From: "E. Michael" <emichael@mail3d.co.uk>
Date: Tue, 11 Jul 2000 23:27:32 +0000
To: freebsd-questions@FreeBSD.ORG
Subject: ipfw/nat problem::dynamic ip
Message-ID: <396BAD64.7382BBB4@mail3d.co.uk>

Hi,

The scenario is the following:

The gateway's IP is 192.168.110.1. The outside interface (modem) is tun0, using a dynamic IP.

The natd runs with:

    -n tun0 -use_sockets -same_ports -dynamic

and I dial with:

    ppp -ddial ISP

The ipfw ruleset is very simple:

    00050 divert 8668 ip from any to any via tun0
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    65000 allow ip from any to any
    65535 deny ip from any to any

With this setup any host of my network can see the outside world. What I am trying to do, without success, is to block port 110 of my gateway from the outside world. I tried adding the following two rules:

    ipfw add 1000 deny tcp from any to 192.168.110.1 110 via tun0
    ipfw add 1010 deny tcp from 192.168.110.1 110 to any via tun0

Unfortunately, this does not prevent an external host from connecting to port 110.
Here is some output from natd when I ping yahoo from 192.168.110.10:

    Out [UDP]  [UDP] 192.168.110.10:1045 -> 212.67.128.102:53 aliased to
               [UDP] 212.67.145.58:1045 -> 212.67.128.102:53
    In  [UDP]  [UDP] 212.67.128.102:53 -> 212.67.145.58:1045 aliased to
               [UDP] 212.67.128.102:53 -> 192.168.110.10:1045
    Out [ICMP] [ICMP] 192.168.110.10 -> 216.32.74.55 8(0) aliased to
               [ICMP] 212.67.145.58 -> 216.32.74.55 8(0)
    In  [ICMP] [ICMP] 216.32.74.55 -> 212.67.145.58 0(0) aliased to
               [ICMP] 216.32.74.55 -> 192.168.110.10 0(0)

(it seems ok to me)

and when I ping yahoo from 192.168.110.1:

    Out [UDP]  [UDP] 212.67.145.58:1056 -> 212.67.128.102:53 aliased to
               [UDP] 212.67.145.58:1056 -> 212.67.128.102:53
    In  [UDP]  [UDP] 212.67.128.102:53 -> 212.67.145.58:1056 aliased to
               [UDP] 212.67.128.102:53 -> 212.67.145.58:1056
    Out [ICMP] [ICMP] 212.67.145.58 -> 216.32.74.50 8(0) aliased to
               [ICMP] 212.67.145.58 -> 216.32.74.50 8(0)
    In  [ICMP] [ICMP] 216.32.74.50 -> 212.67.145.58 0(0) aliased to
               [ICMP] 216.32.74.50 -> 212.67.145.58 0(0)
                                      ^^^^^^^^^^^^^
                                      Shouldn't it be 192.168.110.1?

What am I doing wrong? Am I missing anything?

Thank you in advance for any help.

--
! EMichael !
! @ !
! mail3d.co.uk !

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
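As an added illustration (not code from the original post), the toy model below walks the ruleset above the way ipfw does and shows which rule a packet on tun0 hits. It assumes that natd leaves a packet addressed to the tun0 address itself unchanged when no redirect_port is configured, that the tun0 address is the 212.67.145.58 seen in the log, and that ipfw's `me` keyword matches any address configured on the box; the outside client address is constructed.

```python
from dataclasses import dataclass

GATEWAY_LAN = "192.168.110.1"
TUN0_ADDR = "212.67.145.58"                      # dynamic address from the natd log
LOCAL_ADDRS = {GATEWAY_LAN, TUN0_ADDR, "127.0.0.1"}  # what ipfw's "me" stands for

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str

def matches(rule, pkt):
    """rule = (number, action, proto, src, dst, dport, iface); None is a wildcard."""
    _, _, proto, src, dst, dport, iface = rule
    def addr_ok(want, have):
        return want is None or want == have or (want == "me" and have in LOCAL_ADDRS)
    return (proto in ("ip", pkt.proto) and addr_ok(src, pkt.src)
            and addr_ok(dst, pkt.dst) and (dport is None or dport == pkt.dport)
            and (iface is None or iface == pkt.iface))

def first_match(rules, pkt):
    """Return (number, action) of the first terminal rule that matches, in rule order."""
    for rule in sorted(rules):
        if rule[1] == "divert":   # natd hands the packet back; evaluation continues
            continue
        if matches(rule, pkt):
            return rule[0], rule[1]
    return 65535, "deny"          # implicit default rule

BASE = [(50, "divert", "ip", None, None, None, "tun0"),
        (100, "allow", "ip", None, None, None, "lo0"),
        (65000, "allow", "ip", None, None, None, None)]
# The posted rule names the LAN address, which never appears on tun0:
# the gateway's own traffic on tun0 carries the tun0 address, as the log shows.
POSTED = BASE + [(1000, "deny", "tcp", None, GATEWAY_LAN, 110, "tun0")]
# The same rule keyed on "me" matches whatever address tun0 currently holds.
WITH_ME = BASE + [(1000, "deny", "tcp", None, "me", 110, "tun0")]

# Constructed inbound POP3 connection attempt from an outside host (after natd).
INBOUND_POP3 = Packet("tcp", "203.0.113.9", TUN0_ADDR, 110, "tun0")
# Constructed outbound POP3 fetch from a LAN client, already aliased by natd.
LAN_CLIENT_POP3 = Packet("tcp", TUN0_ADDR, "212.67.128.102", 110, "tun0")

if __name__ == "__main__":
    print("posted ruleset, inbound to gateway:110 ->", first_match(POSTED, INBOUND_POP3))
    print("'me' ruleset,   inbound to gateway:110 ->", first_match(WITH_ME, INBOUND_POP3))
    print("'me' ruleset,   LAN client to outside:110 ->", first_match(WITH_ME, LAN_CLIENT_POP3))
```

The model only reproduces the address-matching behaviour relevant to this ruleset; it does not model stateful rules or natd redirects.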