LinuxQuestions.org


Reme 10-27-2003 07:14 AM

IPFW gateway firewall
 
I cannot get my Windows box from behind the firewall to connect to the internet. I cannot ping anything from the Windows box, including the server; but I can pull up an ssh session from my server. When I ping from the server to a web address, $ipfw show tells me that I send one packet to my DNS and the ICMP packets are allowed to pass. But still the computer behind the firewall doesn't connect. My rules are here; I cannot figure out what is wrong with them. I have been trying for hours. Any help would be greatly appreciated. Thanks.


I am pretty much following this guide and it has been pretty good.

http://www.onlamp.com/pub/a/bsd/2001...SD_Basics.html


${fwcmd} -f flush
${fwcmd} add 00050 divert natd all from any to any via ${oif}

${fwcmd} add 00100 pass all from any to any via lo0
${fwcmd} add 00200 deny all from any to 127.0.0.0/8
${fwcmd} add 00300 deny all from 127.0.0.0/8 to any

${fwcmd} add 00400 check-state
${fwcmd} add 00401 deny tcp from any to any in established
${fwcmd} add 00402 allow tcp from any to any out setup keep-state

${fwcmd} add 00500 allow udp from XXX.XXX.XXX.XXX 53 to any in recv ${oif}
${fwcmd} add 00501 allow udp from XXX.XXX.XXX.XXX 53 to any in recv ${oif}
${fwcmd} add 00502 allow udp from any to any out

${fwcmd} add 00600 allow icmp from any to any icmptypes 3
${fwcmd} add 00601 allow icmp from any to any icmptypes 4
${fwcmd} add 00602 allow icmp from any to any icmptypes 8 out
${fwcmd} add 00603 allow icmp from any to any icmptypes 0 in
${fwcmd} add 00604 allow icmp from any to any icmptypes 11 in

${fwcmd} add 00700 allow tcp from any to any 22 setup keep-state

J_Szucs 10-30-2003 08:29 PM

Maybe the incoming packages of your established connections do not match rule 400, and get denied by rule 401?
Do your byte counters confirm this?

I find the same on all of my servers (up to FreeBSD 4.6). I think ipfw+nat are theoretically inappropriate to do advanced stateful filtering: since natd is (and should be) called as one of the first rules in your ruleset, outgoing packages create the dynamic allow rules for your public IP (the setup keep-state rule follows the natd redirection), while the incoming packages are compared to your private (nat-ed) IP (since the check-state rule follows the natd rule).
That is why the incoming packages never match the check-state rule.
The ssh connections work as ssh is on the gateway, and uses your public IP (thus natd does not mess with the IP).

I found no workaround, so I do not use advanced stateful rules, only stateful or static ones. Some say ipfilter+ipnat can do advanced stateful rules, but they are much more complicated to set up, so I haven't even tried them. Maybe things will improve in newer versions of FreeBSD.
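The ordering problem described in the reply above can be traced packet by packet. The following is an added illustration, not code from this thread or from FreeBSD: a toy model of ipfw's rule walk with just enough of divert/natd, keep-state and check-state to show that, with rule 50 diverting before rule 402 keeps state, the dynamic rule is keyed on the public address while the translated reply is checked against the private one, so the reply falls through to rule 401. For comparison it also runs an alternative ordering (check-state first, keep-state before the outbound divert via skipto, as later FreeBSD Handbook ipfw/NAT examples do); that ordering is an assumption of the example, not something the thread states works. All addresses are constructed sample values.

```python
"""Toy model of ipfw evaluation with divert natd, keep-state and check-state.
Added illustration, not thread or FreeBSD code; addresses are constructed."""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.5"     # constructed: gateway address on the outside interface
PRIVATE_IP = "192.168.1.10"   # constructed: the Windows box behind the gateway
REMOTE_IP = "198.51.100.20"   # constructed: a web server on the internet


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "in" or "out" relative to the outside interface
    setup: bool = False   # TCP SYN without ACK (ipfw's "setup")


def flow_key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(p):
    return (p.proto, p.dst, p.dport, p.src, p.sport)


# Predicates standing in for ipfw match options.
def any_pkt(p):
    return True


def inbound(p):
    return p.direction == "in"


def outbound(p):
    return p.direction == "out"


def tcp_out_setup(p):          # "tcp from any to any out setup"
    return p.proto == "tcp" and outbound(p) and p.setup


def tcp_in_established(p):     # "tcp from any to any in established" (ACK or RST set)
    return p.proto == "tcp" and inbound(p) and not p.setup


class Firewall:
    """Rules are (number, action, predicate, skipto_target) tuples.  Actions:
    divert, check-state, keep-state (allow, or skipto when a target is given),
    allow, deny.  Dynamic rules inherit the action of the rule that made them."""

    def __init__(self, rules):
        self.rules = rules
        self.dynamic = {}     # flow key -> skipto target of the creating rule
        self.nat_table = {}   # natd's view: (proto, remote, rport, lport) -> private host

    def natd(self, p):
        """Divert to natd: rewrite the private source on the way out, and map a
        reply addressed to the public address back to the private host."""
        if outbound(p) and p.src == PRIVATE_IP:
            self.nat_table[(p.proto, p.dst, p.dport, p.sport)] = p.src
            return replace(p, src=PUBLIC_IP)
        if inbound(p) and p.dst == PUBLIC_IP:
            private = self.nat_table.get((p.proto, p.src, p.sport, p.dport))
            if private is not None:
                return replace(p, dst=private)
        return p

    def _index_of(self, number):
        return next(i for i, r in enumerate(self.rules) if r[0] >= number)

    def run(self, pkt):
        """Walk the ruleset; return (rule number, verdict, matched_by_state)."""
        i, via_state = 0, False
        while i < len(self.rules):
            num, action, match, target = self.rules[i]
            if not match(pkt):
                i += 1
                continue
            if action == "divert":
                pkt = self.natd(pkt)          # later rules see the rewritten packet
            elif action == "check-state":
                key = flow_key(pkt) if flow_key(pkt) in self.dynamic else reverse_key(pkt)
                if key in self.dynamic:
                    via_state = True
                    if self.dynamic[key] is None:
                        return num, "allow", True
                    i = self._index_of(self.dynamic[key])
                    continue
            elif action == "keep-state":
                self.dynamic[flow_key(pkt)] = target   # keyed on the addresses seen HERE
                if target is None:
                    return num, "allow", via_state
                i = self._index_of(target)
                continue
            elif action in ("allow", "deny"):
                return num, action, via_state
            i += 1
        return 65535, "deny", via_state


# The rules from the question that this TCP flow touches (others omitted).
QUESTION_RULES = [
    (50, "divert", any_pkt, None),
    (400, "check-state", any_pkt, None),
    (401, "deny", tcp_in_established, None),
    (402, "keep-state", tcp_out_setup, None),
]

# Assumed alternative: state is kept before the outbound divert, so both
# directions are keyed on the private address.
STATE_BEFORE_NAT_RULES = [
    (10, "divert", inbound, None),
    (15, "check-state", any_pkt, None),
    (50, "keep-state", tcp_out_setup, 500),
    (401, "deny", tcp_in_established, None),
    (500, "divert", outbound, None),
    (510, "allow", any_pkt, None),
]


def simulate(rules):
    """Send one SYN from the private host, then feed back the SYN/ACK reply."""
    fw = Firewall(rules)
    syn = Packet("tcp", PRIVATE_IP, 40000, REMOTE_IP, 80, "out", setup=True)
    synack = Packet("tcp", REMOTE_IP, 80, PUBLIC_IP, 40000, "in")
    return fw.run(syn), fw.run(synack)


if __name__ == "__main__":
    print("question ordering   :", simulate(QUESTION_RULES))
    print("state-before-NAT    :", simulate(STATE_BEFORE_NAT_RULES))
```

With the question's ordering the SYN is allowed by rule 402 but the SYN/ACK is denied by rule 401, which is exactly what the byte counters on 401 would show; with the alternative ordering the reply matches check-state at rule 15 and is allowed. The model ignores timeouts, sequence checks and the rest of natd, so treat it as a diagram of the address mismatch rather than a faithful ipfw.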

