Hi everyone. First time poster, long time lurker. I am out of ideas on how to get port redirection working with IPFW. Other than port redirection, the system works well and has been my workhorse for several years. My end goal is to expose an NGINX reverse proxy I have running in a jail on 192.168.0.2. When I try to run curl example.com I get:
Code:
% curl example.com
curl: (7) Failed to connect to example.com port 80: Connection refused
I thought this page was a good example of a working system so I tried to tailor my firewall rules like this, but it didn't seem to help me:
Thread ipfw-nat-stateful-redirect-of-a-port.58753
Here is a basic description of my system:
- FreeBSD 12.1, generic kernel
- single WAN port, system acting as a gateway to remaining interfaces
- IPFW firewall using the kernel based NAT
- Firewall by default blocks all incoming and outgoing traffic.
- NGINX listening on port 80. Haven't enabled SSL or anything yet.
Things I've tried:
- My domain name A records are working properly. I can SSH into the machine itself from the outside using the domain name.
- I tried changing the port on NGINX to listen on port 8080 to make sure my ISP wasn't blocking the standard 80 port, but this resulted in the same "Connection refused" message.
- I can SSH into the jail from the LAN and I can receive data from the wider internet, so I think the networking here is OK. Running curl on the jail from the LAN I get traffic out, so NGINX is running properly.
- To rule out the jail altogether, I tried redirecting an arbitrary high-numbered port to SSH into another machine on the LAN. Got the same "Connection refused" type message back here.
- I tried using the userland natd with IPFW, but I get the same results. I made the necessary modifications for getting natd running in the rc.conf file and made a natd.conf with the port redirection commands.
- I ran tcpdump -i igb0 tcp port 80 -vv and tried curl example.com and I saw no traffic at all. What is interesting though is if I SSH into this machine from the outside, when I run tcpdump on that port, I also see no traffic on the WAN interface, so I'm probably not doing this right.
Below are the relevant configuration files:
rc.conf:
Code:
ifconfig_igb0="DHCP -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
gateway_enable="YES"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm igb1 addm igb2 addm igb3 addm igb4 addm igb5 addm igb6 addm igb7"
ifconfig_igb1="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
ifconfig_igb2="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
ifconfig_igb3="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
ifconfig_igb4="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
ifconfig_igb5="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
ifconfig_igb6="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
ifconfig_igb7="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
ifconfig_bridge0_alias0="inet 192.168.0.1 netmask 255.255.255.0"
dhcpd_enable="YES"
dhcpd_ifaces="bridge0"
unbound_enable="YES"
firewall_enable="YES"
firewall_logging="YES"
firewall_script="/etc/ipfw.rules"
# FIXME: testing out in kernel NAT
firewall_nat_enable="YES"
# FIXME: put NATD back if in kernel NAT doesn't work out
natd_enable="NO"
#natd_interface="igb0"
#natd_flags="-dynamic -m -f /etc/natd.conf"
mountd_enable="YES"
nfs_server_enable="YES"
rpc_lockd_enable="YES"
rpc_statd_enable="YES"
rpcbind_enable="YES"
mountd_flags="-r"
inetd_enable="YES"
#ifconfig_igb0="DHCP"  # duplicate of the igb0 line near the top; in sh the later assignment wins and would drop the offload flags set there
jail_enable="YES"
/etc/ipfw.rules
Bash:
#!/bin/sh
# Set rules command prefix
cmd="/sbin/ipfw"
pif="igb0" # interface name of NIC attached to Internet
skip="skipto 400"
isp_dhcp="xxx.xxx.xxx.xxx"
dns="1.1.1.1, 9.9.9.9"
outgoing_tcp_ports="1194, 8883, 80, 8080, 443, 22, 50683, 8245, 8333"
outgoing_udp_ports="1194, 500, 51820, 5090, 6000-29999, 80, 8080, 443, 123"
server_incoming_tcp_ports="50683"
client_incoming_tcp_ports="443, 80"
# Flush out the list before we begin.
$cmd -f flush
# configure NAT
$cmd nat 1 config if $pif unreg_only reset \
    redirect_port tcp 192.168.0.2:80 80 \
    redirect_port tcp 192.168.0.2:443 443
# No restrictions between LAN clients. Heaviest traffic first (the bridge)
$cmd add 10 allow all from any to any via bridge0
$cmd add 11 allow all from any to any via lo0
$cmd add 12 allow all from any to any via igb1
$cmd add 13 allow all from any to any via igb2
$cmd add 14 allow all from any to any via igb3
$cmd add 15 allow all from any to any via igb4
$cmd add 16 allow all from any to any via igb5
$cmd add 17 allow all from any to any via igb6
$cmd add 18 allow all from any to any via igb7
$cmd add 19 allow all from any to any via tap0
$cmd add 20 allow all from any to any via epair0a
# catch spoofing from outside
$cmd add 50 deny ip from any to any not antispoof in recv $pif
# NAT diversion
$cmd add 59 nat 1 ip4 from any to any in recv $pif # NAT any inbound packets
$cmd add 60 reass all from any to any in # reassemble inbound packets
# check all other conditions with the dynamic rules table
$cmd add 61 check-state
###################################################################
# outbound connection rules
###################################################################
# Allow access to public DNS over TLS
$cmd add 100 $skip tcp from me to $dns 853 out xmit $pif setup keep-state
# Allow access to ISP's DHCP server for cable/DSL configurations.
$cmd add 101 $skip udp from me to $isp_dhcp 67 out xmit $pif keep-state
# Allow good outgoing TCP, UDP, and ICMP
$cmd add 110 $skip tcp from any to any $outgoing_tcp_ports out xmit $pif setup keep-state
$cmd add 111 $skip udp from any to any $outgoing_udp_ports out xmit $pif keep-state
$cmd add 112 $skip icmp from any to any out xmit $pif keep-state
# deny and log all other outbound connections
$cmd add 199 deny log all from any to any out xmit $pif
/etc/sysctl.conf
Code:
net.inet.tcp.tso="0"
net.inet.ip.fw.one_pass="0"
I'm at a loss at this point.
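As an added example, not part of the original post or of FreeBSD itself: a small checker that reads an ipfw rules script in the sh form used above and reports the structural problems a reviewer would look for first, namely redirect_port targets with no inbound allow rule on the WAN interface, skipto targets that no rule defines, and variables assigned twice. The script it runs on is a constructed, trimmed version of the posted rules.

```python
import re

# Constructed sample: a trimmed copy of the kind of ipfw script posted above, keeping
# only the features the checks look at. It is not the poster's complete file.
SAMPLE = r'''
cmd="/sbin/ipfw"
pif="igb0"
skip="skipto 400"
client_incoming_tcp_ports="443, 80"
client_incoming_tcp_ports="443, 80"
$cmd nat 1 config if $pif unreg_only reset \
    redirect_port tcp 192.168.0.2:80 80 \
    redirect_port tcp 192.168.0.2:443 443
$cmd add 10 allow all from any to any via bridge0
$cmd add 59 nat 1 ip4 from any to any in recv $pif
$cmd add 110 $skip tcp from any to any 80 out xmit $pif setup keep-state
'''
def expand(line, env):
    # Substitute $name references using the script's own simple assignments.
    return re.sub(r'\$(\w+)', lambda m: env.get(m.group(1), m.group(0)), line)
def lint_ipfw(script):
    """Return a list of findings for an ipfw rules script written in sh."""
    env, rules, findings = {}, [], []
    # Join backslash-continued lines so a multi-line nat config is one command.
    joined = re.sub(r'\\\n\s*', ' ', script)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'(\w+)="([^"]*)"$', line)
        if m:
            if m.group(1) in env:
                findings.append(f'duplicate assignment of {m.group(1)}')
            env[m.group(1)] = m.group(2)
        else:
            rules.append(expand(line, env))
    numbered = {int(n) for r in rules for n in re.findall(r'\badd (\d+)\b', r)}
    pif = env.get('pif', '')
    # With one_pass=0 the packet continues past the nat rule and still needs an inbound allow on the WAN side.
    inbound_allow = any(re.search(r'\ballow\b', r) and re.search(r'\bin\b', r)
                        and f'recv {pif}' in r for r in rules)
    for r in rules:
        for n in re.findall(r'\bskipto (\d+)', r):
            if int(n) not in numbered:
                findings.append(f'skipto {n} but no rule {n} is defined')
        for proto, ip, port in re.findall(r'redirect_port (\w+) (\S+?):(\d+) \d+', r):
            if not inbound_allow:
                findings.append(f'redirect_port {proto} to {ip}:{port} has no inbound allow on {pif}')
    return findings
```

Run it against your own ipfw.rules by passing the file's contents to lint_ipfw; an empty list means none of the three checks fired.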