Date: Thu, 30 Oct 2008 13:36:58 +1100 From: Terry Sposato <terry@sucked-in.com> To: jackbarnett@gmail.com Cc: Polytropon <freebsd@edvax.de>, Freebsd questions <freebsd-questions@freebsd.org> Subject: Re: Firewalls in FreeBSD? Message-ID: <20081030133658.79084brlqjxwpv6s@webmail.tabmow.info> In-Reply-To: <49091B32.9060306@gmail.com> References: <49090BA3.5090407@gmail.com> <20081030031231.8a5fccb9.freebsd@edvax.de> <49091B32.9060306@gmail.com>
Quoting Jack Barnett <jackbarnett@gmail.com>:
>
> yes, that is my setup.
> hrm... well, I disabled the firewall completely, restarted, but still
> doesn't work.
> I have gateway and natd both enabled. x10 is the "external" interface
> (the one that is dhcp and connects to the cable modem).
> I don't want to redirect anything to my windows box. I just want
> anything that connects out from my windows box to be able to connect
> or send data back in.
> For example, I load up a client (game) and it connects out on XYZ
> port. The server will send data back on ABC.
> The problem, from what I can tell, is that I can get a connection out
> - but when the server tries to send data back on ABC it is discarded.
> Polytropon wrote:
> >
> > If I understood you correctly, your setting is:
> >
> > (Modem/Router)---DHCP---(FreeBSD)---("Windows")
> >
> > I may respond directly on your configuration settings:
> >
> > On Wed, 29 Oct 2008 20:19:31 -0500, Jack Barnett <jackbarnett@gmail.com> wrote:
> >
> > > gateway_enable="YES"
> > > #firewall_enable="YES"
> > > #firewall_type="open"
> > > firewall_type="simple"
> > > #firewall_type="open"
> > > firewall_logging="YES"
> >
> > Use instead:
> >
> > gateway_enable="YES"
> > natd_enable="YES"
> > natd_interface="xl0"
> >
> > You may add special redirect directives to NATD's settings, such as
> > natd_flags="-redirect_port tcp 192.168.1.2:5900 5900"
> > natd_flags="-redirect_port tcp 192.168.1.5:23 6666"
> >
> > or
> > natd_flags="-redirect_address 192.168.1.2 141.44.165.58 \
> > -redirect_address 192.168.1.5 141.44.165.58"
> >
> > Examples taken from a very old configuration. :-)
> >
> > Then,
> >
> > firewall_enable="YES"
> > firewall_type="/etc/ipfw.conf"
> >
> > Then, be sure to have nice firewall settings, you can use things
> > similar to this, enabling just the services you really need and want,
> > it's easy to write your own one or to rewrite this:
> >
> > -f flush
> > add divert natd ip from any to any via xl0
> > add allow tcp from any to any ftp in recv xl0
> > add allow tcp from any to any ssh in recv xl0
> > add allow tcp from any to any auth in recv xl0
> > add allow udp from any to any ntp in recv xl0
> > add allow udp from any to any ntalk in recv xl0
> > add deny udp from any to any x11 in recv xl0
> > add reset tcp from any to any x11 in recv xl0
> > add allow ipencap from any to any
> > add allow ip from any to any
> >
> > This should work fine. NB to use the correct interface names.
> >
>
Jack,
It is most likely caused by your ruleset not being stateful. If packets are going out for certain sessions and your firewall isn't then allowing them back in, you would see the issue you are seeing. I am not sure how this is accomplished via ipfw as I use pf, but there would be a tonne of documentation out there on how to make your rules stateful.
Regards,
Terry Sposato
terry@sucked-in.com
Have you been sucked in?
http://www.sucked-in.com
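A stateful version of the /etc/ipfw.conf ruleset quoted above, added here as an example and not taken from Polytropon's or Terry's mail; it uses the divert-before-check-state and skipto layout that ipfw needs when natd is in the path. Assumptions: xl0 is the external interface as in the thread, em0 is the LAN interface and 192.168.1.0/24 is the LAN network.

```ipfw
# /etc/ipfw.conf, stateful variant (added example; assumes xl0 external,
# em0 LAN interface, 192.168.1.0/24 LAN network)
-f flush

# LAN-side and loopback traffic is not filtered
add 100 allow ip from any to any via em0
add 110 allow ip from any to any via lo0

# Inbound packets are un-NATed first, so that a reply is checked against
# the state entry that was recorded with the private LAN address
add 200 divert natd ip from any to any in via xl0
add 210 check-state

# Sessions started from the LAN (or by the gateway itself) create state.
# The skipto sends them to the outbound divert only after state exists,
# so the entry carries the pre-NAT address that rule 200 restores on replies.
add 300 skipto 1000 tcp from 192.168.1.0/24 to any out via xl0 setup keep-state
add 310 skipto 1000 udp from 192.168.1.0/24 to any out via xl0 keep-state
add 320 skipto 1000 icmp from 192.168.1.0/24 to any out via xl0 keep-state
add 330 skipto 1000 ip from me to any out via xl0 keep-state

# Services the gateway itself offers to the outside
add 400 allow tcp from any to me ssh in via xl0 setup keep-state

# Unsolicited inbound packets on the external interface are dropped and logged
add 900 deny log ip from any to any in via xl0

# Outbound packets reach this point only after a keep-state rule matched
add 1000 divert natd ip from any to any out via xl0
add 1010 allow ip from any to any
```

A state entry only matches the exact reverse of the outgoing address/port pair, so a server that answers on a different port (the "ABC" case above) still needs an explicit natd -redirect_port entry such as the ones Polytropon showed, plus a matching allow rule. Rule 900 logs what is dropped, which is the quickest way to confirm whether the missing return traffic is being discarded here.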
