Date:      Thu, 1 Aug 2002 15:18:09 -0500
From:      "Robert D Hughes" <rob@robhughes.com>
To:        <barbish@a1poweruser.com>
Cc:        "FBIPFW" <freebsd-ipfw@freebsd.org>
Subject:   RE: natd & keep-state
Message-ID:  <B95B566BD245174196CA4EE29E5818830D611A@HEXCH01.robhughes.com>


Setup and keep-state are in pretty much every rule. I think your issue is that you're trying to use in via/out via. Try just using via and see if that works. There are places to use those, but for general rules you just want to make sure a packet is passing through a particular interface. When that packet comes back, it still has to pass through that same interface, but will no longer match due to the "in" or "out" statements you've used. That's probably what's causing your rules to fail. Remember, ipfw goes until it hits a match, whether it's a pass or deny, then stops. If you recompiled your kernel with the DEFAULT_TO_ACCEPT option, you'd get gobs of packets matching on it.
 
And uh, that's why I do rules the way I do, because I tried it your way and it didn't work.
 
Sample rules:
 
        case ${natd_enable} in
        [Yy][Ee][Ss])
                if [ -n "${natd_interface}" ]; then
                        ${fwcmd} add divert natd all from any to any via ${natd_interface}
                fi
                ;;
        esac
 
        # Stop RFC1918 nets on the outside interface
        ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
        ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
        ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
        # Check state info and pass established traffic
        ${fwcmd} add check-state
 
        # Allow TCP through if setup succeeded
        ${fwcmd} add pass tcp from any to any established
 
        # Allow IP fragments to pass through
        ${fwcmd} add pass all from any to any frag

        ${fwcmd} add pass udp from any 67-68 to any 67-68 via ${oif}
 
        #SSH rules to firewall and others
        ${fwcmd} add pass tcp from any to me ssh setup keep-state in
        ${fwcmd} add pass tcp from any to me sftp setup keep-state in
        ${fwcmd} add pass tcp from any to ${manager2} ssh setup keep-state
        ${fwcmd} add pass tcp from any to ${manager2} sftp setup keep-state
 
        # Allow access to our DNS
        ${fwcmd} add pass tcp from any to me 53 keep-state setup in
        ${fwcmd} add pass udp from any to me 53 keep-state in
        ${fwcmd} add pass tcp from me 53 to any keep-state setup out
        ${fwcmd} add pass udp from me 53 to any keep-state out
        # Allow access to our WWW
        # Allow setup of incoming email
        ${fwcmd} add pass tcp from me to any 25 setup keep-state out
        ${fwcmd} add pass tcp from any to me 25 setup keep-state in
        ${fwcmd} add pass tcp from any to ${www1} 80 setup via ${oif}
        ${fwcmd} add pass tcp from any to ${www1} 443 setup
        ${fwcmd} add pass tcp from any to any 389 setup via any
 
        #Special section to allow demo access to the NNM system
        ${fwcmd} add pass tcp from any to ${www2} 8880 setup
        ${fwcmd} add pass tcp from any to ${www2} 2953 setup
        ${fwcmd} add pass tcp from any to ${www2} 2954 setup
 
And on and on for a total of around a hundred rules, both before and after this sample.

	-----Original Message----- 
	From: Joe & Fhe Barbish [mailto:barbish@a1poweruser.com] 
	Sent: Thu 8/1/2002 2:49 PM 
	To: Robert D Hughes 
	Cc: FBIPFW 
	Subject: RE: natd & keep-state
	
	

	Bob, thanks very much for your offer.
	
	If your rules file has keep-state rules in it, I would be interested in seeing it.
	
	The problem is natd with ipfw keep-state rules   not   ipfw with natd.
	
	This being the list where IPFW internals and design problems are talked over,
	I really want an experienced person like you to provide independent verification 
	that there is a bug in natd with ipfw keep-state rules.
	
	Just humor me and test the simple rules file I provided in my original post and
	make it work on your box.  I bet you can not get it to work. 
	
	I say there's a bug in natd and need help bringing it to light before this list group.
	
	Can you help in this effort?
	
	Thanks
	Joe
	
	-----Original Message-----
	From: owner-freebsd-ipfw@FreeBSD.ORG [mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of Robert D Hughes
	Sent: Thursday, August 01, 2002 2:45 PM
	To: FBIPFW
	Subject: RE: natd & keep-state
	
	-----Original Message-----
	From: Joe & Fhe Barbish [mailto:barbish@a1poweruser.com]
	Sent: Wed 7/31/2002 9:07 PM
	To: FBIPFW
	Cc:
	Subject: natd & keep-state
	
	
	
	        IPFW list members
	      
	        Advanced Stateful extensions were introduced in FBSD 4.0. When they
	        first came out I changed my ipfw rules from stateless and simple
	        stateful to using only Advanced Stateful rules for my user
	        ppp -nat ISP connection. The ipfw rule set that works with user
	      
	
	        It might help if you described in more detail what problems you're having. I'm running a rather more complex rule set that works fine using ipfw and natd, including port redirects, passive and active ftp, etc. Would you like to look at my rule set?
	
	        Rob
	
	
	



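The thread argues about how `via` versus `in via`/`out via`, keep-state/check-state and the natd divert rule interact, without either side showing a trace. The following is an added illustration written for this archive page, not code from Robert, Joe or FreeBSD: a small Python model of ipfw's first-match evaluation with a toy port-preserving natd. The addresses, ports, the interface name `xl0`, and the three rule layouts are constructed for the example; the model assumes a diverted packet re-enters the ruleset at the next rule (on a real box that requires `net.inet.ip.fw.one_pass=0`, which is worth checking before blaming natd), that a dynamic rule matches a flow in either direction, and that a dynamic hit executes the parent rule's action. The split-divert layout at the end (inbound divert before check-state, outbound divert reached via `skipto` after the keep-state rules) is one arrangement that keeps state keyed on the untranslated LAN address; it is the model's assumption, not something either poster proposed.

```python
"""Toy model of ipfw first-match evaluation: plain `via` versus `in via`/`out via`,
keep-state/check-state dynamic rules, `skipto`, and a natd-style divert rule.  Added
illustration, not ipfw or natd code; addresses, ports and interface are constructed."""
from dataclasses import dataclass, replace
from typing import Optional

@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str             # "in" or "out" relative to the firewall host
    iface: str                 # interface the packet traverses
    setup: bool = False        # TCP SYN without ACK
    established: bool = False  # ACK or RST set

@dataclass
class Rule:
    num: int
    action: str                      # pass, deny, check-state, divert, skipto
    dport: Optional[int] = None
    direction: Optional[str] = None  # None = plain `via`, matches either way
    iface: Optional[str] = None      # None = no interface restriction
    setup: bool = False
    established: bool = False
    keep_state: bool = False
    target: int = 0                  # skipto destination

class Natd:   # minimal natd: one public address, port-preserving, no collision handling
    def __init__(self, public_ip):
        self.public_ip, self.table = public_ip, {}
    def translate(self, p):
        if p.direction == "out":
            self.table[p.sport] = p.src            # remember which LAN host owns the port
            return replace(p, src=self.public_ip)
        priv = self.table.get(p.dport)
        return replace(p, dst=priv) if priv else p

def flow(p):                                       # one state entry serves both directions
    return frozenset([(p.src, p.sport), (p.dst, p.dport)])

class Ipfw:
    def __init__(self, rules, natd):
        self.rules, self.natd, self.dynamic = sorted(rules, key=lambda r: r.num), natd, {}

    @staticmethod
    def static_match(r, p):   # `in`/`out` restrict direction; plain `via` matches either
        return ((not r.iface or p.iface == r.iface) and (not r.direction or p.direction == r.direction)
                and (r.dport is None or p.dport == r.dport) and (not r.setup or p.setup)
                and (not r.established or p.established))

    def run(self, p):
        """First match wins: return (verdict, rule number) of the terminating rule."""
        i = 0
        while i < len(self.rules):
            r = self.rules[i]; i += 1
            if r.action == "check-state":
                r = self.dynamic.get(flow(p))      # a dynamic hit acts as its parent rule
                if r is None: continue
            elif not self.static_match(r, p):
                continue
            elif r.keep_state:
                self.dynamic[flow(p)] = r          # parent rule keyed on the flow as seen here
            if r.action == "divert":
                p = self.natd.translate(p)         # translated packet resumes at the next rule
            elif r.action == "skipto":
                i = next((j for j, x in enumerate(self.rules) if x.num >= r.target), len(self.rules))
            else:
                return r.action, r.num
        return "deny", 65535                       # default-to-deny kernel

OIF, LAN, PUB, WEB = "xl0", "192.168.1.5", "203.0.113.9", "198.51.100.7"   # constructed
HTTP_OUT = dict(dport=80, direction="out", iface=OIF, setup=True, keep_state=True)

def direction_semantics():   # which interface clauses match a packet leaving through xl0?
    p = Pkt(LAN, 40000, WEB, 80, "out", OIF)
    clauses = {"via xl0": Rule(1, "pass", iface=OIF), "via xl1": Rule(1, "pass", iface="xl1"),
               "in via xl0": Rule(1, "pass", direction="in", iface=OIF),
               "out via xl0": Rule(1, "pass", direction="out", iface=OIF)}
    return {name: Ipfw.static_match(r, p) for name, r in clauses.items()}

def session(rules):   # LAN client's SYN out, server's SYN/ACK back, then an unsolicited SYN in
    fw = Ipfw(rules, Natd(PUB))
    return (fw.run(Pkt(LAN, 40000, WEB, 80, "out", OIF, setup=True)),
            fw.run(Pkt(WEB, 80, PUB, 40000, "in", OIF, established=True)),
            fw.run(Pkt(WEB, 5555, PUB, 22, "in", OIF, setup=True)))

def established_style():   # divert first; the stateless `established` rule passes the reply
    return session([Rule(100, "divert", iface=OIF), Rule(200, "check-state"),
                    Rule(300, "pass", established=True), Rule(400, "pass", **HTTP_OUT)])

def divert_before_keep_state():   # state keyed on the translated source; reply checked after natd undoes it
    return session([Rule(100, "divert", iface=OIF), Rule(200, "check-state"),
                    Rule(400, "pass", **HTTP_OUT)])

def split_divert():   # divert in before check-state, divert out after the keep-state rules
    return session([Rule(100, "divert", direction="in", iface=OIF), Rule(200, "check-state"),
                    Rule(400, "skipto", target=800, **HTTP_OUT), Rule(799, "deny"),
                    Rule(800, "divert", direction="out", iface=OIF), Rule(801, "pass")])
```

Three things fall out of running it. `direction_semantics()` shows that an `in via xl0` clause never matches the outbound leg of a flow while plain `via xl0` matches both directions, which is the mechanical point behind the advice to use bare `via`. `established_style()` shows that with a single `divert ... via ${oif}` ahead of `check-state`, the reply is accepted by the stateless `established` rule, not by the dynamic rule, so a ruleset like the one posted above works whether or not keep-state does anything useful. `divert_before_keep_state()` shows what happens once that `established` rule is removed: keep-state records the flow after natd has rewritten the source to the public address, the reply is checked after natd has rewritten it back to the LAN address, and the dynamic lookup misses, so the reply falls through to the default deny. `split_divert()` shows the same ruleset with the inbound and outbound divert rules separated, where both legs are seen with the LAN address and the dynamic rule carries the reply. On a real box, `ipfw -d show` lists the dynamic entries and is the quickest way to see which address a keep-state rule actually recorded.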
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?B95B566BD245174196CA4EE29E5818830D611A>