ipfw and nat problem
David van Rensburg - PC Network
david at pcnetwork.co.za
Mon Jul 18 18:14:06 UTC 2011
Hi
I've been having a problem with ipfw and nat. I can get nat to work but I want the following:
My lan must only have access to outgoing port 80
I want to be able to allow some lan users access to ftp and outgoing 3389 (remote desktop), but by default only port 80
I have transparent proxying working in ipfw.
I want to be able to limit outgoing and incoming to the freebsd server according to port.
I want a default deny.
ANY help or a pointer in the right direction would be great. I have been googling for a week now and can't find anything similar. Most examples don't use a default deny and don't allow certain services to the lan users.
oif="rl0"
FreeBSD box with 2 network cards
192.168.1.3 - lan side (all lan clients 192.168.1.x)
192.168.0.2 - router side of card (machine default gateways to 192.168.0.1 which is the router)
rc.conf:
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-s -u -m"
firewall_enable="YES"
firewall_logging_enable="YES"
firewall_quiet="NO"
#firewall_type="simple blah"
firewall_script="/etc/firewall.local"
natd_flags="-f /etc/natd.conf"
I'm using the following rules, which aren't working properly, e.g. the actual FreeBSD box can ftp out for some reason.
00100 0 0 divert 8668 ip from not me to any via rl0
00150 0 0 fwd 192.168.1.3,3128 tcp from not me to any dst-port 80
00250 24 1440 allow ip from any to any via lo0
00350 0 0 deny ip from any to 127.0.0.0/8
00450 0 0 deny ip from 127.0.0.0/8 to any
00550 0 0 deny tcp from any to any frag
00650 0 0 check-state
00750 241 27480 allow tcp from any to any established
00850 24 5676 allow ip from any to any out keep-state
00950 0 0 allow tcp from any to any dst-port 22 in
01050 0 0 allow tcp from any to any dst-port 22 out
01150 0 0 allow udp from any to any dst-port 53 in
01250 0 0 allow tcp from any to any dst-port 53 in
01350 0 0 allow udp from any to any dst-port 53 out
01450 0 0 allow tcp from any to any dst-port 53 out
01550 0 0 allow tcp from 192.168.1.99 to any dst-port 3389
01650 462 53744 deny ip from any to any
65535 122 12588 allow ip from any to any
David van Rensburg
PC Network
Tel: 0215107600
Fax: 0215104165
http://www.pcnetwork.co.za/
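A ruleset that does what the post asks for (default deny, LAN limited to port 80 through the transparent proxy, selected hosts allowed FTP and outgoing 3389, the box itself restricted by port), written as an added example firewall.local and not the poster's script; the LAN interface name rl1 and a proxy on port 3128 are assumptions, the addresses and interface rl0 are taken from the post.

```shell
#!/bin/sh
# Example /etc/firewall.local (rc.conf firewall_script) for the setup in the post; added
# example, not the poster's script. ASSUMED: the LAN NIC is rl1 and the transparent
# proxy is squid on this box listening on 3128. Other addresses come from the post.
oif="rl0"                     # outside NIC, 192.168.0.2, default route via 192.168.0.1
lif="rl1"                     # ASSUMED name of the LAN NIC, 192.168.1.3
lan="192.168.1.0/24"
proxy="192.168.1.3,3128"      # where port-80 traffic from the LAN is fwd'ed
rdp_hosts="192.168.1.99"      # LAN hosts allowed outgoing 3389 (space separated)
ftp_hosts="192.168.1.99"      # LAN hosts allowed FTP
: "${FWCMD:=/sbin/ipfw -q}"   # set FWCMD=echo to print the commands instead of loading
fw() { $FWCMD "$@"; }
# Every flow that may leave the box does "skipto 1000", where it is NATed and allowed.
# The catch-all "deny log" at 900 sits in front of 1000, so nothing reaches NAT by
# accident, and check-state precedes every allow so only replies to flows opened here pass.
rules() {
  grep -v '^#' <<EOF
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 130 deny ip from $lan to any in via $oif
add 140 deny tcp from any to any frag
add 200 divert 8668 ip from any to any in via $oif
add 210 check-state
add 220 allow icmp from any to any icmptypes 3,11
# LAN: web only, via the transparent proxy (proxy replies go back out on $lif)
add 300 fwd $proxy tcp from $lan to any dst-port 80 in via $lif
add 310 allow tcp from me 3128 to $lan out via $lif
add 320 skipto 1000 udp from $lan to any dst-port 53 in via $lif keep-state
# selected LAN hosts: RDP; FTP control plus passive data ports (active mode not covered)
add 400 skipto 1000 tcp from table(1) to any dst-port 3389 in via $lif setup keep-state
add 410 skipto 1000 tcp from table(2) to any dst-port 21,1024-65535 in via $lif setup keep-state
# the box itself: only what the proxy needs (http/https, dns); its ftp etc. hit rule 900
add 500 skipto 1000 tcp from me to any dst-port 80,443 out via $oif setup keep-state
add 510 skipto 1000 udp from me to any dst-port 53 out via $oif keep-state
add 600 allow tcp from $lan to me dst-port 22 in via $lif setup keep-state
add 900 deny log ip from any to any
add 1000 divert 8668 ip from any to any out via $oif
add 1010 allow ip from any to any
EOF
}
load_firewall() {
  fw -f flush
  fw table 1 flush; for h in $rdp_hosts; do fw table 1 add "$h"; done
  fw table 2 flush; for h in $ftp_hosts; do fw table 2 add "$h"; done
  rules | while read -r line; do fw $line; done
}
# Load only when run as the rc firewall_script; sourcing the file just defines the functions.
case "$0" in */firewall.local) load_firewall ;; esac
```

For comparison, in the posted ruleset rule 00850 (allow ip from any to any out keep-state) matches every outbound packet, including the box's own ftp, before the final deny is reached, and the posted rc.conf assigns natd_flags twice so only the last value (-f /etc/natd.conf) takes effect.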