---

Jeg var ude for at sætte en FreeBSD kasse op ved nogen der skulle have sig
en lille firewall med noget nat etc.
Men men, af en eller anden mystisk årsag jeg ikke kan gennemskue så er der
et problem med at deres 192.168.200.0/24 net er fantahalastisk langsomt,
pop3 osv kan ikke engang komme igennem.
Lidt om setup'et :
FreeBSD 4.4 med ipfw hvor den router mellem de 3com 905C interfaces
(reglerne er længere nede..)
På LAN siden af FreeBSD maskinen er der 2 ip net, henholdsvis
192.168.20.0/24 og 192.168.200.0/24. Internettet kører perfekt på 20 nettet
men af en eller anden mystisk grund så kører det fint på det andet net,
angiveligt skulle det køre helt efter hensigten hvis man flusher alle
reglerne, så jeg står lidt meget på bar bund her :(
(Der var umiddelbart nogle static routes til der pegede noget trafik fra een
maskine over på en Cisco ISDN router til en anden afdelingen der af failede
da den router var gået i knæ den dag men det burde da vel ikke have
indflydelse på resten?!)

/Dennis


#Vi starter NATD for at faa ip igennem fra internettet
/sbin/natd -interface xl1 -redirect_port udp 192.168.20.25:5631
5631 -redirect_port tcp 192.168.20.25:5631 5631 -redirect_port tcp
192.168.20.25:5632 5632 -redirect_port udp 192.168.20.25:5632
5632 -redirect_port tcp 192.168.20.14:6669 6669 -redirect_port udp
192.168.20.14:6669 6669 -redirect_port tcp 192.168.20.12:20
20 -redirect_port tcp 192.168.20.14:21 21 -redirect_port udp
192.168.20.241:5641 5641 -redirect_port tcp 192.168.20.241:5641
5641 -redirect_port tcp 192.168.20.241:5642 5642 -redirect_port udp
192.168.20.241:5642 5642

#Saa sletter vi de regler som allerede er
/sbin/ipfw -f flush

fwcmd="/sbin/ipfw"


inet="192.168.20.0"
inet2="192.168.200.2"
imask="255.255.255.0"
iip="192.168.1.1"

#Tillad trafik fra denne maskine og nettet
$fwcmd add 100 skipto 1000 all from me to any
$fwcmd add 001 pass all from 192.168.20.22:255.255.255.0 to ${inet}:${imask}
$fwcmd add 002 pass all from ${inet}:${imask} to 192.168.20.22:255.255.255.0
$fwcmd add 003 pass all from 192.168.1.0:255.255.255.0 to 192.168.1.22
$fwcmd add 110 skipto 1000 all from 192.168.20.22 to ${inet2}:${imask}
$fwcmd add 111 skipto 1000 all from ${inet2}:${imask} to 192.168.20.22

#Hvis der er en forbindelse maa denne bruges
$fwcmd add 200 skipto 1000 tcp from any to any established

#Tillader forbindelse paa de specificerede porte

#telnet
$fwcmd add 300 skipto 1000 tcp from ${inet}:${imask} to any 23 setup
$fwcmd add 301 skipto 1000 tcp from ${inet2}:${imask} to any 23 setup

#dns
$fwcmd add 310 skipto 1000 tcp from ${inet}:${imask} to any 53 setup
$fwcmd add 311 skipto 1000 tcp from ${inet2}:${imask} to any 53 setup

$fwcmd add 320 skipto 1000 udp from any 53 to any
$fwcmd add 330 skipto 1000 udp from any to any 53

#http
$fwcmd add 340 skipto 1000 tcp from ${inet}:${imask} to any 80 setup
$fwcmd add 341 skipto 1000 tcp from ${inet2}:${imask} to any 80 setup

#smtp
$fwcmd add 350 skipto 1000 tcp from ${inet}:${imask} to any 25 setup
$fwcmd add 351 skipto 1000 tcp from ${inet2}:${imask} to any 25 setup

#pop3
$fwcmd add 352 skipto 1000 tcp from ${inet}:${imask} to any 110 setup
$fwcmd add 353 skipto 1000 tcp from ${inet2}:${imask} to any 110 setup

#ftp
$fwcmd add 354 skipto 1000 tcp from any 20 to any 30000-63000 setup
$fwcmd add 355 skipto 1000 tcp from any 20 to any 1024-4096 setup
$fwcmd add 356 skipto 1000 tcp from ${inet}:${imask} to any 20 setup
$fwcmd add 357 skipto 1000 tcp from ${inet}:${imask} to any 21 setup
$fwcmd add 358 skipto 1000 tcp from ${inet2}:${imask} to any 20 setup
$fwcmd add 359 skipto 1000 tcp from ${inet2}:${imask} to any 21 setup

#ftp indgaaende
$fwcmd add 360 skipto 1000 tcp from any 30000-63000 to 192.168.20.14 20
setup
$fwcmd add 361 skipto 1000 tcp from any 1024-4096 to 192.168.20.14 20 setup
$fwcmd add 362 skipto 1000 tcp from any 20 to 192.168.20.14 20 setup
$fwcmd add 363 skipto 1000 tcp from any 20 to 192.168.20.14 20 setup

$fwcmd add 364 skipto 1000 tcp from any 21 to 192.168.20.14 21 setup

#nttp
$fwcmd add 370 skipto 1000 tcp from ${inet}:${imask} to any 119 setup
$fwcmd add 371 skipto 1000 tcp from ${inet2}:${imask} to any 119 setup
$fwcmd add 372 skipto 1000 udp from any to any 119
$fwcmd add 373 skipto 1000 udp from any 119 to any


#https
$fwcmd add 380 skipto 1000 tcp from ${inet}:${imask} to any 443 setup
$fwcmd add 381 skipto 1000 tcp from ${inet2}:${imask} to any 443 setup
$fwcmd add 382 skipto 1000 udp from any to any 443
$fwcmd add 383 skipto 1000 udp from any 443 to any

#pcanywhere
$fwcmd add 400 skipto 1000 tcp from ${inet}:${imask} to any 5631 setup
$fwcmd add 410 skipto 1000 tcp from ${inet2}:${imask} to any 5632 setup
$fwcmd add 420 skipto 1000 udp from ${inet}:${imask} to any 5631
$fwcmd add 430 skipto 1000 udp from ${inet2}:${imask} to any 5632

$fwcmd add 440 skipto 1000 tcp from any to 192.168.20.25 5631 setup
$fwcmd add 450 skipto 1000 tcp from any to 192.168.20.25 5632 setup
$fwcmd add 460 skipto 1000 udp from any to 192.168.20.25 5631
$fwcmd add 470 skipto 1000 udp from any to 192.168.20.25 5631
$fwcmd add 480 skipto 1000 tcp from any to 192.168.20.241 5641 setup
$fwcmd add 490 skipto 1000 tcp from any to 192.168.20.241 5642 setup
$fwcmd add 500 skipto 1000 udp from any to 192.168.20.241 5641
$fwcmd add 510 skipto 1000 udp from any to 192.168.20.241 5642

#traadloes terminal
$fwcmd add 520 skipto 1000 tcp from any to 192.168.20.14 6669 setup
$fwcmd add 530 skipto 1000 udp from any to 192.168.20.14 6669

#icmp
$fwcmd add 500 skipto 1000 icmp from any to any

#Stop alt som ikke er skippet til regel 1000
$fwcmd add 900 deny all from any to any

#NAT det som er tilladt af tidligere regler.
$fwcmd add 1000 divert natd all from any to any via xl1
$fwcmd add 1100 pass all from any to any