help needed for ipfw rules

Alex de Kruijff freebsd at akruijff.dds.nl
Tue Oct 4 19:51:59 PDT 2005


On Mon, Sep 26, 2005 at 05:26:12PM +0300, Ertan Kucukoglu wrote:
> Hi,
> 
> I have a problem blocking foreign intruders for specific ports in ipfw.
> 
> One of my friends has 4.X-Stable running in production for proxy, 
> e-mail, virus etc. The server also has natd and ipfw installed on it. We 
> have the following rule set.
> -----
> 00050 2132 1212881 divert 8668 ip from any to any via dc1
> 00100 1078 4537400 allow ip from any to any via lo0
> 00200    0       0 deny ip from any to 127.0.0.0/8
> 00300    0       0 deny ip from 127.0.0.0/8 to any
> 00400    0       0 allow tcp from 192.168.0.0/24 to me 23
> 00500    0       0 deny tcp from 192.168.0.69 to me 1863
> 00550    0       0 deny tcp from 192.168.0.63 to me 1863
> 00600    0       0 deny tcp from 192.168.0.69 to me 80
> 00650    0       0 deny tcp from 192.168.0.63 to me 80
> 01000    0       0 allow tcp from 192.168.0.0/16 to me 21
> 01010    0       0 deny tcp from any to me 21
> 01100    0       0 allow tcp from 212.58.X.X to me 1433 via dc1 (ip 
> intentionally hidden)
> 01110    0       0 deny tcp from any to me 1433 via dc1
> 65000 5467 3180867 allow ip from any to any
> 65535 4654  322885 deny ip from any to any
> -----
> 
> Natd is diverting port 1433 to an internal machine.
> 
> When I try from a different ip address on the Internet than 212.58.x.x, 
> I can easily connect to the directed server's 1433 port.
> 
> I'm sure that I'm missing something, but I can not recognize what it is 
> at the moment. Any help will be appreciated.
> 
> Regards,

You're forgetting that natd changes the destination ip address so that it is
not me. Try putting the block rule before the divert. This is also good
for performance.

-- 
Alex

Please copy the original recipients, otherwise I may not read your reply.

Howto's based on my personal use, including information about 
setting up a firewall and creating traffic graphs with MRTG
http://www.kruijff.org/alex/FreeBSD/
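An added illustration of the point in the reply, not code from the thread: a small model of ipfw's ordered rule walk in which the divert rule hands the packet to natd, and natd rewrites the destination before rule 1110 ever looks at it. The gateway address, the natd redirect target and the sender addresses are constructed stand-ins.

```python
# Added illustration (not from the thread): a toy model of ipfw's ordered rule walk
# in which the divert rule hands the packet to natd, which rewrites the destination
# before any later rule sees it. All addresses below are constructed.
ME = {"203.0.113.10"}                  # assumed public address of the gateway on dc1
NAT_REDIRECT = {1433: "192.168.0.50"}  # assumed natd redirect_port target
TRUSTED = "212.58.0.1"                 # stands in for the question's 212.58.X.X

# A packet is (src, dst, dport, iface); a rule is (number, action, src, dst, dport, iface).
def matches(rule, pkt):
    _, _, src, dst, dport, iface = rule
    psrc, pdst, pport, piface = pkt
    dst_ok = pdst in ME if dst == "me" else dst in ("any", pdst)  # 'me' = host's own addresses
    return (src in ("any", psrc) and dst_ok
            and dport in (None, pport) and iface in (None, piface))

def natd(pkt):
    """Inbound natd redirect: rewrite the public destination to the inside host."""
    src, dst, dport, iface = pkt
    if iface == "dc1" and dst in ME and dport in NAT_REDIRECT:
        return (src, NAT_REDIRECT[dport], dport, iface)
    return pkt

def ipfw(rules, pkt):
    """Walk rules in order; a divert rewrites the packet and the walk continues."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule[1] == "divert":
            pkt = natd(pkt)
            continue
        return rule[1]
    return "deny"                      # implicit rule 65535

ORIGINAL = [  # ordering from the question: divert first, 'me' checks afterwards
    (50, "divert", "any", "any", None, "dc1"),
    (1100, "allow", TRUSTED, "me", 1433, "dc1"),
    (1110, "deny", "any", "me", 1433, "dc1"),
    (65000, "allow", "any", "any", None, None),
]
FIXED = [  # ordering from the reply: decide on port 1433 before the divert
    (40, "allow", TRUSTED, "me", 1433, "dc1"),
    (45, "deny", "any", "me", 1433, "dc1"),
    (50, "divert", "any", "any", None, "dc1"),
    (65000, "allow", "any", "any", None, None),
]

def verdict(rules, src):
    """Result for a SYN from `src` to the gateway's port 1433 arriving on dc1."""
    return ipfw(rules, (src, "203.0.113.10", 1433, "dc1"))
```

The model assumes rule processing continues after the divert; with net.inet.ip.fw.one_pass set to 1 the packet is instead accepted right after the divert, which also skips rule 1110, and placing the check before the divert covers both cases.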
