Hi, I replaced pfSense on my box and installed FreeBSD 12.1 acting as a gateway.
I use IPFW as the firewall.
I have two network cards:
igb0 (WAN) with IP 192.168.1.2, connected to my router (192.168.1.1). In my router I DMZ everything coming in to 192.168.1.2 (the WAN address of the firewall box).
igb1 (LAN) with IP 10.18.3.1
Everything is fine, except that I cannot create one rule.
I want anything coming to my external IP on the WAN (igb0) on port 7070 to be forwarded to the internal IP 10.18.3.30:7070, which is a machine on my LAN.
My rc.conf is:
Code:
# WAN side, towards the router; LAN side serves 10.18.3.0/24
ifconfig_igb0="inet 192.168.1.2 netmask 255.255.255.0"
ifconfig_igb1="inet 10.18.3.1 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
sshd_enable="YES"
dumpdev="AUTO"
sendmail_enable="NONE"
# Forward packets between igb0 and igb1
gateway_enable="YES"
# Custom rule script; firewall_type only matters to the default /etc/rc.firewall,
# the custom script ignores it
firewall_script="/etc/ipfw.rules"
firewall_enable="YES"
firewall_type="open"
# Makes rc.d/ipfw load the ipfw_nat module; the NAT instance itself is configured in the script
firewall_nat_enable="YES"
firewall_nat_interface="igb0"
nginx_enable="YES"
php_fpm_enable="YES"
My ipfw.rules is:
Code:
#!/bin/sh
ipfw -q -f flush
fwcmd="ipfw -q add"
# Loopback address
$fwcmd 100 allow ip from any to any via lo0
$fwcmd 200 deny ip from any to 127.0.0.0/8
$fwcmd 300 deny ip from 127.0.0.0/8 to any
$fwcmd 400 deny ip from any to ::1
$fwcmd 500 deny ip from ::1 to any
# Deny table 1 list of ip addresses for fail2ban
$fwcmd 550 deny tcp from 'table(1)' to any
# ipv6 ND DAD
$fwcmd 600 allow ipv6-icmp from :: to ff02::/16
# ipv6 RS, RA, NS, NA, redirect
$fwcmd 700 allow ipv6-icmp from fe80::/10 to fe80::/10
$fwcmd 800 allow ipv6-icmp from fe80::/10 to ff02::/16
# Allow ICMPv6 destination unreachable
$fwcmd 900 allow ipv6-icmp from any to any ip6 icmp6types 1
# Allow NS/NA/toobig (don't filter it out)
$fwcmd 1000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
# Allow packets for which a state has been built
$fwcmd 1100 check-state
# For services permitted below
$fwcmd 1200 allow tcp from me to any established
# Allow any connection out, adding state for each
$fwcmd 1300 allow tcp from me to any setup keep-state
$fwcmd 1400 allow udp from me to any keep-state
$fwcmd 1500 allow icmp from me to any keep-state
$fwcmd 1600 allow ipv6-icmp from me to any keep-state
# Allow DHCP
$fwcmd 1700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
$fwcmd 1800 allow udp from any 67 to me dst-port 68 in
$fwcmd 1900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
$fwcmd 2000 allow udp from fe80::/10 to me dst-port 546 in
# ICMP echo (8), destination unreachable (3), source quench (4), time exceeded (11)
$fwcmd 2100 allow icmp from any to me icmptypes 8
$fwcmd 2200 allow ipv6-icmp from any to me ip6 icmp6types 128,129
$fwcmd 2300 allow icmp from any to me icmptypes 3,4,11
$fwcmd 2400 allow ipv6-icmp from any to me ip6 icmp6types 3
# My services: accept and log ssh on 22
$fwcmd 2500 allow log logamount 100 tcp from any to me dst-port 22 setup
$fwcmd 2600 allow tcp from any to me dst-port 80
$fwcmd 2700 allow tcp from any to me dst-port 443
# Allow traffic via LAN interface
$fwcmd 5000 allow ip from any to any via igb1
# NAT with deny_in must come after the allow rules above; inbound packets reaching this
# line are denied if no matching NAT entry is found.
ipfw -q nat 1 config if igb0 log deny_in reset same_ports
$fwcmd 55000 nat 1 all from any to any via igb0
# Accounting
$fwcmd 65000 count ip from any to any
# Drop Packets to ports where we don't want logging
$fwcmd 65100 deny { tcp or udp } from any to any dst-port 23,135-139,445 in
$fwcmd 65200 deny { tcp or udp } from any to any dst-port 1026,1027 in
$fwcmd 65300 deny { tcp or udp } from any to any dst-port 1433,1434 in
# Broadcasts and multicasts
$fwcmd 65400 deny ip from any to 255.255.255.255
$fwcmd 65510 deny ip from any to 224.0.0.0/24 in
# Noise from routers
$fwcmd 65520 deny udp from any to any dst-port 520 in
# Noise from webbrowsing
$fwcmd 65530 deny tcp from any 80,443 to any dst-port 1024-65535 in
# Log and drop all other ports
$fwcmd 65534 deny log logamount 500 ip from any to any
How can I say that anything coming to 192.168.1.2:7070 should be redirected to 10.18.3.30:7070?
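The port forward the post asks for, as an added example that is not part of the original post or of the poster's ipfw.rules: ipfw's in-kernel NAT does this with a redirect_port entry on the same NAT instance the script already configures. The example assumes the interfaces and addresses from the post (igb0 as WAN, 10.18.3.30 as the LAN target, NAT instance 1, rule numbers 55000/55100) and that 10.18.3.30 uses 10.18.3.1 as its default gateway, so its replies come back through this box; the DRY_RUN variable and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): forward TCP 7070 arriving on the
# WAN interface to 10.18.3.30:7070 with ipfw nat's redirect_port.
# Assumptions: igb0 = WAN (192.168.1.2), target host 10.18.3.30 on the LAN,
# NAT instance 1 as in the post, and 10.18.3.30 routes back via 10.18.3.1.

WAN_IF="igb0"
LAN_HOST="10.18.3.30"
FWD_PORT="7070"

# Set DRY_RUN=1 to print the ipfw commands instead of executing them.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "ipfw $*"
    else
        ipfw "$@"
    fi
}

# NAT instance 1 with the post's options plus the static port redirect.
# Syntax: redirect_port <proto> <targetIP>:<targetPort> <aliasPort>
# The redirect installs a permanent translation entry, so the deny_in option
# (drop inbound packets that match no NAT entry) no longer drops port 7070.
nat_config() {
    run -q nat 1 config if "$WAN_IF" log deny_in reset same_ports \
        redirect_port tcp "${LAN_HOST}:${FWD_PORT}" "$FWD_PORT"
}

# Same rule as in the post: everything crossing the WAN interface goes
# through NAT instance 1.
nat_rule() {
    run -q add 55000 nat 1 all from any to any via "$WAN_IF"
}

# With net.inet.ip.fw.one_pass=1 (the default) a packet is accepted as soon
# as the nat rule has translated it.  With one_pass=0 the translated packet
# continues at the next rule and would reach the final "deny log" rule, so
# allow it explicitly; the rule is harmless when one_pass=1.
forward_allow() {
    run -q add 55100 allow tcp from any to "$LAN_HOST" dst-port "$FWD_PORT" in via "$WAN_IF"
}

# Check: the redirect must appear in the running NAT configuration.
show_nat() {
    run nat 1 show config
}

# Replace the two NAT lines of /etc/ipfw.rules with the commands above, or
# run this script with APPLY=yes to apply them to the running firewall.
if [ "${APPLY:-no}" = "yes" ]; then
    nat_config
    nat_rule
    forward_allow
    show_nat
fi
```

Two things to verify after applying it: `ipfw nat 1 show config` should list the `redirect_port tcp 10.18.3.30:7070 7070` entry, and a connection from outside should show up in `sockstat -4l` on 10.18.3.30 as coming from the original client address, since the redirect only rewrites the destination. If 10.18.3.30 has a different default gateway than 10.18.3.1, its replies bypass this box and the NAT entry never sees them, so the connection hangs after the SYN.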