Re: IPFW + NATD rules

2006-10-03 Thread Alex de Kruijff
On Sun, Aug 27, 2006 at 01:04:54PM +0500, ?? ?? wrote:
> I'm a junior in FreeBSD, and I am faced with a problem.

You should know that others have mailers that are thread enabled. This
means that when you compose a new mail but use the reply shortcut,
others may not read it, because it ends up in the list.

I redirected the mail to questions@ because this is not related to the
stable development branch.

> I've a FreeBSD 6.1-stable box as a gate+firewall, and I want to divert
> incoming requests to my web-server, placed in a DeMilitarized Zone
> (DMZ). To do this I wrote down the settings in /etc/rc.conf as shown
> below:
> 
>   natd_flags="-redirect_port tcp 80 192.168.1.234 80"
>   natd_flags="-redirect_poort tcp 443 192.168.1.234 443"

You probably can not have two lines.

> I think that all packets incoming from the Internet will be diverted from
> the external interface via the DMZ interface to my web-server. Is it right?
> If not, why not, and what is the way to make it work?

Yes, but you made some mistakes:
1. You have two lines, where only one is allowed.
2. The file format is wrong: should be tcp forward_ip:port port
3. You made a typo
4. Did you setup ipfw?

I've done this with a separate config file.

firewall_enable="YES"
firewall_type="/etc/firewall.conf"
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
natd_interface="fxp0"

/etc/firewall.conf contains:
add divert 8668 ip from any to any
(note: src_ip and dst_ip change here, so keep this in mind if you add rules)
add allow ip from any to any

/etc/natd.conf contains:
redirect_port tcp ip_to_goto:port local_port

Did you set up ipfw and direct packets to natd?

You also need to setup i
-- 
Alex

Please copy the original recipients, otherwise I may not read your reply.

Howtos based on my personal use, including information about 
setting up a firewall and creating traffic graphs with MRTG
http://alex.kruijff.org/FreeBSD/

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
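The reply above lists the mistakes in the quoted natd settings by eye. As an added example (not code from the original thread), here is a small POSIX sh lint for the same two files: it checks that each natd.conf redirect line has the shape described above (redirect_port proto target_ip:target_port alias_port), reports directives it does not recognise (which catches the redirect_poort typo), and counts natd_flags assignments in rc.conf. The second check matters because /etc/rc.conf is sourced by sh, so a second natd_flags= line silently replaces the first one instead of adding to it. The sample files, their contents and the list of known directives (a subset of what natd accepts) are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original thread: lint natd.conf and rc.conf
# for the mistakes discussed above. Sample files are constructed below and
# written only to a temporary directory (their paths are assumptions).

set -f  # no pathname expansion when config lines are split with "set --"

# Directives this lint recognises: a subset of the natd(8) config options.
KNOWN_DIRECTIVES="redirect_port redirect_address interface alias_address port use_sockets same_ports unregistered_only deny_incoming log dynamic"

# 0 if $1 is a decimal TCP/UDP port number (1..65535), 1 otherwise.
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# 0 if the line reads "redirect_port <tcp|udp> <ip>:<port> <port>", 1 otherwise.
check_redirect_line() {
    set -- $1
    [ "$#" -eq 4 ] && [ "$1" = "redirect_port" ] || return 1
    case $2 in tcp|udp) ;; *) return 1 ;; esac
    case $3 in *:*) ;; *) return 1 ;; esac
    is_ipv4 "${3%%:*}" && is_port "${3#*:}" && is_port "$4"
}

# Prints one diagnostic per bad line of a natd.conf; returns 1 if any found.
lint_natd_conf() {
    file=$1
    found_bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|\#*) continue ;; esac   # skip blanks and comments
        set -- $line
        directive=$1
        case " $KNOWN_DIRECTIVES " in
            *" $directive "*) ;;
            *) echo "unknown directive: $line"; found_bad=1; continue ;;
        esac
        if [ "$directive" = "redirect_port" ] && ! check_redirect_line "$line"; then
            echo "malformed redirect (expected: redirect_port proto ip:port port): $line"
            found_bad=1
        fi
    done < "$file"
    return $found_bad
}

# Number of natd_flags= assignments in an rc.conf; more than one is a bug,
# because only the last assignment survives sourcing.
count_natd_flags() {
    grep -c '^[[:space:]]*natd_flags=' "$1" || true
}

# Constructed sample files: one good redirect, one with the arguments in the
# wrong order, one with the typo from the thread, and a doubled natd_flags.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/natd.conf" <<'EOF'
# constructed sample natd.conf
redirect_port tcp 192.168.1.234:80 80
redirect_port tcp 80 192.168.1.234 80
redirect_poort tcp 192.168.1.234:443 443
EOF
cat > "$DEMO_DIR/rc.conf" <<'EOF'
natd_enable="YES"
natd_flags="-redirect_port tcp 192.168.1.234:80 80"
natd_flags="-redirect_port tcp 192.168.1.234:443 443"
EOF

lint_natd_conf "$DEMO_DIR/natd.conf" && echo "natd.conf: ok"
n=$(count_natd_flags "$DEMO_DIR/rc.conf")
[ "$n" -le 1 ] || echo "rc.conf assigns natd_flags $n times; only the last one takes effect"
```

Run against real files by calling lint_natd_conf /etc/natd.conf and count_natd_flags /etc/rc.conf; the sample rc.conf above ends up redirecting only port 443, which is exactly the silent failure the doubled line produces.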


problems with ipfw + natd rules

2004-03-31 Thread Prodigy
Hello,

I have a problem with ipfw + natd. The problem is that my FreeBSD server
isn't routing internet. First I used FreeBSD 4.9-STABLE, then I tried to
upgrade to FreeBSD 4.9-RELEASE-p4. The result is the same - no internet for LAN
users. Take a look at my configuration files:

rc.conf:

defaultrouter="213.190.42.1"
hostname="localhost"
ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"    # inside (lan) interface
ifconfig_rl1="inet 213.190.42.48 netmask 255.255.255.0"  # outside (internet) interface
#some other stuff goes here
gateway_enable="YES"
natd_enable="YES"
natd_program="/sbin/natd"
natd_interface="rl1"
natd_flags=""
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.conf"
firewall_quiet="YES"
firewall_logging="YES"


ipfw.conf:

fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush
${fwcmd} add 100 divert 8668 ip from any to any via rl1
${fwcmd} add 200 pass ip from any to any via lo0
${fwcmd} add 300 deny log ip from any to 127.0.0.0/8
${fwcmd} add 400 pass tcp from any 22,80,110,119,143,443,3306,5190,6667-7000 to any via rl1
${fwcmd} add 500 pass tcp from any to any 22,80,110,119,143,443,3306,5190,6667-7000 via rl1
${fwcmd} add 600 pass udp from any to any 53 via rl1
${fwcmd} add 700 pass udp from any 53 to any via rl1
${fwcmd} add 800 pass ip from any to any via rl0
${fwcmd} add 900 deny log all from any to any via rl1

# ipfw show

00100   80  48557 divert 8668 ip from any to any via rl1
002000  0 allow ip from any to any via lo0
003000  0 deny log ip from any to 127.0.0.0/8
00400   54  59678 allow tcp from any
22,80,110,119,143,443,3306,5190,6667-7000 to any via rl1
00500   26   1473 allow tcp from any to any dst-port
22,80,110,119,143,443,3306,5190,6667-7000 via rl1
006003177 allow udp from any to any dst-port 53 via rl1
007000  0 allow udp from any 53 to any via rl1
00800  226 101368 allow ip from any to any via rl0
00900   62  40857 deny log ip from any to any via rl1
65535 1598 333640 deny ip from any to any


/etc/sysctl.conf:

net.link.ether.ipfw=1


# cat /etc/services | grep natd
natd    8668/divert     # Network Address Translation


When I comment out 400 and 500 rules and add "allow all from any to any via
rl1" it's all ok. The problem is somewhere in 400 and 500 rules.



Re: problems with ipfw + natd rules

2004-03-31 Thread Andre Post
On Wed, 2004-03-31 at 20:27, Prodigy wrote:
> ${fwcmd} add 400 pass tcp from any 22,80,110,119,143,443,3306,5190,6667-7000 to any via rl1
> ${fwcmd} add 500 pass tcp from any to any 22,80,110,119,143,443,3306,5190,6667-7000 via rl1
>
> When I comment out 400 and 500 rules and add "allow all from any to any via
> rl1" it's all ok. The problem is somewhere in 400 and 500 rules.

Those lines (400 and 500) sure look like they could cause trouble. Try
chopping them up per port number/range across multiple lines.

ipfw and natd are nice for the quick-and-dirty setups, but if you need
something more predictable, configurable, and debuggable, switch to
ipfilter and ipnat. You'll find yourself very much in control over your
firewall/nat environment.

Andre

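The reply suggests splitting rules 400 and 500 into one rule per port or range. As an added example (not code from the original thread), here is a POSIX sh generator that does that split mechanically: it takes the comma-separated list from the quoted rules, validates every item as a port or an ascending port range, assigns consecutive rule numbers, and refuses to run past the number of the next rule block so the expanded rules cannot collide with it. It prints the rules rather than loading them, so they can be reviewed first; the port list, interface and rule numbers in the demo are the ones quoted above, everything else is constructed.

```shell
#!/bin/sh
# Added example, not part of the original thread: expand an ipfw rule that
# carries a comma-separated port list into one rule per port/range. Output
# is printed, not loaded, so it can be reviewed before going into a script.

# 0 if $1 is a decimal TCP/UDP port number (1..65535), 1 otherwise.
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# 0 if $1 is a single port or an ascending range "lo-hi", 1 otherwise.
valid_port_item() {
    case $1 in
        *-*) lo=${1%-*}; hi=${1#*-}
             is_port "$lo" && is_port "$hi" && [ "$lo" -le "$hi" ] ;;
        *)   is_port "$1" ;;
    esac
}

# Prints the items of a comma-separated port list, one per line.
split_ports() {
    printf '%s\n' "$1" | tr ',' '\n'
}

# expand_rule <first_number> <limit> <action> <proto> <src> <dst> <src|dst> <ports> <iface>
# Emits "add N action proto from src [port] to dst [port] via iface" lines,
# one per item, numbering from first_number. Fails if a port item is bad or
# the numbers would reach <limit> (the number of the next rule block).
expand_rule() {
    num=$1; limit=$2; action=$3; proto=$4; src=$5; dst=$6
    where=$7; ports=$8; iface=$9
    for item in $(split_ports "$ports"); do
        valid_port_item "$item" || { echo "bad port item: $item" >&2; return 1; }
        [ "$num" -lt "$limit" ] || { echo "rule $num would reach the next block at $limit" >&2; return 1; }
        case $where in
            src) echo "add $num $action $proto from $src $item to $dst via $iface" ;;
            dst) echo "add $num $action $proto from $src to $dst $item via $iface" ;;
            *)   echo "port side must be src or dst, not '$where'" >&2; return 1 ;;
        esac
        num=$((num + 1))
    done
}

# Demo with the list and interface from the quoted rules: rule 400 matched on
# source port, rule 500 on destination port, each block kept below the next.
PORTS="22,80,110,119,143,443,3306,5190,6667-7000"
expand_rule 400 500 pass tcp any any src "$PORTS" rl1
expand_rule 500 600 pass tcp any any dst "$PORTS" rl1
```

The printed lines drop straight into the original firewall script with the ${fwcmd} prefix in front of each; with eleven items the two blocks occupy 400-410 and 500-510, well clear of the divert rule at 100 and the final deny at 900.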


Re: problems with ipfw + natd rules

2004-03-31 Thread Prodigy
I tried to allow only port 80, but the result is the same. I have also tried
ipf + ipnat, but I need to block the internet connection for some users by MAC
address, and ipf doesn't know what a MAC address is. Maybe I can block MAC
addresses with ipf + ipnat somehow? Btw, the FreeBSD version is 4.9.

> On Wed, 2004-03-31 at 20:27, Prodigy wrote:
> > ${fwcmd} add 400 pass tcp from any 22,80,110,119,143,443,3306,5190,6667-7000 to any via rl1
> > ${fwcmd} add 500 pass tcp from any to any 22,80,110,119,143,443,3306,5190,6667-7000 via rl1
> >
> > When I comment out 400 and 500 rules and add "allow all from any to any via
> > rl1" it's all ok. The problem is somewhere in 400 and 500 rules.
>
> Those lines (400 and 500) sure look like they could cause trouble. Try
> chopping them up per port number/range across multiple lines.
>
> ipfw and natd are nice for the quick-and-dirty setups, but if you need
> something more predictable, configurable, and debuggable, switch to
> ipfilter and ipnat. You'll find yourself very much in control over your
> firewall/nat environment.
>
> Andre
>



ipfw natd rules not loading on startup

2010-05-14 Thread umage
I performed a kernel+world update of my FreeBSD router, RELENG_8 branch,
apparently from the version 6 months ago to current. I use ipfw and a
shell script that gets loaded at startup. I noticed after rebooting that
ipfw did not load two rules, both of type "divert natd". However, if I
run the script manually, or call it from the end of /etc/rc, it will add
these rules as well. Currently I am using a workaround.

I could not find any mention of warnings or errors in the logs. I
couldn't find any way of making ipfw log errors. I tried piping my
script's output to a file, but it did not say anything useful. No one I
asked knew what to do. I noticed that there has been a revamp of ipfw
and its supporting scripts recently, so it's possible something broke
along the way (for example, a missing rc dependency on natd?).

Advice would be appreciated.


Re: ipfw natd rules not loading on startup

2010-05-14 Thread Jonathan Chen
On Sat, May 15, 2010 at 02:33:10AM +0200, umage wrote:
> I performed a kernel+world update of my freebsd router, RELENG_8 branch,
> apparently from the version 6 months ago to current. I use ipfw and a
> shell script that gets loaded at startup. I noticed after rebooting that
> ipfw did not load two rules, both of type "divert natd". However, if I
> run the script manually, or call it from the end of /etc/rc, it will add
> these rules as well. Currently I am using a workaround.

Best to ask -STABLE. There's been some breakage of ipfw since the end of
April. I'm unsure as to whether they've all been resolved yet.

Cheers.
-- 
Jonathan Chen  |  To do is to be  -- Nietzsche
               |  To be is to do  -- Sartre
               |  Scooby do be do -- Scooby


Re: ipfw natd rules not loading on startup

2010-05-14 Thread Polytropon
Just a sidenote:

On Sat, 15 May 2010 02:33:10 +0200, umage  wrote:
> However, if I
> run the script manually, or call it from the end of /etc/rc, it will add
> these rules as well. Currently I am using a workaround.

It's not a good idea to modify /etc/rc. In your case, using the
mechanisms of /etc/rc(.shutdown).local is a good way to call
scripts that do not fit the rc.d concept. See "man rc.local"
for details.

So I would suggest something for /etc/rc.local like this:



#!/bin/sh

if [ -z "${source_rc_confs_defined}" ]; then
    if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
    elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
    elif [ -r /etc/rc.conf.local ]; then
        . /etc/rc.conf.local
    fi
fi

echo -n " custom-firewall"
/your/firewall/script.sh --here



The final dot + newline in the messages will be added by rc,
if I remember correctly.



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...