# Problems with IPFW rules



## m1001101 (May 12, 2011)

Hi all, I'm not new to FreeBSD administration, but absolutely new to IPFW usage. My problem today is about my new gateway (and file server) machine with three NICs: em0 (to the Internet), em1 (to work) and em2 (to admin).

The goal is:
* em1 must reach the gateway's Samba shares, but not the Internet and not the admin network
* em2 must reach the gateway's Samba shares, the Internet and the work network.

Can anyone help?

Thanks! 

m1001101

P.S. Sorry for the bad language, and maybe for the text format; I'm using the links browser...


----------



## graudeejs (May 12, 2011)

ipfw(8)
and
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html


----------



## m1001101 (May 13, 2011)

Thanks, I've read these documents and enabled gateway functions, NAT and firewall type open. The problem is to block em1 from reaching the Internet (em0) and to enable Admin (em2) to browse the entire Work (em1) network.

Can anyone help?

Thanks


----------



## toxicd (May 13, 2011)

```
# Open SMB from the admin host to the work host: em2IP is the admin's IP,
# em1IP is the work host's IP, 445 is SMB over TCP.
# (These rules are in IPFilter ipf.conf syntax; ipfw uses a different grammar.)
pass in quick on em1 proto tcp from em2IP to em1IP port = 445 flags S keep frags keep state

# Block outgoing packets: machine --> network
block out on em1 all
# Block incoming packets: machine <-- network
block in log quick on em1 all
```

Regards
Tox


----------



## m1001101 (May 17, 2011)

toxicd said:

> ```
> # Open SMB from the admin host to the work host: em2IP is the admin's IP,
> # em1IP is the work host's IP, 445 is SMB over TCP.
> pass in quick on em1 proto tcp from em2IP to em1IP port = 445 flags S keep frags keep state
> ```
> ...



Thanks, I'll try it today...


----------



## m1001101 (Jun 8, 2011)

Unfortunately, I did not...

My net configuration is:

re0 = 192.168.10.85
em0 = 192.168.3.85
em1 = 192.168.5.85

...so I have written this ruleset with the help of the handbook:


```
cmd="ipfw -q add"      # -q: quiet (the original had -d, which only affects listing)
skip="skipto 500"
int=re0                # interface natd is bound to
ks="keep-state"

ipfw -q -f flush

# Blanket allows per interface. msk0 and re1 are not in the configuration
# listed above, so 002 and 005 never match; 003 and 004 accept every packet
# on em1 and em0 before any later rule on those interfaces is evaluated.
$cmd 002 allow all from any to any via msk0
$cmd 003 allow all from any to any via em1
$cmd 004 allow all from any to any via em0
$cmd 005 allow all from any to any via re1

# De-alias inbound packets on re0, then match existing dynamic rules
$cmd 100 divert natd ip from any to any in via $int
$cmd 190 check-state

# Outbound from either LAN: create state and jump to the NAT block
$cmd 200 $skip all from 192.168.5.0/24 to any out via $int $ks
$cmd 210 $skip all from 192.168.10.0/24 to any out via $int $ks

# Inbound on re0 addressed to the LANs (after natd has rewritten the destination)
$cmd 300 allow all from any to 192.168.5.0/24 in via $int $ks
$cmd 310 allow all from any to 192.168.10.0/24 in via $int $ks

$cmd 400 deny log ip from any to any

# NAT block: alias outbound packets on re0, then accept
$cmd 500 divert natd ip from any to any out via $int
$cmd 520 allow ip from any to any
```

I've tried adding a route on the client like this:

```
route add -net 192.168.3.0/24 192.168.5.85
```

but it doesn't work.

I also tried inserting these rules into the firewall ruleset:

```
# 192.168.3.0/24 replies arrive on em0 (192.168.3.85), not em1, and still carry
# the alias address as destination (the original had "to 192.168.5.0/24 in via em1").
# Rules 003/004 above match these packets first, and natd bound to re0 aliases to
# re0's address, so NAT toward em0 needs its own natd instance on another divert port.
$cmd 110 divert natd ip from 192.168.3.0/24 to any in via em0
$cmd 510 divert natd ip from 192.168.5.0/24 to 192.168.3.0/24 out via em0
```
but it does not work...

Can someone help?

thanks
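
An added example, written for this thread rather than taken from any post in it: a complete ipfw ruleset for the layout of the first post (em0 Internet, em1 work, em2 admin). The addressing is an assumption borrowed from the June post (192.168.5.0/24 for work, 192.168.10.0/24 for admin, the gateway at .85 on each), as are the use of natd on em0 and the rc.conf settings named in the comments. It demonstrates what the posted ruleset does not: the policy is enforced with `in via` rules on each LAN interface instead of an unconditional `allow all via` per interface (which accepts every packet before any later rule can see it), the work network simply has no rule that takes it out via em0, and state for the NATed flows is created on the `skipto` rule, so a `check-state` hit re-executes the skipto and reaches the NAT block.

```shell
#!/bin/sh
# Added example (not from the thread): stateful ipfw ruleset for the three-NIC
# gateway of the first post. Assumed layout (addresses borrowed from the June
# post; the .85 gateway addresses are an assumption):
#   em0 = Internet (natd runs here)
#   em1 = work  192.168.5.0/24,  gateway address 192.168.5.85
#   em2 = admin 192.168.10.0/24, gateway address 192.168.10.85
# Policy: work reaches only the gateway's SMB shares; admin reaches SMB, the
# work network and the Internet. ipfw stops at the first matching rule, so the
# order below is the policy. Run with no argument to print the rules; as root,
# run "sh ipfw.rules load" to apply them. rc.conf needs firewall_enable="YES",
# firewall_script, gateway_enable="YES", natd_enable="YES", natd_interface="em0".

wan=em0
work_if=em1;  work_net=192.168.5.0/24;   work_gw=192.168.5.85
admin_if=em2; admin_net=192.168.10.0/24; admin_gw=192.168.10.85

# Every rule passes through this wrapper so the ruleset can be reviewed offline.
rule() {
    if [ "$MODE" = load ]; then
        /sbin/ipfw -q add "$@"
    else
        echo "ipfw -q add $*"
    fi
}

ruleset() {
    if [ "$MODE" = load ]; then /sbin/ipfw -q -f flush; fi

    # Loopback, and nothing else may carry 127/8
    rule 10 allow ip from any to any via lo0
    rule 20 deny ip from any to 127.0.0.0/8
    rule 30 deny ip from 127.0.0.0/8 to any

    # De-alias inbound Internet packets before check-state sees them. natd
    # reinjects at the next rule. A check-state hit runs the action of the rule
    # that created the dynamic entry, so replies to flows opened by rule 500/510
    # go through skipto 1000 as well.
    rule 100 divert natd ip from any to any in via $wan
    rule 110 check-state

    # Work (em1): SMB, NetBIOS name service and ping to the gateway only.
    # Filtering on "in via em1" catches Internet-bound, admin-bound and spoofed
    # traffic alike; nothing arriving on em1 is ever forwarded.
    rule 200 allow tcp from $work_net to $work_gw 139,445 in via $work_if setup keep-state
    rule 210 allow udp from $work_net to $work_gw 137,138 in via $work_if keep-state
    rule 220 allow icmp from $work_net to $work_gw in via $work_if icmptypes 8 keep-state
    rule 290 deny log ip from any to any in via $work_if

    # Admin (em2): anything sourced from the admin net may enter; the rest is spoofed
    rule 300 allow ip from $admin_net to any in via $admin_if
    rule 390 deny log ip from any to any in via $admin_if

    # Forwarded admin -> work traffic leaves on em1; the state lets replies back
    # in through rule 110 even though rule 290 denies everything else from em1.
    rule 400 allow ip from $admin_net to $work_net out via $work_if keep-state
    # Gateway-originated traffic (including SMB replies to admin hosts) to both LANs
    rule 410 allow ip from me to $work_net out via $work_if keep-state
    rule 420 allow ip from me to $admin_net out via $admin_if keep-state

    # Internet (em0): only the admin net and the gateway itself are NATed out.
    # No rule sends $work_net out via em0, so the work network never reaches it.
    rule 500 skipto 1000 ip from $admin_net to any out via $wan keep-state
    rule 510 skipto 1000 ip from me to any out via $wan keep-state
    rule 590 deny log ip from any to any in via $wan

    # Anything not decided above is logged and dropped
    rule 900 deny log ip from any to any

    # NAT block: reached only through skipto 1000 and the matching check-state hits
    rule 1000 divert natd ip from any to any out via $wan
    rule 1010 allow ip from any to any
}

MODE=${1:-print}
ruleset
```

Print the rules first (`sh ipfw.rules`) and read them top to bottom as the packet would; then load them as root and watch `ipfw -d show` for the dynamic entries created by rules 200, 400 and 500. One caveat if natd is swapped for in-kernel `ipfw nat`: set `net.inet.ip.fw.one_pass=0`, because with the default of 1 the packet leaves the firewall right after translation and never reaches rule 110.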


----------

