no access to web server behind ipfw

Chen Xu xuchen66 at gmail.com
Tue Oct 14 11:31:30 PDT 2008


Dear All,

I think I need help from the group. The situation is kind of simple,
but I cannot get it to work for me.

I wanted to access a web server behind a firewall/gateway:

191.168.1.1 (firewall/gateway/natd)
192.168.1.10 (internal web server)

191.168.1.1 has this info.
=========
FreeBSD 5.3-RELEASE-p26

Kernel compiled with the following lines:
----
options    IPFIREWALL
options    IPFIREWALL_VERBOSE
options    IPFIREWALL_VERBOSE_LIMIT=5
options    IPDIVERT

rc.conf has those lines:
-----
# Add stuff for firewall - ipfw
firewall_enable="YES"
firewall_type="OPEN"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
gateway_enable="YES"

# Enable natd.
natd_enable="YES"
natd_interface="fxp0"
#natd_flags="-dynamic -m"                  # preserve port numbers if possible
natd_flags="-f /etc/natd.conf"                  # preserve port numbers if possible

/etc/natd.conf
----
port 8668
interface fxp0
redirect_port tcp 192.168.1.10:80 80


/etc/ipfw.rules
----
#!/bin/sh
ipfw -q -f flush

cmd="ipfw -q add"
skip="skipto 500"
pif=fxp0
ks="keep-state"
good_tcpo="22"

ipfw -q -f flush

$cmd 002 allow all from any to any via em0  # exclude LAN traffic
$cmd 003 allow all from any to any via lo0  # exclude loopback traffic

$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets
$cmd 120 $skip udp from any to x.x.x.11 53 out via $pif $ks
$cmd 121 $skip udp from any to x.x.x.12 53 out via $pif $ks
## --> block only one PC running windows (192.168.1.2)
$cmd 123 deny tcp from 192.168.1.2 to any 80 out via $pif
$cmd 124 $skip tcp from any to any 80 out via $pif setup $ks

#
$cmd 129 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks

# root can do cvsup etc. like a GOD
$cmd 140 allow tcp from me to any out via $pif $ks uid root

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12   to any in via $pif  #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8      to any in via $pif  #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8     to any in via $pif  #loopback
$cmd 304 deny all from 0.0.0.0/8       to any in via $pif  #loopback
$cmd 305 deny all from 169.254.0.0/16  to any in via $pif  #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24    to any in via $pif  #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster
$cmd 308 deny all from 224.0.0.0/3     to any in via $pif  #Class D & E multicast

# Authorized inbound packets
$cmd 421 allow tcp from any to 192.168.1.10 80 in via $pif setup limit src-addr 5

$cmd 450 deny log ip from any to any

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any

######################## end of rules  ##################

Apparently rule 421 is not enough to access the web server 192.168.1.10 at
port 80. I need help here.

Thanks,
Chen

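An added example, not the poster's script and not a reply from the list: a small Python model of how ipfw walks the ruleset quoted above for one redirected web connection. It models only the ipfw(8) and natd(8) behaviour the question turns on: rules are tried in number order, `divert natd` rewrites the packet and searching resumes at the following rule, and `check-state` executes the action of the rule that created the dynamic entry (so a `limit`/`keep-state` rule with action `allow` lets the reply through at rule 101, before it ever reaches the outbound `divert natd` at rule 500). The client address 198.51.100.7 and port 40000 are constructed; the rules are the subset of the post's rules that the web traffic can touch, with rule 421's action made a parameter so the trace can be compared against a `skipto 500` variant in the same model.

```python
"""Toy model of ipfw rule traversal for the quoted ruleset (added example, not the poster's code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "in" or "out" (via the named interface)
    iface: str
    setup: bool = False   # TCP SYN without ACK


@dataclass
class Rule:
    num: int
    action: str             # allow | deny | skipto | divert | check-state
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    dport: int = 0          # 0 = any destination port
    direction: str = ""     # "" = either direction
    iface: str = ""         # "" = any interface
    setup: bool = False
    stateful: bool = False  # keep-state or limit: creates a dynamic entry
    target: int = 0         # skipto target

    def matches(self, p: Packet) -> bool:
        def in_net(addr, spec):
            return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
        return (self.proto in ("ip", p.proto)
                and in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and self.dport in (0, p.dport)
                and self.direction in ("", p.direction)
                and self.iface in ("", p.iface)
                and (not self.setup or p.setup))


class Firewall:
    # natd.conf from the post: redirect_port tcp 192.168.1.10:80 80
    PUBLIC, INSIDE, PORT = "191.168.1.1", "192.168.1.10", 80

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = []  # (address/port tuple, rule that created the entry)

    def natd(self, p):
        """redirect_port: inbound to PUBLIC:80 goes to INSIDE, replies from INSIDE:80 are un-aliased."""
        if p.direction == "in" and (p.dst, p.dport) == (self.PUBLIC, self.PORT):
            p.dst = self.INSIDE
        elif p.direction == "out" and (p.src, p.sport) == (self.INSIDE, self.PORT):
            p.src = self.PUBLIC

    def lookup_state(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)  # dynamic entries match both directions
        return next((parent for key, parent in self.dynamic if key in (fwd, rev)), None)

    def run(self, p):
        """Walk the rules; return (rule number where the verdict was reached, verdict)."""
        i = 0
        while i < len(self.rules):
            at = r = self.rules[i]
            if r.action == "check-state":
                r = self.lookup_state(p)   # act with the rule that created the entry
                if r is None:
                    i += 1
                    continue
            elif not r.matches(p):
                i += 1
                continue
            elif r.stateful:
                self.dynamic.append(((p.src, p.sport, p.dst, p.dport), r))
            if r.action == "divert":
                self.natd(p)               # natd rewrites and re-injects at the next rule
                i += 1
            elif r.action == "skipto":
                i = next(k for k, x in enumerate(self.rules) if x.num >= r.target)
            else:
                return at.num, r.action
        return 0, "deny"


def poster_rules(rule_421_action):
    """The post's rules that the web connection can touch; rule 421's action is the parameter."""
    pif = "fxp0"
    return [
        Rule(2, "allow", iface="em0"),
        Rule(3, "allow", iface="lo0"),
        Rule(100, "divert", direction="in", iface=pif),
        Rule(101, "check-state"),
        Rule(124, "skipto", proto="tcp", dport=80, direction="out", iface=pif, setup=True,
             stateful=True, target=500),
        Rule(300, "deny", src="192.168.0.0/16", direction="in", iface=pif),
        Rule(421, rule_421_action, proto="tcp", dst="192.168.1.10", dport=80, direction="in",
             iface=pif, setup=True, stateful=True, target=500),
        Rule(450, "deny"),
        Rule(500, "divert", direction="out", iface=pif),
        Rule(510, "allow"),
    ]


CLIENT = "198.51.100.7"  # constructed external client (TEST-NET-2)


def trace(rule_421_action):
    """Push the client's SYN in, then the server's SYN-ACK out; report where each was decided."""
    fw = Firewall(poster_rules(rule_421_action))
    syn = Packet("tcp", CLIENT, 40000, "191.168.1.1", 80, "in", "fxp0", setup=True)
    syn_at, syn_verdict = fw.run(syn)
    reply = Packet("tcp", "192.168.1.10", 80, CLIENT, 40000, "out", "fxp0")
    rep_at, rep_verdict = fw.run(reply)
    return {"syn": (syn_at, syn_verdict, syn.dst), "reply": (rep_at, rep_verdict, reply.src)}


if __name__ == "__main__":
    for action in ("allow", "skipto"):
        print(f"rule 421 = {action:6}", trace(action))
```

With rule 421 as posted (`allow ... limit src-addr 5`), the model decides the server's reply at rule 101 and it leaves fxp0 with source 192.168.1.10, never having passed the outbound divert; with the dynamic entry's action being `skipto 500` instead, the reply is diverted and leaves with the public source 191.168.1.1. The model is an illustration of rule ordering, not a substitute for `ipfw show` and `ipfw -d list` on the real box.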

More information about the freebsd-questions mailing list