1. K

    Solved ipfw + NAT mystery

    So I just learned that there are two methods of doing NAT in FreeBSD: the apparently old natd + divert way, which is documented in the handbook, and the new in-kernel ipfw+nat way, which is randomly documented by Google. Is anyone ever going to update the handbook to cover ipfw+NAT? The man page...
  2. L

    FreeBSD Policy Based Routing with ipfw nat + fwd using 2 or more Poor Man's ssh VPNs

    Hello, thanks to the posts that I found on this forum, I could implement a gateway in FreeBSD that allows me to do flexible policy routing through different interfaces. I'm going to share. System: FreeBSD freebsd 12.0-STABLE FreeBSD 12.0-STABLE r346132 NEWKERNEL amd64 NEWKERNEL compiled...
  3. fishfox

    Firewalling jail > host and jail <-> jail traffic

    I'm using ezjail and IPFW, at least thus far. So far I have subnet. My gateway is .1, my host server is .2, and my first jail is at .3. I noticed that from within my jail at .3 I can knock on the outside if .2. I added this rule to my host but it makes no difference: add 10032...
  4. Nyakov

    Solved jail + vnet + SLAAC + ipfw

    I decided to share my setup for SLAAC on jail vnet. 1. Create bridge and epair interface in /etc/rc.conf #Configure bridge interface for jails vnet #epair0 - jail interface cloned_interfaces="bridge0 epair0" #create bridge and epair ifconfig_bridge0="ether xx:xx:xx:xx:xx:xx addm re0 SYNCDHCP"...
  5. U

    no NAT/routing through iocage OpenVPN gateway jail/host

    Hi folks, I'm somewhat of a *BSD novice, having rather used various builds for appliance devices, such as pfSense, opnSense, FreeNAS, etc. I've recently set up a new FreeNAS box from scratch, and built/building a jail for the express purpose of maintaining OpenVPN client connections, and then...
  6. saeedpersa


    Dear Friends, I installed ShadowSocks VPN with port 59080 and configured IPFW to bypass this port. Here is my IPFW configuration: IPF="ipfw -q add" ipfw -q -f flush TRUST="x.109.x.143" #loopback $IPF 10 allow all from any to any via lo0 $IPF 20 deny all from any to $IPF 30 deny all...
  7. F

    Intermediate IP address

    Hi devs! I had an idea about how I can reduce my costs, but now I need someone to help me translate my idea into PF/IPFW rules. I would like to buy a cheap dedicated server unprotected against DDoS and a VPS protected against DDoS. I would like to host on the dedicated server a few games (udp...
  8. J

    IPFW Transparent proxy squid

    Could someone tell me how I can make a transparent proxy with IPFW and Squid? It's a bit urgent. Thanks.
  9. D

    Build an Onion (Tor) router with a highly restrictive firewall, and Tor's DNS.

    Assumptions: an onion router for web browsing with Tor DNS, and ports 80 and 443 unlocked. What we need: some time; some PC, server or thin client (for me it is a Fujitsu Futro S450 with 2GB of RAM and a USB LAN adapter; in the future it is possible to install a network card into its PCI-e or PCI bus). 1. Install...
  10. m0nkey_

    IPFW Using IPFW to NAT a jail inside a VM == Slow network connectivity inside jail

    I've been pulling my hair out over this for days! I have a VM, jails on a loopback interface and using IPFW to NAT the traffic. My findings show that it slows to a crawl. I've also tested with PF and it works like a charm. Network speeds within the jail are fine. I've tested this on Vultr...
  11. J

    Solved In-kernel NAT dropping large UDP return packets

    When a T-Mobile "femto-cell" is trying to establish its IPv4, IPSEC tunnel to the T-Mobile provisioning servers, the 4640-byte return packet is silently dropped by the in-kernel NAT, even though it "matches" the outbound packet from less than 100 ms prior. All other operations of the firewall...
  12. Angelo Klin

    IPFW Private VPN + Firewall on a VPS

    Hello All, With all the fuss and issues with security and privacy these days I decided to give it a go with a VPN, mostly for the fun and challenge. I am partially done with a scenario that sounds very typical these days, although it is not necessarily plain vanilla. The overall idea is...
  13. Y

    ipfw kernel panic solution

    I don't know if it's Ryzen which is causing this and if it's the Ryzen-bug or if it is something else. Commands like this are causing kernel-panics: ipfw table test create type number algo number:array ipfw table test add 1001 ipfw table test add 1002 ipfw table test add 1003 ipfw table test...
  14. J

    Robust sh script to obtain all IPv6 address on an interface?

    While ipfw supplies me6, I need the list of IPv6 addresses for a specific interface to be used in an ipfw ruleset. "Screen scraping" ifconfig is one option, but having a firewall at the whim of the human-readable output of even ifconfig is concerning. Is there a better way with the "stock"...
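    One way to do the scraping with only stock tools, as an added example that is not part of this thread: the script below depends only on the layout of the "inet6 ADDR prefixlen N [flags]" lines, skips addresses that duplicate address detection has not finished with, and loads the result into an ipfw table so the ruleset itself never has to change when addresses do. The interface name re0, the table name my6 and the ifconfig output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: collect the usable IPv6 addresses
# of one interface from ifconfig(8) output and turn them into ipfw(8) table
# commands. The interface name (re0) and table name (my6) are assumptions.

# Constructed sample of "ifconfig re0 inet6" output in the FreeBSD 12 layout;
# the addresses are documentation-range addresses made up for the example.
SAMPLE_IFCONFIG='re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet6 fe80::1:2ff:fe03:405%re0 prefixlen 64 scopeid 0x1
	inet6 2001:db8:1:2:1:2ff:fe03:405 prefixlen 64 autoconf
	inet6 2001:db8:1:2:abcd:ef01:2345:6789 prefixlen 64 autoconf temporary
	inet6 2001:db8:1:2:dead:beef:0:1 prefixlen 64 tentative
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
'

# v6_addrs: read ifconfig output on stdin and print one address per line.
# Only the "inet6 ADDR prefixlen N [flags...]" lines are relied on, so the
# parser survives changes to the other lines. The %scope suffix is stripped
# (ipfw tables do not take it), and addresses still flagged tentative or
# duplicated by DAD are skipped because the host does not answer on them yet.
v6_addrs() {
    awk '$1 == "inet6" {
        skip = 0
        for (i = 3; i <= NF; i++)
            if ($i == "tentative" || $i == "duplicated") skip = 1
        if (skip) next
        sub(/%.*/, "", $2)
        print $2
    }'
}

# v6_table_cmds TABLE: read ifconfig output on stdin and print the ipfw
# commands that (re)load the addresses into the named table. The commands
# are printed rather than executed so this runs on any host; pipe them into
# sh on the firewall. The ruleset then refers to the table instead of literal
# addresses, e.g.:  ipfw add allow ip6 from any to 'table(my6)' 22 in
v6_table_cmds() {
    table=$1
    # "create" fails harmlessly if the table already exists; hide that noise.
    printf 'ipfw table %s create type addr 2>/dev/null\n' "$table"
    printf 'ipfw table %s flush\n' "$table"
    v6_addrs | while read -r addr; do
        printf 'ipfw table %s add %s\n' "$table" "$addr"
    done
}

# Usage on the firewall:   ifconfig re0 inet6 | v6_table_cmds my6 | sh
# Demonstration on the constructed sample:
printf '%s' "$SAMPLE_IFCONFIG" | v6_table_cmds my6
```

    Because the table is reloaded with flush + add, a changed or withdrawn address disappears from the table on the next run without touching the rules; run it from a cron job or a dhclient/rtsold hook on the box.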
  15. J

    IPFW Cannot Get IPFW NAT to work

    I have spent days trying to get what I thought should be a simple set of ipfw nat rules set up. With less than zero success. I have read the documentation and scoured the web, and I assume I am just missing something. Scenario: I have one NIC card with four public IPs. I am running a bunch...
  16. S

    How to force the ftp client to open a specific port for data when dealing with active-mode ftp servers?

    To strengthen the security of the firewall (we all know that ftp is a challenge for firewall security) I want to force the ftp client to establish only a specific port for data. My box is an ftp client in terms of ftp communication. I don't need an ftp server on my box (we live in the era of cloud services!), but...
  17. S

    IPFW OpenVPN and IPFW rules

    Hello, I cannot set up the firewall for OpenVPN. I don't know where the problem is. The only way to make the VPN work is to stop IPFW via service ipfw stop. Can someone help me to set the correct IPFW rules please? Here is the OpenVPN config: port 9066 proto udp4 dev tun server
  18. Duffyx

    IPv6 address on WAN interface

    I've been digging into IPv6 lately and have been successful in setting up a working dual-stack network. Although I'm not pleased with my current setup; that is when it comes down to where the IPv6 address of my gateway box is assigned. I use the isc-dhclient to get a prefix delegation, and rtsold...
  19. kazix

    IPFW, Jail and network alias

    Hello, I'm trying to configure IPFW on a machine with a jail (FreeBSD 11.1). The host has one big lagg0, and when the jail starts it creates an alias on this lagg0. lagg0: flags=8843... metric 0 mtu 1500 options=401ba.... ether .... inet netmask 0xffffff00 broadcast
  20. A

    IPFW Why can I add port numbers to established and what does that do?

    Almost every single ipfw ruleset I create has this as the very first rule: allow tcp from any to any established ... and I just noticed that ipfw allows me to specify a port on this rule: allow tcp from any to any 22 established If I create a new connection to port 22, I need a rule to allow...