ipfw - nat problem

[fuhdan]

Hi all,

I have built an ipfw firewall with natd. When I set the firewall type to open and add no fw rules, I can access my web server. When I add my rules, the browser times out. I added 'log in all deny, rules. but there is no log entry. Here's my fw config:

00005 allow ip from any to any via em1  #em1 = LAN Interface
00010 allow ip from any to any via lo0
00014 divert 8668 ip from any to any in via em0  # em0 Public WAN Interface
00020 check-state

00310 skipto 901 tcp from any to 8.8.8.8 dst-port 53 out via em0 setup keep-state
00310 skipto 901 udp from any to 8.8.8.8 dst-port 53 out via em0 keep-state
00330 skipto 901 tcp from any to any dst-port 25 out via em0 setup keep-state
00340 skipto 901 tcp from any to any dst-port 80 out via em0 setup keep-state
00340 skipto 901 tcp from any to any dst-port 21 out via em0 setup keep-state
00341 skipto 901 tcp from any to any dst-port 443 out via em0 setup keep-state
00350 allow tcp from me to any out via em0 setup uid root keep-state
00360 skipto 901 icmp from any to any out via em0 keep-state
00399 deny log ip from any to any out via em0

00410 deny icmp from any to any in via em0
00415 deny tcp from any to any dst-port 113 in via em0
00420 deny tcp from any to any dst-port 137 in via em0
00421 deny tcp from any to any dst-port 138 in via em0
00422 deny tcp from any to any dst-port 139 in via em0
00423 deny tcp from any to any dst-port 81 in via em0
00430 deny ip from any to any frag in via em0
00432 deny tcp from any to any established in via em0
00440 allow tcp from any to me dst-port 22 in via em0 setup limit src-addr 2
00451 allow tcp from any to any dst-port 80 in via em0 setup limit src-addr 10
00460 allow tcp from any to any dst-port 443 in via em0 setup limit src-addr 10
00499 deny log ip from any to any in via em0
00901 divert 8668 ip from any to any out via em0
00902 allow ip from any to any
00999 deny log ip from any to any
65535 deny ip from any to any

Everytime I add the firewall script with

/etc/ipfw.rules &

it cuts the ssh session. I also see many entries in the log like:

Feb 26 18:32:35 fortknox kernel: ipfw: 399 Deny TCP xxx.xxx.xxx.xxx:22 yyy.yyy.yyy.yyy:58753 out via em0

where xxx.xxx.xxx.xxx is my current IP and yyy.yyy.yyy.yyy is the server's IP


Thanks for your help.

 

[cutter]

Hi,
Please clarify, you can't reach the web server from where? From outside, from your local network or from the server itself?
I would suggest that you start troubleshooting your script by building a simplified 5-6 lines script that works and then start adding additional conditions.
Cutter

 

[binyo66]

Same thing here. If I disable ipfw, then RealVNC run smoothly. Googling it up, I found that using IPFILTER will solve the problem. I think I am going to set up IPFILTER and see if it is solve the problem

 

[RusDyr]

Bad idea and definitely wrong googling.
Do what cutter said.

 

[fuhdan]

solved - ipfw - nat problem

I found the solution:
wrong:

00451 allow tcp from any to any dst-port 80 in via em0 setup limit src-addr 10

right:

00451 skipto 901 tcp from any to any dst-port 80 in via em0 setup limit src-addr 10

Then it works fine.

Just to clarify:
I couldn't reach the web server from the internet.