Re: ipfw natd rules not loading on startup
Just a sidenote:

On Sat, 15 May 2010 02:33:10 +0200, umage wrote:
> However, if I run the script manually, or call it from the end of /etc/rc,
> it will add these rules as well. Currently I am using a workaround.

It's not a good idea to modify /etc/rc. In your case, using the mechanisms
of /etc/rc(.shutdown).local is a good way to call scripts that do not fit
the rc.d concept. See "man rc.local" for details.

So I would suggest something for /etc/rc.local like this:

	#!/bin/sh
	if [ -z "${source_rc_confs_defined}" ]; then
		if [ -r /etc/defaults/rc.conf ]; then
			. /etc/defaults/rc.conf
			source_rc_confs
		elif [ -r /etc/rc.conf ]; then
			. /etc/rc.conf
		elif [ -r /etc/rc.conf.local ]; then
			. /etc/rc.conf.local
		fi
	fi

	echo -n " custom-firewall"
	/your/firewall/script.sh --here

The final dot + newline in the messages will be added by rc, if I remember
correctly.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: ipfw natd rules not loading on startup
On Sat, May 15, 2010 at 02:33:10AM +0200, umage wrote:
> I performed a kernel+world update of my freebsd router, RELENG_8 branch,
> apparently from the version 6 months ago to current. I use ipfw and a
> shell script that gets loaded at startup. I noticed after rebooting that
> ipfw did not load two rules, both of type "divert natd". However, if I
> run the script manually, or call it from the end of /etc/rc, it will add
> these rules as well. Currently I am using a workaround.

Best to ask -STABLE. There's been some breakage of ipfw since end of April.
I'm unsure as to whether they've all been resolved yet.

Cheers.
-- 
Jonathan Chen | To do is to be -- Nietzsche
              | To be is to do -- Sartre
              | Scooby do be do -- Scooby
ipfw natd rules not loading on startup
I performed a kernel+world update of my freebsd router, RELENG_8 branch,
apparently from the version 6 months ago to current. I use ipfw and a
shell script that gets loaded at startup. I noticed after rebooting that
ipfw did not load two rules, both of type "divert natd". However, if I
run the script manually, or call it from the end of /etc/rc, it will add
these rules as well. Currently I am using a workaround.

I could not find any mention of warnings or errors in the logs. I couldn't
find any way of making ipfw log errors. I tried piping my script's output
to a file, but it did not say anything useful. No one I asked knew what to
do.

I noticed that there has been a revamp of ipfw and its supporting scripts
recently, so it's possible something broke along the way (for example, a
missing rc dependency on natd?).

Advice would be appreciated.
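Since ipfw gives no error when a rule silently fails to load, the practical defence is to verify the loaded ruleset after boot rather than trust the script. The following POSIX sh check is an added example and not code from the thread or from FreeBSD: it counts the "divert" rules for a given port in "ipfw show" (or "ipfw list") output and compares that to the number expected. The sample output, the interface name rl1 and the rule numbers are constructed; port 8668 is the natd default from /etc/services.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the expected "divert natd"
# rules are really loaded, since ipfw reports nothing when one is missing.

# Constructed sample of "ipfw show" output where the second divert rule
# (rule 200) that the boot script should have added is absent.
SAMPLE_MISSING='00100    80  48557 divert 8668 ip from any to any via rl1
00300     0      0 allow ip from any to any via lo0
65535  1598 333640 deny ip from any to any'

# Constructed sample where both divert rules are present.
SAMPLE_OK='00100    80  48557 divert 8668 ip from any to any out via rl1
00200    12   2301 divert 8668 ip from any to any in via rl1
00300     0      0 allow ip from any to any via lo0
65535  1598 333640 deny ip from any to any'

# count_divert_rules PORT
#   Reads "ipfw show" or "ipfw list" output on stdin and prints how many
#   rules divert to PORT. Both formats work because the rule body always
#   contains the word "divert" followed by the port, whatever the leading
#   counter columns look like.
count_divert_rules() {
    port=$1
    awk -v port="$port" '
        {
            for (i = 1; i < NF; i++)
                if ($i == "divert" && $(i + 1) == port) { n++; break }
        }
        END { print n + 0 }'
}

# check_divert_rules PORT EXPECTED
#   Returns 0 when exactly EXPECTED divert rules for PORT are loaded and
#   1 otherwise, printing a one-line verdict for a boot-time or cron check.
check_divert_rules() {
    port=$1
    expected=$2
    found=$(count_divert_rules "$port")
    if [ "$found" -eq "$expected" ]; then
        echo "ok: $found divert $port rule(s) loaded"
        return 0
    fi
    echo "WARNING: expected $expected divert $port rule(s), found $found" >&2
    return 1
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OK" | check_divert_rules 8668 2 || :
printf '%s\n' "$SAMPLE_MISSING" | check_divert_rules 8668 2 || :
# On a real host with ipfw available:  ipfw show | check_divert_rules 8668 2
```

Run from rc.local after the firewall script, or from cron, the non-zero exit gives a hook for an alert; the warning on stderr ends up in the console log where the original poster was looking for one.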
Re: IPFW + NATD rules
On Sun, Aug 27, 2006 at 01:04:54PM +0500, ?? ?? wrote:
> I'm a junior in FreeBSD, and I faced with problem.

You should know that others have mailers that are thread enabled. This
means that when you compose a new mail, but you use the reply shortcut,
others may not read this, because it ends up in the list.

I redirected the mail to questions@ because this is not related to the
stable development branch.

> I've a FreeBSD 6.1-stable box as a gate+firewall, and I want to divert
> incoming requests to my web-server, placed in DeMilitarized Zone
> (DMZ). To do this I wrote down settings in /etc/rc.conf as shown
> above:
>
> natd_flags="-redirect_port tcp 80 192.168.1.234 80"
> natd_flags="-redirect_poort tcp 443 192.168.1.234 443"

You probably can not have two lines.

> I think, that all packets incoming from Internet will be diverted from
> the External interface via DMZ interface to my Web-server. Is it right?
> If not, why not, and what the way to make it working?

Yes, but you made some mistakes:

1. You have two lines, where only one is allowed.
2. The file format is wrong: should be tcp forward_ip:port port
3. You made a typo
4. Did you setup ipfw?

I've done this with a separate config file.

	firewall_enable="YES"
	firewall_type="/etc/firewall.conf"
	natd_enable="YES"
	natd_flags="-f /etc/natd.conf"
	natd_interface="fxp0"

/etc/firewall.conf contains:

	add divert 8668 ip from any to any
	(note: src_ip and dst_ip changes here, so keep this in mind if you add rules)
	add allow ip from any to any

/etc/natd.conf contains:

	redirect_port tcp ip_to_goto:port local_port

Did you set up ipfw and direct packets to natd? You also need to setup i

-- 
Alex

Please copy the original recipients, otherwise I may not read your reply.

Howtos based on my personal use, including information about setting up a
firewall and creating traffic graphs with MRTG
http://alex.kruijff.org/FreeBSD/
Re: problems with ipfw + natd rules
I tried to allow only port 80, but the result is the same. I have also
tried ipf + ipnat, but I need to block internet connection to some users
by MAC address, and ipf doesn't know what a MAC address is. Maybe I can
block MAC addresses with ipf + ipnat somehow? Btw FreeBSD version is 4.9.

> On Wed, 2004-03-31 at 20:27, Prodigy wrote:
> > ${fwcmd} add 400 pass tcp from any 22,80,110,119,143,443,3306,5190,6667-7000
> > to any via rl1
> > ${fwcmd} add 500 pass tcp from any to any
> > 22,80,110,119,143,443,3306,5190,6667-7000 via rl1
> >
> > When I comment out 400 and 500 rules and add "allow all from any to any via
> > rl1" it's all ok. The problem is somewhere in 400 and 500 rules.
>
> Those lines (400 and 500) sure look like they could cause trouble. Try
> chopping them up per port number/range across multiple lines.
>
> ipfw and natd are nice for the quick-and-dirty setups, but if you need
> something more predictable, configurable, and debuggable, switch to
> ipfilter and ipnat. You'll find yourself very much in control over your
> firewall/nat environment.
>
> Andre
Re: problems with ipfw + natd rules
On Wed, 2004-03-31 at 20:27, Prodigy wrote:
> ${fwcmd} add 400 pass tcp from any 22,80,110,119,143,443,3306,5190,6667-7000
> to any via rl1
> ${fwcmd} add 500 pass tcp from any to any
> 22,80,110,119,143,443,3306,5190,6667-7000 via rl1
>
> When I comment out 400 and 500 rules and add "allow all from any to any via
> rl1" it's all ok. The problem is somewhere in 400 and 500 rules.

Those lines (400 and 500) sure look like they could cause trouble. Try
chopping them up per port number/range across multiple lines.

ipfw and natd are nice for the quick-and-dirty setups, but if you need
something more predictable, configurable, and debuggable, switch to
ipfilter and ipnat. You'll find yourself very much in control over your
firewall/nat environment.

Andre
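One way to follow the advice above without hand-writing eighteen rules is to generate them from the port list and review the output before loading it. The script below is an added example, not code from the thread or from FreeBSD: it expands a comma-separated port list into one source-port and one destination-port rule per entry, validates each entry so that a typo is reported instead of being handed to ipfw, and only prints the commands (nothing here runs ipfw). The starting rule number, step, interface rl1 and the port list are taken from the thread's configuration as assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): expand a port list into one ipfw rule
# per port or range, so that a single unparseable rule cannot silently take a
# whole group of ports with it. Output is printed for review, not executed.

# valid_port N : true when N is a decimal number between 1 and 65535
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# expand_port_rules START STEP PROTO IFACE PORTLIST
#   For each port or lo-hi range in PORTLIST prints two rules in the
#   ipfw 4.x syntax used in the thread: one matching the source port and
#   one matching the destination port, numbered START, START+STEP, ...
#   Invalid entries are reported on stderr and skipped.
expand_port_rules() {
    start=$1; step=$2; proto=$3; iface=$4; ports=$5
    num=$start
    # Split PORTLIST on commas, restoring IFS afterwards.
    oldifs=$IFS
    IFS=,
    set -- $ports
    IFS=$oldifs
    for p in "$@"; do
        case $p in
            *-*)
                lo=${p%-*}; hi=${p#*-}
                if ! valid_port "$lo" || ! valid_port "$hi" || [ "$lo" -gt "$hi" ]; then
                    echo "skipping invalid range: $p" >&2
                    continue
                fi ;;
            *)
                if ! valid_port "$p"; then
                    echo "skipping invalid port: $p" >&2
                    continue
                fi ;;
        esac
        printf 'add %d pass %s from any %s to any via %s\n' "$num" "$proto" "$p" "$iface"
        num=$((num + step))
        printf 'add %d pass %s from any to any %s via %s\n' "$num" "$proto" "$p" "$iface"
        num=$((num + step))
    done
}

# Stand-alone demonstration with the port list from the thread.
expand_port_rules 400 10 tcp rl1 "22,80,110,119,143,443,3306,5190,6667-7000"
```

Feeding the output to "ipfw -q" (or pasting it into the firewall script) gives one rule per port, so "ipfw show" then reveals exactly which rule is missing or never matched, which a single combined rule hides. The separate source-port and destination-port rules keep the semantics of the original 400/500 pair; tightening them further (for example to "setup" or "established" matches) is a separate policy decision.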
problems with ipfw + natd rules
Hello, I have a problem with ipfw + natd. The problem is that my FreeBSD
server isn't routing internet. First I have used FreeBSD4.9-STABLE, then I
tried to upgrade to FreeBSD4.9-RELEASE-p4. Result is the same - no internet
for lan users. Take a look at my configuration files:

rc.conf:

	defaultrouter="213.190.42.1"
	hostname="localhost"
	ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"    # inside (lan) interface
	ifconfig_rl1="inet 213.190.42.48 netmask 255.255.255.0"  # outside (internet) interface
	#some other stuff goes here
	gateway_enable="YES"
	natd_enable="YES"
	natd_program="/sbin/natd"
	natd_interface="rl1"
	natd_flags=""
	firewall_enable="YES"
	firewall_script="/usr/local/etc/ipfw.conf"
	firewall_quiet="YES"
	firewall_logging="YES"

ipfw.conf:

	fwcmd="/sbin/ipfw -q"
	${fwcmd} -f flush
	${fwcmd} add 100 divert 8668 ip from any to any via rl1
	${fwcmd} add 200 pass ip from any to any via lo0
	${fwcmd} add 300 deny log ip from any to 127.0.0.0/8
	${fwcmd} add 400 pass tcp from any 22,80,110,119,143,443,3306,5190,6667-7000 to any via rl1
	${fwcmd} add 500 pass tcp from any to any 22,80,110,119,143,443,3306,5190,6667-7000 via rl1
	${fwcmd} add 600 pass udp from any to any 53 via rl1
	${fwcmd} add 700 pass udp from any 53 to any via rl1
	${fwcmd} add 800 pass ip from any to any via rl0
	${fwcmd} add 900 deny log all from any to any via rl1

# ipfw show

	00100    80  48557 divert 8668 ip from any to any via rl1
	00200     0      0 allow ip from any to any via lo0
	00300     0      0 deny log ip from any to 127.0.0.0/8
	00400    54  59678 allow tcp from any 22,80,110,119,143,443,3306,5190,6667-7000 to any via rl1
	00500    26   1473 allow tcp from any to any dst-port 22,80,110,119,143,443,3306,5190,6667-7000 via rl1
	00600     3    177 allow udp from any to any dst-port 53 via rl1
	00700     0      0 allow udp from any 53 to any via rl1
	00800   226 101368 allow ip from any to any via rl0
	00900    62  40857 deny log ip from any to any via rl1
	65535  1598 333640 deny ip from any to any

/etc/sysctl.conf:

	net.link.ether.ipfw=1

# cat /etc/services | grep natd

	natd            8668/divert   # Network Address Translation

When I comment out 400 and 500 rules and add "allow all from any to any via
rl1" it's all ok. The problem is somewhere in 400 and 500 rules.