Question with IPFW

Hi friends!
Today I decided to organize my ipfw rules. And that's what I did:


ipfw show
50-55: rules for connecting to the provider's PPTP server
Code:
00050   834   27304 allow ip from me to 10.0.0.1 via nfe0 out
00055 11729 1024957 allow ip from 10.0.0.1 to me via nfe0 in

200-370: these rules deny connections to unneeded ports and allow connections to needed ones.
Code:
00100     0       0 check-state
00200     4     240 deny icmp from any to any in icmptypes 5,8,9,13,14,15,16,17
00300 11691  588087 deny tcp from any to me not dst-port 25,80,22222 in via ng0
00305     0       0 allow tcp from any to me dst-port 25,80,22222 in via ng0
00310     1      49 deny udp from any to me not dst-port 31194 in via ng0
00315     4    1639 allow udp from any to me dst-port 31194 in via ng0
00320     0       0 deny tcp from any to me not dst-port 53,80,22222 in via rl0
00325     0       0 allow tcp from any to me dst-port 53,80,22000 in via rl0
00330     0       0 deny udp from any to me not dst-port 53,123 in via rl0
00335     0       0 allow udp from any to me dst-port 53,123 in via rl0
00340     0       0 deny tcp from any to me not dst-port 53,80,22222 in via wlan0
00345     0       0 allow tcp from any to me dst-port 53,80,22222 in via wlan0
00350     0       0 deny udp from any to me not dst-port 53,123,31194 in via wlan0
00355     0       0 allow udp from any to me dst-port 53,123,31194 in via wlan0
00360     0       0 deny tcp from any to me not dst-port 53,80,22222 in via tun0
00370     0       0 deny udp from any to me not dst-port 123 in via tun0

In table 3 I have 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/24, and they must not come from the WAN to me
Code:
00400     0       0 deny ip from table(3) to me in via ng0

I can do anything
Code:
00500    10     810 allow ip from me to any keep-state

Clients described in table 1 (192.168.1.0/24, 192.168.0.0/24) are forwarded to the transparent proxy
Code:
00600     0       0 fwd 127.0.0.1,3128 ip from table(1) to not me dst-port 80,8080 via ng0 out

Unsuccessful rule for NAT for clients from table 2
Code:
00650     0       0 divert 8668 ip from table(2) to not me via ng0 out

Deny and log all the rest
Code:
50000   139   13004 deny log logamount 100 ip from any to any

Please help me set up the rules correctly so my LAN clients can go to the internet with NAT.
 
Yes
Code:
natd_enable="YES"
natd_flags="-n ng0"
gateway_enable="YES"
Maybe something with sysctl variables?
Code:
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.link.ether.inet.max_age=1200
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0

kern.ipc.somaxconn=4096
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=32768
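As an added illustration (not the poster's ruleset and not FreeBSD's own example), here is a minimal ipfw layout that gives LAN clients NAT through natd, combining the rule-ordering question in the first post with the natd_enable/natd_flags lines in the follow-up. It assumes ng0 as the external interface, natd listening on its default divert port 8668 (the port the post's rule 650 uses), and that table 2 already holds the client networks; the single "deny tcp ... to me" line stands in for the post's per-service rules 300-370. What it shows is ordering: packets arriving on ng0 pass through natd before any "to me" deny rule can see them, and the outbound client rule creates state on the untranslated addresses before the outbound divert, the same ordering the FreeBSD Handbook's ipfw+natd example uses. With DRY_RUN=1 (the default) the script only prints the ipfw commands instead of applying them, and it checks its own rule order before doing anything.

```shell
#!/bin/sh
# Added example, not the poster's ruleset: minimal ipfw + natd layout that
# lets LAN clients in table 2 reach the internet through NAT on ng0.
# Assumptions (labelled): external interface ng0, natd on its default divert
# port 8668, table 2 already filled (e.g. "ipfw table 2 add 192.168.1.0/24",
# a network chosen here only as an illustration). DRY_RUN=1 (default) only
# prints the ipfw commands; DRY_RUN=0 applies them and needs root on FreeBSD.

EXT_IF="ng0"
NATD_PORT=8668
DRY_RUN="${DRY_RUN:-1}"

# Emit one rule: print it in dry-run mode, otherwise hand it to ipfw(8).
fw() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "ipfw -q add $*"
    else
        ipfw -q add "$@"
    fi
}

ruleset() {
    # 1. Untranslate inbound packets first. Replies for LAN clients arrive
    #    addressed to the public address ("me"); if a "deny ... to me" rule
    #    sees them before natd rewrites the destination, they are dropped.
    fw 00040 divert "$NATD_PORT" ip from any to any in via "$EXT_IF"
    # 2. Match established sessions (dynamic rules created by keep-state below).
    fw 00100 check-state
    # 3. Host service policy on the external interface; stands in for the
    #    post's rules 300-370. Safe here because replies to the host's own
    #    connections were already accepted by check-state.
    fw 00300 deny tcp from any to me not dst-port 25,80,22222 in via "$EXT_IF"
    # 4. LAN clients going out: record state on the untranslated (client)
    #    addresses, then jump to the outbound divert. Replies come back in
    #    through rule 40, get rewritten to the client address, and match the
    #    dynamic rule at check-state.
    fw 00500 skipto 1000 ip from "table(2)" to not me out via "$EXT_IF" keep-state
    # 5. The host itself may go anywhere.
    fw 00510 allow ip from me to any keep-state
    # 6. Translate the client packet's source to the public address and pass it.
    #    Rule 1010 has no direction, so it also passes the replies that land
    #    here through the dynamic rule's skipto action.
    fw 01000 divert "$NATD_PORT" ip from any to any out via "$EXT_IF"
    fw 01010 allow ip from any to any
    # 7. Everything else is denied and logged, as in the post.
    fw 50000 deny log logamount 100 ip from any to any
}

# Ordering check, always run in dry-run mode in a subshell: the inbound divert
# must carry a lower rule number than the first deny rule, otherwise NAT
# replies are dropped before translation.
check_order() {
    div=$( (DRY_RUN=1; ruleset) | awk '/ divert .* in via /{print $4; exit}')
    dny=$( (DRY_RUN=1; ruleset) | awk '/ deny /{print $4; exit}')
    [ -n "$div" ] && [ -n "$dny" ] && [ "$div" -lt "$dny" ]
}

check_order || { echo "inbound divert must precede the deny rules" >&2; exit 1; }
ruleset
```

The rc.conf lines from the follow-up (natd_enable, natd_flags="-n ng0", gateway_enable) are what start natd on port 8668 and turn on forwarding; this script only supplies the ipfw side, and nothing in it changes the sysctl settings listed above.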
 