Solved [Solved] IPFW + kernel NAT (allow incoming UDP)

Avessalom

New Member


Messages: 2

Hi,

Sorry my english language
de0 - WAN interface

I have a gateway on FreeBSD (FreeBSD 9.0-RELEASE)
Code:
gateway_enable="YES"
...
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_nat_interface="de0"
firewall_type="/etc/rc.firewall"
firewall_logging="YES"

Code:
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.enable: 1

I have Video Jabber on the PC (LAN network). It must connect from server in the WAN. It is connected (user can logged on server, make out/in calls), but video/audio is not working.

Technical requirements Video Jabber:
  • from local PC (Jabber Client) TCP >=1024 to server 5060
  • from local PC (Jabber Client) UDP >=1024 to server 5060
  • from local PC (Jabber Client) TCP >=1024 to server 5061
  • from local PC (Jabber Client) UDP 21000-21900 to server 5060 50000-52399 (in / out )

de0 = WAN = 193.14.14.15
de1 = LAN = 192.168.0.0/24
213.10.12.15 (977) - Jabber Video Server

Code:
00977          0             0 allow log udp from 213.10.12.15 to me via de0
01000   49373257   11334742828 allow udp from any 53 to any
01001     334762      23546919 allow udp from any to any dst-port 53
01002         30          1532 allow tcp from any to 193.14.14.15 dst-port 20,21 in via de0 setup
01003          0             0 allow tcp from 213.232.252.187 5000 to 193.14.14.15 dst-port 5000 keep-state
01003          0             0 allow tcp from 213.232.252.190 5000 to 193.14.14.15 dst-port 5000 keep-state
01003          0             0 allow tcp from 213.232.252.235 5000 to 193.14.14.15 dst-port 5000 keep-state
01010          0             0 allow log udp from me 21000-21900 to 213.10.12.15 dst-port 50000-52399
01011     485650     150318781 allow log udp from any to any
01012         10           480 allow tcp from any to 193.14.14.15 dst-port 21 setup in via de0
01013    1101158      56978808 allow tcp from any to 193.14.14.15 setup in via de0
01018          0             0 allow log udp from any 55777 to any dst-port 55777 in via de1
01021   21692684   16439350772 allow log ip from any to any via de1
01022        688         47997 allow log udp from any to any
01030    1230461      64483504 allow tcp from any to 193.14.14.15 dst-port 25,110,53,3389 setup in via de0
01060         10           400 allow tcp from any to 193.14.14.15 dst-port 53 in via de0
10130 3734796823 2836051773640 nat 1 ip from any to any via de0
10230          0             0 nat 1 log ip from any to any in via de0
65535    2114967     116369160 deny ip from any to any

Code:
ipfw nat 1 config log if de0 reset same_ports deny_in\
        redirect_port tcp 192.168.0.109:80 80\
        redirect_port tcp 192.168.0.109:22 24\
        redirect_port tcp 192.168.0.199:22 888\
        redirect_port tcp 192.168.0.69:3389 889
ipfw add 10130 nat 1 ip from any to any via de0

If I understand correct out packets from LAN work fine - 1021, 10230

Then user sends packets from PC (LAN) - ipfw check 1021, add gateway + change interface, check 10230, create string in nat-table, change IP, packets in the WAN (because I have - net.inet.ip.fw.one_pass: 1). Then packets incoming from WAN, I don't understand how that is going. I can add 950 allow all from any to any via de1 - and NAT is down. I can add 950 allow udp/tcp from server to me via de1 - and if I understand correctly packets are allowed, but he is allowed on local (gateway). I do not see packets here. 977 is also not working and I don't understand why (
 
OP
A

Avessalom

New Member


Messages: 2

Re: IPFW + kernel NAT (allow incoming UDP)

Solved.
Code:
10110 nat 1 log udp from server 50000-52399 to any dst-port 21000-21900
 
Top