No subject
Игорь Попов
igor at garant.koenig.ru
Thu Jan 15 00:25:21 PST 2004
Hi,
up to now I have used FreeBSD with ipfw2 based on stateless rules. From the
FreeBSD article freebsd-dialup I have taken an example of using NAT and pure
stateful ipfw. I have made some changes, but it does not work; I returned to
the example, but the result is the same.
Can somebody advise me on stateful ipfw and natd?
Here are my non-working rules:
#!/bin/sh
#
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw -q"
# Force a flushing of the current rules before we reload.
${fwcmd} -f flush
# Drop inbound packets on tun0 whose source address would not be routed
# back out through tun0 (anti-spoofing check).
${fwcmd} add 300 deny log ip from any to any not verrevpath in recv tun0
# Divert all packets through the tunnel interface.
${fwcmd} add divert natd ip from any to any via tun0
#${fwcmd} add count ip from any to any via tun0
# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# See ipfw(8) for details.
${fwcmd} add check-state
${fwcmd} add deny log tcp from any to any established
# Allow all localhost connections
${fwcmd} add allow tcp from me to any out via lo0 setup keep-state
${fwcmd} add deny tcp from me to any out via lo0
${fwcmd} add allow ip from me to any out via lo0 keep-state
# Allow all connections from my network card that I initiate
${fwcmd} add allow tcp from me to any out xmit any setup keep-state
${fwcmd} add deny log tcp from me to any
${fwcmd} add allow ip from me to any out xmit any keep-state
# Everyone on the localnet is allowed to connect to the following
# services on the machine. This string specifically allows connections
# to ftp, sshd, smtp, dns, http, pop3, https, proxy.
${fwcmd} add allow tcp from 100.100.100.0/24 to me dst-port 21,22,25,53,80,110,443,3128 in recv fxp0 setup keep-state
${fwcmd} add allow tcp from 192.168.1.0/24 to me dst-port 25,53,110,3128 in recv 192.168.1.1 setup keep-state
# Allow all udp connections from my network
${fwcmd} add allow udp from any to any via fxp0 keep-state
${fwcmd} add allow udp from any to any via 192.168.1.1 keep-state
# Enable ICMP
# Deny and log all pings (echo and timestamp requests) from inet and localnet
${fwcmd} add deny log icmp from any to me icmptypes 8,13
${fwcmd} add allow icmp from me to any keep-state
${fwcmd} add allow icmp from 100.100.100.0/24 to any in recv fxp0 keep-state
${fwcmd} add allow icmp from 192.168.1.0/24 to any in recv 192.168.1.1 keep-state
# Allow all for users that will use some services via NAT
#${fwcmd} add allow tcp from 100.100.100.0/24{1,11} to 80.253.4.0/24 via fxp0 setup keep-state
${fwcmd} add allow log tcp from 100.100.100.0/24 to 80.253.4.0/24 dst-port 80,1521,1526,3389 recv fxp0 xmit tun0 setup keep-state
# This sends a RESET to all ident packets.
${fwcmd} add reset log tcp from any to me 113 in recv tun0
# Deny all the rest.
${fwcmd} add deny log ip from any to any
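Added illustration (a constructed Python model written for this page, not ipfw and not the poster's code): it steps a LAN client's SYN and the server's SYN/ACK through a simplified ipfw evaluator under two rule orderings. The first places divert natd ahead of check-state and the keep-state rules, as the script above does; the second builds the dynamic rule on the untranslated packet with skipto keep-state and only then diverts to natd. What a practitioner checks here is whether a keep-state rule written for the private source network can still match after natd has rewritten that address. The public address 203.0.113.1, the client 100.100.100.5, the server 80.253.4.10 and the ports are constructed; the model covers one TCP session on the external interface only and ignores the separate input pass on the LAN interface.

```python
"""Constructed model of ipfw rule evaluation; not ipfw itself and not from the post.
Follows a LAN client's SYN out and the server's SYN/ACK back under two orderings of
`divert natd` relative to `keep-state`, to show when a dynamic rule gets created."""
import ipaddress

PUBLIC_IP = "203.0.113.1"  # constructed: address natd puts on outbound packets
LAN = ipaddress.ip_network("100.100.100.0/24")  # private network from the posted rules
REMOTE = ipaddress.ip_network("80.253.4.0/24")  # destination network from the posted rules

class Natd:
    """Stand-in for natd: rewrite the source going out, restore the destination coming back."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}  # (proto, remote_ip, local_port) -> private source address

    def translate(self, pkt):
        if pkt["dir"] == "out":
            self.table[(pkt["proto"], pkt["dst"], pkt["sport"])] = pkt["src"]
            pkt["src"] = self.public_ip
        elif pkt["dst"] == self.public_ip:
            pkt["dst"] = self.table.get((pkt["proto"], pkt["src"], pkt["dport"]), pkt["dst"])
        return pkt

class Ruleset:
    """Rules are (number, action, matcher) tuples evaluated in ascending order."""
    def __init__(self, rules, natd):
        self.rules = sorted(rules, key=lambda r: r[0])
        self.natd = natd
        self.dynamic = set()  # dynamic rules keyed (proto, src, dst, dport)

    def _dynamic_match(self, pkt):
        forward = (pkt["proto"], pkt["src"], pkt["dst"], pkt["dport"])
        reverse = (pkt["proto"], pkt["dst"], pkt["src"], pkt["sport"])
        return forward in self.dynamic or reverse in self.dynamic

    def evaluate(self, pkt):
        pkt = dict(pkt)  # natd rewrites addresses on a copy
        i = 0
        while i < len(self.rules):
            _, action, match = self.rules[i]
            i += 1
            if action == "check-state":
                if self._dynamic_match(pkt):
                    return "allow", pkt
                continue
            if match is not None and not match(pkt):
                continue
            words = action.split()
            if "keep-state" in words:  # the dynamic rule records addresses as seen here
                self.dynamic.add((pkt["proto"], pkt["src"], pkt["dst"], pkt["dport"]))
            if words[0] == "divert":  # natd hands the packet back to the next rule
                pkt = self.natd.translate(pkt)
                continue
            if words[0] == "skipto":  # resume at the first rule numbered >= target
                i = next(k for k, r in enumerate(self.rules) if r[0] >= int(words[1]))
                continue
            return words[0], pkt  # allow or deny
        return "deny", pkt  # default deny, like the final rule in the post

def lan_to_remote_setup(p):  # like: tcp from 100.100.100.0/24 to 80.253.4.0/24 setup
    return (p["proto"] == "tcp" and ipaddress.ip_address(p["src"]) in LAN
            and ipaddress.ip_address(p["dst"]) in REMOTE and p["flags"] == {"SYN"})

def established(p):  # ipfw "established": TCP with ACK or RST set
    return p["proto"] == "tcp" and bool(p["flags"] & {"ACK", "RST"})

# Ordering as in the posted script: divert natd first, stateful rules after it.
DIVERT_FIRST = [
    (100, "divert natd", None),
    (200, "check-state", None),
    (300, "deny", established),
    (400, "allow keep-state", lan_to_remote_setup),
    (65000, "deny", None),
]

# Alternative: build the dynamic rule on the untranslated packet, then skip to natd.
SKIPTO_NAT = [
    (100, "divert natd", lambda p: p["dir"] == "in"),  # un-NAT replies before check-state
    (200, "check-state", None),
    (300, "deny", established),
    (400, "skipto 1000 keep-state", lan_to_remote_setup),
    (500, "deny", None),
    (1000, "divert natd", lambda p: p["dir"] == "out"),
    (1100, "allow", None),
]

def run_session(rules):
    """Return (verdict for the client's SYN, verdict for the server's SYN/ACK)."""
    fw = Ruleset(rules, Natd(PUBLIC_IP))
    syn = {"proto": "tcp", "src": "100.100.100.5", "sport": 40000,  # constructed client
           "dst": "80.253.4.10", "dport": 80, "flags": {"SYN"}, "dir": "out"}
    out_verdict, sent = fw.evaluate(syn)
    synack = {"proto": "tcp", "src": "80.253.4.10", "sport": 80, "dst": sent["src"],
              "dport": 40000, "flags": {"SYN", "ACK"}, "dir": "in"}
    in_verdict, _ = fw.evaluate(synack)
    return out_verdict, in_verdict
```

Calling run_session(DIVERT_FIRST) yields ("deny", "deny"): the SYN reaches rule 400 with the source already rewritten to 203.0.113.1, so the keep-state rule for 100.100.100.0/24 never fires, no dynamic rule exists, and the final deny takes it; the model still feeds the SYN/ACK back in to show that the "deny established" rule would stop a reply for the same reason. run_session(SKIPTO_NAT) yields ("allow", "allow"): the dynamic rule is recorded with the private address before translation, and the reply is un-NATed by rule 100 before check-state sees it.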