NAT/ipfw blocking internal traffic
Casey Scott
casey at scottmail.org
Thu Oct 31 20:10:52 UTC 2013
Hello,
My NAT and ipfw ruleset follow almost exactly what is given at
http://www.freebsd.org/doc/handbook/firewalls-ipfw.html
The problem I'm encountering is that a portion of my outbound internal
traffic is being blocked by ipfw. This is a fresh FreeBSD installation, so
I'm kind of at a loss since the config matches the handbook. Any suggestions
are appreciated.
uname -a
***********************************************
FreeBSD hostname 9.2-RELEASE FreeBSD 9.2-RELEASE #6 r256447: Fri Oct 18 20:06:53 PDT 2013 root at hostname:/usr/src/sys/amd64/compile/hostname amd64
***********************************************
/var/log/security:
***********************************************
Oct 29 10:14:46 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:54 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61915 174.129.210.177:80 out via fxp0
Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61876 65.126.84.88:80 out via fxp0
Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61877 65.126.84.88:80 out via fxp0
Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921 208.85.40.45:80 out via fxp0
Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921 208.85.40.45:80 out via fxp0
***********************************************
firewall script:
***********************************************
#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif=fxp0
ks="keep-state"
good_tcpo="22,25,37,43,53,80,443"
ipfw -q -f flush
$cmd 002 allow all from any to any via em0 # exclude LAN traffic
$cmd 003 allow all from any to any via lo0 # exclude loopback traffic
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state
# Authorized outbound packets
$cmd 136 $skip udp from any to any 53 out via $pif $ks
$cmd 150 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 151 $skip icmp from any to any out via $pif $ks
$cmd 152 $skip udp from any to any 123 out via $pif $ks
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
# Authorized inbound packets
$cmd 400 allow tcp from any to me 76 in via $pif setup limit src-addr 2
$cmd 402 allow ip from any to me 53 in via $pif setup limit src-addr 2
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 2
$cmd 421 allow tcp from any to me 80 in via $pif setup limit src-addr 2
$cmd 450 deny log ip from any to any
# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
***********************************************
natd run options:
***********************************************
/sbin/natd -dynamic -m -n fxp0
***********************************************
-Casey
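As an added example (not part of Casey's post or the FreeBSD handbook), a small sh/awk helper that summarises the "Deny" entries from /var/log/security by rule number, direction and interface, and counts how many of the denied flows carry an RFC 1918 address on either side. The sample log is constructed from the excerpt above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise ipfw "Deny" log lines
# so each denied flow can be matched against the rule number and direction in
# the ruleset. Sample lines are constructed from the post's log excerpt.
SAMPLE_LOG='Oct 29 10:14:46 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
Oct 29 10:14:54 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61915 174.129.210.177:80 out via fxp0
Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61876 65.126.84.88:80 out via fxp0'

# Read ipfw log lines from stdin and print one line per distinct
# "rule direction interface" combination, followed by its hit count.
summarize_denies() {
    awk '
        /ipfw: [0-9]+ Deny / {
            # Find the "ipfw:" token; the fields after it are in a fixed order:
            # rule, "Deny", proto, src, dst, direction, "via", interface
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i + 1); dir = $(i + 6); ifc = $(i + 8)
            count[rule " " dir " " ifc]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Count denied flows whose source or destination is an RFC 1918 address.
# On a NAT gateway such a deny fired on the untranslated (LAN) side of the
# flow, which tells you where in the ruleset, relative to the divert rules,
# the packet was evaluated. grep -c prints 0 on no match; "|| true" keeps
# the exit status clean for callers running under set -e.
count_private_denies() {
    grep -c -E 'Deny [A-Z]+ (192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.)|Deny [A-Z]+ [0-9.:]+ (192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.)' || true
}

# Usage: feed the real log or the constructed sample through the helpers.
printf '%s\n' "$SAMPLE_LOG" | summarize_denies
printf '%s\n' "$SAMPLE_LOG" | count_private_denies
```

Run it against the real file with `summarize_denies < /var/log/security` to see whether the denies cluster on one rule and direction.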