Hello
I am running 4.7-release p6 as a gateway (ipfw+natd). Thanks to
those of you who helped me firm up my ruleset. Natd is running
and configured, however, I am not able to do port redirection or
http from the outside. (Firewall disk crashed over the weekend,
and I didn't have things properly backed up).
My firewall log is flooded with this message:
[date and time]churgeon /kernel: ipfw: Deny UDP 10.142.240.1:67 255.255.255.255:68 in
via ed1
When I run sockstat, I see that dhclient is listening for udp packets on port 68:
root dhclient 62 4 udp4 *:68 *:*
Attached is my ipfw ruleset. I'd like to know if I need to allow
these packets (if they're required by dhclient, etc.).
Just in case, I've attached natd.conf and rc.conf, as well. Thanks for any help.
---
Joshua Lokken
FreeBSD: The Power to Serve!
[EMAIL PROTECTED]
-------------------------------->
Need a new email address that people can remember
Check out the new EudoraMail at
http://www.eudoramail.com
fwcmd="/sbin/ipfw"
oif="ed1"
oip="xxx.xxx.xxx.xxx"
iif="rl0"
inwr="10.0.0.0/8"
iip="10.0.0.1"
ns1="204.127.198.4"
ns2="216.148.227.68"
ns3="207.228.252.107"
ns4="64.246.26.64"
$fwcmd -f flush
$fwcmd add allow all from any to any via lo0
$fwcmd add divert natd all from any to any via $oif
$fwcmd add allow icmp from any to any icmptypes 3,4,11,12
$fwcmd add check-state
$fwcmd add allow udp from $oip to any via $oif keep-state
$fwcmd add allow tcp from any to $oip 22,25,80,110,443,6346,22002,22003,22010 setup
via $oif keep-state
$fwcmd add allow ip from $oip to any keep-state out via $oif
$fwcmd add allow ip from $inwr to any keep-state via $iif
$fwcmd add 65435 deny log ip from any to any
# natd.conf
# flags
interface ed1
dynamic yes
unregistered_only yes
# Web and mail
redirect_port tcp 10.0.0.10:8080 80
redirect_port udp 10.0.0.10:8080 80
redirect_port tcp 10.0.0.10:443 443
redirect_port udp 10.0.0.10:443 443
# SSH
redirect_port tcp 10.0.0.2:22 22002
redirect_port udp 10.0.0.2:22 22002
redirect_port tcp 10.0.0.3:22 22003
redirect_port udp 10.0.0.3:22 22003
redirect_port tcp 10.0.0.10:22 22010
redirect_port udp 10.0.0.10:22 22010
# VNC
redirect_port tcp 10.0.0.2:5900-5910 5900-5910
redirect_port udp 10.0.0.2:5900-5910 5900-5910
# -- sysinstall generated deltas -- # Sat Feb 15 13:14:18 2003
# Created: Sat Feb 15 13:14:18 2003
network_interfaces="lo0 ed1 rl0"
hostname="churgeon.joshualokken.com"
ifconfig_ed1="DHCP"
ifconfig_rl0="inet 10.0.0.1 netmask 255.0.0.0"
inetd_enable="NO"
kern_securelevel_enable="YES"
kern_securelevel="1"
nfs_reserved_port_only="YES"
sendmail_enable="NONE"
sshd_enable="YES"
syslogd_enable="YES"
syslogd_flags="-ss"
gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="ed1"
natd_flags="-f /etc/natd.conf"
firewall_script="/etc/firewall.conf"
tcp_extensions="YES"
icmp_drop_redirect="YES"
