Try having the very first rule divert ip from any to any to natd. Then, you
can configure NATD to only affect RFC1918 packets by adding a -u to the
command line. NAT will take the packet and process it if it's an RFC 1918
address; if not, it allows it to pass and then reinjects it into the firewall at
rule 2 (or the next available rule) and continues processing the ruleset.


Like I described, I already use this flag. The problem with having divert at the top is that I get thrown off my ssh connection every time I try to reload natd or ipfw. Does it matter if I allow ssh from my network before I divert packets to natd?

I've not been awake for long and have had little to no Mt Dew yet, so don't
hold this against me. Without going over this for a while, which I recommend
when doing a firewall, this may be something in the neighborhood of what you're
looking for.


In your /usr/local/etc/natd.sh

#!/bin/sh
natd -interface xl2 -s -m -u

Or if you start it from rc.conf:

natd_flags="-s -m -u"


I use a natd config file with all these flags so that is taken care of.

The -s tells it to use sockets so that FTP doesn't get broken. You may not
need this.
The -m tells natd to attempt to use the same socket as the originating host.
The -u tells natd to only translate RFC 1918 packets.


In your firewall rules file:

###############
# more fwrules
fwcmd="/sbin/ipfw"
extif="xl2"
dmzif="fxp0"
lanif="xl0"
motorif="xl1"
#
#
$fwcmd -f flush
#
#
#NATD Divert
$fwcmd add 1 divert natd all from any to any via $extif
#
#You want blocked outbound ports to match early on in the firewall.
#
# Blocking ports out to Internet that I don't like:
$fwcmd add 100 deny tcp from any to any 135-139 out via $extif
$fwcmd add 100 deny tcp from any to any 445 out via $extif
#
#Then your allows:
#
#Network Allows
$fwcmd add 300 allow ip from any to any via $extif
$fwcmd add 300 allow ip from any to any via $dmzif
$fwcmd add 300 allow ip from any to any via $lanif
$fwcmd add 300 allow ip from any to any via $motorif


Hm.. You really mean I should add that first allow line there? These four rules together are basically the same as ipfw add allow ip from any to any, aren't they?

# Allow http to the whole dmz from Internet:
$fwcmd add 400 allow tcp from any to w.x.y.80/28 http via $extif
#
# Allow smtp and pop3 to the mailserver from Internet:
$fwcmd add 500 allow tcp from any to w.x.y.84 smtp,pop3 via $extif


Aren't these two rules overlapping the first 300 rule?

#Lastly, your denies
#
#Network Denies
#
# Default Block
$fwcmd add 65000 deny ip from any to any

Hope this helps you out.



Haven't been able to try them out yet, but I don't feel allowing the first 300 rule will probably help me having the firewall allowing traffic for me, but I wasn't really planning to allow everything in. And will deny rules have effect when the traffic already is allowed?

Arvinn
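The overlap and "does a later deny still count" questions above come down to ipfw's first-match evaluation: rules are checked in number order and the first allow or deny that matches ends processing. As an added example that is not part of this thread, the following Python script simulates the quoted ruleset under those semantics; the 10.0.0.x addresses are constructed stand-ins for the w.x.y.x placeholders, and the divert rule is omitted because natd re-injects the packet at the next rule rather than terminating.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    num: int
    action: str          # "allow" or "deny"; both terminate evaluation
    proto: str           # "ip" matches any protocol
    dst: Optional[str]   # destination prefix, None means "any"
    dports: frozenset    # destination ports, empty means "any"
    iface: str           # "via" interface, "any" disables the test
    direction: str = "any"

@dataclass
class Packet:
    proto: str
    dst: str
    dport: int
    iface: str
    direction: str

def matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("ip", p.proto)
            and (r.dst is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(r.dst, strict=False))
            and (not r.dports or p.dport in r.dports)
            and r.iface in ("any", p.iface)
            and r.direction in ("any", p.direction))

def first_match(rules, p: Packet) -> Optional[Tuple[int, str]]:
    """Walk rules in number order (stable for equal numbers) and return the first terminating hit."""
    for r in sorted(rules, key=lambda r: r.num):
        if matches(r, p):
            return r.num, r.action
    return None  # nothing matched; ipfw's compiled-in default would decide

# The ruleset as posted (constructed 10.0.0.x in place of w.x.y.x).
POSTED = [
    Rule(100, "deny", "tcp", None, frozenset(range(135, 140)), "xl2", "out"),
    Rule(100, "deny", "tcp", None, frozenset({445}), "xl2", "out"),
    Rule(300, "allow", "ip", None, frozenset(), "xl2"),
    Rule(300, "allow", "ip", None, frozenset(), "fxp0"),
    Rule(300, "allow", "ip", None, frozenset(), "xl0"),
    Rule(300, "allow", "ip", None, frozenset(), "xl1"),
    Rule(400, "allow", "tcp", "10.0.0.80/28", frozenset({80}), "xl2"),
    Rule(500, "allow", "tcp", "10.0.0.84", frozenset({25, 110}), "xl2"),
    Rule(65000, "deny", "ip", None, frozenset(), "any"),
]
# Same ruleset with the blanket allow on the external interface removed.
WITHOUT_EXTIF_ALLOW = [r for r in POSTED if not (r.num == 300 and r.iface == "xl2")]

HTTP_IN = Packet("tcp", "10.0.0.81", 80, "xl2", "in")     # web traffic into the DMZ
TELNET_IN = Packet("tcp", "10.0.0.81", 23, "xl2", "in")   # something never explicitly allowed
SMB_OUT = Packet("tcp", "203.0.113.5", 445, "xl2", "out") # outbound SMB, blocked early
```

With the posted rules every inbound packet on xl2 stops at rule 300, so rules 400, 500 and 65000 are never consulted for that interface; dropping the xl2 allow makes 400 and 500 do their job and lets 65000 catch the rest.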

