Date:      Thu, 17 Sep 2009 10:14:15 -0400
From:      Robert Huff <roberthuff@rcn.com>
To:        questions@freebsd.org
Subject:   ipfw + NAT doesn't work
Message-ID:  <19122.17463.670129.782291@jerusalem.litteratus.org>


	I have a machine running

FreeBSD 9.0-CURRENT #3: Tue Sep 15 18:49:58 EDT 2009 amd64 

	It has this in the config file for the running kernel:

options  IPFIREWALL              #firewall
options  IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
options  IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options  IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
options  IPFIREWALL_NAT          #ipfw kernel nat support
options  LIBALIAS 

	It (10.0.0.1) connects correctly to another machine (10.0.0.3);
I know because .3 mounts one of .1's disks using Samba.
	With the ipfw rules appended below, I can't NAT, nor should I
be able to.  ("em0" faces the Internet; "em1" faces the other
machine.)
	However: using these I still can't get through

ipfw add 5000 nat 15 all from any to any
ipfw nat 15 config log same_ports ip 10.0.0.0/8

	Have I forgotten something?  Or misunderstood something?
	If not ... how do I figure out what's wrong?

	Respectfully,


				Robert Huff



00100  3830   864746 allow ip from any to any via lo0
00200     0        0 deny ip from any to 127.0.0.0/8
00300     0        0 deny ip from 127.0.0.0/8 to any
00350   110    42464 allow udp from any 67-68 to any dst-port 67-68
00600     0        0 allow ip6 from any to any via lo0
00610     0        0 deny ip6 from any to ::1
00620     0        0 deny ip6 from ::1 to any
00630     3      256 allow ip6 from :: to ff02::/16 proto ipv6-icmp
00640     0        0 allow ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
00650     4      304 allow ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
00660     0        0 allow ip6 from 2001:db8:2:1::1 to 2001:db8:2:1::/64
00670     0        0 allow ip6 from 2001:db8:2:1::/64 to 2001:db8:2:1::1
00680     0        0 allow ip6 from fe80::/10 to ff02::/16
00690     0        0 allow ip6 from 2001:db8:2:1::/64 to ff02::/16
00700     0        0 allow ip6 from any to any established proto tcp
00710     0        0 allow ip6 from any to any frag
00720     0        0 allow ip6 from any to 2001:db8:2:1::1 dst-port 25 setup proto tcp
00730     0        0 allow ip6 from 2001:db8:2:1::1 to any setup proto tcp
00740     0        0 deny ip6 from any to any setup proto tcp
00750     0        0 allow ip6 from any 53 to 2001:db8:2:1::1 proto udp
00760     0        0 allow ip6 from 2001:db8:2:1::1 to any dst-port 53 proto udp
00770     0        0 allow ip6 from any 123 to 2001:db8:2:1::1 proto udp
00780     0        0 allow ip6 from 2001:db8:2:1::1 to any dst-port 123 proto udp
00790     0        0 allow ip6 from any to any ip6 icmp6types 1 proto ipv6-icmp
00800     0        0 allow ip6 from any to any ip6 icmp6types 2,135,136 proto ipv6-icmp
06000     0        0 deny log logamount 100 tcp from any to any dst-port 137 in via em0
06050    32     3000 deny log logamount 100 udp from any to any dst-port 137 in via em0
06100     0        0 deny log logamount 100 tcp from any to any dst-port 138 in via em0
06150    15     3465 deny log logamount 100 udp from any to any dst-port 138 in via em0
06200     0        0 deny log logamount 100 tcp from any to any dst-port 139 in via em0
06250     0        0 deny log logamount 100 udp from any to any dst-port 139 in via em0
07000     0        0 deny log logamount 100 tcp from any to any dst-port 111 in via em0
07050     0        0 deny log logamount 100 udp from any to any dst-port 111 in via em0
07100     0        0 deny log logamount 100 tcp from any to any dst-port 530 in via em0
07150     0        0 deny log logamount 100 udp from any to any dst-port 530 in via em0
07200     0        0 deny log logamount 100 tcp from any to any dst-port 161 in recv em0
07225     0        0 deny log logamount 100 udp from any to any dst-port 161 in recv em0
07250     0        0 deny log logamount 100 tcp from any to any dst-port 162 in recv em0
07275     0        0 deny log logamount 100 udp from any to any dst-port 162 in recv em0
07300     0        0 deny log logamount 100 tcp from any to any dst-port 194
07310     0        0 deny log logamount 100 udp from any to any dst-port 194
07320     0        0 deny log logamount 100 tcp from any to any dst-port 529
07330     0        0 deny log logamount 100 udp from any to any dst-port 529
07340     0        0 deny log logamount 100 tcp from any to any dst-port 994
07350     0        0 deny log logamount 100 udp from any to any dst-port 994
07360     0        0 deny log logamount 100 tcp from any to any dst-port 6667
07370     0        0 deny log logamount 100 udp from any to any dst-port 6667
10000 45012 38961511 allow tcp from any to any established
10100  1452   112487 allow ip from any to any out via em0
10200     0        0 allow tcp from 10.0.0.0/8 to any dst-port 80
10300     0        0 allow tcp from any 80 to any dst-port 1024-65535 via em0
10400     0        0 allow tcp from any 443 to any dst-port 1024-65535 via em0
10500     0        0 deny log logamount 100 tcp from any 1024-65535 to any dst-port 80 via em0
10600     0        0 deny log logamount 100 tcp from any 1024-65535 to any dst-port 443 via em0
65000  1548   325720 allow ip from any to any
65535    20     2383 allow ip from any to any
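The question above asks how to figure out why kernel NAT is not translating anything. Two things a practitioner checks first are the per-rule packet counters from `ipfw -a list` (which rules actually see traffic, and whether an `allow` rule numbered below the nat rule accepts outbound packets before they reach it, since ipfw evaluates rules in ascending order and by default stops at the first match) and the arguments of the `ipfw nat N config` command (its `ip` keyword takes the single aliasing address that packets are rewritten to, normally the external interface's own address). The following audit script is an added example written for this page, not code from the poster or from FreeBSD; the listing it parses is a constructed subset in the shape of the post's `ipfw -a list` output, the rule number 5000 and interface `em0` are taken from the post, and the 203.0.113.5 address is a made-up placeholder for an external address.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the shape of `ipfw -a list` output:
# rule number, packet counter, byte counter, rule body.
SAMPLE_LISTING = """\
00100  3830   864746 allow ip from any to any via lo0
00200     0        0 deny ip from any to 127.0.0.0/8
00300     0        0 deny ip from 127.0.0.0/8 to any
06050    32     3000 deny log logamount 100 udp from any to any dst-port 137 in via em0
10000 45012 38961511 allow tcp from any to any established
10100  1452   112487 allow ip from any to any out via em0
10200     0        0 allow tcp from 10.0.0.0/8 to any dst-port 80
65000  1548   325720 allow ip from any to any
65535    20     2383 allow ip from any to any
"""

RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")


@dataclass
class Rule:
    number: int
    packets: int
    bytes: int
    body: str


def parse_listing(text):
    """Parse `ipfw -a list` lines; lines that do not fit the shape are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4]))
    return sorted(rules, key=lambda r: r.number)


def idle_rules(rules):
    """Numbers of rules whose packet counter never moved: they saw no traffic."""
    return [r.number for r in rules if r.packets == 0]


def accepts_untranslated_before_nat(rules, nat_rule_number, ext_if):
    """Rules are evaluated in ascending number order and, with the default
    net.inet.ip.fw.one_pass=1, evaluation stops at the first match.  Any
    `allow` rule numbered below the nat rule that accepts traffic leaving
    ext_if, or accepts everything unconditionally, passes packets out
    untranslated.  Returns the offending rule numbers."""
    hits = []
    for r in rules:
        if r.number >= nat_rule_number or not r.body.startswith("allow"):
            continue
        if (f"out via {ext_if}" in r.body
                or f"xmit {ext_if}" in r.body
                or r.body == "allow ip from any to any"):
            hits.append(r.number)
    return hits


NAT_CONFIG_RE = re.compile(r"^ipfw nat (\d+) config\b(.*)$")


def check_nat_alias_address(nat_config_cmd, inside_net):
    """Validate the `ip` argument of an `ipfw nat N config ...` command.
    `ip` names the single aliasing address that packets are rewritten to,
    i.e. the external interface's address, so it must be a host address and
    must not lie inside the network being translated.  Returns a list of
    problems, empty when the command looks sane."""
    m = NAT_CONFIG_RE.match(nat_config_cmd.strip())
    if not m:
        return ["not an `ipfw nat <n> config` command"]
    tokens = m[2].split()
    if "ip" not in tokens or tokens.index("ip") + 1 >= len(tokens):
        return ["no `ip` aliasing address given"]
    value = tokens[tokens.index("ip") + 1]
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return [f"`ip {value}` is not a single host address"]
    if addr in ipaddress.ip_network(inside_net):
        return [f"aliasing address {addr} lies inside {inside_net}; "
                "it should be the external interface's address"]
    return []


if __name__ == "__main__":
    rules = parse_listing(SAMPLE_LISTING)
    print("rules with zero hits:", idle_rules(rules))
    print("allow rules ahead of nat 5000 on em0:",
          accepts_untranslated_before_nat(rules, 5000, "em0"))
    for cmd in ("ipfw nat 15 config log same_ports ip 10.0.0.0/8",
                "ipfw nat 15 config log same_ports ip 203.0.113.5"):
        print(cmd, "->", check_nat_alias_address(cmd, "10.0.0.0/8") or "ok")
```

Run it against a real `ipfw -a list` capture by replacing `SAMPLE_LISTING`; a nat rule whose own counter stays at zero while the outbound `allow` rules climb is the quickest sign that packets never reach it.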
