Sure. I took them straight out of the masquerading FAQ. Here they are.
Note: 128.195.180.200 is my (modified) IP address, 192.168.1.x is my local net.
As you can see, they are quite complicated, but they work.
Good luck
-Joe
# incoming, flush and set default policy of deny. Actually, the default policy
# is irrelevant because there is a catch all rule with deny and log
ipfwadm -I -f
ipfwadm -I -p deny
# local interface, local machines, going anywhere is valid
ipfwadm -I -a accept -V 192.168.1.1 -S 192.168.1.0/24 -D 0.0.0.0/0
# remote interface, claiming to be local machines, IP spoofing, get lost
ipfwadm -I -a deny -V 128.195.180.200 -S 192.168.1.0/24 -D 0.0.0.0/0 -o
# remote interface, any source, going to permanent IP address is valid
ipfwadm -I -a accept -V 128.195.180.200 -S 0.0.0.0/0 -D 128.195.180.200/32
# remote interface, any source, going to local is valid
ipfwadm -I -a accept -V 128.195.180.200 -S 0.0.0.0/0 -D 192.168.1.0/24
# loopback interface is valid
ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
# catch all rule, all other incoming is denied and logged
ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
# outgoing, flush and set default policy of deny. Actually, the default policy
# is irrelevant because there is a catch all rule with deny and log
ipfwadm -O -f
ipfwadm -O -p deny
# local interface, any source going to local net is valid
ipfwadm -O -a accept -V 192.168.1.1 -S 0.0.0.0/0 -D 192.168.1.0/24
# outgoing to local net on remote interface, stuffed routing, deny
ipfwadm -O -a deny -V 128.195.180.200 -S 0.0.0.0/0 -D 192.168.1.0/24 -o
# outgoing from local net on remote interface, stuffed masquerading, deny
ipfwadm -O -a deny -V 128.195.180.200 -S 192.168.1.0/24 -D 0.0.0.0/0 -o
# anything else outgoing on remote interface is valid
ipfwadm -O -a accept -V 128.195.180.200 -S 128.195.180.200/32 -D 0.0.0.0/0
# loopback interface is valid
ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
# catch all rule, all other outgoing is denied and logged
ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
# forwarding, flush and set default policy of deny. Actually, the default
# policy is irrelevant because there is a catch all rule with deny and log
ipfwadm -F -f
ipfwadm -F -p deny
# masquerade from local net on local interface to anywhere
ipfwadm -F -a m -W eth0 -S 192.168.1.0/24 -D 0.0.0.0/0
# catch all rule, all other forwarding is denied and logged
ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
Ed Jaeger wrote:
>
> I'm sure the problem is _not_ at the other sites as well, but my rule is
> really simple:
>
> /sbin/ipfwadm -F -a m -S 192.168.100.0/24 -D 0.0.0.0/0
>
> which I know is not the greatest, but the connection is a dialup & I shut
> off diald at night. Would you mind sending me your rules, since everything
> seems to work for you?
>
> Ed Jaeger, CFO, Bohlender Graebener Corporation
> [EMAIL PROTECTED]
> http://www.bgcorp.com
>
> ----------
> >I doubt that the problem is on their side. I am running a WinNT box through my
> >Linux firewall w/ masquerading, and I can access both sites just fine.
> >I am running kernel 2.0.33.
> >I assume your rules are screwed up. I noticed that the IP addresses of both sites
> >you mention start with 208. So the problem may be that you are not forwarding
> >packets for these IP addresses.
--
Joachim Feise Microsoft Certified Solution Developer
mailto:[EMAIL PROTECTED] http://www.ics.uci.edu/~jfeise/
mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
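To see what the rule set above actually does, here is a small first-match evaluator for ipfwadm -I/-O/-F chains, written as an added example for this thread; it is not Joe's code, nor Ed's, nor anything from the masquerading FAQ. It replays Joe's -I and -F commands (the -O chain is left out only because no sample packet below originates from the firewall itself) and Ed's single -F rule, then runs constructed packets through them. Assumptions not stated in the thread: ipfwadm matches -V/-W on the interface a packet arrives on for -I and on the interface it leaves through for -O and -F, so Joe's `-W eth0` masquerade rule only works if eth0 is his outside interface; the example therefore takes eth0 as outside (128.195.180.200) and eth1 as the LAN side (192.168.1.1), gives Ed's dialup the constructed address 198.51.100.7 on ppp0, and uses 208.0.2.3 as a stand-in for a site "starting with 208". Chains start with policy accept, as on a freshly booted kernel, which is what makes Ed's configuration let a spoofed LAN source in from the outside.

```python
import ipaddress
import shlex
from collections import namedtuple

# Joe's -I and -F rules from the post above, comments dropped; the -O chain is
# left out only because no sample packet below originates from the firewall itself.
JOE_RULES = """
ipfwadm -I -f
ipfwadm -I -p deny
ipfwadm -I -a accept -V 192.168.1.1 -S 192.168.1.0/24 -D 0.0.0.0/0
ipfwadm -I -a deny -V 128.195.180.200 -S 192.168.1.0/24 -D 0.0.0.0/0 -o
ipfwadm -I -a accept -V 128.195.180.200 -S 0.0.0.0/0 -D 128.195.180.200/32
ipfwadm -I -a accept -V 128.195.180.200 -S 0.0.0.0/0 -D 192.168.1.0/24
ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
ipfwadm -F -f
ipfwadm -F -p deny
ipfwadm -F -a m -W eth0 -S 192.168.1.0/24 -D 0.0.0.0/0
ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
"""
# Ed's single rule from the quoted reply; it never touches the input chain.
ED_RULES = "/sbin/ipfwadm -F -a m -S 192.168.100.0/24 -D 0.0.0.0/0"

ANY = ipaddress.ip_network("0.0.0.0/0")
# action: accept, deny or m (masquerade); via_addr/via_name: the -V/-W interface
# selectors (None = any interface); src/dst: networks; log: the -o flag.
Rule = namedtuple("Rule", "action via_addr via_name src dst log")
# iface: interface a packet arrives on (-I) or leaves through (-O, -F);
# iface_addr: that interface's own address, which -V compares against.
Packet = namedtuple("Packet", "src dst iface iface_addr")


def parse_rules(text):
    """Replay ipfwadm commands in order -> ({chain: [Rule]}, {chain: policy})."""
    chains = {c: [] for c in "IOF"}
    policy = {c: "accept" for c in "IOF"}  # kernel default until -p changes it
    for line in text.splitlines():
        argv = shlex.split(line.split("#", 1)[0])
        if not argv:
            continue
        if not argv[0].endswith("ipfwadm") or argv[1] not in ("-I", "-O", "-F"):
            raise ValueError(f"unsupported command: {line}")
        chain, opts = argv[1][1], argv[2:]
        f = {"action": None, "via_addr": None, "via_name": None, "src": ANY, "dst": ANY, "log": False}
        while opts:
            opt, opts = opts[0], opts[1:]
            if opt == "-f":  # flush the chain
                chains[chain].clear()
            elif opt == "-o":  # log matching packets
                f["log"] = True
            elif opt == "-p":  # default policy
                policy[chain], opts = opts[0], opts[1:]
            elif opt in ("-a", "-V", "-W", "-S", "-D"):
                val, opts = opts[0], opts[1:]
                if opt == "-a":
                    f["action"] = "m" if val == "masquerade" else val
                elif opt in ("-V", "-W"):
                    f["via_addr" if opt == "-V" else "via_name"] = val
                else:
                    f["src" if opt == "-S" else "dst"] = ipaddress.ip_network(val, strict=False)
            else:
                raise ValueError(f"unsupported option {opt} in: {line}")
        if f["action"]:
            chains[chain].append(Rule(**f))
    return chains, policy


def evaluate(ruleset, chain, pkt):
    """Return (verdict, logged): first matching rule wins, else the chain policy."""
    chains, policy = ruleset
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in chains[chain]:
        if r.via_addr in (None, pkt.iface_addr) and r.via_name in (None, pkt.iface):
            if src in r.src and dst in r.dst:
                return r.action, r.log
    return policy[chain], False


# Constructed traffic. Assumed interfaces (the thread does not name them):
# eth0 outside (128.195.180.200) and eth1 LAN (192.168.1.1) on Joe's box,
# ppp0 with 198.51.100.7 on Ed's dialup. 208.0.2.3 stands in for a "208." site.
SPOOF_IN = Packet("192.168.1.5", "208.0.2.3", "eth0", "128.195.180.200")
LAN_IN = Packet("192.168.1.5", "208.0.2.3", "eth1", "192.168.1.1")
FWD_OUT = Packet("192.168.1.5", "208.0.2.3", "eth0", "128.195.180.200")
FWD_IN = Packet("208.0.2.3", "192.168.1.5", "eth1", "192.168.1.1")
ED_SPOOF = Packet("192.168.100.9", "192.168.100.1", "ppp0", "198.51.100.7")


def run_samples():
    joe, ed = parse_rules(JOE_RULES), parse_rules(ED_RULES)
    return {
        "joe_spoof_in": evaluate(joe, "I", SPOOF_IN),  # LAN address arriving from outside
        "joe_lan_in": evaluate(joe, "I", LAN_IN),      # same address on the real LAN interface
        "joe_fwd_out": evaluate(joe, "F", FWD_OUT),    # LAN host leaving through eth0
        "joe_fwd_in": evaluate(joe, "F", FWD_IN),      # outside host aiming at the LAN
        "ed_spoof_in": evaluate(ed, "I", ED_SPOOF),    # Ed has no input rules at all
    }


if __name__ == "__main__":
    for name, (verdict, logged) in run_samples().items():
        print(f"{name:13s} {verdict:6s} {'logged' if logged else ''}")
```

Running it shows the spoofed packet on Joe's outside interface hitting the logged deny, the same source on the LAN interface being accepted, a LAN host's packet out through eth0 getting masqueraded, an outside host trying to reach the LAN through the forwarding chain hitting the logged catch-all, and the same spoof against Ed's one-rule setup sailing through on the default accept policy. Swapping the assumed interface roles (eth0 as LAN) makes the forwarding sample land on the catch-all deny instead of `m`, which is a quick way to see why the interface named in the masquerade rule matters.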