On 10/07/15 15:57, Mark Felder wrote:
> Hi all,
>
> I've only used IPFW in the past for the most basic of tasks. I'd like to
> use it with in-kernel NAT protecting both v4 and v6 and add
> dummynet/pipe later, but I have to get the basic working first. I'm
> either overlooking something obvious or there's a major issue. Has there
> been work in CURRENT? I haven't tried on any RELEASE....

My experience with ipfw is almost exclusively on RELEASE, but I don't think that much has changed in the rules syntax.

> Problems I'm running into:
>
> * Inbound v4 traffic to the firewall is blocked, but inbound v6 traffic
> to the firewall and hosts behind it is not. Both v4 and v6 should be
> handled by keywords: tcp, udp, ip, me.

I'm sorry, but I have made no tests with IPv6, so I can't help you on this one.

I suspect you should also investigate using sysctl net.inet.ip.fw.one_pass=0. The ruleset below seems to require it in a few places.

> * TCP sessions seem to be killed every ~300s

sysctl net.inet.ip.fw.dyn_ack_lifetime=<seconds>; the default is 300.

> * "in via $pif" doesn't seem to work. ex: block icmp from internet to
> $pif fails to do anything. However, "block out via $pif" blocks it...

I suspect this is related to one_pass above.

> * Does IPFW not track outbound traffic to allow it back through --
> related/established? I have trouble blocking inbound traffic without
> blocking originated/outbound traffic because the firewall blocks the
> return packets.

It does only for stateful rules, with keep-state, which you are using. Which rules are failing to do that?

> * Port forwarding is failing, probably due to the issues with the "in
> via" that I'm experiencing. Research says once I have the redirect_port
> configured I should be good to go as long as I match the traffic and
> skip to the NAT rule. Skip rules don't stop processing, so it should hit
> the next rule which is the last rule in my config -- allow from any to
> any. (Documentation for in-kernel NAT is nonexistent and really needs
> help). The rule 425 below should be working, but logs show that rule is
> ignored and it's being blocked at 550. Comment out 550 and it works...

As above, if I remember correctly this setup requires one_pass=1 to work; I'm not completely sure this is your problem, though. I think it's worth a try.

Please note that my structure is just an example; there are many other ways to organize your firewall. I have a setup that uses many stateful rules, but some people prefer stateless firewalling, which requires rules for both inbound and outbound traffic.

Hope this helps.

-- 
Guido Falsi <m...@madpilot.net>
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
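The ruleset Guido refers to is not part of this page, so the script below is an added example of the arrangement the thread discusses (in-kernel NAT with stateful keep-state rules, a redirect_port forward reached by de-NATing inbound traffic first, and the one_pass and dyn_ack_lifetime sysctls), not Mark's or Guido's configuration. The interface name em0, the 192.168.1.0/24 network and the 192.168.1.10 web host are constructed placeholders. By default every command is only echoed, so the ruleset can be reviewed on any machine; setting IPFW=/sbin/ipfw and SYSCTL=/sbin/sysctl on a FreeBSD host applies it.

```shell
#!/bin/sh
# Added example ruleset (not from the original mail): in-kernel NAT, stateful
# rules, a port forward, and the sysctls discussed in the thread.
# Dry-run by default: commands are printed, not executed.
IPFW="${IPFW:-echo ipfw}"
SYSCTL="${SYSCTL:-echo sysctl}"

pif="em0"              # assumed public (NAT outside) interface
lan="192.168.1.0/24"   # assumed private network behind the firewall
web="192.168.1.10"     # assumed internal host exposed on TCP/80

tune_kernel() {
    # one_pass=0: a packet keeps traversing the ruleset after a nat/pipe
    # rule instead of being accepted there (one_pass=1, the default).
    $SYSCTL net.inet.ip.fw.one_pass=0
    # dyn_ack_lifetime (default 300 s) is the idle lifetime of an established
    # TCP dynamic rule; raise it so idle-but-open sessions are not torn down.
    $SYSCTL net.inet.ip.fw.dyn_ack_lifetime=3600
}

build_ruleset() {
    $IPFW -q flush
    # NAT instance: masquerade on $pif and forward public TCP/80 to $web.
    $IPFW nat 1 config if "$pif" same_ports unreg_only reset \
        redirect_port tcp "$web":80 80
    $IPFW add 100 allow ip from any to any via lo0
    # De-NAT inbound packets first, so every later rule sees the private address.
    $IPFW add 200 nat 1 ip4 from any to any in via "$pif"
    # Match return packets of sessions recorded by the keep-state rules below.
    $IPFW add 300 check-state
    # Outbound from the LAN: record state, then jump to the outbound NAT rule.
    $IPFW add 400 skipto 1000 tcp from "$lan" to any out via "$pif" setup keep-state
    $IPFW add 410 skipto 1000 udp from "$lan" to any out via "$pif" keep-state
    $IPFW add 420 skipto 1000 icmp from "$lan" to any out via "$pif" keep-state
    # Forwarded service: rule 200 already rewrote the destination to $web.
    $IPFW add 425 allow tcp from any to "$web" 80 in via "$pif" setup keep-state
    # The firewall's own outbound traffic (v4 and v6 via "me") gets state too,
    # so its replies pass check-state rather than hitting the deny below.
    $IPFW add 430 allow ip from me to any out via "$pif" keep-state
    # Anything else arriving on the public interface, v4 or v6, is dropped.
    $IPFW add 550 deny log ip from any to any in via "$pif"
    # LAN-side and other local traffic.
    $IPFW add 600 allow ip from any to any
    # Outbound NAT, reached only via skipto; with one_pass=0 processing then
    # continues to rule 1100, with one_pass=1 the nat rule accepts the packet.
    $IPFW add 1000 nat 1 ip4 from any to any out via "$pif"
    $IPFW add 1100 allow ip from any to any
}

rule_count() {
    # Number of "add" rules the ruleset would install (meaningful in dry-run mode).
    build_ruleset | grep -c ' add '
}

tune_kernel
build_ruleset
```

The ordering is the point: inbound packets are translated at rule 200 before check-state and before the forwarded-service rule, so the dynamic rule created on the way out (which recorded the private address) matches the de-NATed reply, and the redirect_port target is matched by its internal address rather than the public one. Rule 430 covers the case raised in the thread where traffic originated by the firewall itself was blocked on return.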