Re: ipfw + NAT doesn't work
On Thu, Sep 17, 2009 at 02:53:12PM -0400, Robert Huff typed:
> Ruben de Groot writes:
>
> >> However: using these I still can't get through
> >
> > Through to what? You seem to be able to connect on a local subnet, but
> > not to the internet through NAT, which you say is ok, because you
> > shouldn't? Please explain exactly what you want to do.
>
> 1) With the firewall enabled, but no NAT-related rules, I can't get
> out. This is as expected.
>
> 2) With the NAT rules added, I should be able to get out, but can't.
>
> Clear?

I think so. What's your outgoing ip?

The rules you posted:

ipfw add 5000 nat 15 all from any to any
ipfw nat 15 config log same_ports ip 10.0.0.0/8
                                     ^^

Looks strange to me. Instead of 10.0.0.0/8 I believe you should use a
single IP that you want to translate to (ie your outgoing IP address).

Ruben
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
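A worked version of the correction Ruben suggests, added here as an example and not code from the thread: a small sh script that emits the ipfw nat instance and the two rules that feed it for the layout in Robert's post (em0 outside, 10.0.0.0/8 behind em1, nat instance 15, rule number 5000), and refuses a network prefix where "ipfw nat ... config ip" expects a single host address. The interface names and rule numbers come from the post; the IPFW and SYSCTL variables, the file name nat-rules.sh, the second rule number 5010 and the 203.0.113.7 address in the usage line are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: the NAT half of an ipfw ruleset
# with the nat instance bound to one translation address instead of a
# network prefix.  Assumptions: em0 is the outside interface, 10.0.0.0/8
# the inside network, nat instance 15 and rule 5000 as in Robert's post.
# Set IPFW=echo and SYSCTL=echo to preview the commands on any machine
# instead of installing them.
IPFW="${IPFW:-ipfw}"
SYSCTL="${SYSCTL:-sysctl}"

# nat_addr_ok ADDR: succeeds only for a single dotted-quad IPv4 host address.
# 'ipfw nat N config ip ADDR' wants exactly that; a prefix such as
# 10.0.0.0/8 (the value in the original rules) names a network, not an address.
nat_addr_ok() {
    case "$1" in
        */*|*[!0-9.]*) return 1 ;;   # prefix length or non-numeric junk
    esac
    # four non-empty decimal octets, each in 0..255
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i == "" || $i > 255) exit 1 }'
}

# nat_rules EXT_ADDR INSIDE_NET: emit the nat instance and its two rules.
# Returns 1 without emitting anything if EXT_ADDR is not a host address.
nat_rules() {
    ext="$1"; inside="$2"
    if ! nat_addr_ok "$ext"; then
        echo "nat: '$ext' is not a single host address (use the em0 address)" >&2
        return 1
    fi
    # Packets must be forwarded between em0 and em1 before NAT has any effect.
    $SYSCTL net.inet.ip.forwarding=1
    # deny_in: drop inbound packets that have no entry in the translation
    # table, so unsolicited traffic arriving on em0 never reaches the inside.
    # unreg_only: only translate traffic whose source is a private address.
    $IPFW nat 15 config log same_ports deny_in unreg_only ip "$ext"
    # Inbound on em0 addressed to the outside address: translate back to the
    # inside host that opened the connection.
    $IPFW add 5000 nat 15 ip from any to "$ext" in via em0
    # Outbound on em0 from the inside network: rewrite the source to EXT_ADDR.
    $IPFW add 5010 nat 15 ip from "$inside" to any out via em0
}

# Stand-alone use: nat-rules.sh EXT_ADDR INSIDE_NET
if [ "$#" -ge 1 ]; then
    nat_rules "$@"
fi
```

Run it as "IPFW=echo SYSCTL=echo sh nat-rules.sh 203.0.113.7 10.0.0.0/8" to see the commands first. Two points worth knowing before installing them on the box in the post: "ipfw nat 15 config if em0" can stand in for "ip ADDR" when the outside address is assigned dynamically; and with net.inet.ip.fw.one_pass left at its default of 1, a packet that matches a nat rule leaves the firewall as accepted, so a nat rule at 5000 sits in front of every deny rule numbered 6000 and above in the posted ruleset. Either renumber the nat rules to follow the deny rules or set one_pass to 0 so that processing continues at the next rule after translation.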
ipfw + NAT doesn't work
I have a machine running

FreeBSD 9.0-CURRENT #3: Tue Sep 15 18:49:58 EDT 2009 amd64

It has this in the config file for the running kernel:

options IPFIREWALL                      #firewall
options IPFIREWALL_VERBOSE              #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
options IPFIREWALL_NAT                  #ipfw kernel nat support
options LIBALIAS

It (10.0.0.1) connects correctly to another machine (10.0.0.3); I know
because .3 mounts one of .1's disks using Samba.

With the ipfw rules appended below, I can't NAT, nor should I be able to.
(em0 faces the Internet; em1 faces the other machine.)

However: using these I still can't get through

ipfw add 5000 nat 15 all from any to any
ipfw nat 15 config log same_ports ip 10.0.0.0/8

Have I forgotten something? Or misunderstood something? If not ... how do I
figure out what's wrong?

Respectfully,
Robert Huff

00100 3830 864746 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00350 11042464 allow udp from any 67-68 to any dst-port 67-68
00600 0 0 allow ip6 from any to any via lo0
00610 0 0 deny ip6 from any to ::1
00620 0 0 deny ip6 from ::1 to any
00630 3 256 allow ip6 from :: to ff02::/16 proto ipv6-icmp
00640 0 0 allow ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
00650 4 304 allow ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
00660 0 0 allow ip6 from 2001:db8:2:1::1 to 2001:db8:2:1::/64
00670 0 0 allow ip6 from 2001:db8:2:1::/64 to 2001:db8:2:1::1
00680 0 0 allow ip6 from fe80::/10 to ff02::/16
00690 0 0 allow ip6 from 2001:db8:2:1::/64 to ff02::/16
00700 0 0 allow ip6 from any to any established proto tcp
00710 0 0 allow ip6 from any to any frag
00720 0 0 allow ip6 from any to 2001:db8:2:1::1 dst-port 25 setup proto tcp
00730 0 0 allow ip6 from 2001:db8:2:1::1 to any setup proto tcp
00740 0 0 deny ip6 from any to any setup proto tcp
00750 0 0 allow ip6 from any 53 to 2001:db8:2:1::1 proto udp
00760 0 0 allow ip6 from 2001:db8:2:1::1 to any dst-port 53 proto udp
00770 0 0 allow ip6 from any 123 to 2001:db8:2:1::1 proto udp
00780 0 0 allow ip6 from 2001:db8:2:1::1 to any dst-port 123 proto udp
00790 0 0 allow ip6 from any to any ip6 icmp6types 1 proto ipv6-icmp
00800 0 0 allow ip6 from any to any ip6 icmp6types 2,135,136 proto ipv6-icmp
06000 0 0 deny log logamount 100 tcp from any to any dst-port 137 in via em0
06050 32 3000 deny log logamount 100 udp from any to any dst-port 137 in via em0
06100 0 0 deny log logamount 100 tcp from any to any dst-port 138 in via em0
06150 15 3465 deny log logamount 100 udp from any to any dst-port 138 in via em0
06200 0 0 deny log logamount 100 tcp from any to any dst-port 139 in via em0
06250 0 0 deny log logamount 100 udp from any to any dst-port 139 in via em0
07000 0 0 deny log logamount 100 tcp from any to any dst-port 111 in via em0
07050 0 0 deny log logamount 100 udp from any to any dst-port 111 in via em0
07100 0 0 deny log logamount 100 tcp from any to any dst-port 530 in via em0
07150 0 0 deny log logamount 100 udp from any to any dst-port 530 in via em0
07200 0 0 deny log logamount 100 tcp from any to any dst-port 161 in recv em0
07225 0 0 deny log logamount 100 udp from any to any dst-port 161 in recv em0
07250 0 0 deny log logamount 100 tcp from any to any dst-port 162 in recv em0
07275 0 0 deny log logamount 100 udp from any to any dst-port 162 in recv em0
07300 0 0 deny log logamount 100 tcp from any to any dst-port 194
07310 0 0 deny log logamount 100 udp from any to any dst-port 194
07320 0 0 deny log logamount 100 tcp from any to any dst-port 529
07330 0 0 deny log logamount 100 udp from any to any dst-port 529
07340 0 0 deny log logamount 100 tcp from any to any dst-port 994
07350 0 0 deny log logamount 100 udp from any to any dst-port 994
07360 0 0 deny log logamount 100 tcp from any to any dst-port 6667
07370 0 0 deny log logamount 100 udp from any to any dst-port 6667
1 45012 38961511 allow tcp from any to any established
10100 1452 112487 allow ip from any to any out via em0
10200 0 0 allow tcp from 10.0.0.0/8 to any dst-port 80
10300 0 0 allow tcp from any 80 to any dst-port 1024-65535 via em0
10400 0 0 allow tcp from any 443 to any dst-port 1024-65535 via em0
10500 0 0 deny
Re: ipfw + NAT doesn't work
On Thu, Sep 17, 2009 at 10:14:15AM -0400, Robert Huff typed:
> I have a machine running
>
> FreeBSD 9.0-CURRENT #3: Tue Sep 15 18:49:58 EDT 2009 amd64
>
> It has this in the config file for the running kernel:
>
> options IPFIREWALL                      #firewall
> options IPFIREWALL_VERBOSE              #enable logging to syslogd(8)
> options IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
> options IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
> options IPFIREWALL_NAT                  #ipfw kernel nat support
> options LIBALIAS
>
> It (10.0.0.1) connects correctly to another machine (10.0.0.3); I know
> because .3 mounts one of .1's disks using Samba.
>
> With the ipfw rules appended below, I can't NAT, nor should I be able to.
> (em0 faces the Internet; em1 faces the other machine.)
>
> However: using these I still can't get through

Through to what? You seem to be able to connect on a local subnet, but
not to the internet through NAT, which you say is ok, because you shouldn't?
Please explain exactly what you want to do.

> Have I forgotten something? Or misunderstood something? If not ... how do I
> figure out what's wrong?

/var/log/security is a good place to start, as your config seems to log almost
all denies.

BTW, CURRENT is a development branch. Fine if you want to run it, but you
should do some basic debugging yourself before posting problems with it. And
then the -questions list is probably not the best place to find answers.

regards,
Ruben
Re[2]: ipfw + NAT doesn't work
kes-...@yandex.ru writes:

> >> If not ... how do I figure out what's wrong?
>
> What are your ipfw rules?

They were appended to the original post.

Robert Huff
Re[2]: ipfw + NAT doesn't work
Hello, Ruben.

>> If not ... how do I figure out what's wrong?

What are your ipfw rules?

You wrote on 17 September 2009, 20:45:01:

RdG> On Thu, Sep 17, 2009 at 10:14:15AM -0400, Robert Huff typed:
RdG> > I have a machine running
RdG> >
RdG> > FreeBSD 9.0-CURRENT #3: Tue Sep 15 18:49:58 EDT 2009 amd64
RdG> >
RdG> > It has this in the config file for the running kernel:
RdG> >
RdG> > options IPFIREWALL                      #firewall
RdG> > options IPFIREWALL_VERBOSE              #enable logging to syslogd(8)
RdG> > options IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
RdG> > options IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
RdG> > options IPFIREWALL_NAT                  #ipfw kernel nat support
RdG> > options LIBALIAS
RdG> >
RdG> > It (10.0.0.1) connects correctly to another machine (10.0.0.3); I know
RdG> > because .3 mounts one of .1's disks using Samba.
RdG> >
RdG> > With the ipfw rules appended below, I can't NAT, nor should I be able to.
RdG> > (em0 faces the Internet; em1 faces the other machine.)
RdG> >
RdG> > However: using these I still can't get through
RdG>
RdG> Through to what? You seem to be able to connect on a local subnet, but
RdG> not to the internet through NAT, which you say is ok, because you shouldn't?
RdG> Please explain exactly what you want to do.
RdG>
RdG> > Have I forgotten something? Or misunderstood something? If not ... how do I
RdG> > figure out what's wrong?
RdG>
RdG> /var/log/security is a good place to start, as your config seems to log almost
RdG> all denies.
RdG>
RdG> BTW, CURRENT is a development branch. Fine if you want to run it, but you
RdG> should do some basic debugging yourself before posting problems with it. And
RdG> then the -questions list is probably not the best place to find answers.

--
Regards,
Коньков mailto:kes-...@yandex.ru