ipfw + NAT doesn't work
Robert Huff
roberthuff at rcn.com
Thu Sep 17 14:15:04 UTC 2009
I have a machine running
FreeBSD 9.0-CURRENT #3: Tue Sep 15 18:49:58 EDT 2009 amd64
It has this in the config file for the running kernel:
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPFIREWALL_NAT #ipfw kernel nat support
options LIBALIAS
It (10.0.0.1) connects correctly to another machine (10.0.0.3);
I know because .3 mounts one of .1's disks using Samba.
With the ipfw rules appended below, I can't NAT, nor should I
be able to. ("em0" faces the Internet; "em1" faces the other
machine.)
However: using these I still can't get through
ipfw add 5000 nat 15 all from any to any
ipfw nat 15 config log same_ports ip 10.0.0.0/8
Have I forgotten something? Or misunderstood something?
If not ... how do I figure out what's wrong?
Respectfully,
Robert Huff
00100 3830 864746 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00350 110 42464 allow udp from any 67-68 to any dst-port 67-68
00600 0 0 allow ip6 from any to any via lo0
00610 0 0 deny ip6 from any to ::1
00620 0 0 deny ip6 from ::1 to any
00630 3 256 allow ip6 from :: to ff02::/16 proto ipv6-icmp
00640 0 0 allow ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
00650 4 304 allow ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
00660 0 0 allow ip6 from 2001:db8:2:1::1 to 2001:db8:2:1::/64
00670 0 0 allow ip6 from 2001:db8:2:1::/64 to 2001:db8:2:1::1
00680 0 0 allow ip6 from fe80::/10 to ff02::/16
00690 0 0 allow ip6 from 2001:db8:2:1::/64 to ff02::/16
00700 0 0 allow ip6 from any to any established proto tcp
00710 0 0 allow ip6 from any to any frag
00720 0 0 allow ip6 from any to 2001:db8:2:1::1 dst-port 25 setup proto tcp
00730 0 0 allow ip6 from 2001:db8:2:1::1 to any setup proto tcp
00740 0 0 deny ip6 from any to any setup proto tcp
00750 0 0 allow ip6 from any 53 to 2001:db8:2:1::1 proto udp
00760 0 0 allow ip6 from 2001:db8:2:1::1 to any dst-port 53 proto udp
00770 0 0 allow ip6 from any 123 to 2001:db8:2:1::1 proto udp
00780 0 0 allow ip6 from 2001:db8:2:1::1 to any dst-port 123 proto udp
00790 0 0 allow ip6 from any to any ip6 icmp6types 1 proto ipv6-icmp
00800 0 0 allow ip6 from any to any ip6 icmp6types 2,135,136 proto ipv6-icmp
06000 0 0 deny log logamount 100 tcp from any to any dst-port 137 in via em0
06050 32 3000 deny log logamount 100 udp from any to any dst-port 137 in via em0
06100 0 0 deny log logamount 100 tcp from any to any dst-port 138 in via em0
06150 15 3465 deny log logamount 100 udp from any to any dst-port 138 in via em0
06200 0 0 deny log logamount 100 tcp from any to any dst-port 139 in via em0
06250 0 0 deny log logamount 100 udp from any to any dst-port 139 in via em0
07000 0 0 deny log logamount 100 tcp from any to any dst-port 111 in via em0
07050 0 0 deny log logamount 100 udp from any to any dst-port 111 in via em0
07100 0 0 deny log logamount 100 tcp from any to any dst-port 530 in via em0
07150 0 0 deny log logamount 100 udp from any to any dst-port 530 in via em0
07200 0 0 deny log logamount 100 tcp from any to any dst-port 161 in recv em0
07225 0 0 deny log logamount 100 udp from any to any dst-port 161 in recv em0
07250 0 0 deny log logamount 100 tcp from any to any dst-port 162 in recv em0
07275 0 0 deny log logamount 100 udp from any to any dst-port 162 in recv em0
07300 0 0 deny log logamount 100 tcp from any to any dst-port 194
07310 0 0 deny log logamount 100 udp from any to any dst-port 194
07320 0 0 deny log logamount 100 tcp from any to any dst-port 529
07330 0 0 deny log logamount 100 udp from any to any dst-port 529
07340 0 0 deny log logamount 100 tcp from any to any dst-port 994
07350 0 0 deny log logamount 100 udp from any to any dst-port 994
07360 0 0 deny log logamount 100 tcp from any to any dst-port 6667
07370 0 0 deny log logamount 100 udp from any to any dst-port 6667
10000 45012 38961511 allow tcp from any to any established
10100 1452 112487 allow ip from any to any out via em0
10200 0 0 allow tcp from 10.0.0.0/8 to any dst-port 80
10300 0 0 allow tcp from any 80 to any dst-port 1024-65535 via em0
10400 0 0 allow tcp from any 443 to any dst-port 1024-65535 via em0
10500 0 0 deny log logamount 100 tcp from any 1024-65535 to any dst-port 80 via em0
10600 0 0 deny log logamount 100 tcp from any 1024-65535 to any dst-port 443 via em0
65000 1548 325720 allow ip from any to any
65535 20 2383 allow ip from any to any
More information about the freebsd-questions
mailing list