ipfw2 & natd & stateful

Craig Reyenga creyenga at connectmail.carleton.ca
Mon May 19 13:14:58 PDT 2003


I'm pretty sure that NATD + stateful is impossible because in order to have

[unregistered ip] <-> [internet ip]

you need:
[unregistered ip] <-> [gateway]
    [natd operates here]
[gateway] <-> [internet ip]

but ipfw doesn't do this, so your connections end up not working, because the
stateful rules don't make the second scenario, they make the first.

(I'd love to be proven wrong, as I have a similar setup.)

Hope this helps,

-Craig



----- Original Message -----
From: "Asenchi" <asenchi at asenchi.com>
To: <freebsd-questions at freebsd.org>
Sent: Monday, May 19, 2003 8:40 AM
Subject: ipfw2 & natd & stateful


> Hello Everyone.
>
> I have a bit of a problem. I want to switch my company's firewall to IPFW2
> but I can't seem to get the ruleset to work. After sidelining the notion, I
> am ready to attack this again. I have had many problems with it. (You can
> see a discussion on this issue here:
> <http://www.freebsdforums.org/forums/showthread.php?s=&threadid=9061>)
>
> It seems that NATD is stopping anyone on my internal network from getting
> through to websites. It does somehow reach DNS but won't go anywhere else. I
> have tried multiple things...
>
> I use this ruleset almost verbatim on another machine that isn't running
> NATD. Can anyone see anything here? I don't subscribe to this list with this
> email address, so could you please cc me?
>
> Thanks in advance to anyone who can offer some light...
>
> ////curt////
>
> Here is the output of 'ipfw -d show'
>
> 00100 0 0 check-state
> 00200 4 164 deny log logamount 1000 ip from any to any established
> 00300 28 1789 divert 8668 ip from any to any via vr0
> 00400 0 0 deny log logamount 10 ip from 192.168.0.0/24 to any via vr0
> 00500 38 3897 allow { tcp or udp } from me to { 198.109.160.2 or dst-ip 198.109.160.3 or dst-ip d.n.s.1 or dst-ip d.n.s.2 } dst-port 53 out xmit vr0 keep-state
> 00600 306 31838 allow tcp from { o.u.t.2/29 or o.u.t.1 or 2.1.0.0/16 or 1.1.0.0/16 } to me dst-port 22 setup in recv vr0 keep-state
> 00700 22 992 allow tcp from me to any setup via vr0 keep-state
> 00800 2 120 deny log logamount 1000 { tcp or udp } from any to me
> 01000 7 336 allow log logamount 1000 tcp from i.n.t.r/24 to any dst-port 80
> 01100 0 0 allow tcp from 192.168.0.0/24 to any setup keep-state
> 01200 66 4168 allow { tcp or udp } from 192.168.0.0/24 to { d.n.s.3 or dst-ip d.n.s.4 or dst-ip d.n.s.1 or dst-ip d.n.s.2 } dst-port 53 keep-state
> 01300 0 0 allow tcp from any to 192.168.0.0/24{3,10,11,12,21,110} dst-port 6501-6504 setup in recv vr0 keep-state
> 01500 0 0 deny icmp from any to me icmptypes 8
> 01600 131 5560 allow icmp from any to any
> 01800 3 234 deny { tcp or udp } from any to any dst-port 137,138,520
> 01900 4 304 deny log logamount 1000 ip from any to any
> 65535 0 0 deny ip from any to any
>
> ## Dynamic rules (28):
> 01200 3 192 (9s) STATE udp 192.168.0.64 1072 <-> d.n.s.3 53
> 01200 5 320 (9s) STATE udp 192.168.0.64 1072 <-> d.n.s.2 53
> 00600 305 31778 (300s) STATE tcp m.y.i.p 3020 <-> o.u.t.1 22
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
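The rule ordering the FreeBSD Handbook's stateful-with-NAT ruleset uses, written up here as an added example (not Craig's or Curt's configuration): inbound packets are diverted to natd before check-state, and outbound rules use skipto to reach the outbound divert only after keep-state has recorded the private address, so both directions are matched against the same inside address pair. It assumes vr0 as the outside interface and natd on divert port 8668, as in the quoted ruleset, plus a hypothetical inside interface rl0.

```shell
#!/bin/sh
# Added example, not the poster's ruleset. Assumes vr0 = outside interface,
# rl0 = inside interface (hypothetical), 192.168.0.0/24 inside, natd on 8668.
rule() { printf 'add %s\n' "$*"; }

# Emit the ruleset as "add ..." lines for "ipfw -q /dev/stdin"; $1 outside, $2 inside.
natd_stateful_rules() {
    pif="$1"; iif="$2"; skip="skipto 800"
    rule 100 allow ip from any to any via lo0
    rule 110 allow ip from any to any via "$iif"
    # Un-NAT inbound packets BEFORE check-state, so a reply is compared with
    # the dynamic entry using the inside host's private address
    rule 200 divert 8668 ip from any to any in via "$pif"
    rule 210 check-state
    # Outbound: record state on the private source, then jump over the deny
    # rules to the outbound divert instead of plain "allow"
    rule 300 $skip udp from 192.168.0.0/24 to any dst-port 53 out via "$pif" keep-state
    rule 310 $skip tcp from 192.168.0.0/24 to any dst-port 80,443 out via "$pif" setup keep-state
    rule 320 $skip tcp from me to any out via "$pif" setup keep-state
    # Inbound sessions the gateway itself accepts
    rule 400 allow tcp from any to me dst-port 22 in via "$pif" setup keep-state
    rule 450 deny log ip from any to any in via "$pif"
    rule 460 deny log ip from any to any out via "$pif"
    # skipto target: translate the outbound packet only after state exists
    rule 800 divert 8668 ip from any to any out via "$pif"
    rule 810 allow ip from any to any
}

# Returns 0 when the inbound divert precedes check-state and the outbound
# divert is exactly the rule the skipto actions jump to.
check_order() {
    rules=$(natd_stateful_rules "$1" "$2")
    in_div=$(printf '%s\n' "$rules" | awk '/divert .* in via/ {print $2}')
    cs=$(printf '%s\n' "$rules" | awk '/check-state/ {print $2}')
    out_div=$(printf '%s\n' "$rules" | awk '/divert .* out via/ {print $2}')
    target=$(printf '%s\n' "$rules" | awk '/skipto/ {print $4; exit}')
    [ "$in_div" -lt "$cs" ] && [ "$out_div" = "$target" ]
}

# To load on the gateway: natd_stateful_rules vr0 rl0 | ipfw -q /dev/stdin
```

Because the dynamic entry is always keyed on the private address, the reply that natd has just un-NATed matches check-state, which is the case Craig describes as failing when the divert sits after the stateful rules.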
