# Trouble with IPFW+NAT



## zlx (Jan 9, 2010)

Hi all! I have a machine running FreeBSD 7.2, and I set up ipfw+nat on it. A few days ago I set up port forwarding from the internal network to the local network; before that, I discovered that it is impossible to close access to some ports. Here is my ipfw.sh:


```
#!/bin/sh


FwCMD="/sbin/ipfw -q"
LanIn="rl0"
LanOut="rl1"
IpIn="192.168.0.5"
IpOut="1.2.3.4"
NetMask="24"

local_1="192.168.0.6"
local_2="192.168.0.7"


${FwCMD} -f flush
${FwCMD} -f pipe flush
${FwCMD} -f queue flush


#${FwCMD} add check-state
${FwCMD} add allow ip from any to any via lo0

${FwCMD} add deny ip from any to 127.0.0.0/8
${FwCMD} add deny ip from 127.0.0.0/8 to any


# disable X-scan (tcpflags is a comma-separated list with no spaces)
${FwCMD} add reject tcp from any to any tcpflags fin,syn,rst,psh,ack,urg
# disable N-scan
${FwCMD} add reject tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg
# disable FIN-scan
${FwCMD} add reject tcp from any to any not established tcpflags fin
# disable IP-Spoof
${FwCMD} add reject log ip from any to any not verrevpath in
# limit simultaneous connections per source address
${FwCMD} add allow tcp from any to ${IpOut} 80 limit src-addr 15


${FwCMD} add deny ip from any to 192.168.0.0/16 in recv ${LanOut}
${FwCMD} add deny ip from 192.168.0.0/16 to any in recv ${LanOut}
${FwCMD} add deny ip from any to 172.16.0.0/12 in recv ${LanOut}
${FwCMD} add deny ip from 172.16.0.0/12 to any in recv ${LanOut}
${FwCMD} add deny ip from any to 10.0.0.0/8 in recv ${LanOut}
${FwCMD} add deny ip from 10.0.0.0/8 to any in recv ${LanOut}
${FwCMD} add deny ip from any to 169.254.0.0/16 in recv ${LanOut}
${FwCMD} add deny ip from 169.254.0.0/16 to any in recv ${LanOut}


# spammers
${FwCMD} add deny ip from 62.175.248.0/21 to any

# ICMP
${FwCMD} add deny icmp from any to any frag
${FwCMD} add allow icmp from any to any via ${LanIn}
${FwCMD} add allow icmp from any to ${IpOut} in via ${LanOut} icmptype 3,8,12
${FwCMD} add allow icmp from ${IpOut} to any out via ${LanOut} icmptype 0,3,4,11,12
${FwCMD} add allow icmp from ${IpOut} to any out via ${LanOut} frag


#server to network
${FwCMD} add allow tcp from any to any out via ${LanIn}
${FwCMD} add allow udp from any to any out via ${LanIn}


#dns
${FwCMD} add allow udp from any 53 to me in via ${LanOut}
${FwCMD} add allow udp from any 53 to me in via ${LanIn}

#ssh server
${FwCMD} add allow tcp from any to any 22 in via ${LanIn}
${FwCMD} add allow tcp from any to any 22 in via ${LanOut}

#web server
${FwCMD} add allow tcp from any to any 80 in via ${LanOut}
${FwCMD} add allow tcp from any to any 80 in via ${LanIn}

#ntp time
${FwCMD} add allow udp from any to any 123 via ${LanOut}
${FwCMD} add allow udp from any to any 123 via ${LanIn}


################################ NAT ############################

${FwCMD} nat 1 config log if ${LanOut} same_ports redirect_port tcp ${local_1}:3434 5001 redirect_port tcp ${local_2}:3434 5002
${FwCMD} add nat 1 ip from any to any via ${LanOut}

${FwCMD} nat 2 config log if ${LanIn} reset same_ports
${FwCMD} add nat 2 ip from any to any via ${LanIn}


##################################################################


${FwCMD} add deny log ip from any to any
```

If I delete the rule

```
${FwCMD} add allow tcp from any to any 80 in via ${LanOut}
```
traffic from the internal network all the same continues to go through?

My question is: how can I block access to TCP port 80 with my existing firewall rules?
Please, help...
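To make the rule-ordering question above concrete, here is an added example, not code from the thread: a small first-match simulator in Python for the subset of ipfw rule syntax the posted script uses (`<action> [log] <proto> from <src> to <dst> [<dport>] [in|out] [via <iface>]`). It is not ipfw itself; it only reproduces the rule that the first matching rule decides a packet's fate, assumes the default `net.inet.ip.fw.one_pass=1` (a matching `nat` rule accepts the packet), and uses constructed addresses for the test packets. The interface names `rl0`/`rl1` are those from the post. It traces a LAN client's request to an outside web server through the relevant posted rules, with and without the `in via rl1` rule, and with a deny placed after or before the LAN-side allow.

```python
# Added example: first-match simulator for a subset of ipfw rule syntax.
# Not ipfw and not the poster's script; assumes one_pass=1 so that 'nat'
# accepts.  Test packet addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination port
    direction: str  # "in" or "out", relative to the firewall host
    iface: str      # interface the packet is seen on


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    direction: Optional[str]
    iface: Optional[str]
    text: str


def parse_rule(text: str) -> Rule:
    """Parse one rule body (the part after 'ipfw add')."""
    toks = [t for t in text.split() if t != "log"]   # 'log' does not affect matching
    if toks[0] == "nat" and toks[1].isdigit():       # drop the nat instance number
        del toks[1]
    if toks[2] != "from" or toks[4] != "to":
        raise ValueError(f"unsupported rule: {text}")
    action, proto, src, dst = toks[0], toks[1], toks[3], toks[5]
    dport = direction = iface = None
    rest, i = toks[6:], 0
    while i < len(rest):
        tok = rest[i]
        if tok.isdigit():
            dport = int(tok)
        elif tok in ("in", "out"):
            direction = tok
        elif tok == "via":
            i += 1
            iface = rest[i]
        else:
            raise ValueError(f"unsupported token {tok!r} in rule: {text}")
        i += 1
    return Rule(action, proto, src, dst, dport, direction, iface, text)


def _addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every option present on the rule must match; absent options match anything."""
    return (rule.proto in ("ip", pkt.proto)
            and _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface))


def verdict(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """ipfw semantics: the first matching rule decides.  'nat' counts as accept
    (one_pass=1); if nothing matches, the default rule 65535 denies."""
    for rule in rules:
        if matches(rule, pkt):
            return ("allow" if rule.action == "nat" else rule.action), rule.text
    return "deny", "default rule 65535"


LAN_IF, WAN_IF = "rl0", "rl1"   # interface names from the posted script

# The posted rules that can see a LAN client's outbound web request, in order.
POSTED = [parse_rule(t) for t in (
    f"allow tcp from any to any 80 in via {WAN_IF}",   # the rule the poster deleted
    f"allow tcp from any to any 80 in via {LAN_IF}",   # web server rule, LAN side
    f"nat 2 ip from any to any via {LAN_IF}",
    "deny log ip from any to any",
)]

# Constructed packet: a LAN host opening a connection to an outside web server.
# It enters the firewall on the LAN interface, so it is "in" on rl0.
LAN_TO_WEB = Packet("tcp", "192.168.0.6", "198.51.100.10", 80, "in", LAN_IF)
BLOCK_LAN_80 = f"deny tcp from 192.168.0.0/24 to any 80 in via {LAN_IF}"


def deleted_wan_rule() -> Tuple[str, str]:
    """POSTED with the 'in via rl1' rule removed, as the poster tried."""
    return verdict([r for r in POSTED if r.iface != WAN_IF], LAN_TO_WEB)


def deny_after_allow() -> Tuple[str, str]:
    """A deny placed after the LAN-side allow is never reached for this packet."""
    return verdict(POSTED[:2] + [parse_rule(BLOCK_LAN_80)] + POSTED[2:], LAN_TO_WEB)


def deny_before_allow() -> Tuple[str, str]:
    """A deny placed ahead of the allow wins under first-match."""
    return verdict([parse_rule(BLOCK_LAN_80)] + POSTED, LAN_TO_WEB)


if __name__ == "__main__":
    for name, fn in (("posted", lambda: verdict(POSTED, LAN_TO_WEB)),
                     ("wan rule deleted", deleted_wan_rule),
                     ("deny after allow", deny_after_allow),
                     ("deny before allow", deny_before_allow)):
        action, text = fn()
        print(f"{name:18s} -> {action:5s} by: {text}")
```

The trace shows that the `in via rl1` rule only ever sees packets arriving from the outside, so deleting it cannot affect a LAN client whose packet arrives `in via rl0` and is accepted by the LAN-side port 80 rule; a deny only takes effect if it is numbered ahead of that allow. The same evaluation can be checked on the real host with `ipfw show` (rule counters) or the `log` option on the rule in question.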


----------



## hamedx (Jan 13, 2010)

My suggestion is: install squid, open the /usr/local/etc/squid/squid.conf file, locate your ACL section and add configuration directives as follows:


```
acl block_port port 80
http_access deny block_port
http_access allow all
```

and if you just want to exempt a particular IP (192.168.1.5), try the following:


```
acl block_port port 80
acl no_block_port_ip src 192.168.1.5
http_access deny block_port !no_block_port_ip
http_access allow all
```


----------

