IPFW gateway firewall
I cannot get my Windows box from behind the firewall to connect to the internet. I cannot ping anything from the Windows box, including the server, but I can pull up an SSH session from my server. When I ping from the server to a web address, `ipfw show` tells me that I send one packet to my DNS and the ICMP packets are allowed to pass. But still the computer behind the firewall doesn't connect. My rules are here; I cannot figure out what is wrong with them. I have been trying for hours. Any help would be greatly appreciated. Thanks.
I am pretty much following this guide and it has been pretty good. http://www.onlamp.com/pub/a/bsd/2001...SD_Basics.html

${fwcmd} -f flush
${fwcmd} add 00050 divert natd all from any to any via ${oif}
${fwcmd} add 00100 pass all from any to any via lo0
${fwcmd} add 00200 deny all from any to 127.0.0.0/8
${fwcmd} add 00300 deny all from 127.0.0.0/8 to any
${fwcmd} add 00400 check-state
${fwcmd} add 00401 deny tcp from any to any in established
${fwcmd} add 00402 allow tcp from any to any out setup keep-state
${fwcmd} add 00500 allow udp from XXX.XXX.XXX.XXX 53 to any in recv ${oif}
${fwcmd} add 00501 allow udp from XXX.XXX.XXX.XXX 53 to any in recv ${oif}
${fwcmd} add 00502 allow udp from any to any out
${fwcmd} add 00600 allow icmp from any to any icmptypes 3
${fwcmd} add 00601 allow icmp from any to any icmptypes 4
${fwcmd} add 00602 allow icmp from any to any icmptypes 8 out
${fwcmd} add 00603 allow icmp from any to any icmptypes 0 in
${fwcmd} add 00604 allow icmp from any to any icmptypes 11 in
${fwcmd} add 00700 allow tcp from any to any 22 setup keep-state
Maybe the incoming packages of your established connections do not match rule 400, and get denied by rule 401?
Do your byte counters confirm this? I find the same on all of my servers (up to FreeBSD 4.6). I think ipfw+nat are theoretically inappropriate to do advanced stateful filtering: since natd is (and should be) called as one of the first rules in your ruleset, outgoing packages create the dynamic allow rules for your public IP (the setup keep-state rule follows the natd redirection), while the incoming packages are compared to your private (nat-ed) IP (since the check-state rule follows the natd rule). That is why the incoming packages never match the check-state rule. The ssh connections work as ssh is on the gateway, and uses your public IP (thus natd does not mess with the IP). I found no workaround, so I do not use advanced stateful rules, only stateful or static ones. Some say ipfilter+ipnat can do advanced stateful rules, but they are much more complicated to set up, so I haven't even tried them. Maybe things will improve in newer versions of FreeBSD.
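The address mismatch described in the reply above, traced through as an added Python model of the OP's TCP rules (00050, 00400, 00401, 00402). This is not FreeBSD or ipfw code; the addresses, the fixed source port and the one-table natd are constructed assumptions, and the two cases are the ones the reply contrasts: a LAN host's web connection versus a connection made from the gateway itself.

```python
# Added example (not from the thread): a toy model of the ipfw+natd evaluation
# order the reply describes, using the OP's rule numbers. Addresses are constructed.
PUBLIC_IP = "203.0.113.1"    # gateway's outside (${oif}) address, constructed
PRIVATE_IP = "192.168.1.10"  # the Windows box behind the gateway, constructed
REMOTE = "198.51.100.7"      # some web server on the internet, constructed

def flow_key(p):
    # Dynamic rules match either direction, so key on the unordered endpoint pair.
    return frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])})

def natd(p, nat_table):
    """Rule 00050: rewrite the LAN address to/from the public one, as natd does."""
    if p["dir"] == "out" and p["src"] == PRIVATE_IP:
        nat_table[p["sport"]] = p["src"]   # remember which LAN host owns this port
        p["src"] = PUBLIC_IP
    elif p["dir"] == "in" and p["dst"] == PUBLIC_IP and p["dport"] in nat_table:
        p["dst"] = nat_table[p["dport"]]   # replies for the gateway itself are untouched

def evaluate(pkt, state, nat_table):
    """Walk the OP's TCP rules in order for one packet; return the verdict."""
    p = dict(pkt)
    natd(p, nat_table)                                   # 00050 divert natd
    if flow_key(p) in state:                             # 00400 check-state
        return "allow (00400 check-state)"
    if p["dir"] == "in" and (p["ack"] or p["rst"]):     # 00401 deny ... in established
        return "deny (00401)"
    if p["dir"] == "out" and p["syn"] and not p["ack"]:  # 00402 allow ... out setup keep-state
        state.add(flow_key(p))                           # dynamic rule keyed on post-NAT addresses
        return "allow (00402, dynamic rule created)"
    return "deny (no matching rule in this model)"

def run_handshake(client_ip):
    """Outbound SYN from client_ip, then the SYN/ACK coming back; return both verdicts."""
    state, nat_table = set(), {}
    syn = dict(src=client_ip, sport=1025, dst=REMOTE, dport=80, dir="out",
               syn=True, ack=False, rst=False)
    v_out = evaluate(syn, state, nat_table)
    # The remote host only ever sees the public address, so the reply is addressed to it.
    synack = dict(src=REMOTE, sport=80, dst=PUBLIC_IP, dport=1025, dir="in",
                  syn=True, ack=True, rst=False)
    v_in = evaluate(synack, state, nat_table)
    return v_out, v_in

if __name__ == "__main__":
    print("LAN host:", run_handshake(PRIVATE_IP))  # reply is NATed first, misses state, hits 00401
    print("gateway: ", run_handshake(PUBLIC_IP))   # reply untouched by natd, matches check-state
```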