Hi everyone,
I have 2 FreeBSD machines, both running FreeBSD 5.3-STABLE, and both have ipfw as their firewall...
One is running ipfw with NAT functions. Below is the ruleset for that machine:
#!/bin/sh
ipfw -q -f flush
CMD="ipfw -q add"
SKIP="skipto 00800"
KS="keep-state"
INIC="aue0"
$CMD 00005 allow all from any to any via rl0
$CMD 00010 allow all from any to any via lo0
$CMD 00014 divert natd ip from any to any in via $INIC
$CMD 00015 check-state

$CMD 00020 $SKIP tcp from any to 192.168.0.1 53 out via $INIC setup $KS
$CMD 00021 $SKIP udp from any to 192.168.0.1 53 out via $INIC $KS
$CMD 00030 $SKIP udp from any to 192.168.0.1 67 out via $INIC $KS
$CMD 00040 $SKIP tcp from any to any 80 out via $INIC setup $KS
$CMD 00050 $SKIP tcp from any to any 443 out via $INIC setup $KS
$CMD 00060 $SKIP tcp from any to any 25 out via $INIC setup $KS
$CMD 00061 $SKIP tcp from any to any 110 out via $INIC setup $KS
#------------ Allow out FBSD (make install & CVSUP) functions -----------#
$CMD 00070 $SKIP tcp from me to any out via $INIC setup $KS uid root
#------------------------------------------------------------------------#
$CMD 00080 $SKIP icmp from any to any out via $INIC $KS
$CMD 00090 $SKIP tcp from any to any 37 out via $INIC setup $KS
$CMD 00100 $SKIP tcp from any to any 119 out via $INIC setup $KS
$CMD 00110 $SKIP tcp from any to any 22 out via $INIC setup $KS
$CMD 00120 $SKIP tcp from any to any 43 out via $INIC setup $KS
$CMD 00130 $SKIP udp from any to any 123 out via $INIC $KS
$CMD 00140 $SKIP tcp from any to any 873 out via $INIC $KS
$CMD 00141 $SKIP udp from any to any 873 out via $INIC $KS

$CMD 00300 deny all from 192.168.0.0/16 to any in via $INIC
$CMD 00301 deny all from 172.16.0.0/12 to any in via $INIC
$CMD 00302 deny all from 10.0.0.0/8 to any in via $INIC
$CMD 00303 deny all from 127.0.0.0/8 to any in via $INIC
$CMD 00304 deny all from 0.0.0.0/8 to any in via $INIC
$CMD 00305 deny all from 169.254.0.0/16 to any in via $INIC
$CMD 00306 deny all from 192.0.2.0/24 to any in via $INIC
$CMD 00308 deny all from 224.0.0.0/3 to any in via $INIC
#$CMD 00310 deny icmp from any to any in via $INIC
$CMD 00315 deny tcp from any to any 113 in via $INIC
$CMD 00320 deny tcp from any to any 137 in via $INIC
$CMD 00321 deny tcp from any to any 138 in via $INIC
$CMD 00322 deny tcp from any to any 139 in via $INIC
$CMD 00323 deny tcp from any to any 81 in via $INIC
$CMD 00330 deny all from any to any frag in via $INIC
$CMD 00332 deny tcp from any to any established in via $INIC

$CMD 00360 allow udp from any to 192.168.0.1 67 in via $INIC $KS
$CMD 00400 deny log all from any to any in via $INIC
$CMD 00450 deny log all from any to any out via $INIC
$CMD 00800 divert natd ip from any to any out via $INIC
$CMD 00801 allow ip from any to any
$CMD 00999 deny log all from any to any
This is the ruleset that I am using for the other machine, the one I want to be able to cvsup...
#!/bin/sh
ipfw -q -f flush
CMD="ipfw -q add"
KS="keep-state"
INIC="bge0"
$CMD 00010 allow all from any to any via lo0
$CMD 00015 check-state
$CMD 00020 allow tcp from any to 192.168.0.1 53 out via $INIC setup $KS
$CMD 00021 allow udp from any to 192.168.0.1 53 out via $INIC $KS
$CMD 00030 allow udp from any to 192.168.0.1 67 out via $INIC $KS
$CMD 00040 allow tcp from any to any 80 out via $INIC setup $KS
$CMD 00050 allow tcp from any to any 443 out via $INIC setup $KS
$CMD 00060 allow tcp from any to any 25 out via $INIC setup $KS
$CMD 00061 allow tcp from any to any 110 out via $INIC setup $KS
$CMD 00070 allow tcp from me to any out via $INIC setup $KS uid root
$CMD 00080 allow icmp from any to any out via $INIC $KS
$CMD 00090 allow tcp from any to any 37 out via $INIC setup $KS
$CMD 00100 allow tcp from any to any 119 out via $INIC setup $KS
$CMD 00110 allow tcp from any to any 22 out via $INIC setup $KS
$CMD 00120 allow tcp from any to any 43 out via $INIC setup $KS
$CMD 00130 allow udp from any to any 123 out via $INIC $KS

$CMD 00300 deny all from 192.168.0.0/16 to any in via $INIC
$CMD 00301 deny all from 172.16.0.0/12 to any in via $INIC
$CMD 00302 deny all from 10.0.0.0/8 to any in via $INIC
$CMD 00303 deny all from 127.0.0.0/8 to any in via $INIC
$CMD 00304 deny all from 0.0.0.0/8 to any in via $INIC
$CMD 00305 deny all from 169.254.0.0/16 to any in via $INIC
$CMD 00306 deny all from 192.0.2.0/24 to any in via $INIC
$CMD 00307 deny all from 204.152.64.0/23 to any in via $INIC
$CMD 00308 deny all from 224.0.0.0/3 to any in via $INIC
$CMD 00315 deny tcp from any to any 113 in via $INIC
$CMD 00320 deny tcp from any to any 137 in via $INIC
$CMD 00321 deny tcp from any to any 138 in via $INIC
$CMD 00322 deny tcp from any to any 139 in via $INIC
$CMD 00323 deny tcp from any to any 81 in via $INIC
$CMD 00330 deny all from any to any frag in via $INIC
$CMD 00332 deny tcp from any to any established in via $INIC
$CMD 00360 allow udp from any to 192.168.0.1 67 in via $INIC $KS

$CMD 00400 deny log all from any to any in via $INIC
$CMD 00999 deny log all from any to any
As you can see, I am using the rulesets that are found in the Handbook. I have tried
$CMD 00070 $SKIP tcp from me to any out via $INIC setup $KS uid root
but still no go, and
$CMD 00070 $SKIP tcp from me to any 5999 out via $INIC setup $KS
but still no go.
Can anybody share their ipfw rulesets with me, to allow my other PC to cvsup?
Thanks in advance...
Srot BULL
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
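An added example, not part of the post above: the outbound rule the NAT gateway needs so that a machine behind it can reach a cvsup server. The key point is that `uid root` (rule 00070) only matches packets that belong to a socket on the firewall itself; packets forwarded from the LAN carry no socket owner, so they fall through to rule 00450 (`deny log ... out via $INIC`) regardless of which user runs cvsup on the client. The rule below matches the cvsup port (TCP 5999) for the LAN prefix instead. The interface name `aue0`, the `skipto 00800` target and the LAN prefix `192.168.0.0/24` are assumptions taken from the ruleset in the post; the script prints the rules unless `LOAD=1` is set, so it can be reviewed on any box before being loaded on the gateway.

```sh
#!/bin/sh
# Added example (not from the original post): outbound cvsup rule for a
# FreeBSD 5.x ipfw + natd gateway. Interface, skipto target and LAN prefix
# are assumptions matching the poster's ruleset.
INIC="aue0"            # assumed external interface
LAN="192.168.0.0/24"   # assumed inside network behind natd
KS="keep-state"
SKIP="skipto 00800"    # assumed: rule 00800 is the outbound 'divert natd'

# Dry-run by default: print the ipfw commands instead of loading them.
# Set LOAD=1 on the gateway to actually install the rules.
if [ "${LOAD:-0}" = "1" ] && command -v ipfw >/dev/null 2>&1; then
    CMD="ipfw -q add"
else
    CMD="echo ipfw -q add"
fi

cvsup_rules() {
    # Handbook rule: covers cvsup run as root ON THE GATEWAY only, because
    # 'uid root' matches a local socket owner and forwarded packets have none.
    $CMD 00070 $SKIP tcp from me to any out via $INIC setup $KS uid root
    # Forwarded cvsup from the LAN: match the port, not a uid. 'setup' limits
    # the rule to the initial SYN; keep-state lets check-state (rule 00015)
    # pass the replies after natd has rewritten them back on the way in.
    $CMD 00071 $SKIP tcp from $LAN to any 5999 out via $INIC setup $KS
}

cvsup_rules
```

Before changing anything, `ipfw show 450` on the gateway shows whether the outbound deny rule is counting the client's packets, and with `net.inet.ip.fw.verbose=1` the corresponding `Deny TCP ... :5999 out via aue0` lines appear in the security log. On the client itself (the `bge0` ruleset) the Handbook's `uid root` rule does match, because there the cvsup socket is local; if cvsup is run as a non-root user on the client, it needs an equivalent `to any 5999 out via $INIC setup keep-state` rule as well.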