From: Alex de Kruijff
Reply-To: freebsd@akruijff.dds.nl
Date: Wed, 05 Oct 2005 04:32:52 +0200
To: Ertan Kucukoglu
Cc: questions@freebsd.org
Subject: Re: help needed for ipfw rules
Message-id: <20051005023252.GB740@Alex.lan>
In-reply-to: <43380504.5080106@ozlerplastik.com>
List-Id: User questions (freebsd-questions@freebsd.org)

On Mon, Sep 26, 2005 at 05:26:12PM +0300, Ertan Kucukoglu wrote:
> Hi,
>
> I have a problem blocking foreign intruders for specific ports in ipfw.
>
> One of my friends has 4.X-Stable running in production for proxy,
> e-mail, virus etc. The server also has natd and ipfw installed on it. We
> have the following rule set.
> -----
> 00050 2132 1212881 divert 8668 ip from any to any via dc1
> 00100 1078 4537400 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00400 0 0 allow tcp from 192.168.0.0/24 to me 23
> 00500 0 0 deny tcp from 192.168.0.69 to me 1863
> 00550 0 0 deny tcp from 192.168.0.63 to me 1863
> 00600 0 0 deny tcp from 192.168.0.69 to me 80
> 00650 0 0 deny tcp from 192.168.0.63 to me 80
> 01000 0 0 allow tcp from 192.168.0.0/16 to me 21
> 01010 0 0 deny tcp from any to me 21
> 01100 0 0 allow tcp from 212.58.X.X to me 1433 via dc1 (IP intentionally hidden)
> 01110 0 0 deny tcp from any to me 1433 via dc1
> 65000 5467 3180867 allow ip from any to any
> 65535 4654 322885 deny ip from any to any
> -----
>
> Natd is diverting port 1433 to an internal machine.
>
> When I try from a different IP address on the Internet than 212.58.x.x,
> I can easily connect to the redirected server's port 1433.
>
> I'm sure that I'm missing something, but I cannot recognize what it is
> at the moment. Any help will be appreciated.
>
> Regards,

You're forgetting that natd changes the destination IP address, so that it is no longer "me". Try putting the block rule before the divert. This is also good for performance.

--
Alex

Please copy the original recipients, otherwise I may not read your reply.

Howto's based on my personal use, including information about setting up a firewall and creating traffic graphs with MRTG
http://www.kruijff.org/alex/FreeBSD/
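To make the reply's point concrete, here is an added Python model of ipfw rule evaluation (not code from the thread or from FreeBSD): a matching divert rule lets natd rewrite the destination, so a later "to me 1433" rule never matches, while a block rule placed ahead of the divert still sees the packet addressed to "me". It goes one step beyond the reply by using a negated source on that block rule, so the one permitted host still flows on to natd; all addresses below are constructed placeholders, not values from the thread.

```python
import ipaddress

# Constructed values (not from the thread): 198.51.100.1 stands in for the
# server's redacted public address on dc1, 203.0.113.200 for the one host
# allowed on 1433, 192.168.0.10 for the internal box natd redirects 1433 to.
ME = {"198.51.100.1", "192.168.0.1"}          # what ipfw matches as "me"
NATD_REDIRECT = {("198.51.100.1", 1433): ("192.168.0.10", 1433)}
ALLOWED_SRC = "203.0.113.200"

def match_addr(spec, addr):
    """ipfw address spec: any, me, a host/CIDR, or 'not <spec>'."""
    if spec.startswith("not "):
        return not match_addr(spec[4:], addr)
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def rule(num, action, src, dst, dport=None, via=None):
    return {"num": num, "action": action, "src": src, "dst": dst,
            "dport": dport, "via": via}

def rule_matches(r, pkt):
    return (r["via"] in (None, pkt["via"]) and r["dport"] in (None, pkt["dport"])
            and match_addr(r["src"], pkt["src"]) and match_addr(r["dst"], pkt["dst"]))

def run_ipfw(rules, pkt):
    """Walk rules in order; a matching divert lets natd rewrite the destination
    and ipfw resumes at the next rule. Returns (verdict, final destination)."""
    pkt = dict(pkt)
    for r in rules:
        if not rule_matches(r, pkt):
            continue
        if r["action"] == "divert":
            key = (pkt["dst"], pkt["dport"])
            pkt["dst"], pkt["dport"] = NATD_REDIRECT.get(key, key)
            continue
        return r["action"], pkt["dst"]
    return "deny", pkt["dst"]                     # implicit rule 65535

ORIGINAL = [  # the thread's order: divert first, "to me 1433" rules later
    rule(50, "divert", "any", "any", via="dc1"),
    rule(1100, "allow", ALLOWED_SRC, "me", dport=1433, via="dc1"),
    rule(1110, "deny", "any", "me", dport=1433, via="dc1"),
    rule(65000, "allow", "any", "any"),
]
FIXED = [  # block before the divert; negated source keeps the allowed host on natd
    rule(45, "deny", "not " + ALLOWED_SRC, "me", dport=1433, via="dc1"),
    rule(50, "divert", "any", "any", via="dc1"),
    rule(65000, "allow", "any", "any"),
]
INTRUDER = {"src": "203.0.113.5", "dst": "198.51.100.1", "dport": 1433, "via": "dc1"}
FRIEND = dict(INTRUDER, src=ALLOWED_SRC)
```

With the original order, `run_ipfw(ORIGINAL, INTRUDER)` returns an allow with the destination already rewritten to 192.168.0.10, which is exactly why rule 01110 never fires; with the block moved ahead of the divert the same packet is denied while the permitted host is still redirected.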