IPFW How to control natd ports in IPFW.

bryn1u

Well-Known Member

Thanks: 9
Messages: 338

#1
Hello guys,

I started using natd because of OpenVPN. I have a simple rule set below:
Code:
#!/bin/sh
# ipfw config/rules
# from FBSD Handbook, rc.firewall, et. al.

# Flush all rules before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add "
vif="em0"

ipfw -q nat 1 config if em0
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via em0
ipfw -q add nat 1 all from any to any in via em0

# allow all for localhost
$cmd 00010 allow ip from any to any via lo0

$cmd 0080 reass all from any to any in
$cmd 00101 check-state

### SSH:
$cmd allow tcp from any to any dst-port 22 in via $vif setup keep-state
$cmd allow tcp from any to any dst-port 22 out via $vif setup keep-state

### DNS:
$cmd 00108 allow tcp from any to any dst-port 53 via $vif setup keep-state
$cmd 00111 allow udp from any to any dst-port 53 via $vif keep-state

# allow HTTP HTTPS replies
$cmd 00400 allow tcp from any to any dst-port 80 in via $vif setup limit src-addr 2
$cmd 00410 allow tcp from any to any dst-port 443 in via $vif setup limit src-addr 2
$cmd 00200 allow tcp from any to any dst-port 80 out via $vif setup keep-state
$cmd 00220 allow tcp from any to any dst-port 443 out via $vif setup keep-state


# inbound catchall
$cmd 56599 deny log ip from any to any in via $vif
The problem is that I don't need to open port 1194 for OpenVPN, and the client is able to connect to the server without any problem. How should it look so that I can control traffic through ports in/from the NAT?
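An added example, not bryn1u's script nor anything from the FreeBSD project, showing one way to arrange the same ruleset so that inbound packets are still filtered after translation. The reason nothing has to be opened for UDP 1194 above is the sysctl `net.inet.ip.fw.one_pass`: at its default of 1 a packet that matches a `nat` rule is accepted as soon as it has been translated, so the inbound `nat 1 ... in via em0` rule admits every inbound packet on em0 before `check-state` or the catch-all deny ever see it. The `IPFW` variable, the `tun0` interface name and the `apply`/`dry-run` arguments are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not bryn1u's script: ipfw in-kernel NAT for an OpenVPN
# server (clients on 10.8.0.0/24 via tun0) with inbound filtering AFTER
# translation.  IPFW="echo ipfw" dry-runs the ruleset; that variable and
# the tun0 name are assumptions of this example.
IPFW="${IPFW:-ipfw}"
vif="em0"                 # public interface
vpn_net="10.8.0.0/24"     # OpenVPN client pool

build_rules() {
    cmd="$IPFW -q add"
    $IPFW -q -f flush
    $IPFW -q nat 1 config if $vif same_ports reset
    $cmd 00010 allow ip from any to any via lo0
    $cmd 00020 allow ip from any to any via tun0   # clients <-> server
    $cmd 00080 reass ip from any to any in
    # Inbound: translate first so later rules see the real destination.
    # Only safe with one_pass=0; with the default 1 this rule would accept
    # every inbound packet on $vif before check-state or the catch-all deny.
    $cmd 00100 nat 1 ip from any to any in via $vif
    $cmd 00101 check-state
    # Outbound: stateful rules skipto the NAT rule instead of 'allow', so the
    # dynamic entry is keyed on the inside address and the packet still gets
    # translated; replies are un-NATed at 00100 and matched by check-state.
    $cmd 00200 skipto 1000 udp from any to any dst-port 53 out via $vif keep-state
    $cmd 00210 skipto 1000 tcp from any to any dst-port 80,443 out via $vif setup keep-state
    $cmd 00299 deny log ip from any to any out via $vif
    # Inbound services, each one explicit; UDP 1194 is the OpenVPN listener.
    $cmd 00300 allow udp from any to me dst-port 1194 in via $vif keep-state
    $cmd 00310 allow tcp from any to me dst-port 22 in via $vif setup keep-state
    $cmd 00499 deny log ip from any to any in via $vif
    # Outbound NAT for VPN clients, then accept what reached this point.
    $cmd 01000 nat 1 ip from $vpn_net to any out via $vif
    $cmd 01001 allow ip from any to any
}

apply_rules() {
    sysctl net.inet.ip.fw.one_pass=0 >/dev/null   # reinject after nat
    build_rules
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) IPFW="echo ipfw" build_rules ;;
esac
```

Run `sh rules.sh dry-run` to print the commands that would be issued, and `sh rules.sh apply` to set `one_pass=0` and load the rules.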
 

Brief

New Member


Messages: 2

#2
bryn1u said: [post #1 quoted in full]
Hi, I have a question I would like to ask you.
When you use ssh to connect to the IP address of the server's em0, does your server get stuck?
My server always gets stuck when I enter a command such as "top" or "htop". If natd is not enabled, it is very smooth.
How about you?
This is my post, thank you.
https://forums.freebsd.org/threads/my-openvpn-tun-mode-server-is-always-stuck.66909/
 