IPFW - How to allow NAT client to CVSup
James A. Coulter
jacoulter at jacoulter.net
Mon Jan 17 07:46:29 PST 2005
Srot BULL wrote:
> Hi to everyone,
>
> I have 2 FreeBSD machines both running FreeBSD Stable 5.3 and both have
> ipfw as firewalls...
> One is running ipfw with NAT functions. Below are the rulesets
> for the machine:
< -- snip rulesets -->
> As you can see I am using the rulesets that are found in the Handbook.
> I have tried
> $CMD 00070 $SKIP tcp from me to any out via $INIC setup $KS uid root
> but still no go
> $CMD 00070 $SKIP tcp from me to any 5999 out via $INIC setup $KS
> but still no go
>
> Can anybody share their ipfw rulesets with me? To allow my other PC to
> cvsup...
> Thanks in advance...
>
> Srot BULL
I also had problems using a similar "stateful" ruleset with IPFW & NAT.
As I understand it, a stateful ruleset will not allow passive ftp
connections from machines behind the firewall (although I was able
to establish passive ftp from my gateway/router/firewall machine itself).
This problem is documented in the mailing lists if you want to research
it.
I ended up changing to a much simpler, non-stateful ruleset on my
gateway/router/firewall machine:
#!/bin/sh
# Non-stateful IPFW + natd ruleset for the gateway/router/firewall machine
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
pif="dc1"  # public interface name of the NIC facing the public internet
# dc0 is the LAN-side interface: pass everything to and from the inside
$cmd 005 allow all from any to any via dc0
# Hand every packet on the public interface to natd before any other decision
$cmd 050 divert natd ip from any to any via $pif
$cmd 100 allow ip from any to any via lo0
# Block loopback address spoofing on the real interfaces
$cmd 200 deny ip from any to 127.0.0.0/8
$cmd 300 deny ip from 127.0.0.0/8 to any
# Everything else passes with no state tracking, so passive ftp and cvsup work
$cmd 65000 allow ip from any to any
# 65535 is the kernel's fixed default rule and cannot be added, and "all" is
# just a synonym for "ip"; this rule is never reached because of rule 65000.
$cmd 65534 deny log ip from any to any
This ruleset allows me to establish passive ftp from any machine behind
the firewall, including accomplishing CVSup.
So far I haven't had any problems with security.
HTH
Jim Coulter
--
James A. Coulter
jacoulter at jacoulter.net
http://jacoulter.net
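Building on the ruleset in the reply above, here is an added example (not from the original post) of a non-stateful ruleset that keeps cvsup (tcp/5999) and passive ftp working for NAT clients without the blanket "allow ip from any to any" at rule 65000: it uses the classic "established" keyword so only replies to client-initiated TCP connections come back in, and unsolicited inbound SYNs on the public interface are logged and dropped. It assumes the same interface names as the post (dc0 LAN, dc1 public) and only prints the rules unless IPFW_CMD is set to "ipfw -q".

```shell
#!/bin/sh
# Added example: non-stateful IPFW/natd ruleset with "established" instead of
# a blanket allow. IPFW_CMD defaults to "echo" (dry run); run as root with
# IPFW_CMD="ipfw -q" to load it (flush the old rules first: ipfw -q -f flush).
# Interface names dc0 (LAN) and dc1 (public) are taken from the post above.

gen_rules() {
    pif="$1"   # public interface (NAT side)
    lan="$2"   # LAN interface (clients behind the firewall)
    cmd="${IPFW_CMD:-echo} add"

    # LAN side and loopback: unrestricted
    $cmd 005 allow ip from any to any via "$lan"
    # natd must see packets before any accept/deny decision on $pif
    $cmd 050 divert natd ip from any to any via "$pif"
    $cmd 100 allow ip from any to any via lo0
    # Loopback spoofing protection
    $cmd 200 deny ip from any to 127.0.0.0/8
    $cmd 300 deny ip from 127.0.0.0/8 to any
    # Client-initiated TCP (cvsup 5999, passive ftp data, ...) leaves freely...
    $cmd 400 allow tcp from any to any out via "$pif" setup
    # ...and the replies match "established" (ACK or RST set), so no dynamic
    # state is needed; this is why passive ftp and cvsup work through natd
    # where the stateful Handbook ruleset failed.
    $cmd 500 allow tcp from any to any via "$pif" established
    # DNS for the clients (classic non-stateful compromise) and useful ICMP
    $cmd 600 allow udp from any to any 53 out via "$pif"
    $cmd 610 allow udp from any 53 to any in via "$pif"
    $cmd 700 allow icmp from any to any icmptypes 0,3,8,11
    # Unsolicited inbound connection attempts are logged and dropped instead
    # of being accepted by "allow ip from any to any".
    $cmd 800 deny log tcp from any to any in via "$pif" setup
    $cmd 65000 deny log ip from any to any
}

# Dry run when executed directly: prints the rules that would be loaded
gen_rules dc1 dc0
```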