From owner-freebsd-questions@FreeBSD.ORG Tue Oct 14 18:31:30 2008
Message-ID: <184b087c0810141105o657af770l5d0535c19fab059d@mail.gmail.com>
Date: Tue, 14 Oct 2008 14:05:44 -0400
From: "Chen Xu" <xuchen66@gmail.com>
To: freebsd-questions@freebsd.org
Subject: no access to web server behind ipfw
Dear All,

I think I need help from the group. The situation is kind of simple, but I cannot get it to work for me. I want to access a web server behind the firewall/gateway:

191.168.1.1 (firewall/gateway/natd)
192.168.1.10 (internal web server)

191.168.1.1 has this info.
=========
FreeBSD 5.3-RELEASE-p26

Kernel compiled with the following lines:
----
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPDIVERT

rc.conf has these lines:
-----
# Add stuff for firewall - ipfw
firewall_enable="YES"
firewall_type="OPEN"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
gateway_enable="YES"
# Enable natd.
natd_enable="YES"
natd_interface="fxp0"
#natd_flags="-dynamic -m" # preserve port numbers if possible
natd_flags="-f /etc/natd.conf" # preserve port numbers if possible

/etc/natd.conf
----
port 8668
interface fxp0
redirect_port tcp 192.168.1.10:80 80

/etc/ipfw.rules
----
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 500"
pif=fxp0
ks="keep-state"
good_tcpo="22"
ipfw -q -f flush
$cmd 002 allow all from any to any via em0 # exclude LAN traffic
$cmd 003 allow all from any to any via lo0 # exclude loopback traffic
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state
# Authorized outbound packets
$cmd 120 $skip udp from any to x.x.x.11 53 out via $pif $ks
$cmd 121 $skip udp from any to x.x.x.12 53 out via $pif $ks
## --> block only one PC running windows (192.168.1.2)
$cmd 123 deny tcp from 192.168.1.2 to any 80 out via $pif
$cmd 124 $skip tcp from any to any 80 out via $pif setup $ks
# $cmd 129 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks
# root can do cvsup etc. like a GOD
$cmd 140 allow tcp from me to any out via $pif $ks uid root
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
# Authorized inbound packets
$cmd 421 allow tcp from any to 192.168.1.10 80 in via $pif setup limit src-addr 5
$cmd 450 deny log ip from any to any
# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
######################## end of rules ##################

Apparently rule 421 is not enough to access the web server 192.168.1.10 at port 80. I need help here.

Thanks,
Chen
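Added here as an illustration, not code from the mail or from ipfw: a small Python model of rules 100, 101, 421, 450, 500 and 510 from the script above (rule 002 on em0 and the other rules are left out, and natd is reduced to the one redirect_port line plus source NAT). It reproduces ipfw's documented check-state behaviour, that a dynamic-rule hit executes the action of the rule that created the entry, so the web server's reply to a connection admitted by rule 421 is allowed at rule 101 and never reaches the outbound divert at rule 500, whereas the same walk with skipto 500 as rule 421's action sends the reply through natd. The addresses 203.0.113.1 (public side of fxp0) and 198.51.100.7 (outside client) are constructed placeholders.

```python
from collections import namedtuple

PUB, SRV, CLIENT = "203.0.113.1", "192.168.1.10", "198.51.100.7"  # PUB/CLIENT constructed
Pkt = namedtuple("Pkt", "src dst dport out")  # out: True = leaving fxp0, False = arriving on fxp0

def natd(p):
    """Toy natd: 'redirect_port tcp 192.168.1.10:80 80' inbound, source NAT outbound."""
    if not p.out and p.dst == PUB and p.dport == 80:
        return p._replace(dst=SRV)
    if p.out and p.src == SRV:
        return p._replace(src=PUB)
    return p

def ruleset(rule421_action):
    # Abridged rules as (number, action, match); rule421_action is "allow" or "skipto"
    return [
        (100, "divert", lambda p: not p.out),            # divert natd ... in via fxp0
        (101, "check-state", lambda p: True),
        (421, rule421_action, lambda p: not p.out and p.dst == SRV and p.dport == 80),
        (450, "deny", lambda p: True),
        (500, "divert", lambda p: p.out),                # divert natd ... out via fxp0
        (510, "allow", lambda p: True),
    ]

def walk(rules, p, state):
    """Evaluate p in rule order; state maps a flow to the action of the rule that created it."""
    i = 0
    while i < len(rules):
        num, action, match = rules[i]
        if action == "check-state":  # ipfw(8): a hit runs the action of the creating rule
            action = state.get((p.src, p.dst)) or state.get((p.dst, p.src))
        elif not match(p):
            action = None
        if num == 421 and action:                        # 'limit src-addr 5' keeps state
            state[(p.src, p.dst)] = action
        if action is None:
            i += 1
        elif action == "divert":                         # natd rewrites, packet re-enters
            p, i = natd(p), i + 1
        elif action == "skipto":
            i = next(k for k, r in enumerate(rules) if r[0] >= 500)
        else:
            return action, p
    return "deny", p

def reply_source(rule421_action):
    """Client SYN in, then the server's reply out; return (verdict, source the client sees)."""
    state, rules = {}, ruleset(rule421_action)
    walk(rules, Pkt(CLIENT, PUB, 80, out=False), state)
    verdict, reply = walk(rules, Pkt(SRV, CLIENT, 51000, out=True), state)
    return verdict, reply.src
```

With "allow" the reply leaves carrying 192.168.1.10 as its source, which the outside client cannot match to its connection; with "skipto" it is rewritten to the public address at rule 500.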