# IPFW with NAT hangs



## jasonhirsh (Apr 22, 2010)

I have tried enabling IPFW with NAT support on a FreeBSD 7.0 (RC) server... when I reboot I am locked out and the help desk has to turn off the firewall.

Here is my config, and my thoughts.

rc.conf


```
defaultrouter="xx.xxx.184.1"
hostname=""
ifconfig_rl0="inet xx.xxx.xx.124  netmask 255.255.252.0"
ifconfig_rl0_alias0="inet yy.yyy.yy.yy netmask 255.0.0.0"
linux_enable="YES"
sshd_enable="YES"
webmin_enable="YES"
mysql_enable="YES"
apache22_enable="YES"
named_enable="YES"
clamsmtpd_enable="YES"
clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
clamav_milter_enable="YES"
#darwin_streaming_server_enable="YES"
#darwin_streaming_server_flags=""
#streamingadminserver_enable="YES"
#streamingadminserver_flags=""
amavis_milter_enable="YES"
amavisd_enable="YES"
clamav_clamd_enable="YES"
clamav_milter_enable="YES"
dovecot_enable="YES"
proftpd_enable="YES"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
openvpn_if="tun"
postgrey_enable="YES"
netatalk_enable="YES"
afpd_enable="YES"
mdnsresponder_enable="YES"
mdnsresponder_flags="-f /usr/local/etc/mDNSResponder.conf"
gateway_enable="YES"
firewall_enable="YES"
#firewall_type="open"
firewall_script="/usr/local/etc/ipfw.rules"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
```

natd.conf

```
interface rl0
use_sockets yes
same_ports yes
```


/usr/local/etc/openvpn/ipfw.rules


```
IPF="ipfw -q add
ipfw -q -f flush
ipfw nat 1 config if tun0


#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 55 allow all from any to any via tun0
$IPF 60 allow tcp from any to any established
$IPF 61 allow tcp from any to me dst-port 1194 setup
$IPF 62 allow udp from any to me dst-port 1194
$IPF 63 allow udp from me to any
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out

$IPF 162 allow tcp from any to any 2500 in
$IPF 164 allow tcp from any to any 2500 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out

$IPF 211 allow tcp from any to any 143 in
$IPF 212 allow tcp from any to any 143 out


$IPF 213 allow tcp from any to any 443 in
$IPF 214 allow tcp from any to any 443 out
$IPF 215 allow tcp from any to any 554 in
$IPF 216 allow udp from any to any 554 out

$IPF 220 allow tcp from any to any 993 in
$IPF 221 allow tcp from any to any 993 out

$IPF 222 allow tcp from any to any 995 in
$IPF 223 allow tcp from any to any 995 out


$IPF 230 allow udp from any to any 1194 in
$IPF 231 allow tcp from any to any 1194 in
$IPF 232 allow tcp from any to any 1194 out
$IPF 233 allow udp from any to any 1194 out
$IPF 300 allow tcp from any to any 9000 in
$IPF 310 allow tcp from any to any 9000 out

$IPF 400 allow tcp from any to any 8080 in
$IPF 401 allow tcp from any to any 8080 out

# deny and log everything
$IPF 500 deny log all from any to any
```


Any thoughts?


----------



## SirDice (Apr 22, 2010)

Rule 40 denies everything.


----------



## jasonhirsh (Apr 22, 2010)

*thanks*

oops


----------



## jasonhirsh (Apr 22, 2010)

OK, I deleted rule 40 and rebooted, and I was still denied.

Current ipfw.rules:


```
IPF="ipfw -q add
ipfw -q -f flush
ipfw nat 1 config if tun0


#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any

# stateful
$IPF 50 check-state
$IPF 55 allow all from any to any via tun0
$IPF 60 allow tcp from any to any established
$IPF 61 allow tcp from any to me dst-port 1194 setup
$IPF 62 allow udp from any to me dst-port 1194
$IPF 63 allow udp from me to any
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out

$IPF 162 allow tcp from any to any 2500 in
$IPF 164 allow tcp from any to any 2500 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out

$IPF 211 allow tcp from any to any 143 in
$IPF 212 allow tcp from any to any 143 out


$IPF 213 allow tcp from any to any 443 in
$IPF 214 allow tcp from any to any 443 out
$IPF 215 allow tcp from any to any 554 in
$IPF 216 allow udp from any to any 554 out

$IPF 220 allow tcp from any to any 993 in
$IPF 221 allow tcp from any to any 993 out

$IPF 222 allow tcp from any to any 995 in
$IPF 223 allow tcp from any to any 995 out


$IPF 230 allow udp from any to any 1194 in
$IPF 231 allow tcp from any to any 1194 in
$IPF 232 allow tcp from any to any 1194 out
$IPF 233 allow udp from any to any 1194 out
$IPF 300 allow tcp from any to any 9000 in
$IPF 310 allow tcp from any to any 9000 out

$IPF 400 allow tcp from any to any 8080 in
$IPF 401 allow tcp from any to any 8080 out

# deny and log everything
$IPF 500 deny log all from any to any
```


rc.conf remains the same.


----------



## phoenix (Apr 22, 2010)

You have no actual NAT rules, that send traffic to/from the NAT config.

You also don't specify interfaces in any of your rules.  Doing so will make things a lot cleaner/easier to read.  And it forces you to write rules for everything (1 rule for packet coming in on an interface, 1 rule for sending the packet to the nat config, 1 rule for sending the altered packet out an interface).


----------



## DutchDaemon (Apr 22, 2010)

@jasonhirsh, use [code] tags in the future.


----------



## jasonhirsh (Apr 23, 2010)

*IPFW Still Hangs System*

I appreciate the responses and I will strive to meet the format requirements.

I am aware I have no NAT rules, primarily since the IPFW rules were hanging the system every time I rebooted the system. Since I lease the server at a server center, this cost me several hundred dollars to debug.

In the end, the only way for me to get the system back up was to NOT use the custom rules expressed above and use the open configuration in /etc/firewall.rc

I appreciate the advice on composing the NAT rules, if I ever get that far.


----------



## varda (Apr 24, 2010)

```
ipfw add pass all from any to any 20-22,25,53,80,143,443,554,993,995,1194,2500,8080,9000
ipfw nat 1 config if IF_NAME
ipfw add nat 1 all from any to any via IF_NAME
```


----------



## jasonhirsh (Apr 25, 2010)

*Revelation*

I appreciate the help with the NAT rules...

Since I am using this server just as a gateway, do I want a static NAT?


After staring at the code, I found what was hanging the system.

In my ipfw.rules

I had


```
IPF="ipfw -q add
```

That should be


```
IPF="ipfw -q add"
```

The correct command never got invoked.
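The thread ends with the finding that one missing quote kept every rule from being installed, and the earlier replies point out that the script never hands packets to NAT instance 1. The script below is an added pre-flight check, not the poster's file and not part of the thread: it parses a rules file with `sh -n`, then dry-runs it with a stub `ipfw` placed first in PATH, so the exact list of rules that would be added, and whether any of them is a `nat` rule, is visible before the file is set as `firewall_script` and the machine is rebooted. The sample rules it constructs are a cut-down version of the poster's file using rl0 (the external interface from his rc.conf) and assumed rule numbers; the function names are mine, and the real `ipfw` is never executed.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight an ipfw rules script by
# parse-checking it and dry-running it against a stub ipfw(8). Nothing here
# touches the live firewall.

# Parse-check only: sh -n reads the script without running anything.
# Returns 0 when the shell accepts the syntax, non-zero otherwise.
fw_syntax_ok() {
    sh -n "$1" 2>/dev/null
}

# Dry run: put a stub "ipfw" first in PATH that only records its arguments,
# run the script under that PATH, and print one line per ipfw invocation.
fw_dry_run() {
    stubdir=$(mktemp -d) || return 1
    cat > "$stubdir/ipfw" <<'EOF'
#!/bin/sh
printf '%s\n' "$*"
EOF
    chmod +x "$stubdir/ipfw"
    status=0
    PATH="$stubdir:$PATH" sh "$1" 2>/dev/null || status=$?
    rm -rf "$stubdir"
    return $status
}

# How many "ipfw -q add ..." rules the script would install.
# A script that dies on a parse error installs none.
fw_rule_count() {
    fw_dry_run "$1" | grep -c '^-q add ' || true
}

# How many of those hand traffic to a NAT instance ("add N nat M ...").
fw_nat_rule_count() {
    fw_dry_run "$1" | grep -c '^-q add [0-9][0-9]* nat ' || true
}

# Constructed sample in the shape of the thread's script. "broken" reproduces
# the unterminated IPF= assignment; "fixed" closes the quote and adds the
# in-kernel NAT rule the replies asked for (rl0 and the rule numbers are
# assumptions for this example).
write_sample_rules() {
    if [ "$2" = broken ]; then
        printf '%s\n' 'IPF="ipfw -q add' > "$1"
    else
        printf '%s\n' 'IPF="ipfw -q add"' > "$1"
    fi
    cat >> "$1" <<'EOF'
ipfw -q -f flush
ipfw nat 1 config if rl0
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 100 nat 1 all from any to any via rl0
$IPF 110 check-state
$IPF 120 allow all from any to any out keep-state
$IPF 500 deny log all from any to any
EOF
}

# Usage: sh fwcheck.sh /usr/local/etc/ipfw.rules
if [ -n "${1:-}" ]; then
    if fw_syntax_ok "$1"; then
        echo "syntax ok: $(fw_rule_count "$1") rules, $(fw_nat_rule_count "$1") nat rules"
    else
        echo "parse error, no rule would be added:"
        sh -n "$1"
    fi
fi
```

Run it against the real file before pointing `firewall_script` at it. With the unterminated quote the shell aborts before executing the first command, so the flush and every `$IPF` line are skipped; since ipfw's built-in policy is deny unless the kernel was built with `IPFIREWALL_DEFAULT_TO_ACCEPT`, a script that adds no rules leaves only that default deny, which matches the lockout the thread describes. The sample uses in-kernel `ipfw nat` as in varda's reply; the divert-based natd started by `natd_enable` in the poster's rc.conf is not also needed once the ruleset carries the nat instance itself.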


----------



## jasonhirsh (Jan 10, 2011)

*Gave Up [SOLVED?]*

Ended up with a new server with 8.0; gave up on NAT.


----------

