Old 10-27-2003, 07:14 AM   #1
IPFW gateway firewall

I cannot get my Windows box from behind the firewall to connect to the internet. I cannot ping anything from the Windows box, including the server; but I can pull up an ssh session from my server. When I ping from the server to a web address, $ipfw show tells me that I send one packet to my DNS and the ICMP packets are allowed to pass. But still the computer behind the firewall doesn't connect. My rules are here; I cannot figure out what is wrong with them. I have been trying for hours. Any help would be greatly appreciated. Thanks.

I am pretty much following this guide and it has been pretty good.

# flush the ruleset, then hand everything crossing the outside interface to natd first
${fwcmd} -f flush
${fwcmd} add 00050 divert natd all from any to any via ${oif}

# loopback handling: rules 200 and 300 follow the rc.firewall loopback-protection
# pattern; their address operand did not survive archiving of the post
${fwcmd} add 00100 pass all from any to any via lo0
${fwcmd} add 00200 deny all from any to
${fwcmd} add 00300 deny all from to any

# stateful TCP: match existing dynamic rules, drop other inbound non-SYN packets,
# create a dynamic rule for every outbound connection attempt
${fwcmd} add 00400 check-state
${fwcmd} add 00401 deny tcp from any to any in established
${fwcmd} add 00402 allow tcp from any to any out setup keep-state

# DNS replies from the two resolvers (addresses masked by the poster), and any outbound UDP
${fwcmd} add 00500 allow udp from XXX.XXX.XXX.XXX 53 to any in recv ${oif}
${fwcmd} add 00501 allow udp from XXX.XXX.XXX.XXX 53 to any in recv ${oif}
${fwcmd} add 00502 allow udp from any to any out

# ICMP: destination unreachable, source quench, outbound echo request,
# inbound echo reply, inbound time exceeded
${fwcmd} add 00600 allow icmp from any to any icmptypes 3
${fwcmd} add 00601 allow icmp from any to any icmptypes 4
${fwcmd} add 00602 allow icmp from any to any icmptypes 8 out
${fwcmd} add 00603 allow icmp from any to any icmptypes 0 in
${fwcmd} add 00604 allow icmp from any to any icmptypes 11 in

# ssh connection setup in either direction, tracked statefully
${fwcmd} add 00700 allow tcp from any to any 22 setup keep-state
Old 10-30-2003, 08:29 PM   #2
Maybe the incoming packages of your established connections do not match rule 400, and get denied by rule 401?
Do your byte counters confirm this?

I find the same on all of my servers (up to FreeBSD 4.6). I think ipfw+nat are theoretically inappropriate to do advanced stateful filtering: since natd is (and should be) called as one of the first rules in your ruleset, outgoing packages create the dynamic allow rules for your public IP (the setup keep-state rule follows the natd redirection), while the incoming packages are compared to your private (nat-ed) IP (since the check-state rule follows the natd rule).
That is why the incoming packages never match the check-state rule.
The ssh connections work as ssh is on the gateway, and uses your public IP (thus natd does not mess with the IP).

I found no workaround, so I do not use advanced stateful rules, only stateful or static ones. Some say ipfilter+ipnat can do advanced stateful rules, but they are much more complicated to set up, so I haven't even tried them. Maybe things will improve in newer versions of FreeBSD.

Last edited by J_Szucs; 10-30-2003 at 08:30 PM.
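As an added illustration (not part of either post), the Python model below walks the two connections discussed in this thread through the rule order of the original ruleset on the outside-interface pass only: divert natd, then check-state, then deny inbound established, then allow outbound setup keep-state. Addresses, ports and the natd behaviour are constructed for the example. It shows the point made in the reply: the dynamic rule created on the way out is keyed on the public address, but the returning packet has already been rewritten to the private address by the time check-state sees it, so it falls through to rule 401 (whose byte counters, as the reply suggests checking, would show the hits), whereas the gateway's own ssh session is never translated and matches normally.

```python
"""Model of the ipfw + natd ordering problem described in the thread.

Constructed example: one rule list, applied to packets crossing the outside
interface, in the order divert natd -> check-state -> deny in established ->
allow out setup keep-state.  Addresses are from the RFC 5737 documentation
ranges and RFC 1918; they are not taken from the original post.
"""
from dataclasses import dataclass, replace

PRIVATE_IP = "192.168.1.10"   # constructed: the Windows box behind the gateway
PUBLIC_IP = "203.0.113.5"     # constructed: the gateway's outside address
REMOTE_IP = "198.51.100.80"   # constructed: a server on the internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "out" or "in", relative to the outside interface
    syn_only: bool = False  # True for the first packet of a connection ("setup")


class Natd:
    """Minimal natd model: private source becomes the public address on the way
    out, and the recorded mapping rewrites the destination of replies coming in."""

    def __init__(self):
        self.table = {}  # (public address, port) -> private address

    def translate(self, p):
        if p.direction == "out" and p.src == PRIVATE_IP:
            self.table[(PUBLIC_IP, p.sport)] = p.src
            return replace(p, src=PUBLIC_IP)
        if p.direction == "in" and (p.dst, p.dport) in self.table:
            return replace(p, dst=self.table[(p.dst, p.dport)])
        return p


def flow_key(p):
    """A dynamic rule matches both directions of the same address/port pair."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


def run_ruleset(packets):
    """Push packets through the rule order; return (verdict, rule, post-NAT flow)."""
    natd = Natd()
    dynamic = set()  # dynamic rules created by keep-state
    results = []
    for p in packets:
        p = natd.translate(p)  # rule 00050: divert natd ... via ${oif}
        seen = f"{p.src}:{p.sport} -> {p.dst}:{p.dport}"
        if flow_key(p) in dynamic:  # rule 00400: check-state
            results.append(("allow", "00400 check-state", seen))
        elif p.direction == "in" and not p.syn_only:  # rule 00401
            results.append(("deny", "00401 deny tcp in established", seen))
        elif p.direction == "out" and p.syn_only:  # rule 00402
            dynamic.add(flow_key(p))
            results.append(("allow", "00402 allow out setup keep-state", seen))
        else:
            results.append(("deny", "default", seen))
    return results


def windows_box_to_web():
    """Windows box opens TCP/80; the SYN leaves, the SYN/ACK reply is denied."""
    syn = Packet(PRIVATE_IP, 40000, REMOTE_IP, 80, "out", syn_only=True)
    syn_ack = Packet(REMOTE_IP, 80, PUBLIC_IP, 40000, "in")  # as seen on the wire
    return run_ruleset([syn, syn_ack])


def gateway_to_remote_ssh():
    """The gateway itself opens TCP/22; nothing is translated, so state matches."""
    syn = Packet(PUBLIC_IP, 40001, REMOTE_IP, 22, "out", syn_only=True)
    syn_ack = Packet(REMOTE_IP, 22, PUBLIC_IP, 40001, "in")
    return run_ruleset([syn, syn_ack])


if __name__ == "__main__":
    for name, trace in (("windows box", windows_box_to_web()),
                        ("gateway ssh", gateway_to_remote_ssh())):
        for verdict, rule, flow in trace:
            print(f"{name:12} {verdict:5} {rule:32} {flow}")
```

Running it prints the dynamic rule being created for 203.0.113.5:40000 while the reply arrives at check-state already rewritten to 192.168.1.10:40000, which is exactly the mismatch the reply describes; the gateway's own connection is allowed by check-state in both directions.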