help needed for ipfw rules
Alex de Kruijff
freebsd at akruijff.dds.nl
Tue Oct 4 19:51:59 PDT 2005
On Mon, Sep 26, 2005 at 05:26:12PM +0300, Ertan Kucukoglu wrote:
> Hi,
>
> I have a problem blocking foreign intruders for specific ports in ipfw.
>
> One of my friends has 4.X-Stable running in production for proxy,
> e-mail, virus etc. The server also has natd and ipfw installed on it. We
> have the following rule set.
> -----
> 00050 2132 1212881 divert 8668 ip from any to any via dc1
> 00100 1078 4537400 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00400 0 0 allow tcp from 192.168.0.0/24 to me 23
> 00500 0 0 deny tcp from 192.168.0.69 to me 1863
> 00550 0 0 deny tcp from 192.168.0.63 to me 1863
> 00600 0 0 deny tcp from 192.168.0.69 to me 80
> 00650 0 0 deny tcp from 192.168.0.63 to me 80
> 01000 0 0 allow tcp from 192.168.0.0/16 to me 21
> 01010 0 0 deny tcp from any to me 21
> 01100 0 0 allow tcp from 212.58.X.X to me 1433 via dc1 (ip
> intentionally hidden)
> 01110 0 0 deny tcp from any to me 1433 via dc1
> 65000 5467 3180867 allow ip from any to any
> 65535 4654 322885 deny ip from any to any
> -----
>
> Natd is diverting port 1433 to an internal machine.
>
> When I try from a different IP address on the Internet than 212.58.x.x,
> I can easily connect to the directed server's 1433 port.
>
> I'm sure that I'm missing something, but I cannot recognize what it is
> at the moment. Any help will be appreciated.
>
> Regards,

You're forgetting that natd changes the destination IP address so that it is
not me. Try putting the block rule before the divert. This is also good
for performance.
--
Alex
Please copy the original recipients, otherwise I may not read your reply.
Howto's based on my personal use, including information about
setting up a firewall and creating traffic graphs with MRTG
http://www.kruijff.org/alex/FreeBSD/
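The ordering problem Alex describes, as an added example that is not part of the thread: a small Python model of ipfw's first-match walk with natd's destination rewrite, showing that with the divert first any host reaches port 1433, while moving the deny above the divert blocks it. The firewall address, the internal server and the friend's address are constructed placeholders, `me` is modelled as the single address ME, and interface matching (via dc1) is left out.

```python
from dataclasses import dataclass, replace

ME = "203.0.113.10"        # assumed public address of the firewall on dc1
INTERNAL = "192.168.0.50"  # assumed internal host natd redirects port 1433 to
FRIEND = "212.58.1.1"      # stands in for the 212.58.X.X address in the thread

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

def natd_redirect(pkt):
    # natd's redirect: inbound traffic to the firewall's port 1433 has its
    # destination rewritten to the internal server before ipfw continues.
    if pkt.dst == ME and pkt.dport == 1433:
        return replace(pkt, dst=INTERNAL)
    return pkt

def matches(rule, pkt):
    # "me" is modelled as the single address ME; "any" matches everything.
    ok_src = rule["src"] in ("any", pkt.src)
    want_dst = ME if rule["dst"] == "me" else rule["dst"]
    ok_dst = rule["dst"] == "any" or pkt.dst == want_dst
    ok_port = rule.get("dport") in (None, pkt.dport)
    return ok_src and ok_dst and ok_port

def evaluate(rules, pkt):
    # First match decides; a divert hands the packet to natd, then the walk resumes.
    for r in rules:
        if not matches(r, pkt):
            continue
        if r["action"] == "divert":
            pkt = natd_redirect(pkt)
            continue
        return r["action"]
    return "deny"  # rule 65535: deny ip from any to any

DIVERT = {"action": "divert", "src": "any", "dst": "any"}
ALLOW_FRIEND = {"action": "allow", "src": FRIEND, "dst": "me", "dport": 1433}
DENY_1433 = {"action": "deny", "src": "any", "dst": "me", "dport": 1433}
ALLOW_ALL = {"action": "allow", "src": "any", "dst": "any"}

ORIGINAL = [DIVERT, ALLOW_FRIEND, DENY_1433, ALLOW_ALL]  # order from the thread
FIXED = [ALLOW_FRIEND, DENY_1433, DIVERT, ALLOW_ALL]     # block rules before divert

def decide(ruleset, src):
    # Verdict for a TCP SYN from `src` to the firewall's public port 1433.
    return evaluate(ruleset, Packet(src, ME, 1433))
```

After the divert the packet's destination is INTERNAL, so neither "to me" rule can match and rule 65000 lets the foreign host through; with the deny placed first it is evaluated against the untranslated destination.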
More information about the freebsd-questions mailing list