Fwd: ipfw rule placement
- Forwarded Message -
Date: Tue, 25 Feb 2003 16:06:22
From: Joshua Lokken [EMAIL PROTECTED]
To: Questions [EMAIL PROTECTED]

Hello,

Primary hard disk failed on my 4.7-RELEASE gateway (ipfw+natd) box last weekend, and I had not backed things up properly. Attached is my ipfw ruleset. After the rebuild, I rewrote things from memory. When I remove the default deny rule from the list, NAT works fine, port redirections and all, but with the deny rule in place, NAT isn't working, so I'm thinking I have a rule in the wrong place. Can anyone point out any obvious missing/misplaced rules here?

Thanks much.

---
Joshua Lokken
FreeBSD: The Power to Serve!
[EMAIL PROTECTED]

- End Forwarded Message -

My apologies for the missing attachment... and for the M$ formatted file ;(

    $fwcmd -f flush
    $fwcmd add allow all from any to any via lo0
    $fwcmd add divert natd all from any to any via $oif
    $fwcmd add allow tcp from any to $oip 22,80,443,6346,22002,22003,22010 setup
    $fwcmd add allow tcp from any to any established
    $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
    $fwcmd add check-state
    $fwcmd add allow ip from $oip to any keep-state out via $oif
    $fwcmd add allow ip from $inwr to any keep-state via $iif
    $fwcmd add 65435 deny log ip from any to any
Re: Fwd: ipfw rule placement
On 2003-02-25 16:09, Joshua Lokken [EMAIL PROTECTED] wrote:
> When I remove the default deny rule from the list, nat works fine, port
> redirections and all, but with the deny rule in place, nat isn't working,
> so I'm thinking I have a rule in the wrong place. Can anyone point out any
> obvious missing/misplaced rules here?

For NAT to be working, you have to make sure natd(8) is running and has a proper configuration file. Now, as far as the ipfw(8) rules are concerned, try using the following ruleset:

    # $fwcmd -f flush
    # $fwcmd add allow all from any to any via lo0
    # $fwcmd add divert natd all from any to any via $oif
    # $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
    # $fwcmd add check-state
    # $fwcmd add allow udp from $oip to any via $oif keep-state
    # $fwcmd add allow tcp from any to $oip 22,80,443,6346,22002,22003,22010 setup via $oif keep-state
    # $fwcmd add allow ip from $oip to any keep-state out via $oif
    # $fwcmd add allow ip from $inwr to any keep-state via $iif
    # $fwcmd add 65435 deny log ip from any to any

The changes from your own set of rules are summarized below:

- moved icmp checking higher, since they're unrelated to tcp or udp and state checking
- added a rule for udp packets, since DNS resolving and a few other useful things depend on them
- moved check-state higher, to minimise the delay for packets that are parts of an existing connection (ipfw rules are checked sequentially, from start to end)
- added keep-state in your 'setup' rule for incoming connections to $oip and 'via $oif' to make sure that packets destined for $oip are only accepted on $oif (good measure against spoofing)

Before using this set of rules, make sure you give proper values to $iip, $oip, $iif, $oif and $inwr.

- Giorgos
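The ruleset above depends on order: the divert must come before any stateful rule so natd sees packets first, check-state must come before the first keep-state rule, a udp rule must exist, and the default deny must be last. As an added example (not code from the thread), the script below loads the reply's ruleset in dry-run mode and lints the ordering, both on its own output and on the original poster's ruleset. The interface names, addresses and inside network are constructed placeholders; set fwcmd=/sbin/ipfw to load for real, and lint the live set with `ipfw list | lint_order` (ipfw list shows the divert port rather than the word natd, so the lint matches on "divert" alone).

```shell
#!/bin/sh
# Added example, not from the thread. Variables below are constructed
# placeholders (TEST-NET-1 / RFC 1918); override them from the environment.
fwcmd="${fwcmd:-echo ipfw}"   # dry run by default; fwcmd=/sbin/ipfw to load
oif="${oif:-fxp0}"            # assumed outside interface
iif="${iif:-fxp1}"            # assumed inside interface
oip="${oip:-192.0.2.10}"      # assumed public address
inwr="${inwr:-10.0.0.0/24}"   # assumed inside network

# Giorgos's corrected ruleset, in the order given in the reply.
load_rules() {
    $fwcmd -f flush
    $fwcmd add allow all from any to any via lo0
    $fwcmd add divert natd all from any to any via $oif
    $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
    $fwcmd add check-state
    $fwcmd add allow udp from $oip to any via $oif keep-state
    $fwcmd add allow tcp from any to $oip 22,80,443,6346,22002,22003,22010 setup via $oif keep-state
    $fwcmd add allow ip from $oip to any keep-state out via $oif
    $fwcmd add allow ip from $inwr to any keep-state via $iif
    $fwcmd add 65435 deny log ip from any to any
}

# The original poster's ruleset, for comparison (no udp rule).
original_rules() {
    $fwcmd -f flush
    $fwcmd add allow all from any to any via lo0
    $fwcmd add divert natd all from any to any via $oif
    $fwcmd add allow tcp from any to $oip 22,80,443,6346,22002,22003,22010 setup
    $fwcmd add allow tcp from any to any established
    $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
    $fwcmd add check-state
    $fwcmd add allow ip from $oip to any keep-state out via $oif
    $fwcmd add allow ip from $inwr to any keep-state via $iif
    $fwcmd add 65435 deny log ip from any to any
}

# lint_order reads rule lines on stdin (dry-run output or `ipfw list`)
# and exits non-zero if the ordering the reply relies on is violated.
lint_order() {
    awk '
    /divert/      { if (!divert) divert = NR }
    /check-state/ { if (!cs) cs = NR }
    /keep-state/  { if (!ks) ks = NR }
    / udp /       { udp = NR }
    /deny/        { deny = NR }
    { last = NR }
    END {
        ok = 1
        if (!divert || !cs || !ks || !deny) { print "missing divert, check-state, keep-state or deny rule"; ok = 0 }
        if (divert > cs || divert > ks)     { print "divert must precede the stateful rules"; ok = 0 }
        if (cs > ks)                        { print "check-state must precede the first keep-state rule"; ok = 0 }
        if (!udp)                           { print "no explicit udp rule: DNS resolving will suffer"; ok = 0 }
        if (deny != last)                   { print "default deny is not the last rule"; ok = 0 }
        exit ok ? 0 : 1
    }'
}

# Dry run: show the rules once, then lint that same output.
rules=$(load_rules)
printf '%s\n' "$rules"
printf '%s\n' "$rules" | lint_order && echo "rule order OK"
```

The lint is deliberately keyword-based so it works on both the generated commands and on `ipfw list` output from the running box, which is what you actually want to check after a rebuild from memory.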
Re: Fwd: ipfw rule placement
On Wed, 26 Feb 2003 02:25:12 Giorgos Keramidas wrote:
> [...]
> Before using this set of rules, make sure you give proper values to
> $iip, $oip, $iif, $oif and $inwr.
>
> - Giorgos

Indeed! I do have the variables listed defined, and have natd configured and working. Thank you very much--not only did you answer my question, but gave me a better understanding of ipfw!

Joshua