IPFW help
Himal Mandalia
that_guy_himal at hotmail.com
Sat Aug 13 23:58:44 GMT 2005
I've been trying to set up IPFW to do port forwarding so I can use a machine
on a private network as a web server. I'm using NAT, which works fine, but
can't seem to get port forwarding working unless I remove the "deny ip from
any to any" in my firewall script.
natd.conf:
interface en0
dynamic yes
use_sockets yes
same_ports yes
redirect_port tcp 192.168.0.2:80 80
firewall script:
/sbin/ipfw -q -f flush
cmd="/sbin/ipfw add"
oif="en0" #public iface
iif="en1" #private iface
# IPv4 address of the public interface. Match only the "inet" line so the
# "inet6" address is not picked up too (that puts two words in $oip and
# breaks every rule below that uses it).
oip=`ifconfig $oif | awk '$1 == "inet" {print $2; exit}'`
optimus="192.168.0.2" #webserver on private segment
$cmd 00010 allow ip from any to any via lo0
$cmd 00020 deny log ip from any to 127.0.0.0/8
# Everything crossing the public interface is handed to natd first. An
# inbound packet for $oip:80 continues from here with its destination
# already rewritten to $optimus:80 by redirect_port.
$cmd 00100 divert 8668 ip from any to any via $oif
$cmd 00400 fwd $optimus,80 tcp from any to $oip 80
$cmd 00500 allow tcp from any to any established
# services the gateway itself offers on the public address
$cmd 00600 allow tcp from any to $oip ftp,ssh,http setup
$cmd 00700 allow tcp from any to $oip 5900-5909 setup
$cmd 00800 allow tcp from any to $oip 6881-6999,6669,3689,873,6346,1863,443,2628 setup
$cmd 00900 allow udp from any to $oip 27960-27969
$cmd 01000 allow icmp from any to any
$cmd 02000 allow icmp from any to any icmptypes 3,4,11,12
$cmd 03000 reset tcp from any to $oip 113
$cmd 04000 check-state
# outbound from the gateway and from the private segment, with state
$cmd 05000 allow ip from $oip to any keep-state out via $oif
$cmd 06000 allow ip from 192.168.0.0/16 to any keep-state via $iif
$cmd 65000 deny ip from any to any
Removing the last line works, but then security's out of the window I
suppose. I'm sure it's just a problem with the order of the rules or
something like that. Any suggestions and help would be most welcome.
Thanks
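The same ruleset with the rule the port forward needs, as an added example that is not the poster's script nor anything from the freebsd-questions thread. It assumes natd runs with the natd.conf quoted in the post (divert port 8668, redirect_port tcp 192.168.0.2:80 80) and en0/en1 as above. The show/apply modes, the OIP environment override and the 203.0.113.5 address used for the dry run are my additions; the rule numbers and port lists are the poster's.

```shell
#!/bin/sh
# Added example, not the original poster's script. Same ruleset, plus the
# allow for the natd-translated web traffic, with a dry-run mode so the
# rules can be reviewed before they are loaded.
#
# Assumptions: natd is running with the natd.conf from the post (divert
# port 8668, redirect_port tcp 192.168.0.2:80 80); en0 is the public
# interface and en1 the private one. OIP is an invented override used for
# dry runs on a host without en0.

oif="en0"               # public interface
iif="en1"               # private interface
optimus="192.168.0.2"   # web server on the private segment

# IPv4 address of the public interface. Honour $OIP if set; otherwise read
# only the "inet" line of ifconfig, so the "inet6" address is not picked
# up as well (that would put two words in the variable).
public_ip() {
    if [ -n "${OIP:-}" ]; then
        printf '%s\n' "$OIP"
        return 0
    fi
    ifconfig "$oif" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# Emit one ipfw command line; nothing is executed here.
rule() { printf 'add %s\n' "$*"; }

# Print the whole ruleset, one ipfw command per line.
ipfw_rules() {
    oip=$(public_ip)
    [ -n "$oip" ] || { echo "cannot determine the address of $oif" >&2; return 1; }

    rule 00010 allow ip from any to any via lo0
    rule 00020 deny log ip from any to 127.0.0.0/8
    # Everything crossing the public interface goes to natd first. An
    # inbound SYN for $oip:80 comes back from natd with its destination
    # already rewritten to $optimus:80 and evaluation resumes here.
    rule 00100 divert 8668 ip from any to any via $oif
    # The rule the original script lacked: accept the translated SYN for
    # the private address. Without it the packet matches nothing before
    # the final deny. No fwd rule is needed: redirect_port has already
    # rewritten the destination, and fwd would only change the next hop.
    rule 00110 allow tcp from any to $optimus 80 setup in via $oif
    rule 00500 allow tcp from any to any established
    # services the gateway itself offers on the public address
    rule 00600 allow tcp from any to $oip ftp,ssh,http setup
    rule 00700 allow tcp from any to $oip 5900-5909 setup
    rule 00800 allow tcp from any to $oip 6881-6999,6669,3689,873,6346,1863,443,2628 setup
    rule 00900 allow udp from any to $oip 27960-27969
    rule 01000 allow icmp from any to any
    rule 02000 allow icmp from any to any icmptypes 3,4,11,12
    rule 03000 reset tcp from any to $oip 113
    rule 04000 check-state
    # outbound from the gateway and from the private segment, with state
    rule 05000 allow ip from $oip to any keep-state out via $oif
    rule 06000 allow ip from 192.168.0.0/16 to any keep-state via $iif
    # catch-all stays last; the web traffic now never reaches it
    rule 65000 deny ip from any to any
}

case "${1:-}" in
    apply)
        /sbin/ipfw -q -f flush
        # word splitting of $line is intended: each line is one ipfw command
        ipfw_rules | while read -r line; do /sbin/ipfw -q $line; done
        ;;
    show)
        ipfw_rules
        ;;
    *)
        echo "usage: $0 show|apply" >&2
        ;;
esac
```

Run it as "sh rules.sh show" (file name is arbitrary) to see the exact commands that would be loaded, with OIP=203.0.113.5 in the environment if the host has no en0, and "sh rules.sh apply" as root to flush and load them. The only functional change from the posted script is rule 110; everything else keeps the poster's numbering.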