# Question with IPFW



## goshanecr (Mar 13, 2010)

Hi friends!
Today I decided to organize my ipfw rules, and this is what I did:


*ipfw show*

Rules 50-55 are for connecting to the provider's PPTP server:

```
00050   834   27304 allow ip from me to 10.0.0.1 via nfe0 out
00055 11729 1024957 allow ip from 10.0.0.1 to me via nfe0 in
```

Rules 200-370 deny connections to unneeded ports and allow connections to the needed ones:

```
00100     0       0 check-state
00200     4     240 deny icmp from any to any in icmptypes 5,8,9,13,14,15,16,17
00300 11691  588087 deny tcp from any to me not dst-port 25,80,22222 in via ng0
00305     0       0 allow tcp from any to me dst-port 25,80,22222 in via ng0
00310     1      49 deny udp from any to me not dst-port 31194 in via ng0
00315     4    1639 allow udp from any to me dst-port 31194 in via ng0
00320     0       0 deny tcp from any to me not dst-port 53,80,22222 in via rl0
00325     0       0 allow tcp from any to me dst-port 53,80,22000 in via rl0
00330     0       0 deny udp from any to me not dst-port 53,123 in via rl0
00335     0       0 allow udp from any to me dst-port 53,123 in via rl0
00340     0       0 deny tcp from any to me not dst-port 53,80,22222 in via wlan0
00345     0       0 allow tcp from any to me dst-port 53,80,22222 in via wlan0
00350     0       0 deny udp from any to me not dst-port 53,123,31194 in via wlan0
00355     0       0 allow udp from any to me dst-port 53,123,31194 in via wlan0
00360     0       0 deny tcp from any to me not dst-port 53,80,22222 in via tun0
00370     0       0 deny udp from any to me not dst-port 123 in via tun0
```

In table 3 I have 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/24; those must not come in from the WAN to me:

```
00400     0       0 deny ip from table(3) to me in via ng0
```

I can do anything:

```
00500    10     810 allow ip from me to any keep-state
```

Clients listed in table 1 (192.168.1.0/24, 192.168.0.0/24) are forwarded to the transparent proxy:

```
00600     0       0 fwd 127.0.0.1,3128 ip from table(1) to not me dst-port 80,8080 via ng0 out
```

Unsuccessful rule for NAT for the clients from table 2:

```
00650     0       0 divert 8668 ip from table(2) to not me via ng0 out
```

Deny and log everything else:

```
50000   139   13004 deny log logamount 100 ip from any to any
```

Please help me set up the rules correctly so that my LAN clients can go to the internet with NAT.
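As an added illustration (not part of this thread), here is a small first-match evaluator over a subset of the rules posted above, tracing the two passes a forwarded LAN packet goes through. It assumes the box's own addresses, the contents of table 2 (192.168.1.0/24 and 192.168.0.0/24) and rl0 as the LAN interface; the allow rule numbered 450 is likewise an assumed candidate, not a rule from the post.

```python
import ipaddress
# Constructed assumptions (not stated in the thread): the box's own addresses,
# the contents of table 2, and rl0 as the LAN-facing interface.
ME = {"10.0.0.2", "192.168.1.1"}
TABLES = {2: ["192.168.1.0/24", "192.168.0.0/24"],
          3: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/24"]}
def addr_matches(spec, ip):
    """Model ipfw address specs: any, me, not me, table(N), CIDR (ports/protocols omitted)."""
    if spec.startswith("not "):
        return not addr_matches(spec[4:], ip)
    if spec == "any":
        return True
    if spec == "me":
        return ip in ME
    if spec.startswith("table("):
        nets = TABLES[int(spec[6:-1])]
        return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

# (number, action, src, dst, direction, interface); None means "any".
# Rules 400, 500, 650 and 50000 come from the listing above; 600 and the
# port-specific rules are left out because they would need protocol/port matching.
RULES = [
    (400,   "deny",   "table(3)", "me",     "in",  "ng0"),
    (500,   "allow",  "me",       "any",    None,  None),
    (650,   "divert", "table(2)", "not me", "out", "ng0"),
    (50000, "deny",   "any",      "any",    None,  None),
]

def first_match(rules, src, dst, direction, iface):
    """Return (number, action) of the first matching rule, in rule-number order."""
    for num, action, s, d, dirn, ifc in sorted(rules, key=lambda r: r[0]):
        if (dirn is None or dirn == direction) and (ifc is None or ifc == iface) \
                and addr_matches(s, src) and addr_matches(d, dst):
            return num, action
    return None

def trace_lan_client(rules, src="192.168.1.10", dst="8.8.8.8", lan="rl0", wan="ng0"):
    """A forwarded packet is checked twice: 'in via' the LAN, then 'out via' the WAN."""
    inbound = first_match(rules, src, dst, "in", lan)
    if inbound is None or inbound[1] == "deny":   # dropped on the first pass
        return {"in": inbound, "out": None}
    return {"in": inbound, "out": first_match(rules, src, dst, "out", wan)}

# Assumed candidate rule: admit table(2) hosts on the LAN side before rule 50000.
LAN_ALLOW = (450, "allow", "table(2)", "not me", "in", "rl0")

if __name__ == "__main__":
    print(trace_lan_client(RULES))                # {'in': (50000, 'deny'), 'out': None}
    print(trace_lan_client(RULES + [LAN_ALLOW]))  # {'in': (450, 'allow'), 'out': (650, 'divert')}
```

A LAN client's packet must pass the inbound check on the LAN interface before rule 650 is ever consulted on the outbound pass; with only addresses and interfaces modelled, the posted listing sends that first pass to rule 50000. natd also needs the replies diverted on the way in via ng0, which this model does not cover.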


----------



## aragon (Mar 13, 2010)

goshanecr said:

> Unsuccessful rule for NAT for the clients from table 2:
> 
> ```
> 00650     0       0 divert 8668 ip from table(2) to not me via ng0 out
> ```


Have you enabled natd(8) and is it running?


----------



## goshanecr (Mar 14, 2010)

Yes:

```
natd_enable="YES"
natd_flags="-n ng0"
gateway_enable="YES"
```
Maybe it is something with the sysctl variables?

```
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.link.ether.inet.max_age=1200
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0

kern.ipc.somaxconn=4096
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=32768
```
