I'm new to IPFW so apologies if I'm just making a rookie mistake somewhere.
Following the setup as shown in the handbook, I have rule 00125 set to divert a list of ports to rule 00500 for NAT redirection. In my case, ports 21, 22, 25, 37, 53, 80, 443, 110 & 3544.
This works properly for most of the ports, except for port 443 (and some others). In that case the rule is completely skipped and the packet gets to rule 00299 (deny and log all out through the output interface).
Even creating specific rules only for port 443 (00130), TCP and UDP packets fail to divert and eventually reach 00299.
Most of these blocked packets are going out to Google.com, but somewhere in there it's also denying me access to the FreeBSD FTP site :(
In the last 24 hours that it's been up, the system has generated 10 security log files. Please help.
Here's the abridged version of /etc/ipfw.rules. The complete file is attached.
Code:
#!/bin/sh
# Flush out the list before beginning
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
oif="ue0" # Outside NIC
iif="re0" # Inside NIC
wif="wlan0" # Wireless
skip="skipto 500"
ks="keep-state"
good_tcpo="21, 22, 25, 37, 53, 80, 443, 110, 3544"
# Allow all traffic through internal interfaces
$cmd 00005 allow all from any to any via $iif
$cmd 00010 allow all from any to any via $wif
# No restrictions on Loopback Interface
$cmd 00015 allow all from any to any via lo0
# inbound NAT packets
$cmd 100 divert natd ip from any to any in via $oif
$cmd 00101 check-state
# Allow access to DNS server
$cmd 00110 allow tcp from any to 24.116.0.53 53 via $oif setup keep-state
$cmd 00111 allow udp from any to 24.116.0.53 53 via $oif keep-state
$cmd 00112 allow tcp from any to 24.116.2.50 53 via $oif setup keep-state
$cmd 00113 allow udp from any to 24.116.2.50 53 via $oif keep-state
# Allow access to ISP's DHCP server.
#$cmd 00120 allow log udp from any to any 67 out via $oif keep-state
$cmd 00118 allow udp from any to 184.155.130.8 67 out via $oif keep-state
# Authorize outbound packets
$cmd 119 $skip udp from any to 24.116.2.50 53 out via $oif $ks
$cmd 120 $skip udp from any to 24.116.0.53 53 out via $oif $ks
$cmd 121 $skip udp from any to 184.155.130.8 67 out via $oif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $oif setup $ks
# NB: 'setup' is short for 'tcpflags syn,!ack', a TCP-only match; on a udp rule it never matches
$cmd 126 $skip udp from any to any $good_tcpo out via $oif setup $ks
# Create a rule specifically for port 443 (443 is already in $good_tcpo, so rule 125 sees the SYN first)
$cmd 130 $skip tcp from any to any 443 out via $oif setup $ks
$cmd 140 $skip icmp from any to any out via $oif $ks
# Allow output HTTP and HTTPS connections
$cmd 0200 allow tcp from any to any 80 out via $oif setup keep-state
$cmd 0220 allow tcp from any to any 443 out via $oif setup keep-state
# Allow outbound email connections
$cmd 0230 allow tcp from any to any 25 out via $oif setup keep-state
$cmd 0231 allow tcp from any to any 110 out via $oif setup keep-state
# Allow outbound ping
$cmd 00250 allow icmp from any to any out via $oif keep-state
# Allow NTP
$cmd 0260 allow tcp from any to any 37 out via $oif setup keep-state
# Allow outbound SSH
$cmd 0280 allow tcp from any to any 22 out via $oif setup keep-state
# Deny and log all other outbound connections
$cmd 00299 deny log all from any to any out via $oif
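Two offline checks worth running against a rules script like the one above before suspecting rule order. This is an added example, not the poster's script or anything from the handbook; the rule excerpt and the `ipfw -a list` counters it reads are constructed to mimic the post (interface names, rule numbers and packet counts are assumed). The first check relies on one fact from ipfw(8): `setup` is shorthand for `tcpflags syn,!ack`, a match on TCP flags, so a `udp` or `icmp` rule carrying `setup` is installed (and `ipfw -q` hides any complaint) but can never match a packet. The second lists rules whose packet counter has never moved, which is how you see a dead or shadowed rule on the live box.

```sh
#!/bin/sh
# Added example (not from the original post): offline checks for an
# ipfw rules script.  The rules and counters below are constructed to
# mimic the posted script; the packet counts are invented.

# Check 1: 'setup' is ipfw shorthand for 'tcpflags syn,!ack', a match on
# TCP flags, so it can only ever match TCP.  A udp or icmp rule that also
# says 'setup' is accepted (and 'ipfw -q' hides any complaint) but never
# matches a packet, so that traffic falls through to the final deny rule.
lint_setup() {
    # $1: rules script.  Prints each offending line; exit status 1 if any.
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*#/ { next }              # skip comment lines
        {
            has_setup = 0; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "setup") has_setup = 1
                if ($i == "tcp" || $i == "udp" || $i == "icmp") proto = $i
            }
            if (has_setup && proto != "" && proto != "tcp") {
                print FILENAME ":" NR ": setup on " proto " rule can never match: " $0
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Check 2: given saved 'ipfw -a list' output (rule number, packet count,
# byte count, rule body), print the numbers of rules that have never
# matched.  On the firewall: ipfw -a list > /tmp/ctr; idle_rules /tmp/ctr
idle_rules() {
    awk '$2 == 0 { print $1 }' "$1"
}

# --- constructed sample input (mimics the posted script) -----------------
RULES_FILE=$(mktemp)
cat > "$RULES_FILE" <<'EOF'
cmd="ipfw -q add"
oif="ue0"
skip="skipto 500"
ks="keep-state"
good_tcpo="21,22,25,37,53,80,443,110,3544"
# Authorize outbound packets
$cmd 125 $skip tcp from any to any $good_tcpo out via $oif setup $ks
$cmd 126 $skip udp from any to any $good_tcpo out via $oif setup $ks
$cmd 130 $skip tcp from any to any 443 out via $oif setup $ks
$cmd 140 $skip icmp from any to any out via $oif $ks
$cmd 299 deny log all from any to any out via $oif
EOF

# Invented counters in 'ipfw -a list' layout: rule 126 is dead for the
# reason above, and 130 is shadowed because 125 already lists port 443.
COUNTERS_FILE=$(mktemp)
cat > "$COUNTERS_FILE" <<'EOF'
00100      812    91244 divert natd ip from any to any in via ue0
00125      233    13980 skipto 500 tcp from any to any 21,22,25,37,53,80,443,110,3544 out via ue0 setup keep-state
00126        0        0 skipto 500 udp from any to any 21,22,25,37,53,80,443,110,3544 out via ue0 setup keep-state
00130        0        0 skipto 500 tcp from any to any 443 out via ue0 setup keep-state
00299       57    10716 deny log ip from any to any out via ue0
EOF

echo "== rules with a TCP-only 'setup' on a non-TCP protocol =="
lint_setup "$RULES_FILE" || true
echo "== rules that have never matched a packet =="
idle_rules "$COUNTERS_FILE"
```

On the real machine, load the script once with `-q` dropped from `$cmd` so ipfw can report any rule it rejects, then compare `ipfw -a list` counters after some browsing. If rule 130's counter stays at zero while /var/log/security keeps showing TCP port 443 denies at 299, those packets are not the bare SYNs that `setup` matches, so the question becomes why no dynamic state covered them (`ipfw -d list` shows the dynamic rules currently held), not whether 443 is in the port list.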