alifeinhifi (Cadet, joined Jul 27, 2014, 2 messages)
Fair warning - I'm a noob with freenas. I'm trying to set up ipfw in a jail to block all traffic except to a VPN that has already been set up and is working properly. I've read up on ipfw, but clearly I'm doing something wrong. Was using this post as my original guide http://forums.freenas.org/index.php...-a-jail-so-it-only-connects-to-the-vpn.18669/ . Any help you could offer would be much appreciated!
These rules should be for my DNS, but starting ipfw and trying to ping anything results in hostname lookup failure. I got these IPs from my VPN.
Code:
add 01000 allow log udp from 192.168.1.0/24 to 184.75.220.106 dst-port 53 keep-state
add 01002 allow log udp from 192.168.1.0/24 to 89.248.172.121 dst-port 53 keep-state
This line should be to enable traffic on my local network, but this doesn't work either - my remote services connecting to the jail disconnect immediately.
Code:
add 01004 allow ip from 192.168.1.0/24 to 196.168.1.0/24 keep-state
The IPs I want to allow communication with - xxx.xxx.xxx.xxx is filled in with values from my openvpn.conf. I have no idea if this is working or not yet, as I haven't gotten past the first two problems.
Code:
add 02000 allow ip from 192.168.1.0/24 to xxx.xxx.xxx.xxx keep-state
add 02004 allow ip from 192.168.1.0/24 to xxx.xxx.xxx.xxx keep-state
add 02008 allow ip from 192.168.1.0/24 to xxx.xxx.xxx.xxx keep-state
add 02012 allow ip from 192.168.1.0/24 to xxx.xxx.xxx.xxx keep-state
And finally, deny everything else:
Code:
add 65534 deny ip from any to any
I assume I'm correct in using 192.168.1.0/24 - my subnet mask is 255.255.255.0 (which my research tells me is why I use the '0/24') and the IP range is 192.168.1.2 to 192.168.1.254.
What totally obvious thing am I missing? Thanks!
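A sanity check of the kind a reviewer would run over a default-deny jail ruleset like the one above, added here as an example (it is not code from the post, from FreeNAS or from ipfw): it parses the ipfw `add` lines, flags any allow whose source is outside the jail's LAN or whose destination is a network other than the LAN itself, and confirms that the catch-all deny exists and carries the highest rule number. The LAN prefix and the single placeholder VPN host standing in for the xxx.xxx.xxx.xxx lines are assumptions.

```python
import ipaddress
import re
# Constructed copy of the poster's ruleset (one rule per line; xxx lines -> one placeholder host).
RULESET = """\
add 01000 allow log udp from 192.168.1.0/24 to 184.75.220.106 dst-port 53 keep-state
add 01002 allow log udp from 192.168.1.0/24 to 89.248.172.121 dst-port 53 keep-state
add 01004 allow ip from 192.168.1.0/24 to 196.168.1.0/24 keep-state
add 02000 allow ip from 192.168.1.0/24 to 203.0.113.10 keep-state
add 65534 deny ip from any to any
"""
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed: the jail's LAN
RULE_RE = re.compile(
    r"^add\s+(\d+)\s+(allow|deny)\s+(?:log\s+)?(\S+)\s+from\s+(\S+)\s+to\s+(\S+)")

def parse_rules(text):
    """Return (number, action, proto, src, dst) for every 'add' line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        num, action, proto, src, dst = m.groups()
        rules.append((int(num), action, proto, src, dst))
    return rules

def lint_ruleset(text, lan=LAN):
    """Return (rule number, message) findings for a default-deny jail ruleset."""
    findings = []
    rules = parse_rules(text)
    for num, action, proto, src, dst in rules:
        if action != "allow":
            continue
        # Every allow should originate from the jail's own LAN.
        if src == "any" or not ipaddress.ip_network(src, strict=False).subnet_of(lan):
            findings.append((num, "source %s is not inside %s" % (src, lan)))
        # Only the LAN itself belongs as a network-sized destination; resolvers
        # and VPN peers are single hosts, so any other network is a likely typo.
        if dst != "any":
            net = ipaddress.ip_network(dst, strict=False)
            if net.prefixlen < 32 and net != lan:
                findings.append((num, "destination network %s is not %s" % (dst, lan)))
    # The catch-all deny must exist and must carry the highest rule number.
    last = max(rules, key=lambda r: r[0]) if rules else None
    if last is None or last[1:] != ("deny", "ip", "any", "any"):
        findings.append((0, "missing final 'deny ip from any to any'"))
    return findings
```

Run it against the real rule file before loading it with ipfw; every finding names the rule number to look at.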