On Mon, Sep 26, 2005 at 05:26:12PM +0300, Ertan Kucukoglu wrote:
Hi,
I have a problem blocking foreign intruders for specific ports in ipfw.
One of my friends has 4.X-Stable running in production for proxy,
e-mail, virus etc. The server also has natd and ipfw installed on it. We
have the following rule set.
-
00050 2132 1212881 divert 8668 ip from any to any via dc1
00100 1078 4537400 allow ip from any to any via lo0
002000 0 deny ip from any to 127.0.0.0/8
003000 0 deny ip from 127.0.0.0/8 to any
004000 0 allow tcp from 192.168.0.0/24 to me 23
005000 0 deny tcp from 192.168.0.69 to me 1863
005500 0 deny tcp from 192.168.0.63 to me 1863
006000 0 deny tcp from 192.168.0.69 to me 80
006500 0 deny tcp from 192.168.0.63 to me 80
010000 0 allow tcp from 192.168.0.0/16 to me 21
010100 0 deny tcp from any to me 21
011000 0 allow tcp from 212.58.X.X to me 1433 via dc1 (IP intentionally hidden)
011100 0 deny tcp from any to me 1433 via dc1
65000 5467 3180867 allow ip from any to any
65535 4654 322885 deny ip from any to any
-
Natd is diverting port 1433 to an internal machine.
When I try from a different IP address on the Internet than 212.58.x.x,
I can easily connect to the directed server's port 1433.
I'm sure that I'm missing something, but I can not recognize what it is
at the moment. Any help will be appreciated.
Regards,
You're forgetting that natd changes the destination IP address so that it is
not "me". Try putting the block rule before the divert. This is also good
for performance.
--
Alex
Please copy the original recipients, otherwise I may not read your reply.
Howto's based on my personal use, including information about
setting up a firewall and creating traffic graphs with MRTG
http://www.kruijff.org/alex/FreeBSD/
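The effect Alex describes, modelled in a small Python simulation. This is an added illustration, not code from the thread, from ipfw or from natd: it models ipfw's first-match walk with a divert rule that rewrites the destination the way natd's port redirection does, and runs the original rule order and a reordered set against the same inbound packet. All addresses are constructed: 203.0.113.10 stands in for the dc1 interface ("me"), 192.168.0.50 for the internal SQL host natd forwards port 1433 to, 212.58.1.1 for the masked 212.58.X.X, and 198.51.100.7 for an arbitrary outside host. The reordered set uses ipfw's `not` modifier on the source so that a single deny placed before the divert keeps the trusted host out of the block without an `allow` that would terminate processing before natd ever sees the packet.

```python
"""Toy model of ipfw first-match evaluation with a natd divert rule.

Added illustration, not part of the original thread. It shows why
'deny tcp from any to me 1433 via dc1' never matches when it sits after
the divert rule: natd has already rewritten the destination to the
internal host, so the packet is no longer addressed to "me".
"""
from ipaddress import ip_address, ip_network

ME = "203.0.113.10"                       # constructed: address of dc1 ("me")
NAT_REDIRECT = {1433: "192.168.0.50"}     # constructed: natd port redirection
TRUSTED = "212.58.1.1"                    # constructed stand-in for 212.58.X.X

# Rule tuple: (number, action, proto, src, dst, dst_port, via_interface)
ORIGINAL = [
    (50,    "divert", "ip",  "any",          "any",          None, "dc1"),
    (100,   "allow",  "ip",  "any",          "any",          None, "lo0"),
    (2000,  "deny",   "ip",  "any",          "127.0.0.0/8",  None, None),
    (3000,  "deny",   "ip",  "127.0.0.0/8",  "any",          None, None),
    (11000, "allow",  "tcp", TRUSTED,        "me",           1433, "dc1"),
    (11100, "deny",   "tcp", "any",          "me",           1433, "dc1"),
    (65000, "allow",  "ip",  "any",          "any",          None, None),
]

# Block rule moved in front of the divert, so it sees the untranslated
# destination. 'not TRUSTED' exempts the one permitted source.
REORDERED = [
    (20,    "deny",   "tcp", "not " + TRUSTED, "me",         1433, "dc1"),
    (50,    "divert", "ip",  "any",          "any",          None, "dc1"),
    (100,   "allow",  "ip",  "any",          "any",          None, "lo0"),
    (2000,  "deny",   "ip",  "any",          "127.0.0.0/8",  None, None),
    (3000,  "deny",   "ip",  "127.0.0.0/8",  "any",          None, None),
    (65000, "allow",  "ip",  "any",          "any",          None, None),
]


def _match_addr(spec, addr):
    """Match an address against an ipfw-style spec: any, me, not X, or CIDR."""
    if spec.startswith("not "):
        return not _match_addr(spec[4:], addr)
    if spec == "any":
        return True
    if spec == "me":
        return addr == ME
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(rules, pkt):
    """Walk the rules in order; the first allow/deny wins.

    pkt is a dict with proto, src, dst, dport, iface. Returns
    (action, matching_rule_number, packet_as_seen_by_that_rule).
    """
    pkt = dict(pkt)
    for num, action, proto, src, dst, dport, via in rules:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if via is not None and via != pkt["iface"]:
            continue
        if not _match_addr(src, pkt["src"]) or not _match_addr(dst, pkt["dst"]):
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        if action == "divert":
            # natd rewrites an inbound packet's destination to the internal
            # host and re-injects it; evaluation continues at the next rule.
            if pkt["dst"] == ME and pkt["dport"] in NAT_REDIRECT:
                pkt["dst"] = NAT_REDIRECT[pkt["dport"]]
            continue
        return action, num, pkt
    return "deny", 65535, pkt          # implicit default deny


def inbound_sql(src):
    """Constructed inbound TCP packet from src to me:1433 on dc1."""
    return {"proto": "tcp", "src": src, "dst": ME, "dport": 1433, "iface": "dc1"}


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        for src in ("198.51.100.7", TRUSTED):
            action, num, seen = evaluate(rules, inbound_sql(src))
            print(f"{name:9s} src={src:13s} -> {action} at rule {num}, "
                  f"dst seen by that rule={seen['dst']}")
```

Running it shows the original order letting the outside host through at rule 65000 with the destination already rewritten to 192.168.0.50 (so rule 11100's `to me` cannot match), while the reordered set stops the same packet at rule 20 and still lets the trusted host reach the divert and the internal server.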
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions