On 8/25/15 4:02 PM, Petr Chocholáč wrote:
Hello,

ignore my previous email, you have answered my questions here.

The firewall set you show is pretty horrible. It really needs a rewrite.
Do you want to block the two LANs from each other, or block any machines on the LANs from reaching the firewall?
If not, then you should start by adding two rules:
ipfw add 350 allow ip from any to any in recv {LAN interface}
ipfw add 351 allow ip from any to any out xmit {LAN interface}
as you do not want to block that traffic.
You should only be looking at traffic on the internet interface.

In your current rule set, all the rules are being tested at all interfaces, which is a waste of CPU and also makes it very hard to work out what is going on.

If you DO want to filter on other interfaces, then send traffic for each interface to a different set of rules, incoming and outgoing.
For example:

add 350 skipto 1000 ip from any to any in recv rl0
add 360 skipto 1100 ip from any to any out xmit rl0
add 370 skipto 1200 ip from any to any in recv re0
add 380 skipto 1300 ip from any to any out xmit re0
  etc...

Then at each rule set (1000, 2000, 3000, ...) you only have the rules you need for that exact flow.

Also, you should use a table to hold all the subnets and addresses that are there.
For example:

you have:

08800         0            0 allow tcp from 85.70.0.0/16 to 86.49.91.98 dst-port 443 setup via rl0
08900         0            0 allow tcp from 85.71.0.0/16 to 86.49.91.98 dst-port 443 setup via rl0
09000         0            0 allow tcp from 84.42.232.0/21 to 86.49.91.98 dst-port 443 setup via rl0
09100         0            0 allow tcp from 84.42.240.0/20 to 86.49.91.98 dst-port 443 setup via rl0
09200         0            0 allow tcp from 80.188.157.0/24 to 86.49.91.98 dst-port 443 setup via rl0
09300         0            0 allow tcp from 89.102.9.0/24 to 86.49.91.98 dst-port 443 setup via rl0
09400         0            0 allow tcp from 89.102.0.0/16 to 86.49.91.98 dst-port 443 setup via rl0

This should all be:
allow tcp from table(1) to 86.49.91.98 dst-port 443 setup
and it would appear only in the rules to do with incoming packets on rl0
(i.e. in the rules starting at 1000).

You would populate the table with:
ipfw table 1 add 85.70.0.0/16
ipfw table 1 add 85.71.0.0/16
ipfw table 1 add 84.42.232.0/21
...
etc.


I can't actually read your ruleset enough without getting a headache to tell you what is failing.

Also, you talked about 10.x.x.x in your email, and about 2 interfaces, but later you talked about different addresses and 3 interfaces.

Can you say what the actual setup is? (You do not have to give your actual internet IP address... though you already did. I would replace it with ${OUTSIDE} in the script that makes it.)
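The per-interface skipto layout and the table suggested above, put together as one added example script (this is not code from the thread or from FreeBSD's rc.firewall). Everything in it is an assumption of the example: the interface names rl0/re0 and the LAN prefix are taken from the thread, the public address is replaced by a documentation address in OUTSIDE, NAT is left out entirely, and keep-state/check-state are used so that the non-SYN packets of an allowed connection are not dropped by the block's final deny. With fwcmd=echo (the default) it only prints the ipfw commands, so it can be dry-run on any host; on the gateway set fwcmd=/sbin/ipfw and run it from the console, since the flush drops an ssh session.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed values (set them in
# the environment to override): fwcmd=echo for a dry run, /sbin/ipfw to apply.
fwcmd="${fwcmd:-echo}"
OUTSIDE="${OUTSIDE:-203.0.113.10}"   # placeholder public IP (RFC 5737 range)
WAN_IF="${WAN_IF:-rl0}"
LAN_IF="${LAN_IF:-re0}"
LAN_NET="${LAN_NET:-172.16.0.0/22}"

# Remote subnets allowed to reach $OUTSIDE:443 (the ones from the posted rules).
ALLOWED_443_NETS="85.70.0.0/16 85.71.0.0/16 84.42.232.0/21 84.42.240.0/20 \
80.188.157.0/24 89.102.9.0/24 89.102.0.0/16"

build_ruleset() {
    $fwcmd -f flush
    $fwcmd table 1 flush
    for net in $ALLOWED_443_NETS; do
        $fwcmd table 1 add "$net"
    done

    # Dispatch: every packet goes to exactly one block, keyed on the interface
    # it arrived on or is leaving by, so each block sees one direction of one
    # interface and nothing else.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 350 skipto 1000 ip from any to any in recv "$WAN_IF"
    $fwcmd add 360 skipto 1100 ip from any to any out xmit "$WAN_IF"
    $fwcmd add 370 skipto 1200 ip from any to any in recv "$LAN_IF"
    $fwcmd add 380 skipto 1300 ip from any to any out xmit "$LAN_IF"
    $fwcmd add 390 deny log ip from any to any   # any interface not listed

    # 1000: packets arriving on the Internet interface. check-state admits
    # replies to connections opened outbound; the setup rule admits new
    # inbound 443 connections from the table and records them for the
    # return direction.
    $fwcmd add 1000 check-state
    $fwcmd add 1010 allow tcp from "table(1)" to "$OUTSIDE" dst-port 443 setup keep-state
    $fwcmd add 1099 deny log ip from any to any

    # 1100: packets leaving on the Internet interface. keep-state creates the
    # dynamic rule that lets the replies through check-state in block 1000.
    $fwcmd add 1100 check-state
    $fwcmd add 1110 allow ip from any to any keep-state
    $fwcmd add 1199 deny log ip from any to any

    # 1200/1300: LAN side is not filtered, as suggested above; each block
    # still ends in a deny so nothing falls through into the next block.
    $fwcmd add 1200 allow ip from "$LAN_NET" to any
    $fwcmd add 1299 deny log ip from any to any
    $fwcmd add 1300 allow ip from any to "$LAN_NET"
    $fwcmd add 1399 deny log ip from any to any
}

# Dry run prints the ipfw commands; on the gateway: fwcmd=/sbin/ipfw sh rules.sh
build_ruleset
```

A forwarded LAN-to-Internet packet passes the firewall twice: once as "in recv re0" (block 1200) and once as "out xmit rl0" (block 1110, which creates the dynamic rule); its reply is matched by check-state in block 1000 and then allowed by block 1300. The counters in `ipfw show` then tell you immediately which block and which direction a flow died in.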




Thank you for your answer.

ad 1.
I send my current firewall rules and a record from tcpdump on re0.
My LAN is 172.16.0.0/22 (10... it was easy. I think it does not matter).
My second LAN is 192.168.1.0/24 (on this network the connection to IMAP port 993 works).
My public IP is 86.49.91.98.
ad 2.
Tcpdump on rl0 shows nothing.
ad 3.
Yes. I have gateway_enable="YES" in /etc/rc.conf.
ad 4.
I think yes...

PS: The firewall is not my work. I inherited it.

Thank you very much

Petr Chocholac



Dne 24.8.2015 v 15:39 Allan Jude napsal(a):
On 2015-08-24 09:05, Petr Chocholáč wrote:
Hello,

I would like to ask you for advice. I cannot connect to imap.gmail.com on port 993 from my local network. My LAN is behind a FreeBSD server with
IPFW. The server has two network cards, rl0=Internet and
re0=LAN (10.0.0.0/16). Tcpdump on re0 shows three SYN packets without
answers. What rules should I create?

I tried something like this, without success:
#ipfw add 01500 allow ip from 10.0.0.0/16 to any in via re0



Thank you very much for any advice and your patience

Petr Chocholáč
Brno, Czech Republic

_______________________________________________
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
We would need to see all of your current firewall rules (ipfw show)

You'll want to tcpdump on rl0, to see if the packet is being forwarded.

Do you have the machine configured as a gateway? (gateway_enable="YES"
in /etc/rc.conf)

Are you doing NAT (Network Address Translation) to remap the internal
(10.0.0.0/16) addresses to your internet routable IP?



