
> As you can see I am using the rulesets that are found in the Handbook.
> I have tried
> $CMD 00070 $SKIP tcp from me to any out via $INIC setup $KS uid root
> but still no go
> $CMD 00070 $SKIP tcp from me to any 5999 out via $INIC setup $KS
> but still no go
>
> Can anybody share their ipfw rulesets with me? To allow my other PC to
> cvsup...
> Thanks in advance...
>
> Srot BULL
> _______________________________________________

I also had problems using a similar "stateful" ruleset with IPFW & NAT.
As I understand it, a stateful ruleset will not allow passive ftp
connections from machines behind the firewall (although I was able to
establish passive ftp from my gateway/router/firewall machine itself).
This problem is documented in the mailing lists if you want to research
it. I ended up changing to a much simpler, non-stateful ruleset on my
gateway/router/firewall machine:

#!/bin/sh
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="dc1"       # public interface name of Nic card
                # facing the public internet

# dc0 is the internal (LAN) interface: pass everything on it
$cmd 005 allow all from any to any via dc0
# hand packets on the public interface to natd; evaluation resumes
# at the next rule once natd reinjects them
$cmd 050 divert natd ip from any to any via $pif
# loopback traffic, and refuse loopback addresses on the wire
$cmd 100 allow ip from any to any via lo0
$cmd 200 deny ip from any to 127.0.0.0/8
$cmd 300 deny ip from 127.0.0.0/8 to any
$cmd 65000 allow ip from any to any
$cmd 65535 deny log ip from any to any

This ruleset allows me to establish passive ftp from any machine behind
the firewall, including accomplishing CVSUP. So far I haven't had any
problems with security.

HTH

Jim Coulter
-- 
James A. Coulter
jacoulter@jacoulter.net
http://jacoulter.net
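An added example, not part of the thread: a small Python checker that parses a constructed copy of the gateway ruleset above (the `$cmd NUM action [log] proto from src to dst [options]` form the script uses) and reports which rules a packet can still reach. It treats divert as pass-through (natd reinjects the packet and evaluation continues at the next rule) and skips the non-rule lines; on this ruleset the catch-all allow at 65000 decides every packet the earlier rules did not, so the logging deny at 65535 never matches and only the loopback rules actually filter anything.

```python
import re

# Constructed copy of the gateway ruleset posted in the reply above.
RULESET = """\
cmd="ipfw -q add"
pif="dc1"
$cmd 005 allow all from any to any via dc0
$cmd 050 divert natd ip from any to any via $pif
$cmd 100 allow ip from any to any via lo0
$cmd 200 deny ip from any to 127.0.0.0/8
$cmd 300 deny ip from 127.0.0.0/8 to any
$cmd 65000 allow ip from any to any
$cmd 65535 deny log ip from any to any
"""

# "$cmd NUM ACTION [log] PROTO from SRC to DST [options]", the shape used in the script.
RULE_RE = re.compile(
    r"^\$cmd\s+(?P<num>\d+)\s+(?P<action>allow|deny|divert\s+\S+)\s+(?:log\s+)?"
    r"(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<opts>.*)$"
)
# allow/deny end the search; divert hands the packet to natd and, once it is
# reinjected, evaluation continues at the rule after the divert.
TERMINAL = ("allow", "deny")

def parse_rules(text):
    """Return the rules in the order ipfw evaluates them (ascending number)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["num"] = int(rule["num"])
            rule["opts"] = rule["opts"].split()  # e.g. ["via", "dc0"]
            rules.append(rule)
    return sorted(rules, key=lambda r: r["num"])

def is_catch_all(rule):
    """True when the rule matches every packet: any protocol, any addresses, no options."""
    return (rule["proto"] in ("ip", "all") and rule["src"] == "any"
            and rule["dst"] == "any" and not rule["opts"])

def analyse(rules):
    """Return (default fate, shadowed rule numbers). The first terminal catch-all
    decides every packet no earlier rule took, so rules after it can never match;
    without one, ipfw's own default rule (deny) applies."""
    for i, rule in enumerate(rules):
        if rule["action"] in TERMINAL and is_catch_all(rule):
            return rule["action"], [r["num"] for r in rules[i + 1:]]
    return "deny", []
```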