ipfw port forwarding problems

Glen Prestidge tool_box at westnet.com.au
Sun Jun 10 03:50:09 UTC 2007


Hi all

I am trying to set up the SC VNC which I want to use for when I need to support my customers.

I am having problems placing these firewall rules so that it will allow the traffic.

Here are my rules

############################
#
# Define your variables
#
fwcmd="/sbin/ipfw" #leave as is if using ipfw
oif="vr0" #set to outside interface name
onwr="10.1.1.0/8" #set to outside network range
oip="10.1.1.4" #set to outside ip address

iif="re0" #set to internal interface name
inwr="192.168.1.0/24" #set to internal network range
iip="192.168.1.1" #set to internal ip address


ntp="202.72.191.202"
ns1="203.10.1.17" #set to primary name server best if = oif

#
# End of required user input if you only intend to allow ssh connections to
# this box from the outside. If other services are required, edit line 96
# as necessary.
#
# Rules with descriptions
#
#
# Force a flush of the current firewall rules before we reload
$fwcmd -f flush
#
# Allow your loop back to work
$fwcmd add allow all from any to any via lo0
#
# Prevent spoofing of your loopback
$fwcmd add deny log all from any to 127.0.0.0/8
#
# Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif
#
# Stop spoofing from inside your private ip range
$fwcmd add deny log ip from not $inwr to any in via $iif
#
# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
# $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
# $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif

#
# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny all from any to 240.0.0.0/4 in via $oif
$fwcmd add deny all from 210.22.175.130 to any in via $oif

# Divert all packets through natd
$fwcmd add divert natd all from any to any via $oif
# Checks packets against dynamic rule set below.
$fwcmd add check-state
#
#
# Allow all established connections to persist (setup required
# for new connections).
$fwcmd add allow tcp from any to any established


#ALL VNC
$fwcmd add fwd 192.168.1.30,5900 tcp from any to any dst-port 5900 

# Allow packets in via the VPN interface
$fwcmd add allow ip from any to any in recv ng0

# Allow the rest of the VPN data through
$fwcmd add allow gre from any to any
#
# Allow incoming requests to reach the following services:
# To allow multiple services you may list them separated
# by a coma, for example ...to $oip 22,25,110,80 setup
$fwcmd add allow log tcp from any to $oip 22 setup
# $fwcmd add allow log tcp from any to $oip 80 setup
$fwcmd add allow tcp from any to $oip 25,53 setup
# Note: a stray "#" in place of "$" before oip here would turn the rest of the
# line into a shell comment and the rule would silently never be loaded.
$fwcmd add allow tcp from any to $oip 21 setup
$fwcmd add allow tcp from any to $oip 110 setup 
$fwcmd add allow log tcp from any to $oip dst-port 5900 setup
# $fwcmd add allow log tcp from any to any dst-port 5900 setup 
# CAUTION: the variable here must be $oip. A mistyped, undefined name (e.g.
# $iop) expands to an empty string and turns this rule into
# "allow tcp from any to any setup", i.e. new TCP connections to every port
# from anywhere (rule 03000 in the ipfw show output below). Even as written
# it opens every TCP port on $oip; narrow it to the ports actually needed.
$fwcmd add allow log tcp from any to $oip setup
$fwcmd add allow log tcp from any to any dst-port 1723 setup
#
# Allow DNS traffic from internet to query your DNS (for reverse
# lookups etc).
$fwcmd add allow udp from any to $ns1 53
#
# Allow time update traffic
$fwcmd add allow udp from $ntp 123 to $oip 123
#
# Allow UDP from local external network so I can tracert from local servers

$fwcmd add allow udp from any 53 to any
$fwcmd add allow udp from any to any 53

# Allow icmp packets for diagnostic purposes (ping traceroute)
# you may wish to leave commented out.
# $fwcmd add allow icmp from any to any
#
# Allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 0
$fwcmd add allow icmp from any to any icmptypes 3
$fwcmd add allow icmp from any to any icmptypes 4
$fwcmd add allow icmp from any to any icmptypes 8
$fwcmd add allow icmp from any to any icmptypes 11
#
# Rules to allow VNC access through the FW (is this needed here? )
$fwcmd add allow tcp from any to any dst-port 5900 in via vr0
$fwcmd add allow tcp from any to any dst-port 5900 out via re0 

# Allow any traffic from firewall ip to any going out the
# external interface
$fwcmd add allow ip from $oip to any keep-state out via $oif
#
# Allow any traffic from local network to any passing through the
# internal interface
$fwcmd add allow ip from $inwr to any keep-state via $iif
#
# Deny everything else
$fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.

The lines in bold are the lines I have entered. 192.168.1.30 is the machine in my internal network running the VNC viewer in listen mode listening on port 5900.

As you can see when an ipfw sh is done:

00100 3 144 allow ip from any to any via lo0
00200 0 0 deny log logamount 100 ip from any to 127.0.0.0/8
00300 0 0 deny log logamount 100 ip from 192.168.1.0/24 to any in via vr0
00400 0 0 deny log logamount 100 ip from not 192.168.1.0/24 to any in via re0
00500 0 0 deny log logamount 100 ip from 192.168.0.0/16 to any in via vr0
00600 0 0 deny log logamount 100 ip from 172.16.0.0/12 to any in via vr0
00700 0 0 deny log logamount 100 ip from any to 192.168.0.0/16 in via vr0
00800 0 0 deny log logamount 100 ip from any to 172.16.0.0/12 in via vr0
00900 0 0 deny ip from 0.0.0.0/8 to any in via vr0
01000 0 0 deny ip from 169.254.0.0/16 to any in via vr0
01100 0 0 deny ip from 192.0.2.0/24 to any in via vr0
01200 0 0 deny ip from 224.0.0.0/4 to any in via vr0
01300 0 0 deny ip from 240.0.0.0/4 to any in via vr0
01400 0 0 deny ip from any to 0.0.0.0/8 in via vr0
01500 0 0 deny ip from any to 169.254.0.0/16 in via vr0
01600 0 0 deny ip from any to 192.0.2.0/24 in via vr0
01700 0 0 deny ip from any to 224.0.0.0/4 in via vr0
01800 0 0 deny ip from any to 240.0.0.0/4 in via vr0
01900 0 0 deny ip from 210.22.175.130 to any in via vr0
02000 288 28799 divert 8668 ip from any to any via vr0
02100 0 0 check-state
02200 185 18064 allow tcp from any to any established
02300 3 144 fwd 192.168.1.30,5900 tcp from any to any dst-port 5900
02400 0 0 allow ip from any to any in recv ng0
02500 288 32928 allow gre from any to any
02600 0 0 allow log logamount 100 tcp from any to 10.1.1.4 dst-port 22 setup
02700 0 0 allow tcp from any to 10.1.1.4 dst-port 25,53 setup
02800 0 0 allow tcp from any to 10.1.1.4 dst-port 110 setup
02900 0 0 allow log logamount 100 tcp from any to 10.1.1.4 dst-port 5900 setup ( packets aren't getting here)
03000 6 384 allow log logamount 100 tcp from any to any setup
03100 0 0 allow log logamount 100 tcp from any to any dst-port 1723 setup
03200 0 0 allow udp from any to 203.10.1.17 dst-port 53
03300 0 0 allow udp from 202.72.191.202 123 to 10.1.1.4 dst-port 123
03400 12 1178 allow udp from any 53 to any
03500 12 780 allow udp from any to any dst-port 53
03600 0 0 allow icmp from any to any icmptypes 0
03700 0 0 allow icmp from any to any icmptypes 3
03800 0 0 allow icmp from any to any icmptypes 4
03900 0 0 allow icmp from any to any icmptypes 8
04000 0 0 allow icmp from any to any icmptypes 11
04100 0 0 allow tcp from any to any dst-port 5900 in via vr0
04200 0 0 allow tcp from any to any dst-port 5900 out via re0
04300 0 0 allow ip from 10.1.1.4 to any out via vr0 keep-state
04400 0 0 allow ip from 192.168.1.0/24 to any via re0 keep-state
65435 3 1457 deny log logamount 100 ip from any to any
65535 1586 192759 allow ip from any to any

Any ideas?

Glen
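One way to get inbound VNC to an internal host through natd on an ipfw gateway, as an added example that is not part of the original post or of the script above; the interface names and addresses are assumed from the post's variables, and the rules are printed rather than loaded so the script can be checked on a machine without ipfw:

```shell
#!/bin/sh
# Added example (not from the original post): forward inbound TCP 5900 to an
# internal host through natd. Two pitfalls visible in the post are avoided:
#   1. ipfw "fwd" only changes the next hop and leaves the destination address
#      untouched, so the internal host gets a packet addressed to the gateway
#      and ignores it. natd's -redirect_port rewrites the address.
#   2. An undefined shell variable (such as $iop) expands to "", turning
#      "allow tcp from any to $iop setup" into "allow tcp from any to any
#      setup". "set -u" makes that a hard error instead.
set -eu

# Assumed values, constructed to match the layout in the post.
oif="vr0"
oip="10.1.1.4"
iif="re0"
inwr="192.168.1.0/24"
vnc_host="192.168.1.30"
vnc_port="5900"

# natd invocation: inbound packets for $oip:5900 are rewritten to
# $vnc_host:5900, and the replies are rewritten back on the way out.
natd_cmdline() {
    printf '%s\n' "/sbin/natd -n $oif -redirect_port tcp $vnc_host:$vnc_port $oip:$vnc_port"
}

# The ruleset, printed rather than applied so it can be reviewed (and tested)
# without ipfw; set fwcmd to /sbin/ipfw to load it for real.
vnc_rules() {
    fwcmd="echo"
    # Divert first: from here on an inbound VNC packet is addressed to
    # $vnc_host, so the allow rules must match the internal address, not $oip.
    $fwcmd add divert natd all from any to any via "$oif"
    $fwcmd add check-state
    $fwcmd add allow tcp from any to any established
    # Only the translated port, only arriving on the outside interface.
    $fwcmd add allow tcp from any to "$vnc_host" dst-port "$vnc_port" in via "$oif" setup
    # The same new connection leaving the gateway towards the LAN.
    $fwcmd add allow tcp from any to "$vnc_host" dst-port "$vnc_port" out via "$iif" setup
    $fwcmd add allow ip from "$inwr" to any keep-state via "$iif"
    $fwcmd add 65435 deny log ip from any to any
}

# Pitfall 2 check: with set -u, expanding a name that was never assigned
# aborts the subshell instead of yielding "". Returns 0 when that holds.
undefined_var_is_fatal() {
    ! ( : "$iop" ) 2>/dev/null
}
```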