Date: Mon, 17 Jan 2005 21:25:51 +0000
From: Srot BULL <pwd8jmr22w@me.point.ne.jp>
To: Questions-ML FreeBSD <freebsd-questions@freebsd.org>
Subject: IPFW - How to allow NAT client to CVSup
Message-ID: <41EC2D5F.8060705@me.point.ne.jp>
Hi to everyone,

I have 2 FreeBSD machines, both running FreeBSD Stable 5.3, and both have ipfw as firewalls... One is running ipfw with NAT functions. Below is the ruleset for that machine:

#!/bin/sh
ipfw -q -f flush
CMD="ipfw -q add"
SKIP="skipto 00800"
KS="keep-state"
INIC="aue0"
$CMD 00005 allow all from any to any via rl0
$CMD 00010 allow all from any to any via lo0
$CMD 00014 divert natd ip from any to any in via $INIC
$CMD 00015 check-state
$CMD 00020 $SKIP tcp from any to 192.168.0.1 53 out via $INIC setup $KS
$CMD 00021 $SKIP udp from any to 192.168.0.1 53 out via $INIC $KS
$CMD 00030 $SKIP udp from any to 192.168.0.1 67 out via $INIC $KS
$CMD 00040 $SKIP tcp from any to any 80 out via $INIC setup $KS
$CMD 00050 $SKIP tcp from any to any 443 out via $INIC setup $KS
$CMD 00060 $SKIP tcp from any to any 25 out via $INIC setup $KS
$CMD 00061 $SKIP tcp from any to any 110 out via $INIC setup $KS
#------------ Allow out FBSD (make install & CVSUP) functions -----------#
$CMD 00070 $SKIP tcp from me to any out via $INIC setup $KS uid root
#------------------------------------------------------------------------#
$CMD 00080 $SKIP icmp from any to any out via $INIC $KS
$CMD 00090 $SKIP tcp from any to any 37 out via $INIC setup $KS
$CMD 00100 $SKIP tcp from any to any 119 out via $INIC setup $KS
$CMD 00110 $SKIP tcp from any to any 22 out via $INIC setup $KS
$CMD 00120 $SKIP tcp from any to any 43 out via $INIC setup $KS
$CMD 00130 $SKIP udp from any to any 123 out via $INIC $KS
$CMD 00140 $SKIP tcp from any to any 873 out via $INIC $KS
$CMD 00141 $SKIP udp from any to any 873 out via $INIC $KS
$CMD 00300 deny all from 192.168.0.0/16 to any in via $INIC
$CMD 00301 deny all from 172.16.0.0/12 to any in via $INIC
$CMD 00302 deny all from 10.0.0.0/8 to any in via $INIC
$CMD 00303 deny all from 127.0.0.0/8 to any in via $INIC
$CMD 00304 deny all from 0.0.0.0/8 to any in via $INIC
$CMD 00305 deny all from 169.254.0.0/16 to any in via $INIC
$CMD 00306 deny all from 192.0.2.0/24 to any in via $INIC
$CMD 00308 deny all from 224.0.0.0/3 to any in via $INIC
#$CMD 00310 deny icmp from any to any in via $INIC
$CMD 00315 deny tcp from any to any 113 in via $INIC
$CMD 00320 deny tcp from any to any 137 in via $INIC
$CMD 00321 deny tcp from any to any 138 in via $INIC
$CMD 00322 deny tcp from any to any 139 in via $INIC
$CMD 00323 deny tcp from any to any 81 in via $INIC
$CMD 00330 deny all from any to any frag in via $INIC
$CMD 00332 deny tcp from any to any established in via $INIC
$CMD 00360 allow udp from any to 192.168.0.1 67 in via $INIC $KS
$CMD 00400 deny log all from any to any in via $INIC
$CMD 00450 deny log all from any to any out via $INIC
$CMD 00800 divert natd ip from any to any out via $INIC
$CMD 00801 allow ip from any to any
$CMD 00999 deny log all from any to any

This is the ruleset that I am using for the other machine, the one that I want to be able to cvsup...

#!/bin/sh
ipfw -q -f flush
CMD="ipfw -q add"
KS="keep-state"
INIC="bge0"
$CMD 00010 allow all from any to any via lo0
$CMD 00015 check-state
$CMD 00020 allow tcp from any to 192.168.0.1 53 out via $INIC setup $KS
$CMD 00021 allow udp from any to 192.168.0.1 53 out via $INIC $KS
$CMD 00030 allow udp from any to 192.168.0.1 67 out via $INIC $KS
$CMD 00040 allow tcp from any to any 80 out via $INIC setup $KS
$CMD 00050 allow tcp from any to any 443 out via $INIC setup $KS
$CMD 00060 allow tcp from any to any 25 out via $INIC setup $KS
$CMD 00061 allow tcp from any to any 110 out via $INIC setup $KS
$CMD 00070 allow tcp from me to any out via $INIC setup $KS uid root
$CMD 00080 allow icmp from any to any out via $INIC $KS
$CMD 00090 allow tcp from any to any 37 out via $INIC setup $KS
$CMD 00100 allow tcp from any to any 119 out via $INIC setup $KS
$CMD 00110 allow tcp from any to any 22 out via $INIC setup $KS
$CMD 00120 allow tcp from any to any 43 out via $INIC setup $KS
$CMD 00130 allow udp from any to any 123 out via $INIC $KS
$CMD 00300 deny all from 192.168.0.0/16 to any in via $INIC
$CMD 00301 deny all from 172.16.0.0/12 to any in via $INIC
$CMD 00302 deny all from 10.0.0.0/8 to any in via $INIC
$CMD 00303 deny all from 127.0.0.0/8 to any in via $INIC
$CMD 00304 deny all from 0.0.0.0/8 to any in via $INIC
$CMD 00305 deny all from 169.254.0.0/16 to any in via $INIC
$CMD 00306 deny all from 192.0.2.0/24 to any in via $INIC
$CMD 00307 deny all from 204.152.64.0/23 to any in via $INIC
$CMD 00308 deny all from 224.0.0.0/3 to any in via $INIC
$CMD 00315 deny tcp from any to any 113 in via $INIC
$CMD 00320 deny tcp from any to any 137 in via $INIC
$CMD 00321 deny tcp from any to any 138 in via $INIC
$CMD 00322 deny tcp from any to any 139 in via $INIC
$CMD 00323 deny tcp from any to any 81 in via $INIC
$CMD 00330 deny all from any to any frag in via $INIC
$CMD 00332 deny tcp from any to any established in via $INIC
$CMD 00360 allow udp from any to 192.168.0.1 67 in via $INIC $KS
$CMD 00400 deny log all from any to any in via $INIC
$CMD 00999 deny log all from any to any

As you can see, I am using the rulesets that are found in the Handbook. I have tried

$CMD 00070 $SKIP tcp from me to any out via $INIC setup $KS uid root

but still no go, and

$CMD 00070 $SKIP tcp from me to any 5999 out via $INIC setup $KS

but still no go.

Can anybody share their ipfw rulesets with me? To allow my other PC to cvsup...

Thanks in advance...

Srot BULL
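One way to let a LAN host behind this kind of ipfw/natd gateway reach a CVSup server, as an added example that is not from the original post or from the FreeBSD Handbook. In the Handbook ruleset the outgoing natd divert sits at rule 00800, so when a client's packet reaches the skipto rules on the "out via aue0" path it still carries its pre-NAT 192.168.0.x source address. A rule written with "from me" matches only the gateway's own addresses, and "uid root" matches only sockets owned by a local process, never forwarded packets, so rule 00070 can never match the client; the rule has to name the LAN subnet instead. The script assumes the LAN is 192.168.0.0/24 and that rule number 00071 is free in both rulesets; the script name used in the usage note is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeBSD Handbook): rules that
# let a client behind the ipfw/natd gateway open a CVSup connection.
# Assumptions: the LAN is 192.168.0.0/24 and rule number 00071 is unused.

CMD=${CMD:-"ipfw -q add"}   # set CMD="echo ipfw -q add" to dry-run
KS="keep-state"

# Gateway rules, using the same $SKIP/$INIC scheme as the post's NAT ruleset.
gateway_cvsup_rules() {
    inic="aue0"              # external interface (from the post)
    lan="192.168.0.0/24"     # assumed internal subnet
    skip="skipto 00800"      # jump to the outbound natd divert, as in the post
    # Client -> server TCP 5999. "setup" matches only the SYN; keep-state lets
    # the replies through at the check-state rule once natd has rewritten them
    # on the way back in. The LAN subnet, not "me", is the source here because
    # the packet has not been translated yet at this point in the ruleset.
    printf '%s\n' "00071 $skip tcp from $lan to any 5999 out via $inic setup $KS"
}

# Rule for the client host itself: a plain allow without a uid restriction,
# so the connection is permitted whichever user runs cvsup.
client_cvsup_rules() {
    inic="bge0"              # client's interface (from the post)
    printf '%s\n' "00071 allow tcp from me to any 5999 out via $inic setup $KS"
}

# Feed each printed rule to $CMD; word splitting of $rule is intended.
apply_rules() {
    "$1" | while IFS= read -r rule; do
        $CMD $rule
    done
}

case "${1:-show}" in
    apply-gateway) apply_rules gateway_cvsup_rules ;;   # run on the NAT box
    apply-client)  apply_rules client_cvsup_rules ;;    # run on the LAN host
    show)          gateway_cvsup_rules; client_cvsup_rules ;;
esac
```

Run it as `sh cvsup-nat.sh apply-gateway` on the NAT box and `sh cvsup-nat.sh apply-client` on the LAN host; with no argument it only prints the two rules for review, and setting `CMD="echo ipfw -q add"` shows the exact ipfw commands without loading them. The rule covers only the client-initiated connection to port 5999, so the client must use CVSup's multiplexed mode (`cvsup -P m`), which carries all traffic over that single connection; a mode that has the server open a second connection back to the client cannot work through the NAT, and nothing in the ruleset above should be opened to accommodate it.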
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41EC2D5F.8060705>
