Hi Guys,
I'm finding it very hard to get my head around ipfw and natd.
I am trying to set up a FreeBSD 4.7 box to replace Smoothwall / IPCop (both
of which I have found to be inflexible). I've experience of FreeBSD servers,
but this is my first foray into firewalling with FreeBSD.
INTERNET <===> ( lnc0 DHCP ) FreeBSD-FW ( lnc1 192.168.0.254 ) <===>
Private-LAN ( 192.168.0.240/28 )
Firstly I want to achieve SmoothWall/IPCop firewall functionality and then
later use dummynet to add bandwidth management capabilities.
i.e. I want to allow all outgoing TCP and UDP connections from the Private
LAN to the Internet and to allow responses back for those connections.
I want to allow ICMP from the Private LAN out to the Internet but NOT vice
versa.
I want to deny all access to the Private LAN and the FreeBSD firewall itself
from the Internet.
I also need to understand how to add port forwarding from the Internet Nic
to the Private LAN.
Once this is all working I'll be happy :-) and worry about bandwidth with
dummynet later as a separate thing.
So far, with the help of various web pages and newsgroup articles and the
FreeBSD Handbook, I have managed to recompile the kernel and get it installed
with support for the firewall options.
I have also enabled ipfw, natd and dnsmasq; dnsmasq is working fine. I think
my problem is the ipfw rules, which are driving me nuts. I have tried several
example configurations I have found, but alas to no avail.
I'd greatly appreciate any help that anyone could lend me.
Thanks In Advance = Adam.
My /etc/rc.conf looks like this -
kern_securelevel="2"
kern_securelevel_enable="YES"
keymap="uk.cp850"
saver="logo"
# Network Settings
tcp_extensions="YES"
hostname="freebsd.home.dom"
ifconfig_lnc0="DHCP"
ifconfig_lnc1="inet 192.168.0.254 netmask 255.255.255.240"
# Forward packets between lnc0 and lnc1; without this the box does not
# route LAN traffic at all, whatever the ipfw rules say
gateway_enable="YES"
# Firewall
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
# NAT
natd_enable="YES"
natd_interface="lnc0"
# -dynamic makes natd follow the address lnc0 gets from DHCP when it changes
natd_flags="-m -log -dynamic"
# Network Services
sendmail_enable="NONE"
sshd_enable="YES"
My /etc/ipfw.rules looks like this -
#!/bin/sh
fwcmd="/sbin/ipfw"
# Reset all rules
$fwcmd -f flush
# Add support for NAT: every packet crossing lnc0 goes through natd first,
# so the rules below see inbound packets already translated back
$fwcmd add 10 divert natd ip from any to any via lnc0
# Allow all data from my network card and localhost
$fwcmd add 100 allow ip from any to any via lo0
$fwcmd add 110 allow ip from any to any via lnc1
# Allow all connections that are initiated from the Private LAN (and by the
# firewall itself)
$fwcmd add 200 allow tcp from any to any out xmit lnc0 setup
# Allow open connections to stay open. "established" only checks that ACK
# or RST is set, so unsolicited ACKs still pass; they draw an RST but open
# no session
$fwcmd add 300 allow tcp from any to any via lnc0 established
# External Internet access to local ports. Note this admits SSH from the
# Internet, which the stated policy (no access to the firewall) excludes;
# LAN-side SSH is already covered by rule 110
$fwcmd add 1000 allow tcp from any to any 22 setup
# RESET all ident packets from external
$fwcmd add 2000 reset log tcp from any to any 113 in recv lnc0
# Allow UDP for DNS (rule 3001 trusts anything with source port 53)
$fwcmd add 3000 allow udp from any to any 53 out xmit lnc0
$fwcmd add 3001 allow udp from any 53 to any in recv lnc0
# Allow ICMP out to the Internet, and back in only the replies and errors
# (echo reply, unreachable, time exceeded); inbound echo requests are not
# accepted, as the policy above requires
$fwcmd add 4000 allow icmp from any to any out xmit lnc0
$fwcmd add 4001 allow icmp from any to any in recv lnc0 icmptypes 0,3,11
# Everything else is dropped and logged (needs IPFIREWALL_VERBOSE in the
# kernel for the log); the kernel's default rule 65535 denies too, but an
# explicit rule makes it visible in "ipfw show"
$fwcmd add 65000 deny log ip from any to any
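An added example, not part of Adam's post: a complete /etc/ipfw.rules for a FreeBSD 4.x ipfw + natd gateway that implements the policy he describes (all TCP/UDP out from the LAN with replies back, ICMP out but not in, nothing from the Internet to the LAN or the firewall) and shows how a port forward fits in. The interfaces and LAN are the ones from the post; the forwarded host 192.168.0.241 and port 80 are assumptions picked for illustration. The key trick is stateless: because the divert rule runs first, an inbound packet that natd matched to a live mapping (or a redirect) arrives at the later rules with a LAN destination, while unsolicited packets keep the public address, so reply rules can be limited to the LAN net instead of the usual wide-open "established" and "from any 53" rules.

```sh
#!/bin/sh
# Added example, not the original poster's script: /etc/ipfw.rules for a
# FreeBSD 4.x ipfw + natd gateway implementing the policy in the post
# (TCP/UDP out from the LAN with replies back, ICMP out only, nothing in
# to the LAN or the firewall) plus one port forward.
# Interfaces and LAN are the ones in the post; the forwarded host and
# port are assumptions chosen for illustration.
oif="lnc0"                 # outside, address from DHCP
iif="lnc1"                 # inside, 192.168.0.254
lan="192.168.0.240/28"
fwd_host="192.168.0.241"   # assumed LAN web server behind the port forward
fwd_port="80"
# natd must be told about the forward in rc.conf; the ipfw rule alone is
# not enough:
#   natd_flags="-m -log -dynamic -redirect_port tcp 192.168.0.241:80 80"
fwcmd="${FWCMD:-/sbin/ipfw}"   # FWCMD=echo reviews the rules on any host

r() { echo "$*"; }   # one rule per line, number first

build_rules() {
    # NAT first: outbound packets leaving $oif get the public source
    # address, inbound packets on $oif are translated back. An inbound
    # packet natd has no mapping for comes back unchanged, still addressed
    # to the public address, which the reply rules below rely on.
    r 00010 divert natd ip from any to any via $oif
    # Loopback and the inside interface are trusted
    r 00100 allow ip from any to any via lo0
    r 00110 allow ip from any to any via $iif
    # Anti-spoof: no private or loopback source may arrive from the Internet
    r 00200 deny log ip from $lan to any in recv $oif
    r 00210 deny log ip from 127.0.0.0/8 to any in recv $oif
    # Anything the LAN (or the firewall) starts may go out
    r 01000 allow tcp from any to any out xmit $oif setup
    r 01010 allow udp from any to any out xmit $oif
    # Replies back to the LAN: after rule 10 only packets natd matched to a
    # live mapping (or a redirect) carry a $lan destination, so these admit
    # replies without opening the public address to ACK or UDP probes
    r 01100 allow tcp from any to $lan in recv $oif established
    r 01110 allow udp from any to $lan in recv $oif
    # The firewall's own traffic: dnsmasq forwards lookups upstream, and
    # dhclient sends unicast lease renewals through the normal stack (the
    # initial exchange goes over bpf, which ipfw never sees)
    r 01200 allow udp from any 53 to any in recv $oif
    r 01210 allow udp from any 67 to any 68 in recv $oif
    # Port forward: natd has already rewritten the destination to $fwd_host,
    # so permit the SYN; the rest of the session matches rule 01100
    r 01300 allow tcp from any to $fwd_host $fwd_port in recv $oif setup
    # Reset ident probes instead of leaving remote mail/irc servers to wait
    r 02000 reset log tcp from any to any 113 in recv $oif
    # ICMP out freely; back in only echo reply, unreachable (including
    # fragmentation-needed for PMTU) and time exceeded. Echo requests from
    # outside never match, which is the "not vice versa" in the policy
    r 03000 allow icmp from any to any out xmit $oif
    r 03010 allow icmp from any to any in recv $oif icmptypes 0,3,11
    # Explicit, logged default deny (needs IPFIREWALL_VERBOSE in the kernel)
    r 65000 deny log ip from any to any
}

rule_count() { build_rules | grep -c '^[0-9]'; }

apply_rules() {
    $fwcmd -f flush
    build_rules | while read -r rule; do
        $fwcmd -q add $rule
    done
}

# Load into the kernel on the firewall itself; on any other host run
# "FWCMD=echo sh ipfw.rules" to print what would be loaded
if [ "$fwcmd" != /sbin/ipfw ] || [ -x /sbin/ipfw ]; then
    apply_rules
fi
```

After loading, "ipfw -a list" shows per-rule packet counters, which is the quickest way to see which rule is eating a connection that should have passed. Inbound SSH is deliberately absent: rule 00110 already covers SSH from the LAN, and admitting it from the Internet would need an extra "allow tcp from any to any 22 in recv lnc0 setup". Adding -deny_incoming to natd_flags makes natd itself drop unmatched inbound packets as a second layer behind rules 01100/01110.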