Date: Tue, 11 Jul 2000 22:10:47 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: "E. Michael" <emichael@mail3d.co.uk>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw/nat problem::dynamic ip
Message-ID: <20000711221047.A523@dialin-client.earthlink.net>
In-Reply-To: <396BAD64.7382BBB4@mail3d.co.uk>; from emichael@mail3d.co.uk on Tue, Jul 11, 2000 at 11:27:32PM +0000
References: <396BAD64.7382BBB4@mail3d.co.uk>
On Tue, Jul 11, 2000 at 11:27:32PM +0000, E. Michael wrote:
> Hi,
>
> The scenario is the following:
>
> The gateway's IP is 192.168.110.1:
> The outside interface (modem) is the tun0 using dynamic IP.
> The natd runs with:
> -n tun0 -use_sockets -same_ports -dynamic
> and I dial with:
> ppp -ddial ISP
>
> The ipfw ruleset is very simple:
>
> 00050 divert 8668 ip from any to any via tun0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> With this setup any host of my network can see the outside world. What I
> am trying to do without success is to block the port 110 of my gateway
> for the outside world.
> I try by adding the following two rules:
> ipfw add 1000 deny tcp from any to 192.168.110.1 110 via tun0
> ipfw add 1010 deny tcp from 192.168.110.1 110 to any via tun0
> Unfortunately, this does not prevent an external host from connecting to
> the port 110.

The external hosts are trying to connect to the address on the tun0
interface, not the internal one.
> Here is some output from natd when I ping yahoo from 192.168.110.10
> Out [UDP] [UDP] 192.168.110.10:1045 -> 212.67.128.102:53 aliased to
> [UDP] 212.67.145.58:1045 -> 212.67.128.102:53
> In [UDP] [UDP] 212.67.128.102:53 -> 212.67.145.58:1045 aliased to
> [UDP] 212.67.128.102:53 -> 192.168.110.10:1045
> Out [ICMP] [ICMP] 192.168.110.10 -> 216.32.74.55 8(0) aliased to
> [ICMP] 212.67.145.58 -> 216.32.74.55 8(0)
> In [ICMP] [ICMP] 216.32.74.55 -> 212.67.145.58 0(0) aliased to
> [ICMP] 216.32.74.55 -> 192.168.110.10 0(0)
>
> (it seems ok for me)
>
> and when I ping yahoo from 192.168.110.1
> Out [UDP] [UDP] 212.67.145.58:1056 -> 212.67.128.102:53 aliased to
> [UDP] 212.67.145.58:1056 -> 212.67.128.102:53
> In [UDP] [UDP] 212.67.128.102:53 -> 212.67.145.58:1056 aliased to
> [UDP] 212.67.128.102:53 -> 212.67.145.58:1056
> Out [ICMP] [ICMP] 212.67.145.58 -> 216.32.74.50 8(0) aliased to
> [ICMP] 212.67.145.58 -> 216.32.74.50 8(0)
> In [ICMP] [ICMP] 216.32.74.50 -> 212.67.145.58 0(0) aliased to
> [ICMP] 216.32.74.50 -> 212.67.145.58 0(0)
>                        ^^^^^^^^^^^^^
> Shouldn't it be 192.168.110.1?

No. I would assume that 212.67.145.58 is the address of the tun0
interface. What does 192.168.110.1, the interior interface, have to do
with it?

> What am I doing wrong? Am I missing anything?

You just seem to be a little confused.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
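A small model of why the posted rule never fires, added here as an example and not part of the thread: it evaluates the ipfw ruleset first-match over constructed packets, with the tun0 address taken from the quoted natd log and the interior address from the post. The outside client address, the LAN interface name ed0, and the replacement rule `deny tcp from any to any 110 in via tun0` are assumptions of this example, not anything the thread states.

```python
# Added example: ipfw first-match evaluation for the thread's scenario.
# Constructed values: TUN0_ADDR is from the quoted natd log, LAN_ADDR from the
# post; the outside client address and the interface name ed0 are assumptions.
TUN0_ADDR = "212.67.145.58"
LAN_ADDR = "192.168.110.1"

def rule(num, action, proto="ip", src="any", sport=None, dst="any",
         dport=None, via=None, direction=None):
    return dict(num=num, action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, via=via, direction=direction)

def packet(proto, src, sport, dst, dport, iface, direction):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                iface=iface, direction=direction)

def matches(r, p):
    """One ipfw rule against one packet; 'any' and None are wildcards."""
    return (r["proto"] in ("ip", p["proto"])
            and r["src"] in ("any", p["src"])
            and (r["sport"] is None or r["sport"] == p["sport"])
            and r["dst"] in ("any", p["dst"])
            and (r["dport"] is None or r["dport"] == p["dport"])
            and (r["via"] is None or r["via"] == p["iface"])
            and (r["direction"] is None or r["direction"] == p["direction"]))

def verdict(rules, p):
    """Lowest-numbered matching rule decides (ipfw semantics). The divert rule
    is skipped here: natd hands a packet addressed to the gateway's own tun0
    address back unchanged, as the quoted log shows for 212.67.145.58."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if r["action"] != "divert" and matches(r, p):
            return r["num"], r["action"]
    raise AssertionError("ruleset has no default rule")

# The posted ruleset (the 127.0.0.0/8 rule is omitted: addresses are compared literally).
BASE = [rule(50, "divert", via="tun0"), rule(100, "allow", via="lo0"),
        rule(65000, "allow"), rule(65535, "deny")]
# Rules as posted: they name the interior address, which never appears on tun0.
POSTED = BASE + [rule(1000, "deny", "tcp", dst=LAN_ADDR, dport=110, via="tun0"),
                 rule(1010, "deny", "tcp", src=LAN_ADDR, sport=110, via="tun0")]
# Matching on direction and interface instead of the dynamic address (assumed fix):
#   ipfw add 1000 deny tcp from any to any 110 in via tun0
FIXED = BASE + [rule(1000, "deny", "tcp", dport=110, via="tun0", direction="in")]
# Outside host opening the gateway's POP3 port via the tun0 address (constructed).
OUTSIDE_SYN = packet("tcp", "198.51.100.7", 40000, TUN0_ADDR, 110, "tun0", "in")
# LAN host reaching the same service on the interior interface; should stay allowed.
LAN_SYN = packet("tcp", "192.168.110.10", 1045, LAN_ADDR, 110, "ed0", "in")

if __name__ == "__main__":
    print("posted rules:", verdict(POSTED, OUTSIDE_SYN))  # (65000, 'allow')
    print("fixed rules: ", verdict(FIXED, OUTSIDE_SYN))   # (1000, 'deny')
    print("LAN client:  ", verdict(FIXED, LAN_SYN))       # (65000, 'allow')
```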