Re: no access to web server behind ipfw
Chen Xu wrote:

> $cmd 100 divert natd ip from any to any in via $pif
> $cmd 101 check-state

You use "in via $pif", I'm not 100% sure but I think you should only use "via $pif".

> # Authorized inbound packets
> $cmd 421 allow tcp from any to 192.168.1.10 80 in via $pif setup limit src-addr 5

I think it's bad to use stateful rules for inbound connections.

--
Christer Hermansson
http://www.chdevelopment.se

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: no access to web server behind ipfw
Hi Christer,

I followed the example from the handbook. Yes, it is OK to divert in and out separately. skipto is used to point to the divert out rule number when it is outbound. I run into problems only when using natd to redirect from the gateway to a local machine. tcpdump shows that packets in both directions actually go through fine, but only the head is there; the body was ripped off.

I am looking into OpenBSD's PF right now. It is such a simple goal to reach but seems not so easy.

-Chen

* Christer Hermansson [EMAIL PROTECTED] [081017 14:54]:
> Chen Xu wrote:
>
> > $cmd 100 divert natd ip from any to any in via $pif
> > $cmd 101 check-state
>
> You use "in via $pif", I'm not 100% sure but I think you should only use "via $pif".
>
> > # Authorized inbound packets
> > $cmd 421 allow tcp from any to 192.168.1.10 80 in via $pif setup limit src-addr 5
>
> I think it's bad to use stateful rules for inbound connections.
>
> --
> Christer Hermansson
> http://www.chdevelopment.se
no access to web server behind ipfw
Dear All,

I think I need help from the group. The situation is kind of simple, but I cannot get it to work for me. I wanted to access a web server behind a firewall/gateway:

191.168.1.1 (firewall/gateway/natd)
192.168.1.10 (internal web server)

191.168.1.1 has this info:

FreeBSD 5.3-RELEASE-p26

Kernel compiled with the following lines:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPDIVERT

rc.conf has these lines:

# Add stuff for firewall - ipfw
firewall_enable="YES"
firewall_type="OPEN"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
gateway_enable="YES"
# Enable natd.
natd_enable="YES"
natd_interface="fxp0"
#natd_flags="-dynamic -m" # preserve port numbers if possible
natd_flags="-f /etc/natd.conf" # preserve port numbers if possible

/etc/natd.conf

port 8668
interface fxp0
redirect_port tcp 192.168.1.10:80 80

/etc/ipfw.rules

#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 500"
pif="fxp0"
ks="keep-state"
good_tcpo="22"
ipfw -q -f flush
$cmd 002 allow all from any to any via em0 # exclude LAN traffic
$cmd 003 allow all from any to any via lo0 # exclude loopback traffic
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state
# Authorized outbound packets
$cmd 120 $skip udp from any to x.x.x.11 53 out via $pif $ks
$cmd 121 $skip udp from any to x.x.x.12 53 out via $pif $ks
## -- block only one PC running windows (192.168.1.2)
$cmd 123 deny tcp from 192.168.1.2 to any 80 out via $pif
$cmd 124 $skip tcp from any to any 80 out via $pif setup $ks
# $cmd 129 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks
# root can do cvsup etc. like a GOD
$cmd 140 allow tcp from me to any out via $pif $ks uid root
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D E multicast
# Authorized inbound packets
$cmd 421 allow tcp from any to 192.168.1.10 80 in via $pif setup limit src-addr 5
$cmd 450 deny log ip from any to any
# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
end of rules

Apparently rule 421 is not enough to access the webserver 192.168.1.10 at port 80. I need help here.

Thanks,
Chen
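An added example, not Chen's /etc/ipfw.rules and not the handbook's script: the subset of the ruleset that the redirect_port path touches, kept in the original numbering and skipto layout, with one change to rule 421. In ipfw a dynamic rule created by keep-state or limit executes the action of the rule that created it. With rule 421's action set to allow, the web server's reply packets (from 192.168.1.10, outbound via fxp0) match at rule 101 check-state, are allowed there, and never reach the outbound divert at rule 500, so they leave untranslated; that is the kind of failure Christer's remark about stateful inbound rules and Chen's tcpdump observation both point at. Changing the action to skipto 500 sends the replies through natd first. The helper names (rule, emit_rules, action_of, load_rules) and the IPFW variable are my own; interface and address values are the ones from the post.

```shell
#!/bin/sh
# Added example: the redirect_port-relevant subset of the poster's ruleset,
# with rule 421's action changed from "allow" to "$skip". A dynamic rule
# executes the action of the rule that created it, so "allow" lets the web
# server's replies bypass the divert at 500, while "skipto 500" sends them
# through natd before they leave via $pif.
# Set IPFW="echo ipfw" to dry-run on a machine without ipfw.
IPFW=${IPFW:-ipfw}
pif=fxp0              # external interface (from the original post)
lif=em0               # LAN interface (from the original post)
websrv=192.168.1.10   # internal web server (from the original post)
skip="skipto 500"

# Print one rule in ipfw(8) rules-file syntax ("add ...").
rule() { printf 'add %s\n' "$*"; }

emit_rules() {
  rule 002 allow all from any to any via $lif            # LAN traffic
  rule 003 allow all from any to any via lo0             # loopback
  rule 100 divert natd ip from any to any in via $pif    # un-NAT inbound first
  rule 101 check-state
  # Outbound web from the LAN: state is created before NAT at 500, and replies
  # are un-NATed at 100 before check-state, so both directions match in LAN
  # address space and the dynamic rule's skipto action reaches the divert.
  rule 124 $skip tcp from any to any 80 out via $pif setup keep-state
  # Redirected inbound web: the dynamic rule inherits THIS action, so it must
  # be $skip (not allow) for replies from $websrv to be translated at 500.
  rule 421 $skip tcp from any to $websrv 80 in via $pif setup limit src-addr 5
  rule 450 deny log ip from any to any
  rule 500 divert natd ip from any to any out via $pif   # NAT outbound last
  rule 510 allow ip from any to any
}

# Action word of a given rule number, for checking the ruleset before loading.
action_of() { emit_rules | awk -v n="$1" '$2 == n { print $3 }'; }

# Flush and load the ruleset in one ipfw invocation.
load_rules() {
  $IPFW -q -f flush
  emit_rules | $IPFW -q /dev/stdin
}

if [ "${1:-}" = load ]; then load_rules; fi
```

Run it as `sh ipfw-redirect.sh load` on the gateway, or with `IPFW="echo ipfw"` first to see the commands without applying them; the DNS, NTP, ICMP and bogon rules from the original script slot back in unchanged at their numbers. The stateless route Christer prefers is the other option: leave 421 as a plain allow and add an outbound `$skip tcp from $websrv 80 to any out via $pif established` rule, so that neither direction depends on a dynamic rule.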