I need help with IPFW. I have a FreeBSD 7.4 server at home with BIND, Samba and e-mail services, and 3 other workstations. The problem appeared when I moved from PPP to PPPoE and started using mpd5. I can't reach any web sites, but only from the server; I can't even ping the outside world. The local network remained without problems. My ipfw rules are as follows (only the relevant lines given):
The kernel is compiled with all the necessary options. When pinging any outside domain name from the server, it just gets stuck, but pinging it by its IP address gets a response. When I comment out the last line, all the server services are wide open to the rest of the world, as checked with nmap from an external server, and of course the problem disappears. Any help and suggestions with the firewall are welcome and will be appreciated. Thank you in advance.
Cutter
Code:
#!/bin/sh
ipfw="/sbin/ipfw"
ournet="192.168.1.0/24" # Our internal network
# em0 - local network NIC 192.168.1.1
# em1 - NIC 10.0.0.1 connecting to external ADSL modem 10.0.0.138
# ng0 - interface created by mpd5
#
$ipfw -f flush
#
$ipfw add deny tcp from $ournet to any 25 via any # Prevent sending spam from the periphery
$ipfw add allow all from me to any # Permit everything outgoing from the server
$ipfw add divert natd all from any to any via ng0 # Divert internet connection to virtual servers
$ipfw add allow all from any to me via lo0 # Allow connections from localhost
$ipfw add allow all from any to me via em1 # Allow connections from the modem NIC
$ipfw add allow all from any to me via em0 # Allow connections to the server from the local network
# Allow already established connections
$ipfw add allow all from any to any established # Keep the existing connections
$ipfw add allow icmp from any to any icmptypes 0,3,4,8,11 # Allow pinging my server
$ipfw add allow all from $ournet to any via any # Permit everything outgoing from the periphery
$ipfw add allow ip from any to any 53 # Open port for domain information and resolution
$ipfw add drop all from any to me
The relevant portion of rc.conf:
firewall_enable="YES"
firewall_type="SIMPLE"
firewall_script="/root/fw-rules"
firewall_quiet="NO"
firewall_flags=""
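The following is an added example, not code from the post: a small Python model of ipfw's first-match evaluation over the eleven rules above, used to trace which rule an inbound reply on ng0 hits. The ng0 address 203.0.113.5 and the upstream resolver 198.51.100.53 are constructed values; ICMP types and the NAT translation done by natd are not modelled.

```python
import ipaddress

OURNET = ipaddress.ip_network("192.168.1.0/24")
# Addresses ipfw would treat as "me": em0, em1 and a constructed ng0 address (203.0.113.5).
ME = {"192.168.1.1", "10.0.0.1", "203.0.113.5"}

# (action, proto, src, dst, dport, via, established) in the order they appear in the post;
# icmptypes are not modelled, so rule 8 matches any ICMP here.
RULES = [
    ("deny",   "tcp",  "ournet", "any", 25,   None,  False),
    ("allow",  "any",  "me",     "any", None, None,  False),
    ("divert", "any",  "any",    "any", None, "ng0", False),
    ("allow",  "any",  "any",    "me",  None, "lo0", False),
    ("allow",  "any",  "any",    "me",  None, "em1", False),
    ("allow",  "any",  "any",    "me",  None, "em0", False),
    ("allow",  "any",  "any",    "any", None, None,  True),
    ("allow",  "icmp", "any",    "any", None, None,  False),
    ("allow",  "any",  "ournet", "any", None, None,  False),
    ("allow",  "ip",   "any",    "any", 53,   None,  False),
    ("deny",   "any",  "any",    "me",  None, None,  False),
]

def _addr_ok(spec, ip):
    if spec == "any":
        return True
    if spec == "me":
        return ip in ME
    return ipaddress.ip_address(ip) in OURNET        # spec == "ournet"

def first_match(pkt):
    """Walk the rules top-down like the kernel; return (rule index, action) of the first hit."""
    for num, (action, proto, src, dst, dport, via, est) in enumerate(RULES, 1):
        if proto not in ("any", "ip") and proto != pkt["proto"]:
            continue
        if not (_addr_ok(src, pkt["src"]) and _addr_ok(dst, pkt["dst"])):
            continue
        if dport is not None and pkt["dport"] != dport:
            continue
        if via is not None and pkt["iface"] != via:
            continue
        if est and not (pkt["proto"] == "tcp" and pkt["ack"]):
            continue                       # "established" only matches TCP with ACK/RST set
        if action == "divert":
            continue                       # natd re-injects at the next rule; NAT itself not modelled
        return num, action
    return None, "default deny"            # kernel default unless IPFIREWALL_DEFAULT_TO_ACCEPT

# Constructed inbound packets arriving on ng0 (198.51.100.53 = constructed upstream resolver).
DNS_REPLY  = dict(proto="udp",  src="198.51.100.53", dst="203.0.113.5", dport=40000, iface="ng0", ack=False)
PING_REPLY = dict(proto="icmp", src="198.51.100.53", dst="203.0.113.5", dport=None,  iface="ng0", ack=False)
WEB_REPLY  = dict(proto="tcp",  src="198.51.100.53", dst="203.0.113.5", dport=40000, iface="ng0", ack=True)

if __name__ == "__main__":
    for name, pkt in [("DNS reply", DNS_REPLY), ("ping reply", PING_REPLY), ("web reply", WEB_REPLY)]:
        print(f"{name:10s} -> rule {first_match(pkt)}")
```

The trace shows the echo reply passing on rule 8 and a TCP reply on rule 7, while the UDP answer to the server's own DNS query matches neither (rule 10 checks the destination port only, and the reply's destination port is the ephemeral one) and falls through to the final deny.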