IPFW - How to allow NAT client to CVSup

Srot BULL pwd8jmr22w at me.point.ne.jp
Mon Jan 17 04:25:52 PST 2005


Hi to everyone,

I have 2 FreeBSD machines, both running FreeBSD Stable 5.3, and both have 
ipfw as firewalls...
One is running ipfw with NAT functions.  Below is the ruleset for 
the machine:

#!/bin/sh
ipfw -q -f flush
CMD="ipfw -q add"
SKIP="skipto 00800"
KS="keep-state"
INIC="aue0"
$CMD 00005 allow all from any to any via rl0
$CMD 00010 allow all from any to any via lo0
$CMD 00014 divert natd ip from any to any in via $INIC
$CMD 00015 check-state

$CMD 00020 $SKIP tcp from any to 192.168.0.1 53 out via $INIC setup $KS
$CMD 00021 $SKIP udp from any to 192.168.0.1 53 out via $INIC $KS
$CMD 00030 $SKIP udp from any to 192.168.0.1 67 out via $INIC $KS
$CMD 00040 $SKIP tcp from any to any 80 out via $INIC setup $KS
$CMD 00050 $SKIP tcp from any to any 443 out via $INIC setup $KS
$CMD 00060 $SKIP tcp from any to any 25 out via $INIC setup $KS
$CMD 00061 $SKIP tcp from any to any 110 out via $INIC setup $KS
#------------ Allow out FBSD (make install & CVSUP) functions ------------#
$CMD 00070 $SKIP tcp from me to any out via $INIC setup $KS uid root
#-------------------------------------------------------------------------#
$CMD 00080 $SKIP icmp from any to any out via $INIC $KS
$CMD 00090 $SKIP tcp from any to any 37 out via $INIC setup $KS
$CMD 00100 $SKIP tcp from any to any 119 out via $INIC setup $KS
$CMD 00110 $SKIP tcp from any to any 22 out via $INIC setup $KS
$CMD 00120 $SKIP tcp from any to any 43 out via $INIC setup $KS
$CMD 00130 $SKIP udp from any to any 123 out via $INIC $KS
$CMD 00140 $SKIP tcp from any to any 873 out via $INIC $KS
$CMD 00141 $SKIP udp from any to any 873 out via $INIC $KS

$CMD 00300 deny all from 192.168.0.0/16 to any in via $INIC
$CMD 00301 deny all from 172.16.0.0/12 to any in via $INIC
$CMD 00302 deny all from 10.0.0.0/8 to any in via $INIC
$CMD 00303 deny all from 127.0.0.0/8 to any in via $INIC
$CMD 00304 deny all from 0.0.0.0/8 to any in via $INIC
$CMD 00305 deny all from 169.254.0.0/16 to any in via $INIC
$CMD 00306 deny all from 192.0.2.0/24 to any in via $INIC
$CMD 00308 deny all from 224.0.0.0/3 to any in via $INIC
#$CMD 00310 deny icmp from any to any in via $INIC
$CMD 00315 deny tcp from any to any 113 in via $INIC
$CMD 00320 deny tcp from any to any 137 in via $INIC
$CMD 00321 deny tcp from any to any 138 in via $INIC
$CMD 00322 deny tcp from any to any 139 in via $INIC
$CMD 00323 deny tcp from any to any 81 in via $INIC
$CMD 00330 deny all from any to any frag in via $INIC
$CMD 00332 deny tcp from any to any established in via $INIC

$CMD 00360 allow udp from any to 192.168.0.1 67 in via $INIC $KS
$CMD 00400 deny log all from any to any in via $INIC
$CMD 00450 deny log all from any to any out via $INIC
$CMD 00800 divert natd ip from any to any out via $INIC
$CMD 00801 allow ip from any to any
$CMD 00999 deny log all from any to any

This is the ruleset that I am using for the other machine that I want to be 
able to cvsup...

#!/bin/sh
ipfw -q -f flush
CMD="ipfw -q add"
KS="keep-state"
INIC="bge0"
$CMD 00010 allow all from any to any via lo0
$CMD 00015 check-state
$CMD 00020 allow tcp from any to 192.168.0.1 53 out via $INIC setup $KS
$CMD 00021 allow udp from any to 192.168.0.1 53 out via $INIC $KS
$CMD 00030 allow udp from any to 192.168.0.1 67 out via $INIC $KS
$CMD 00040 allow tcp from any to any 80 out via $INIC setup $KS
$CMD 00050 allow tcp from any to any 443 out via $INIC setup $KS
$CMD 00060 allow tcp from any to any 25 out via $INIC setup $KS
$CMD 00061 allow tcp from any to any 110 out via $INIC setup $KS
$CMD 00070 allow tcp from me to any out via $INIC setup $KS uid root
$CMD 00080 allow icmp from any to any out via $INIC $KS
$CMD 00090 allow tcp from any to any 37 out via $INIC setup $KS
$CMD 00100 allow tcp from any to any 119 out via $INIC setup $KS
$CMD 00110 allow tcp from any to any 22 out via $INIC setup $KS
$CMD 00120 allow tcp from any to any 43 out via $INIC setup $KS
$CMD 00130 allow udp from any to any 123 out via $INIC $KS

$CMD 00300 deny all from 192.168.0.0/16 to any in via $INIC
$CMD 00301 deny all from 172.16.0.0/12 to any in via $INIC
$CMD 00302 deny all from 10.0.0.0/8 to any in via $INIC
$CMD 00303 deny all from 127.0.0.0/8 to any in via $INIC
$CMD 00304 deny all from 0.0.0.0/8 to any in via $INIC
$CMD 00305 deny all from 169.254.0.0/16 to any in via $INIC
$CMD 00306 deny all from 192.0.2.0/24 to any in via $INIC
$CMD 00307 deny all from 204.152.64.0/23 to any in via $INIC
$CMD 00308 deny all from 224.0.0.0/3 to any in via $INIC
$CMD 00315 deny tcp from any to any 113 in via $INIC
$CMD 00320 deny tcp from any to any 137 in via $INIC
$CMD 00321 deny tcp from any to any 138 in via $INIC
$CMD 00322 deny tcp from any to any 139 in via $INIC
$CMD 00323 deny tcp from any to any 81 in via $INIC
$CMD 00330 deny all from any to any frag in via $INIC
$CMD 00332 deny tcp from any to any established in via $INIC
$CMD 00360 allow udp from any to 192.168.0.1 67 in via $INIC $KS

$CMD 00400 deny log all from any to any in via $INIC
$CMD 00999 deny log all from any to any

As you can see, I am using the rulesets that are found in the Handbook.  I 
have tried
$CMD 00070 $SKIP tcp from me to any out via $INIC setup $KS uid root
but still no go
$CMD 00070 $SKIP tcp from me to any 5999 out via $INIC setup $KS
but still no go

Can anybody share their ipfw rulesets with me, to allow my other PC to 
cvsup?
Thanks in advance...

Srot BULL
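A model of the gateway's outbound rule walk, added here as an example and not part of the post or the FreeBSD Handbook: it reproduces ipfw's first-match order for the rules a packet leaving via aue0 reaches and shows why a NAT client's CVSup connection (TCP 5999) falls through to the `deny log ... out` rule while the gateway's own root-owned traffic matches rule 70, because `me` matches only the gateway's own addresses and `uid` only packets tied to a local socket. The client address 192.168.0.50, the external address 203.0.113.10, the LAN prefix 192.168.0.0/24 and the candidate rule 71 are assumptions, not values from the post.

```python
import ipaddress

# What the ipfw keyword 'me' matches: the gateway's own addresses.
# 192.168.0.1 is from the post; the external address 203.0.113.10 is constructed.
GATEWAY_ADDRS = {"192.168.0.1", "203.0.113.10"}
LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed LAN prefix behind the gateway

def matches(rule, pkt):
    """Subset of ipfw match semantics: protocol, source, destination port, uid."""
    if rule.get("proto") not in (None, pkt["proto"]):
        return False
    src = rule.get("src")
    if src == "me" and pkt["src"] not in GATEWAY_ADDRS:
        return False  # a forwarded client packet is never 'from me'
    if isinstance(src, ipaddress.IPv4Network) and ipaddress.ip_address(pkt["src"]) not in src:
        return False
    if rule.get("dport") not in (None, pkt["dport"]):
        return False
    # 'uid' only matches packets owned by a local socket; forwarded packets have none
    if "uid" in rule and pkt.get("uid") != rule["uid"]:
        return False
    return True

def first_match(rules, pkt):
    """Return the number of the first rule the packet hits, as ipfw would."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["num"]
    return None

# Gateway rules an outbound packet on aue0 can reach, in the post's order (rule 14
# is 'in via'; NAT hasn't happened yet, the divert at 800 is only reached via skipto).
RULES = [
    {"num": 40, "proto": "tcp", "dport": 80},
    {"num": 50, "proto": "tcp", "dport": 443},
    {"num": 70, "proto": "tcp", "src": "me", "uid": "root"},  # the post's CVSup rule
    {"num": 110, "proto": "tcp", "dport": 22},
    {"num": 450},  # deny log all from any to any out via aue0
]

# Candidate fix (assumed, not from the post): let LAN clients reach CVSup's port 5999
FIXED_RULES = RULES[:3] + [{"num": 71, "proto": "tcp", "src": LAN, "dport": 5999}] + RULES[3:]

def cvsup_from_client(rules, client_ip="192.168.0.50"):  # client address is constructed
    pkt = {"proto": "tcp", "src": client_ip, "dport": 5999}  # forwarded packet: no uid
    return first_match(rules, pkt)

def cvsup_from_gateway(rules):
    pkt = {"proto": "tcp", "src": "203.0.113.10", "dport": 5999, "uid": "root"}
    return first_match(rules, pkt)
```

With the post's rules the client packet reaches rule 450 (the logged deny), the gateway's own cvsup reaches rule 70, and with the assumed rule 71 in place the client packet is matched there instead.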

