From: Игорь Попов <igor@garant.koenig.ru>
Organization: ЛВС
To: freebsd-ipfw@freebsd.org (IPFW Technical Discussions)
Date: Thu, 15 Jan 2004 10:23:31 +0200

Hi,

Up to now I have used FreeBSD with ipfw2 based on stateless rules. From the FreeBSD article freebsd-dialup I have taken an example of using NAT and pure stateful ipfw. I have made some changes, but it does not work; I returned to the example, but the result is the same. Can somebody advise me on stateful ipfw and natd? Here are my non-working rules:

#!/bin/sh
#
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw -q"

# Force a flushing of the current rules before we reload.
${fwcmd} -f flush

${fwcmd} add 300 deny log ip from any to any not verrevpath in recv tun0

# Divert all packets through the tunnel interface.
${fwcmd} add divert natd ip from any to any via tun0
#${fwcmd} add count ip from any to any via tun0

# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# See ipfw(8) for details.
${fwcmd} add check-state
${fwcmd} add deny log tcp from any to any established

# Allow all localhost connections
${fwcmd} add allow tcp from me to any out via lo0 setup keep-state
${fwcmd} add deny tcp from me to any out via lo0
${fwcmd} add allow ip from me to any out via lo0 keep-state

# Allow all connections from my network card that I initiate
${fwcmd} add allow tcp from me to any out xmit any setup keep-state
${fwcmd} add deny log tcp from me to any
${fwcmd} add allow ip from me to any out xmit any keep-state

# Everyone on the localnet is allowed to connect to the following
# services on the machine. This string specifically allows connections
# to ftp, sshd, smtp, dns, http, pop3, proxy.
${fwcmd} add allow tcp from 100.100.100.0/24 to me dst-port 21,22,25,53,80,110,443,3128 in recv fxp0 setup keep-state
${fwcmd} add allow tcp from 192.168.1.0/24 to me dst-port 25,53,110,3128 in recv 192.168.1.1 setup keep-state

# Allow all udp connections from my network
${fwcmd} add allow udp from any to any via fxp0 keep-state
${fwcmd} add allow udp from any to any via 192.168.1.1 keep-state

# Enable ICMP
# Deny and log all pings from inet and localnet
${fwcmd} add deny log icmp from any to me icmptypes 8,13
${fwcmd} add allow icmp from me to any keep-state
${fwcmd} add allow icmp from 100.100.100.0/24 to any in recv fxp0 keep-state
${fwcmd} add allow icmp from 192.168.1.0/24 to any in recv 192.168.1.1 keep-state

# Allow all for users that will use some services via NAT
#${fwcmd} add allow tcp from 100.100.100.0/24{1,11} to 80.253.4.0/24 via fxp0 setup keep-state
${fwcmd} add allow log tcp from 100.100.100.0/24 to 80.253.4.0/24 dst-port 80,1521,1526,3389 recv fxp0 xmit tun0 setup keep-state

# This sends a RESET to all ident packets.
${fwcmd} add reset log tcp from any to me 113 in recv tun0

# Deny all the rest.
${fwcmd} add deny log ip from any to any
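Added example, not part of the original mail and not FreeBSD code: a small Python model of how ipfw2 evaluates a forwarded packet on two passes, once "in" on the receiving interface and once "out" on the transmitting one, run against the TCP rules of the ruleset above. It understands only the ipfw keywords those rules use, models divert natd as a source-address rewrite that keeps the port, and leaves out the lo0, UDP, ICMP, 192.168.1.0/24, ident and verrevpath rules because none of them can match the packets traced. Assumptions: the LAN host 100.100.100.10 and the server 80.253.4.5 (a host inside the 80.253.4.0/24 block from the post) are constructed, the documentation address 203.0.113.1 stands in for the unknown tun0 address, and fxp0's address 100.100.100.41 is taken from the mail headers. The trace shows the first thing a practitioner checks when a stateful NAT ruleset "does nothing": per ipfw(8), xmit can only be tested on outgoing packets, so a LAN packet heading for the NAT'd servers is judged on its input pass by the remaining rules and, in this ruleset, reaches the final deny there, while the LAN-to-firewall SSH flow creates a dynamic rule on the way in and its reply is passed by check-state on the way out.

```python
"""Simplified model of ipfw2 rule evaluation (added example, not code from the post):
a forwarded packet is seen twice, 'in' on the receiving interface and 'out' on the
transmitting one; only the keywords used by the post's rules are understood."""
from ipaddress import ip_address, ip_network

# Constructed: fxp0 is 100.100.100.41 (from the mail headers); 203.0.113.1 stands in for tun0.
PUBLIC = ip_address("203.0.113.1")
LOCAL = {ip_address("100.100.100.41"), ip_address("192.168.1.1"), PUBLIC}

def parse(line):
    """Parse one 'add ...' rule into a dict (subset of ipfw syntax)."""
    t = line.split()[1:]
    r = {"text": line, "action": t.pop(0), "opts": set(), "recv": None, "xmit": None,
         "via": None, "dir": None, "src": "any", "dst": "any", "dport": None, "proto": "ip"}
    if r["action"] != "check-state":
        if t[0] == "log": t.pop(0)
        if r["action"] == "divert": t.pop(0)    # the natd port name
        r["proto"] = t.pop(0)
    while t:
        k = t.pop(0)
        if k in ("from", "to"):
            r["src" if k == "from" else "dst"] = t.pop(0)
        elif k == "dst-port" or k.isdigit():    # 'dst-port 21,22' or a bare 'to me 113'
            r["dport"] = {int(x) for x in (t.pop(0) if k == "dst-port" else k).split(",")}
        elif k in ("recv", "xmit", "via"):
            r[k] = t.pop(0)
        elif k in ("in", "out"):
            r["dir"] = k
        else:
            r["opts"].add(k)                    # setup, established, keep-state
    if r["xmit"]:
        r["dir"] = "out"                        # ipfw(8): xmit is only tested on output
    return r

def addr_ok(spec, a):
    """'any', 'me' (an address of the firewall itself) or a CIDR block."""
    return spec == "any" or (a in LOCAL if spec == "me" else a in ip_network(spec))

def matches(r, p):
    """Static match of packet p against rule r (dynamic state is checked in evaluate)."""
    iface_ok = ((not r["dir"] or r["dir"] == p["dir"])
                and (not r["recv"] or r["recv"] == p["recv"])
                and (not r["xmit"] or (p["dir"] == "out" and r["xmit"] in ("any", p["xmit"])))
                and (not r["via"] or r["via"] in (p["recv"], p["xmit"])))
    flags_ok = (("setup" not in r["opts"] or ("SYN" in p["flags"] and "ACK" not in p["flags"]))
                and ("established" not in r["opts"] or bool(p["flags"] & {"ACK", "RST"})))
    return (iface_ok and flags_ok and r["proto"] in ("ip", p["proto"])
            and addr_ok(r["src"], p["src"]) and addr_ok(r["dst"], p["dst"])
            and (not r["dport"] or p["dport"] in r["dport"]))

def key(p, rev=False):                          # dynamic-rule key; rev=True: reply direction
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (p["proto"],) + (b + a if rev else a + b)

def evaluate(rules, pkt, state, nat):
    """One pass of a packet through the rules: (verdict, matching rule text or 'dynamic')."""
    p = dict(pkt)
    for r in rules:
        if r["action"] == "check-state" or "keep-state" in r["opts"]:   # both consult state
            hit = state.get(key(p)) or state.get(key(p, True))          # either direction
            if hit: return hit, "dynamic"
        if r["action"] == "check-state" or not matches(r, p):
            continue
        if r["action"] == "divert":             # natd rewrites, then the next rule is tried
            if p["dir"] == "out" and p["src"] not in LOCAL:
                nat[p["sport"]], p["src"] = p["src"], PUBLIC   # port kept, for simplicity
            elif p["dir"] == "in" and p["dst"] == PUBLIC and p["dport"] in nat:
                p["dst"] = nat[p["dport"]]
            continue
        if "keep-state" in r["opts"]:
            state[key(p)] = r["action"]         # keyed on the addresses as seen at this rule
        return r["action"], r["text"]
    return "deny", "default"

# The post's rules that can affect the TCP packets traced below.
RULES = [parse(l) for l in """\
add divert natd ip from any to any via tun0
add check-state
add deny log tcp from any to any established
add allow tcp from me to any out xmit any setup keep-state
add allow ip from me to any out xmit any keep-state
add allow tcp from 100.100.100.0/24 to me dst-port 21,22,25,53,80,110,443,3128 in recv fxp0 setup keep-state
add allow log tcp from 100.100.100.0/24 to 80.253.4.0/24 dst-port 80,1521,1526,3389 recv fxp0 xmit tun0 setup keep-state
add deny log ip from any to any""".splitlines()]

def tcp(src, sport, dst, dport, flags, d, recv, xmit=None):
    return {"proto": "tcp", "src": ip_address(src), "dst": ip_address(dst), "sport": sport,
            "dport": dport, "flags": set(flags.split()), "dir": d, "recv": recv, "xmit": xmit}

def demo():
    """Trace a constructed LAN host (100.100.100.10) talking through and to the firewall."""
    state, nat = {}, {}
    # 1. SYN to a NAT'd server: ipfw sees it first on the input pass (recv fxp0), where the
    #    'recv fxp0 xmit tun0' rule cannot match, so it falls through to the last rule.
    nat_syn = tcp("100.100.100.10", 40000, "80.253.4.5", 80, "SYN", "in", "fxp0")
    # 2. SYN to the firewall's own sshd, then the SYN/ACK it sends back out of fxp0.
    ssh_syn = tcp("100.100.100.10", 40001, "100.100.100.41", 22, "SYN", "in", "fxp0")
    ssh_ack = tcp("100.100.100.41", 22, "100.100.100.10", 40001, "SYN ACK", "out", None, "fxp0")
    return {n: evaluate(RULES, pk, state, nat)
            for n, pk in (("nat_syn", nat_syn), ("ssh_syn", ssh_syn), ("ssh_reply", ssh_ack))}
```

demo() returns the verdict and the rule that produced it for each packet: in this model nat_syn ends at "add deny log ip from any to any" on the input pass, which is the entry a `deny log` rule would record on the real firewall, while ssh_syn is allowed by the localnet rule and ssh_reply by its dynamic rule. The same driver can be pointed at any other packet built with tcp() to see which pass and which rule decide its fate.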