Date: Thu, 15 Jan 2004 10:23:31 +0200
From: Игорь Попов <igor@garant.koenig.ru>
To: freebsd-ipfw@freebsd.org
Message-ID: <200401151023.31347.igor@garant.koenig.ru>
Hi, up to now I have used FreeBSD with ipfw2 based on stateless rules. From the FreeBSD article freebsd-dialup I have taken an example of using nat and pure stateful ipfw. I have made some changes, but it does not work; I returned to the example, but the result is the same. Can somebody advise me on stateful ipfw and natd? Here are my non-working rules:

#!/bin/sh
#
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw -q"

# Force a flushing of the current rules before we reload.
${fwcmd} -f flush

${fwcmd} add 300 deny log ip from any to any not verrevpath in recv tun0

# Divert all packets through the tunnel interface.
${fwcmd} add divert natd ip from any to any via tun0
#${fwcmd} add count ip from any to any via tun0

# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# See ipfw(8) for details.
${fwcmd} add check-state
${fwcmd} add deny log tcp from any to any established

# Allow all localhost connections
${fwcmd} add allow tcp from me to any out via lo0 setup keep-state
${fwcmd} add deny tcp from me to any out via lo0
${fwcmd} add allow ip from me to any out via lo0 keep-state

# Allow all connections from my network card that I initiate
${fwcmd} add allow tcp from me to any out xmit any setup keep-state
${fwcmd} add deny log tcp from me to any
${fwcmd} add allow ip from me to any out xmit any keep-state

# Everyone on the localnet is allowed to connect to the following
# services on the machine. This string specifically allows connections
# to ftp, sshd, smtp, dns, http, pop3, proxy.
${fwcmd} add allow tcp from 100.100.100.0/24 to me dst-port 21,22,25,53,80,110,443,3128 in recv fxp0 setup keep-state
${fwcmd} add allow tcp from 192.168.1.0/24 to me dst-port 25,53,110,3128 in recv 192.168.1.1 setup keep-state

# Allow all udp connections from my network
${fwcmd} add allow udp from any to any via fxp0 keep-state
${fwcmd} add allow udp from any to any via 192.168.1.1 keep-state

# Enable ICMP
# Deny and log all pings from inet and localnet
${fwcmd} add deny log icmp from any to me icmptypes 8,13
${fwcmd} add allow icmp from me to any keep-state
${fwcmd} add allow icmp from 100.100.100.0/24 to any in recv fxp0 keep-state
${fwcmd} add allow icmp from 192.168.1.0/24 to any in recv 192.168.1.1 keep-state

# Allow all for users that will use some services via NAT
#${fwcmd} add allow tcp from 100.100.100.0/24{1,11} to 80.253.4.0/24 via fxp0 setup keep-state
${fwcmd} add allow log tcp from 100.100.100.0/24 to 80.253.4.0/24 dst-port 80,1521,1526,3389 recv fxp0 xmit tun0 setup keep-state

# This sends a RESET to all ident packets.
${fwcmd} add reset log tcp from any to me 113 in recv tun0

# Deny all the rest.
${fwcmd} add deny log ip from any to any
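The usual difficulty when mixing natd with keep-state is rule order: whatever address a packet carries when it reaches the keep-state rule is the address recorded in the dynamic rule, so inbound traffic should be un-NATed by the divert before check-state, while outbound traffic should create its dynamic rule with the private address and only then be diverted. The script below is an added example, not the poster's script and not taken from any FreeBSD project file; it generates such an ordering as a dry run. The interface names tun0 (outside) and fxp0 (inside), the network 192.168.1.0/24, the rule numbers and the FWCMD variable are all assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not the poster's script): an ipfw2 + natd ruleset ordered so
# that dynamic (keep-state) rules are always built with the private addresses.
#   Inbound on the outside interface: divert (un-NAT) first, then check-state.
#   Outbound from the inside net: keep-state rule first, then skipto the divert.
# Assumed names: tun0 = outside, fxp0 = inside, 192.168.1.0/24 = inside net.
# FWCMD defaults to a dry run that only prints the commands;
# set FWCMD="/sbin/ipfw -q" to load the rules for real.

FWCMD="${FWCMD:-echo ipfw -q}"

stateful_nat_rules() {
    oif="$1"    # outside interface, e.g. tun0
    iif="$2"    # inside interface, e.g. fxp0
    inet="$3"   # inside network, e.g. 192.168.1.0/24
    skip="skipto 800"

    $FWCMD -f flush
    $FWCMD add 100 allow ip from any to any via lo0
    # Replies from the outside are translated back to the private address
    # BEFORE the state lookup, so they match the dynamic rule.
    $FWCMD add 200 divert natd ip from any to any in via "$oif"
    $FWCMD add 210 check-state
    # An established segment with no dynamic rule is not one of ours.
    $FWCMD add 220 deny log tcp from any to any established in via "$oif"
    # Outbound from the inside net: the dynamic rule is created here with the
    # private source address; only then is the packet sent to natd.
    $FWCMD add 300 $skip tcp from "$inet" to any out via "$oif" setup keep-state
    $FWCMD add 310 $skip udp from "$inet" to any out via "$oif" keep-state
    $FWCMD add 320 $skip icmp from "$inet" to any out via "$oif" keep-state
    # Inside-facing interface: the LAN may talk to the box and through it.
    $FWCMD add 400 allow ip from "$inet" to any in via "$iif"
    $FWCMD add 410 allow ip from any to "$inet" out via "$iif"
    # Everything not explicitly allowed is dropped and logged.
    $FWCMD add 700 deny log ip from any to any
    # Outbound translation happens only after a keep-state rule matched.
    $FWCMD add 800 divert natd ip from any to any out via "$oif"
    $FWCMD add 810 allow ip from any to any
}

# Dry-run helpers: pull the rule number of the first generated line that
# matches a pattern (field 4 of "ipfw -q add NNN ...").
rule_number() {
    stateful_nat_rules tun0 fxp0 192.168.1.0/24 | grep -- "$1" | head -n 1 | awk '{print $4}'
}

# Returns 0 when the ordering invariant holds:
# inbound divert < check-state < outbound divert.
check_order() {
    in_div=$(rule_number 'divert natd ip from any to any in')
    cs=$(rule_number 'check-state')
    out_div=$(rule_number 'divert natd ip from any to any out')
    [ "$in_div" -lt "$cs" ] && [ "$cs" -lt "$out_div" ]
}

# Stand-alone run: print (or load) the ruleset and verify the ordering.
stateful_nat_rules tun0 fxp0 192.168.1.0/24
check_order && echo "ordering ok: divert-in < check-state < divert-out"
```

Run it as-is to see the generated commands; run it with `FWCMD="/sbin/ipfw -q"` to load them. The `skipto 800` keeps every keep-state rule for outbound traffic ahead of the outbound divert, which is the invariant `check_order` verifies.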