IPFW server, acting as a firewall (how to pass traffic?)

Hello everyone,

Experimenting with IPFW, I would really appreciate some help to improve my abilities!
I already know how to use it as a workstation firewall, but now I would like to learn how to use it as a simple full firewall (just for experimenting).

Here is a simple network map describing what I'm doing:
[attachment: for-ipfw.png]


Here is what I do on the IPFW firewall (it's a FreeBSD mini-PC):
Code:
# NETWORK
sysrc ifconfig_ue0="DHCP"
sysrc ifconfig_ue1="inet 172.16.0.254 netmask 255.255.255.0"

# FIREWALL
sysrc firewall_enable="YES" firewall_script="/etc/regles-ipfw.sh" firewall_nat_enable="YES"

# GATEWAY
sysrc gateway_enable="YES"


# FIREWALL SCRIPT :
vi /etc/regles-ipfw.sh
#!/bin/sh
#
ipfw -q -f flush
cmd="ipfw -q add"
#
WAN="ue0"
LAN1="ue1"
#
$cmd 101 check-state
#
# GO OUT
$cmd 110 allow tcp from any to any out via $WAN setup keep-state
$cmd 111 allow udp from any to any out via $WAN keep-state
$cmd 112 allow icmp from any to any out via $WAN keep-state
#
# FROM IPFW TO LAN1
$cmd 113 allow icmp from any to any out via $LAN1 keep-state
#
# FROM LAN1 TO IPFW
$cmd 114 allow icmp from any to any in via $LAN1
#
# ESC :wq

service ipfw start

Here is what I do on the laptop:
Code:
ifconfig re1 inet 172.16.0.1 netmask 255.255.255.0
route add default 172.16.0.254

Question:
- I understand that the firewall has to be a gateway (so gateway_enable=YES in /etc/rc.conf)
- I also understand that NAT capability is needed (so firewall_nat_enable=YES)

But from the laptop, while I succeed in pinging the IPFW host with the ipfw firewall started (service ipfw start), I don't succeed in pinging 1.1.1.1 (for example). I tried looking at the fwd and nat commands, but I didn't find it.
Traffic is not relayed by the IPFW server.
How do you do that? Is it possible?
Can someone help me?
I did not find how to do this. I found something for destination NAT, but not for that.

Thank you very much in advance for your help,
it's always really appreciated!
 
Can you share the output of ifconfig ue1 to confirm that the NIC for the LAN side of the firewall host is up and has the address you expect?
 
This can't work without correct NAT rules, and their correct placement.

I suggest studying, and considering using, most of the /etc/rc.firewall 'simple' ruleset, which is designed to accomplish the sort of network you outline.

That requires abandoning most of the unfortunate IPFW section of the Handbook. It involves a few extra rules which we can help with, such as allowing icmp and using kernel NAT instead of natd(8), but that's straightforward.
 
OK. Thank you very much, smithi.
I didn't look at /etc/rc.firewall.
I have a bit to explore in that. I'll try with kernel NAT and not natd.
I'll be back if I don't find it.
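For readers who land on this thread with the same question, here is the kind of ruleset smithi is pointing at: stateful rules plus in-kernel NAT, with the nat rules placed where they have to be. This is an added example written for this page, not code from the thread, rc.firewall or the Handbook. It keeps the original interface names (ue0 on the WAN side via DHCP, ue1 = 172.16.0.254/24 on the LAN side) and assumes the rc.conf settings from the first post (gateway_enable, firewall_enable, firewall_nat_enable, firewall_script="/etc/regles-ipfw.sh"); firewall_nat_enable="YES" is relied on only to get the ipfw_nat module loaded, the nat instance and the nat rules are created by the script itself. It also assumes net.inet.ip.fw.one_pass=0 in /etc/sysctl.conf so that a packet keeps traversing the ruleset after a nat action instead of being accepted at that point, and firewall_logging="YES" for the logging deny rule. The LAN_NET value and the rule numbers are choices made for the example.

```shell
#!/bin/sh
# Added example: stateful IPFW ruleset with in-kernel NAT for a two-interface
# gateway (WAN ue0 via DHCP, LAN ue1 = 172.16.0.254/24). Not code from the
# thread; interface names are the OP's, rule numbers and LAN_NET are assumed.
#
# Assumed /etc/rc.conf:   gateway_enable="YES" firewall_enable="YES"
#                         firewall_nat_enable="YES" firewall_script="/etc/regles-ipfw.sh"
#                         firewall_logging="YES"
# Assumed /etc/sysctl.conf: net.inet.ip.fw.one_pass=0
#   (so a packet continues down the ruleset after the nat action)

WAN="ue0"
LAN1="ue1"
LAN1_NET="172.16.0.0/24"   # assumed LAN prefix
IPFW="${IPFW:-ipfw}"       # the ipfw(8) binary; only used by apply_rules

# Print the ipfw(8) arguments for every rule, one per line, in the order
# they must be installed. Comment lines document the placement decisions.
rules() {
    cat <<EOF
nat 1 config if $WAN same_ports unreg_only reset
add 100 allow ip from any to any via lo0
# Replies coming back on the WAN are reverse-translated BEFORE the state
# lookup, so check-state sees the LAN address the outbound entry was keyed on.
add 200 nat 1 ip4 from any to any in via $WAN
add 210 check-state
# Outbound through the WAN (from the LAN or from the firewall host itself):
# create the dynamic rule first, then jump to the outbound nat rule (1000)
# instead of allowing here, so the packet is translated after state exists.
add 300 skipto 1000 tcp from any to any out via $WAN setup keep-state
add 310 skipto 1000 udp from any to any out via $WAN keep-state
add 320 skipto 1000 icmp from any to any out via $WAN keep-state
# Firewall host <-> LAN: ping only, as in the original script.
add 400 allow icmp from any to any out via $LAN1 keep-state
add 410 allow icmp from $LAN1_NET to me in via $LAN1
# Forwarded LAN traffic (not addressed to the firewall host) is accepted on
# the way in from ue1; it is matched again on the way out of ue0 by 300-320.
add 420 allow ip from $LAN1_NET to not me in via $LAN1
# Everything else, in particular unsolicited inbound WAN traffic, is dropped.
add 999 deny log ip from any to any
# skipto target: outbound NAT, then accept the translated packet.
add 1000 nat 1 ip4 from any to any out via $WAN
add 1010 allow ip from any to any
EOF
}

# Install the ruleset: flush, then hand each non-comment line to ipfw -q.
apply_rules() {
    "$IPFW" -q -f flush || return 1
    while IFS= read -r line; do
        # shellcheck disable=SC2086   # word splitting into ipfw args is intended
        "$IPFW" -q $line || return 1
    done <<EOF
$(rules | grep -v '^#')
EOF
}

# When run by /etc/rc.d/ipfw on a FreeBSD host the rules are installed;
# without an ipfw binary (e.g. reviewing the script elsewhere) nothing is run.
if command -v "$IPFW" >/dev/null 2>&1; then
    apply_rules
fi
```

After `service ipfw restart`, `ipfw -d list` should show the dynamic rule for the laptop's ping (172.16.0.1 to 1.1.1.1) created by rule 320, and `ipfw nat 1 show` the corresponding alias entry. The two properties to keep when adapting this are the ones smithi names: the inbound nat rule sits before check-state, and the outbound rules jump to a nat rule that is followed by an allow rather than allowing directly.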
 