IPFW acting weird OR invalid ruleset?

Steve Bertrand iaccounts at ibctech.ca
Tue Jun 29 13:00:56 PDT 2004


> Hey everyone.  Below is my natd.conf file and my rc.firewall.rule file. I
> cannot figure it out, but if one of my machines that is behind my
> Masquerading Firewall tries to download a file from an FTP site, it fails
> to connect.

Are you using a passive FTP connection? Active and passive FTP open the data connection in opposite directions, so the two modes take different paths through your natd and ipfw rules.

Steve

>
> FreeBSD 5.2.1 machine with 2 nics.
>
> xl0 outside Nic
> fxp0 inside Nic
>
> rc.conf:
>
> # enable firewall
> firewall_enable="YES"
> # set path to custom firewall config
> firewall_type="/etc/fw/rc.firewall.rules"
> # be non-verbose? set to YES after testing
> firewall_quiet="NO"
> # enable natd, the NAT daemon
> natd_enable="YES"
> # which is the interface to the internet that we hide behind?
> natd_interface="xl0"
> # flags for natd
> natd_flags="-f /etc/fw/natd.conf"
>
>
> natd.conf:
>
> unregistered_only
> interface xl0
> use_sockets
> dynamic
> # dynamically open fw for ftp, irc
> punch_fw 2000:50
>
>
> rc.firewall.rules:
>
> # be quiet and flush all rules on start
> -q flush
>
> # allow local traffic, deny RFC 1918 addresses on the outside
> add 00100 allow ip from any to any via lo0
> add 00110 deny ip from any to 127.0.0.0/8
> add 00120 deny ip from any to any not verrevpath in
> add 00301 deny ip from 10.0.0.0/8 to any in via xl0
> add 00302 deny ip from 172.16.0.0/12 to any in via xl0
> add 00303 deny ip from 192.168.0.0/16 to any in via xl0
>
> # check if incoming packets belong to a natted session, allow through if yes
> add 01000 divert natd ip from any to me in via xl0
> add 01001 check-state
>
> # allow some traffic from the local net to the router
> #SMTP
> add 02000 allow tcp from any to any 25 setup keep-state
>
> # SSH
> add 04000 allow tcp from any to me dst-port 22 in via fxp0 setup keep-state
> add 04001 allow tcp from any to me dst-port 22 in via xl0 setup keep-state
>
> #IMAP-SSL
> add 04010 allow tcp from any to me dst-port 143 in via fxp0 setup keep-state
> add 04011 allow tcp from any to me dst-port 143 in via xl0 setup keep-state
>
> # NTP
> add 04020 allow tcp from any to me dst-port 123 in via fxp0 setup keep-state
> add 04021 allow udp from any to me dst-port 123 in via fxp0 keep-state
> add 04020 allow tcp from any to me dst-port 123 in via xl0 setup keep-state
> add 04021 allow udp from any to me dst-port 123 in via xl0 keep-state
>
> #webmin
> add 04030 allow tcp from any to me dst-port 10000 in via fxp0 setup keep-state
> add 04031 allow tcp from any to me dst-port 10000 in via xl0 setup keep-state
>
> #http
> add 04040 allow tcp from any to me dst-port 80 in via fxp0 setup keep-state
> add 04041 allow tcp from any to me dst-port 80 in via xl0 setup keep-state
>
> # DNS
> add 04050 allow udp from any to me dst-port 53 in via fxp0
> add 04051 allow udp from any to me dst-port 53 in via xl0
> add 04052 allow tcp from any to me dst-port 53 in via fxp0
> add 04053 allow tcp from any to me dst-port 53 in via xl0
>
> #POP
> add 04060 allow tcp from any to me dst-port 110 in via fxp0 setup keep-state
> add 04061 allow tcp from any to me dst-port 110 in via xl0 setup keep-state
>
> #HTTPS
> add 04070 allow tcp from any to me dst-port 443 in via fxp0 setup keep-state
> add 04071 allow tcp from any to me dst-port 443 in via xl0 setup keep-state
>
> #IMAPS
> add 04080 allow tcp from any to me dst-port 993 in via fxp0 setup keep-state
> add 04081 allow tcp from any to me dst-port 993 in via xl0 setup keep-state
>
> # drop everything else
> add 04090 deny ip from any to me
>
> # pass outgoing packets (to be natted) on to a special NAT rule
> add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via fxp0 keep-state
>
> # allow all outgoing traffic from the router
> add 05010 allow ip from me to any out keep-state
>
> # drop everything that has come so far. This means it doesn't belong to an
> # established connection, don't log the most noisy scans.
> add 59998 deny icmp from any to me
> add 59999 deny ip from any to me dst-port 135,137-139,445,4665
> add 60000 deny log tcp from any to any established
> add 60001 deny log ip from any to any
>
> # this is the NAT rule. Only outgoing packets from the local net will come here.
> # First, nat them, then pass them on (again, you may choose to be more restrictive)
> add 61000 divert natd ip from 192.168.1.0/24 to any out via xl0
> add 61001 allow ip from any to any
>



