# IPFW firewall and maybe ng0 problem



## cutter (Feb 25, 2012)

I need help with IPFW. I have a server freebsd FreeBSD 7.4 at home with BIND, Samba and Email services and 3 other workstations. The problem appeared when I moved from PPP to PPPoE and started using mpd5. I can't reach any web sites only from the server even not pinging the outside world, the local network remained without problem. My ipfw rules are as follows (only the relevant lines given):

```
!/bin/sh
ipfw="/sbin/ipfw"
ournet="192.168.1.0/24"                         # Our internal network
#       em0 - local network NIC 192.168.1.1
#       em1 - NIC 10.0.0.1 connecting to externel ADSL modem 10.0.0.138
#       ng0 - interface created by mpd5
#
$ipfw -f flush
#

$ipfw add deny tcp from $ournet to any 25 via any       # Prevent sending spam from periphery
$ipfw add allow all from me to any                      # Permit everithing outgoing from the server
$ipfw add divert natd all from any to any via ng0       # Divert internet connection to virtual servers
$ipfw add allow all from any to me via lo0              # Allow connection from localhost
$ipfw add allow all from any to me via em1              # Allow connection from modem NIC
$ipfw add allow all from any to me via em0              # Allow connection to server from local network


# Allow already established connections
$ipfw add allow all from any to any established         # Keep the existing connections

$ipfw add allow icmp from any to any icmptypes 0,3,4,8,11       # Allow pinging my server
$ipfw add allow all from $ournet to any via any         # Permit everything outgoing from the periphery
$ipfw add allow ip from any to any 53                   # Open port for  Domain information and resolution

$ipfw add drop all from any to me

The relevant portion from the rc.conf

firewall_enable="YES"
firewall_type="SIMPLE"
firewall_script="/root/fw-rules"
firewall_quiet="NO"
firewall_flags=""
```
The kernel is compiled with all the necessary options. When pinging any outside domain name from the server, it just gets stuck, but pinging it with its IP number gets a response. When I comment the last line all the server services are wide open to the rest of the world, as checked with nmap from an external server, and of course the problem disappears. Any help and suggestions with the firewall is welcomed and will be appreciated. Thank you in advance.
Cutter


----------



## cutter (Feb 27, 2012)

I found the problem. The fact that pinging a domain name didn't respond, but IP number did, directed me to look for the bind port 53. So I added the following line:
`# ipfw add allow all from any 53 to any via any`

and all the problems disappeared.

Thanks for bothering you.


----------



## Ajira (Feb 27, 2012)

You say you have two network interfaces: 

em0, which is connected your internal network.
em1, which is connected to your internet connection (via the modem).
Why in Bob's name are you using a netgraph interface for your network address translation ?The way I see it, the correct way to get your local network to communicate with the internet is to use em1 as your natd interface; In which case your firewall rule would be:
[CMD=""]ipfw divert natd ip from any to any in via em1[/CMD]

Also, there's no sense in diverting traffic to the natd daemon if it's not running. So in your /etc/rc.conf, you should add:


```
natd_enable="YES"
natd_interface="em1"
```

And then start the daemon with:
[CMD=""]/etc/rc.d/natd start[/CMD]

That should help you get started. And always remember to KISS :f (Keep It Safe & Simple )


----------



## cutter (Feb 28, 2012)

Thanks Ajira for your help.

What you suggest was tried several years ago with tun adapter and the only way it worked is the way it is now. Anyway, I tried it again for for Nth time today, with several variations and it doesn't work. Of course, NAT stuff is configured accordingly (I didn't show it previously). The only way I've succeeded is that way:


```
ipfw divert natd ip from any to any via ng0
```

Thanks again.
Cutter


----------



## RusDyr (Feb 28, 2012)

```
$ipfw add allow all from any to any established         # Keep the existing connections
```
This rule seems to be totally useless since you doesn't have any dynamic rules (no keep-state/check-state/setup/limit modifiers).


```
$ipfw add drop all from any to me
```
If you haven't got other interfaces than em0 and em1, it's also useless - you have done "allowed from any to me" via interfaces before.

P.S. Just for information - you can use "//" syntax for adding comment directly after rule, so that they will be viewed on `# ipfw show` output.


----------



## cutter (Feb 28, 2012)

You are absolutely right. The working version does issue check-state. As far as the later directive - I do have another adapter --> ng0. Without this last line the server is open to the outside - checked and rechecked with nmap. So I need it.

Thank you.


----------



## RusDyr (Feb 29, 2012)

Glad to hear it.

P.S. There is "Thanks" button on message.


----------

