Hi,

I just re-read the ipfw man page about one_pass = 0.

# sysctl -d net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: Only do a single pass through ipfw when using dummynet(4)

I think next to dummynet, the definition also counts for netgraph and NAT 
rules, but not for every rule. So I doubt that one_pass=0 will do anything 
after rule 10 applies.

But I won't call myself a master of ipfw, so I will be happy to stand corrected.

Regards,
Ronald.
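The two points at issue in this thread, that "via" matches a packet on either its receive or its transmit interface, and that one_pass only decides whether a packet coming back from nat, dummynet or netgraph re-enters the ruleset while allow and deny always terminate, can be checked with a small model of ipfw's rule walk. The following Python is an added example for this thread, not ipfw's code and not something either poster wrote: it hand-encodes the two rulesets quoted below as match predicates for one constructed flow (a LAN host sending a TCP SYN to the internet, which ipfw sees once on input and once on output), assumes lan0 and bridge0 as members of table(trustedif), assumes the antispoof test is satisfied, and models dynamic state only through explicit check-state rules.

```python
# Toy model of ipfw rule traversal, added to illustrate the thread.
# Not ipfw's code: the rules quoted in the thread are hand-encoded as
# predicates, and interface/table names and the sample flow are assumptions.
from dataclasses import dataclass
from typing import Callable, List, Optional, Set

TRUSTED = {"lan0", "bridge0"}   # assumed members of table(trustedif)


@dataclass
class Packet:
    flow: str                   # constructed flow id, used as the dynamic-state key
    proto: str                  # "tcp", "udp" or "ip"
    direction: str              # "in" on the input pass, "out" on the output pass
    recv: str                   # interface the packet was received on
    xmit: Optional[str] = None  # interface it will leave on (output pass only)
    setup: bool = False         # TCP SYN without ACK ("setup")
    to_me: bool = False         # destined to one of the firewall's own addresses
    natted: bool = False        # set once a nat action has rewritten it


@dataclass
class Rule:
    num: int
    action: str                 # allow, deny, nat, skipto, check-state, reass
    match: Callable[[Packet], bool] = lambda p: True
    arg: Optional[int] = None   # skipto target
    keep_state: bool = False


def walk(rules: List[Rule], pkt: Packet, one_pass: bool, state: Set[str]):
    """Walk the ruleset in number order; return (verdict, matched rule numbers)."""
    rules = sorted(rules, key=lambda r: r.num)   # ipfw orders by number, not by add order
    trace, i = [], 0
    while i < len(rules):
        r = rules[i]
        if r.action == "check-state":
            if pkt.flow in state:                # an existing dynamic rule wins immediately
                trace.append(r.num)
                return "allow", trace
            i += 1
            continue
        if not r.match(pkt):
            i += 1
            continue
        trace.append(r.num)
        if r.keep_state:
            state.add(pkt.flow)
        if r.action in ("allow", "deny"):        # terminal actions; one_pass is irrelevant
            return r.action, trace
        if r.action == "nat":
            pkt.natted = True
            if one_pass:                         # one_pass=1: accepted straight after nat
                return "allow", trace
            i += 1                               # one_pass=0: re-enter at the next rule
            continue
        if r.action == "skipto":
            i = next(j for j, x in enumerate(rules) if x.num >= r.arg)
            continue
        i += 1                                   # reass and similar fall through
    return "deny", trace


# "via X" matches when X is the receive OR the transmit interface.
def via_trusted(p): return p.recv in TRUSTED or p.xmit in TRUSTED
def via_igc0(p): return p.recv == "igc0" or p.xmit == "igc0"
def in_from_igc0(p): return p.direction == "in" and p.recv == "igc0"
def out_igc0(p): return p.direction == "out" and p.xmit == "igc0"

# Dries' ruleset as quoted in the thread (rule 50 assumed never to match).
DRIES = [
    Rule(1, "reass", lambda p: p.direction == "in"),
    Rule(10, "allow", via_trusted),
    Rule(50, "deny", lambda p: False),
    Rule(100, "nat", in_from_igc0),
    Rule(500, "skipto", lambda p: p.proto == "tcp" and out_igc0(p) and p.setup, 10000, True),
    Rule(501, "skipto", lambda p: p.proto == "udp" and out_igc0(p), 10000, True),
    Rule(5000, "allow", lambda p: p.proto == "tcp" and in_from_igc0(p) and p.to_me and p.setup, keep_state=True),
    Rule(5001, "allow", lambda p: p.proto == "udp" and in_from_igc0(p) and p.to_me, keep_state=True),
    Rule(9998, "deny", lambda p: p.proto == "tcp"),
    Rule(9999, "deny", lambda p: p.proto == "udp"),
    Rule(10000, "nat", out_igc0),
    Rule(65535, "allow"),
]

# Ronald's suggested ruleset from the same thread.
RONALD = [
    Rule(1, "reass", lambda p: p.direction == "in"),
    Rule(50, "deny", lambda p: False),
    Rule(100, "nat", via_igc0),
    Rule(300, "check-state"),
    Rule(200, "allow", lambda p: p.direction == "in" and p.recv in TRUSTED, keep_state=True),
    Rule(5000, "allow", lambda p: p.proto == "tcp" and in_from_igc0(p) and p.to_me and p.setup, keep_state=True),
    Rule(5001, "allow", lambda p: p.proto == "udp" and in_from_igc0(p) and p.to_me, keep_state=True),
    Rule(9999, "deny"),
    Rule(65535, "allow"),
]


def lan_to_wan_syn(rules: List[Rule], one_pass: bool):
    """Constructed LAN host opening a TCP connection to the internet: ipfw sees the
    SYN on input (recv lan0) and again on output (recv lan0, xmit igc0)."""
    state: Set[str] = set()
    p_in = Packet("lanhost->web", "tcp", "in", "lan0", setup=True)
    v_in, t_in = walk(rules, p_in, one_pass, state)
    p_out = Packet("lanhost->web", "tcp", "out", "lan0", xmit="igc0", setup=True)
    v_out, t_out = walk(rules, p_out, one_pass, state)
    return {"in": (v_in, t_in), "out": (v_out, t_out), "natted": p_out.natted}


if __name__ == "__main__":
    for name, rules in (("Dries", DRIES), ("Ronald", RONALD)):
        for op in (False, True):
            print(name, "one_pass=%d" % op, lan_to_wan_syn(rules, op))
```

With Dries' rules the output pass stops at rule 10 whether one_pass is 0 or 1, because the packet's receive interface is in the trusted table and allow never re-enters the ruleset, so natted stays False. With Ronald's rules the output pass hits the nat at 100 first; with one_pass=0 it then continues to the check-state at 300, with one_pass=1 it is accepted directly after the nat, and in both cases the packet is translated.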


From: Dries Michiels <dri...@freebsd.org>
Date: Monday, 18 November 2024 13:23
To: Ronald Klop <ron...@freebsd.org>
CC: freebsd-i...@freebsd.org, freebsd...@freebsd.org, FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: IPFW stateful firewall ruleset - some sites or applications do not work as expected

Hi, unfortunately that's not the case, as I have one_pass set to off, meaning that after every rule the packet continues to be processed by the next rule (so the NAT does get reached).

On Thu 14 Nov 2024 at 11:17, Ronald Klop <ron...@freebsd.org> wrote:
On 02-11-2024 at 16:30, Dries Michiels wrote:
> Hello,
>
> So I have a very basic ruleset, as described in the FreeBSD handbook, see below. I have "blurred" my open ports as seen in the ruleset below.
> igc0 is my WAN port and in the table "trusted_if" are my LAN if and some bridges.
>
> 00001 reass ip from any to any in
> 00010 allow ip from any to any via table(trustedif)
> 00050 deny log ip from any to any not antispoof in
> 00100 nat 1 ip4 from any to any in recv igc0
> 00500 skipto 10000 tcp from any to any out xmit igc0 setup keep-state :default
> 00501 skipto 10000 udp from any to any out xmit igc0 keep-state :default
> 05000 allow tcp from any to me *some open ports* in recv igc0 setup keep-state :default
> 05001 allow udp from any to me *some open ports* in recv igc0 keep-state :default
> 09998 deny log tcp from any to any
> 09999 deny log udp from any to any
> 10000 nat 1 ip4 from any to any out xmit igc0
> 65535 allow ip from any to any
>
> Now comes the tricky part. There are some applications that don't work correctly with this ruleset.
> For example, itsme (a Belgian application to identify yourself with a lot of accounts) does not work.
> Recently my banking website also stopped working. So now I'm wondering how do I start to troubleshoot this issue?
> Are there any caveats with this ruleset when redirects are happening, for example? I'm also wondering if Belgian PF users have the same issue?
>
> I'm hopeful to get to the bottom of this as it's quite annoying needing to switch wifi channels to my ISP's router, which does work with these applications.
>
> Regards
> Dries
>

Hi,

It has been a while since I built ipfw firewalls, but doesn't rule 10 match all internal (from LAN) traffic, preventing outgoing (to WAN) packets from getting to the nat rules?

I would suggest something like this:

00001 reass ip from any to any in
00050 deny log ip from any to any not antispoof in
00100 nat 1 ip4 from any to any via igc0
00300 check-state :default
00200 allow ip from any to any in table(trustedif) keep-state :default
05000 allow tcp from any to me *some open ports* in recv igc0 setup keep-state :default
05001 allow udp from any to me *some open ports* in recv igc0 keep-state :default
09999 deny log ip from any to any
65535 allow ip from any to any



Regards,
Ronald.