Date:      Mon, 17 Jan 2005 21:25:51 +0000
From:      Srot BULL <pwd8jmr22w@me.point.ne.jp>
To:        Questions-ML FreeBSD <freebsd-questions@freebsd.org>
Subject:   IPFW - How to allow NAT client to CVSup
Message-ID:  <41EC2D5F.8060705@me.point.ne.jp>

Hi to everyone,

I have 2 FreeBSD machines both running FreeBSD Stable 5.3 and both have 
ipfw as firewalls...
One is running ipfw with NAT functions.  Below are the rulesets for 
the machine:

#!/bin/sh
ipfw -q -f flush
CMD="ipfw -q add"
SKIP="skipto 00800"
KS="keep-state"
INIC="aue0"
$CMD 00005 allow all from any to any via rl0
$CMD 00010 allow all from any to any via lo0
$CMD 00014 divert natd ip from any to any in via $INIC
$CMD 00015 check-state

$CMD 00020 $SKIP tcp from any to 192.168.0.1 53 out via $INIC setup $KS
$CMD 00021 $SKIP udp from any to 192.168.0.1 53 out via $INIC $KS
$CMD 00030 $SKIP udp from any to 192.168.0.1 67 out via $INIC $KS
$CMD 00040 $SKIP tcp from any to any 80 out via $INIC setup $KS
$CMD 00050 $SKIP tcp from any to any 443 out via $INIC setup $KS
$CMD 00060 $SKIP tcp from any to any 25 out via $INIC setup $KS
$CMD 00061 $SKIP tcp from any to any 110 out via $INIC setup $KS
#------------ Allow out FBSD (make install & CVSUP) functions -----------=#
$CMD 00070 $SKIP tcp from me to any out via $INIC setup $KS uid root
#------------------------------------------------------------------------=#
$CMD 00080 $SKIP icmp from any to any out via $INIC $KS
$CMD 00090 $SKIP tcp from any to any 37 out via $INIC setup $KS
$CMD 00100 $SKIP tcp from any to any 119 out via $INIC setup $KS
$CMD 00110 $SKIP tcp from any to any 22 out via $INIC setup $KS
$CMD 00120 $SKIP tcp from any to any 43 out via $INIC setup $KS
$CMD 00130 $SKIP udp from any to any 123 out via $INIC $KS
$CMD 00140 $SKIP tcp from any to any 873 out via $INIC $KS
$CMD 00141 $SKIP udp from any to any 873 out via $INIC $KS

$CMD 00300 deny all from 192.168.0.0/16 to any in via $INIC
$CMD 00301 deny all from 172.16.0.0/12 to any in via $INIC
$CMD 00302 deny all from 10.0.0.0/8 to any in via $INIC
$CMD 00303 deny all from 127.0.0.0/8 to any in via $INIC
$CMD 00304 deny all from 0.0.0.0/8 to any in via $INIC
$CMD 00305 deny all from 169.254.0.0/16 to any in via $INIC
$CMD 00306 deny all from 192.0.2.0/24 to any in via $INIC
$CMD 00308 deny all from 224.0.0.0/3 to any in via $INIC
#$CMD 00310 deny icmp from any to any in via $INIC
$CMD 00315 deny tcp from any to any 113 in via $INIC
$CMD 00320 deny tcp from any to any 137 in via $INIC
$CMD 00321 deny tcp from any to any 138 in via $INIC
$CMD 00322 deny tcp from any to any 139 in via $INIC
$CMD 00323 deny tcp from any to any 81 in via $INIC
$CMD 00330 deny all from any to any frag in via $INIC
$CMD 00332 deny tcp from any to any established in via $INIC

$CMD 00360 allow udp from any to 192.168.0.1 67 in via $INIC $KS
$CMD 00400 deny log all from any to any in via $INIC
$CMD 00450 deny log all from any to any out via $INIC
$CMD 00800 divert natd ip from any to any out via $INIC
$CMD 00801 allow ip from any to any
$CMD 00999 deny log all from any to any

This is the ruleset that I am using for the other machine that I want to be 
able to cvsup...

#!/bin/sh
ipfw -q -f flush
CMD="ipfw -q add"
KS="keep-state"
INIC="bge0"
$CMD 00010 allow all from any to any via lo0
$CMD 00015 check-state
$CMD 00020 allow tcp from any to 192.168.0.1 53 out via $INIC setup $KS
$CMD 00021 allow udp from any to 192.168.0.1 53 out via $INIC $KS
$CMD 00030 allow udp from any to 192.168.0.1 67 out via $INIC $KS
$CMD 00040 allow tcp from any to any 80 out via $INIC setup $KS
$CMD 00050 allow tcp from any to any 443 out via $INIC setup $KS
$CMD 00060 allow tcp from any to any 25 out via $INIC setup $KS
$CMD 00061 allow tcp from any to any 110 out via $INIC setup $KS
$CMD 00070 allow tcp from me to any out via $INIC setup $KS uid root
$CMD 00080 allow icmp from any to any out via $INIC $KS
$CMD 00090 allow tcp from any to any 37 out via $INIC setup $KS
$CMD 00100 allow tcp from any to any 119 out via $INIC setup $KS
$CMD 00110 allow tcp from any to any 22 out via $INIC setup $KS
$CMD 00120 allow tcp from any to any 43 out via $INIC setup $KS
$CMD 00130 allow udp from any to any 123 out via $INIC $KS

$CMD 00300 deny all from 192.168.0.0/16 to any in via $INIC
$CMD 00301 deny all from 172.16.0.0/12 to any in via $INIC
$CMD 00302 deny all from 10.0.0.0/8 to any in via $INIC
$CMD 00303 deny all from 127.0.0.0/8 to any in via $INIC
$CMD 00304 deny all from 0.0.0.0/8 to any in via $INIC
$CMD 00305 deny all from 169.254.0.0/16 to any in via $INIC
$CMD 00306 deny all from 192.0.2.0/24 to any in via $INIC
$CMD 00307 deny all from 204.152.64.0/23 to any in via $INIC
$CMD 00308 deny all from 224.0.0.0/3 to any in via $INIC
$CMD 00315 deny tcp from any to any 113 in via $INIC
$CMD 00320 deny tcp from any to any 137 in via $INIC
$CMD 00321 deny tcp from any to any 138 in via $INIC
$CMD 00322 deny tcp from any to any 139 in via $INIC
$CMD 00323 deny tcp from any to any 81 in via $INIC
$CMD 00330 deny all from any to any frag in via $INIC
$CMD 00332 deny tcp from any to any established in via $INIC
$CMD 00360 allow udp from any to 192.168.0.1 67 in via $INIC $KS

$CMD 00400 deny log all from any to any in via $INIC
$CMD 00999 deny log all from any to any

As you can see, I am using the rulesets that are found in the Handbook.  I 
have tried
$CMD 00070 $SKIP tcp from me to any out via $INIC setup $KS uid root
but still no go, and
$CMD 00070 $SKIP tcp from me to any 5999 out via $INIC setup $KS
but still no go.

Can anybody share their ipfw rulesets with me, to allow my other PC to 
cvsup...
Thanks in advance...

Srot BULL
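To make the failure concrete, here is an added example (mine, not from the original post or the FreeBSD Handbook): a small Python model of how ipfw walks the outbound-on-aue0 rules of the gateway ruleset above, showing why the LAN client's CVSup SYN falls through to rule 00450 while the gateway's own root-owned cvsup does not. The gateway's outside address 203.0.113.10, the client network 192.168.0.0/24 and the client address 192.168.0.20 are assumed sample values, and setup/keep-state are not modelled.

```python
import ipaddress

# Assumed: the gateway owns 192.168.0.1 (from the post) and a sample outside address 203.0.113.10
GATEWAY_ADDRS = {"192.168.0.1", "203.0.113.10"}
def matches(rule, pkt):
    """True when every clause of an ipfw-style rule matches the packet."""
    if rule.get("proto", "all") not in ("all", pkt["proto"]):
        return False
    src = rule.get("src", "any")
    if src == "me":          # 'me' matches only addresses configured on the gateway itself
        if pkt["src"] not in GATEWAY_ADDRS:
            return False
    elif src != "any" and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src):
        return False
    if rule.get("dport") not in (None, pkt["dport"]):
        return False
    if rule.get("dir") not in (None, pkt["dir"]) or rule.get("via") not in (None, pkt["iface"]):
        return False
    # 'uid' matches a socket owned by a local process; a forwarded packet has no local socket
    if "uid" in rule and pkt.get("uid") != rule["uid"]:
        return False
    return True
def walk(rules, pkt):
    """Return (rule number, action) of the terminal rule, following skipto and divert."""
    i = 0
    while i < len(rules):
        num, action, clauses = rules[i]
        if not matches(clauses, pkt):
            i += 1
        elif action.startswith("skipto"):   # continue at the first rule numbered >= target
            target = int(action.split()[1])
            i = next((k for k, r in enumerate(rules) if r[0] >= target), len(rules))
        elif action.startswith("divert"):   # natd rewrites the source and re-injects at the next rule
            i += 1
        else:
            return num, action
    return None, "default deny"
# Outbound-on-aue0 part of the gateway ruleset from the post; each packet stands for a first SYN
POST_RULES = [
    (70,  "skipto 800", dict(proto="tcp", src="me", dir="out", via="aue0", uid="root")),
    (450, "deny", dict(dir="out", via="aue0")),
    (800, "divert natd", dict(dir="out", via="aue0")),
    (801, "allow", {}),
]
# A source-based rule for the client network (assumed 192.168.0.0/24), placed before the deny
CLIENT_RULE = (71, "skipto 800", dict(proto="tcp", src="192.168.0.0/24", dport=5999, dir="out", via="aue0"))
FIXED_RULES = sorted(POST_RULES + [CLIENT_RULE], key=lambda r: r[0])
# Constructed packets: the gateway's own root-owned cvsup, and a LAN client's cvsup (no local socket)
GATEWAY_CVSUP = dict(proto="tcp", src="203.0.113.10", dport=5999, dir="out", iface="aue0", uid="root")
CLIENT_CVSUP = dict(proto="tcp", src="192.168.0.20", dport=5999, dir="out", iface="aue0")
```

walk(POST_RULES, CLIENT_CVSUP) ends at (450, 'deny') because neither "from me" nor "uid root" can match a forwarded client packet, while walk(FIXED_RULES, CLIENT_CVSUP) reaches (801, 'allow'); the gateway's own root cvsup is allowed in both rulesets.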