ipfw and natd routing problems
Peter Rosa
prosa at pro.sk
Fri Jul 28 17:55:17 UTC 2006
Hi,
> [ipfw]
> # check if incoming packets belong to a natted session, allow through if
> add 01000 divert natd ip from any to any in via sis0
> add 01001 check-state
Default behavior of ipfw is to *BLOCK EVERY PACKET* if you did not say
in your kernel-config "options IPFIREWALL_DEFAULT_TO_ACCEPT".
That's why all your connections time-out...
You need to add a few rules for check-state to work:
add 01002 allow tcp from any to any via sis0 setup keep-state
add 01003 allow udp from any to any via sis0 keep-state
add 01004 allow icmp from any to any via sis0 keep-state
BE AWARE YOUR 'FIREWALL' IS COMPLETELY OPEN FOR ANY CONNECTION FROM
INSIDE AND EVEN OUTSIDE!!!
It is very well explained in man ipfw and even better in handbook:
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html)
Peter Rosa
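A fuller ruleset along the lines of the reply above, added here as an example (it is not from the thread). It assumes sis0 is the external interface as in the thread, sis1 is an assumed internal LAN interface, natd is already running, and the file is loaded through firewall_type="/etc/ipfw.rules" in rc.conf.

```conf
# /etc/ipfw.rules  (constructed example; sis0 = external, sis1 = assumed LAN)
# Load with firewall_enable="YES" and firewall_type="/etc/ipfw.rules" in rc.conf.
flush

# Loopback and LAN-side traffic is not restricted here.
add 00100 allow ip from any to any via lo0
add 00200 allow ip from any to any via sis1

# Translate inbound packets first, so check-state compares inside addresses.
add 01000 divert natd ip from any to any in via sis0
add 01001 check-state

# Open variant from the reply: "via" matches both directions, so a host
# outside can also open a connection and create state.
#   add 01002 allow tcp from any to any via sis0 setup keep-state

# Restricted variant: only connections leaving through sis0 create state.
# skipto hands the packet to the outbound divert so it is translated before
# it is allowed; check-state re-runs the same skipto for later packets.
add 01002 skipto 01800 tcp from any to any out via sis0 setup keep-state
add 01003 skipto 01800 udp from any to any out via sis0 keep-state
add 01004 skipto 01800 icmp from any to any out via sis0 keep-state

# Anything else arriving from outside is dropped. "log" needs
# net.inet.ip.fw.verbose=1 to show up in /var/log/security.
add 01500 deny log ip from any to any in via sis0
# Outbound traffic on sis0 that created no state above is dropped too.
add 01600 deny log ip from any to any out via sis0

# Outbound NAT, then accept; reached only via skipto or check-state.
add 01800 divert natd ip from any to any out via sis0
add 01801 allow ip from any to any
```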