On Wed, 26 Feb 2003 02:25:12 Giorgos Keramidas wrote:
>On 2003-02-25 16:09, Joshua Lokken <[EMAIL PROTECTED]> wrote:
>> When I remove the default deny rule from the list, nat works fine,
>> port redirections and all, but with the deny rule in place, nat
>> isn't working, so I'm thinking I have a rule in the wrong place.
>> Can anyone point out any obvious missing/misplaced rules here?
>
>For NAT to be working, you have to make sure natd(8) is running and has
>a proper configuration file.
>
>Now, as far as the ipfw(8) rules are concerned, try using the
>following ruleset:
>
># $fwcmd -f flush
># $fwcmd add allow all from any to any via lo0
># $fwcmd add divert natd all from any to any via $oif
># $fwcmd add allow icmp from any to any icmptypes 3,4,11,12
># $fwcmd add check-state
># $fwcmd add allow udp from $oip to any via $oif keep-state
># $fwcmd add allow tcp from any to $oip 22,80,443,6346,22002,22003,22010 setup via $oif keep-state
># $fwcmd add allow ip from $oip to any keep-state out via $oif
># $fwcmd add allow ip from $inwr to any keep-state via $iif
># $fwcmd add 65435 deny log ip from any to any
>
>The changes from your own set of rules are summarized below:
>
> - moved icmp checking higher, since they're unrelated to tcp or udp
> and state checking
>
> - added a rule for udp packets, since DNS resolving and a few other
> useful things depend on them
>
> - moved check-state higher, to minimise the delay for packets that
> are parts of an existing connection (ipfw rules are checked
> sequentially, from start to end)
>
> - added keep-state in your 'setup' rule for incoming connections to
> $oip and 'via $oif' to make sure that packets destined for $oip
> are only accepted on $oif (good measure against spoofing)
>
>Before using this set of rules, make sure you give proper values to
>$iip, $oip, $iif, $oif and $inwr.
>
>- Giorgos
>
Indeed! I do have the variables listed defined, and have natd configured and working.
Thank you very much--not only did you answer my question, but gave me a better
understanding of ipfw!
Joshua
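The ordering argument in Giorgos' reply (divert before check-state, check-state before the per-protocol keep-state rules, the catch-all deny last) is easiest to see by tracing a packet through a first-match rule walk. The following is an added toy evaluator written for this page, not ipfw or anything from the thread: it models just enough of ipfw's sequential matching, `divert natd` reinjection and interface-agnostic dynamic rules to show a DNS query from an inside host going out through natd and its reply coming back, and then shows what happens when the catch-all deny is placed above the stateful rules, which is one hypothetical way the original poster's symptoms could arise. All addresses and interface names are constructed placeholders for `$oip`, `$inwr`, `$oif` and `$iif`; the ICMP types, the lo0 rule and the TCP port list are simplified, and the natd stand-in keys its table on the outside peer address only.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed placeholders for the thread's $oip, $inwr, $oif and $iif.
OIP = "203.0.113.10"        # gateway's outside address
INWR = "192.168.1.0/24"     # inside network
OIF, IIF = "fxp0", "xl0"    # outside / inside interface names


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    iface: str
    out: bool            # True: leaving via iface; False: arriving on iface
    dport: int = 0
    setup: bool = False  # TCP SYN without ACK (ipfw's "setup")


def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def flow_key(p):
    # ipfw dynamic rules match on protocol and endpoints in either
    # direction, not on the interface, so the key ignores both.
    return (p.proto, frozenset((p.src, p.dst)))


class Natd:
    """Toy stand-in for natd(8): masquerades inside hosts behind OIP."""

    def __init__(self):
        self.table = {}  # (proto, outside peer) -> inside host

    def translate(self, p):
        if p.out and in_net(p.src, INWR):
            self.table[(p.proto, p.dst)] = p.src
            return replace(p, src=OIP)
        if not p.out and p.dst == OIP and (p.proto, p.src) in self.table:
            return replace(p, dst=self.table[(p.proto, p.src)])
        return p


class Firewall:
    def __init__(self, rules):
        self.rules, self.natd, self.state = rules, Natd(), set()

    def process(self, p):
        """Walk the rules top to bottom; the first terminal match decides."""
        for action, match, keep_state in self.rules:
            if action == "check-state":
                if flow_key(p) in self.state:
                    return "allow", p
                continue
            if not match(p):
                continue
            if action == "divert":
                # natd reinjects the rewritten packet and ipfw resumes at
                # the rule after the divert rule (one_pass=0 behaviour)
                p = self.natd.translate(p)
                continue
            if keep_state:
                self.state.add(flow_key(p))
            return action, p
        return "deny", p  # ipfw's implicit final deny


def ruleset(misplaced=False):
    """Giorgos' ruleset as (action, match, keep-state) triples, simplified."""
    rules = [
        ("allow", lambda p: p.iface == "lo0", False),
        ("divert", lambda p: p.iface == OIF, False),
        ("allow", lambda p: p.proto == "icmp", False),
        ("check-state", None, False),
        ("allow", lambda p: p.proto == "udp" and p.src == OIP
         and p.iface == OIF, True),
        ("allow", lambda p: p.proto == "tcp" and p.dst == OIP and p.setup
         and p.dport in (22, 80, 443) and p.iface == OIF, True),
        ("allow", lambda p: p.src == OIP and p.out and p.iface == OIF, True),
        ("allow", lambda p: in_net(p.src, INWR) and p.iface == IIF, True),
        ("deny", lambda p: True, False),
    ]
    if misplaced:  # hypothetical mistake: catch-all deny right after divert
        rules.insert(2, rules.pop())
    return rules


def dns_round_trip(fw):
    """Inside host queries an outside DNS server; returns one
    (verdict, src, dst) per hop of the packet through ipfw."""
    host, server = "192.168.1.20", "198.51.100.53"
    hops = [
        Packet("udp", host, server, IIF, out=False, dport=53),  # in from LAN
        Packet("udp", host, server, OIF, out=True, dport=53),   # out to world
        Packet("udp", server, OIP, OIF, out=False),             # reply arrives
        Packet("udp", server, host, IIF, out=True),             # reply to LAN
    ]
    results = []
    for p in hops:
        verdict, q = fw.process(p)
        results.append((verdict, q.src, q.dst))
    return results


if __name__ == "__main__":
    print("correct:", dns_round_trip(Firewall(ruleset())))
    print("misplaced:", dns_round_trip(Firewall(ruleset(misplaced=True))))
```

With the deny last, the LAN-side pass creates state keyed on the inside host, the outbound pass is masqueraded to `OIP` and creates a second state entry, and the reply is translated back to the inside host by the divert rule before `check-state` sees it, so it matches the first entry and is allowed on both the outside and inside interfaces. With the deny moved above `check-state`, every hop is rejected because the stateful rules below it are never reached, which is why the position of the default deny, rather than natd itself, is the thing to check.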