Nat problem

perikillo perikillo at gmail.com
Thu Apr 28 08:32:29 PDT 2005


Hello Frank.

I think you are using ipfilter, but what about the rules in ipfilter.conf? 
The handbook has a very good explanation of ipfilter; my rules are based 
on the handbook and the ipfilter how-to.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html
http://www.obfuscation.org/ipf/ipf-howto.txt

Look, these are my rules in ipfilter.conf. My connection is DSL, ed0 is my 
internal interface and tun0 is my public interface on FreeBSD 4.11-p4.

block in on tun0 all head 1
block in quick on tun0 from 192.168.0.0/16 to any group 1
block in quick on tun0 from 172.16.0.0/12 to any group 1
block in quick on tun0 from 10.0.0.0/8 to any group 1
block in quick on tun0 from 127.0.0.0/8 to any group 1
block in quick on tun0 from 0.0.0.0/8 to any group 1
block in quick on tun0 from 169.254.0.0/16 to any group 1
block in quick on tun0 from 192.0.2.0/24 to any group 1
block in quick on tun0 from 204.152.64.0/23 to any group 1
block in quick on tun0 from 224.0.0.0/3 to any group 1
block in quick on tun0 from 192.168.0.0/8 to any group 1
block in quick on tun0 from 192.168.0.0/16 to any group 1
block in quick on tun0 from 192.168.0.0/24 to any group 1
block in quick on tun0 from 192.168.0.0/32 to any group 1
block in quick on tun0 from 192.168.0.255/32 to any group 1
block in quick on tun0 all with frags group 1
block in quick on tun0 proto tcp all with short group 1
block in quick on tun0 all with opt lsrr group 1
block in quick on tun0 all with opt ssrr group 1
block in quick on tun0 proto tcp from any to any flags FUP group 1
block in quick on tun0 all with ipopts group 1
block in quick on tun0 proto icmp all icmp-type 8 group 1
block in quick on tun0 proto tcp from any to any port = 113 group 1
block in quick on tun0 proto tcp/udp from any to any port = 135 group 1
block in quick on tun0 proto tcp/udp from any to any port = 137 group 1
block in quick on tun0 proto tcp/udp from any to any port = 138 group 1
block in quick on tun0 proto tcp/udp from any to any port = 139 group 1
block in quick on tun0 proto tcp/udp from any to any port = 81 group 1
block in quick on tun0 proto tcp/udp from any to any port = 445 group 1
block in quick on tun0 proto tcp/udp from any to any port = 500 group 1
block in quick on tun0 proto tcp/udp from any to any port = 593 group 1
block in log first quick on tun0 group 1

block out on tun0 all head 2
# MYDNS1_IP and MYDNS2_IP are the DNS servers of my ISP.
pass out quick on tun0 proto tcp from any to MYDNS1_IP/32 port = 53 flags S keep state group 2
pass out quick on tun0 proto udp from any to MYDNS1_IP/32 port = 53 keep state group 2
pass out quick on tun0 proto tcp from any to MYDNS2_IP/32 port = 53 flags S keep state group 2
pass out quick on tun0 proto udp from any to MYDNS2_IP/32 port = 53 keep state group 2
# With these rules I can connect to web servers
pass out quick on tun0 proto tcp from any to any port = 80 flags S keep state group 2
pass out quick on tun0 proto tcp from any to any port = 443 flags S keep state group 2
pass out quick on tun0 proto tcp from any to any port = 21 flags S keep state group 2
pass out quick on tun0 proto tcp from any to any port = 23 flags S keep state group 2
pass out quick on tun0 proto tcp from any to any port = 5999 flags S keep state group 2
pass out quick on tun0 proto tcp from any to any port = 43 flags S keep state group 2
# With this rule I can ping the outside world
pass out quick on tun0 proto icmp from any to any icmp-type 8 keep state group 2
block out log first quick on tun0 all group 2

pass in quick on ed0 all
pass out quick on ed0 all
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on lp0 all
pass out quick on lo0 all 

block in quick all
block out quick all

And ipnat.rules:
map tun0 0/0 -> 0/32 proxy port ftp ftp/tcp
map tun0 0/0 -> 0/32 portmap tcp/udp 20000:60000
map tun0 0/0 -> 0/32

Hope this can help you Frank.

On 4/27/05, Frank de Bot <freebsd at searchy.nl> wrote:
> 
> Hi,
> 
> I got my FreeBSD box set up as a NAT gateway. I got it working partially;
> icmp pinging from inside to the internet works. But as soon as I try to
> make a tcp connection (loading a webpage or so) it just sits still!
> 
> The external interface is fxp0
> The internal interface is gif3 (this is a ipip tunnel)
> 
> ipnat.conf is:
> 
> map fxp0 10.0.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 1025:65000
> map fxp0 10.0.1.0/24 -> 0.0.0.0/32
> 
> I find it very odd, because pings travel and are natted without
> problems. What can be wrong?
> 
> Thanks in advance,
> 
> Frank de Bot!
> 
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"
>
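As an added illustration (not part of the original thread or of ipfilter itself), the following Python model applies ipf's evaluation order (last match wins, `quick` stops processing, a group's rules are consulted only right after their `head` rule matched) to a trimmed copy of the ruleset posted above, so a given packet's verdict can be checked before the rules are loaded on a live box. The rule subset and the packet values are constructed for the demo; `keep state` lookups and the ipnat step are not modelled.

```python
import ipaddress
# Constructed, trimmed excerpt of the post's ipfilter rules (same grammar as the full set).
RULES = """
block in on tun0 all head 1
block in quick on tun0 from 10.0.0.0/8 to any group 1
block in quick on tun0 proto tcp/udp from any to any port = 445 group 1
block in log first quick on tun0 group 1
block out on tun0 all head 2
pass out quick on tun0 proto tcp from any to any port = 80 flags S keep state group 2
block out log first quick on tun0 all group 2
pass in quick on ed0 all
block in quick all
"""
KEYS = {"on": "iface", "proto": "proto", "from": "src", "to": "dst", "head": "head", "group": "group"}

def parse(text):
    """Returns (top-level rules, {group: rules}); log/flags/keep state are not modelled."""
    top, groups = [], {}
    for line in text.strip().splitlines():
        t = line.split()
        r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "iface": None, "proto": None,
             "src": "any", "dst": "any", "port": None, "head": None, "group": None}
        for i, tok in enumerate(t):
            if tok in KEYS:
                r[KEYS[tok]] = t[i + 1]
            elif tok == "port":
                r["port"] = int(t[i + 2])  # skip the "=" token
        (groups.setdefault(r["group"], []) if r["group"] else top).append(r)
    return top, groups

def matches(r, p):
    ok = lambda net, ip: net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and (r["proto"] is None or p["proto"] in r["proto"].split("/"))
            and ok(r["src"], p["src"]) and ok(r["dst"], p["dst"]) and r["port"] in (None, p.get("dport")))

def evaluate(top, groups, p):
    """ipf semantics: last match wins, 'quick' stops, a group is consulted right after its head matched."""
    verdict = "pass"  # ipf's default when no rule matches at all
    for r in top:
        if matches(r, p):
            verdict = r["action"]
            for g in groups.get(r["head"], []):
                if matches(g, p):
                    verdict = g["action"]
                    if g["quick"]:
                        return verdict
            if r["quick"]:
                return verdict
    return verdict
```

The implicit `pass` for a packet that matches nothing is why the posted ruleset ends with `block in quick all` and `block out quick all`; the excerpt above deliberately omits the outbound catch-all so that case is visible.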