From owner-freebsd-questions Thu Jun 6 10:21:38 2002
Date: Thu, 6 Jun 2002 13:21:28 -0400
From: Rob Ellis
To: freebsd-questions@FreeBSD.ORG
Subject: ipfw: 'out via fxp0' rules don't work
Message-ID: <20020606172128.GH18966@web.ca>

I have the following rules, on a box with 4 interfaces, that are intended to allow outbound connections...

    ipfw add allow udp from any to any out xmit fxp0 keep-state
    ipfw add allow tcp from any to any out xmit fxp0 setup keep-state

But this doesn't work as I thought it would. For instance, 'in via xl0' packets are still being blocked. I also tried

    ipfw add allow udp from any to any out recv xl0 xmit fxp0 keep-state
    ipfw add allow tcp from any to any out recv xl0 xmit fxp0 setup keep-state

which also didn't work. The packets I want to allow are indeed coming in via xl0 and out via fxp0, but the error is always like:

> Jun 6 12:46:30 myname /kernel: ipfw: 22901 Deny TCP xxx.xxx.xxx.xxx:3325 yyy.yyy.yyy.yyy:80 in via xl0

A rule like

    ipfw add allow tcp from xxx.xxx.xxx.0/24 to any 80 setup keep-state

does work, but I want to firewall off the internal networks from each other, and I didn't want to get into any more skipto rules...

In short, interface-based in/out rules don't seem to work. Anyone have any ideas? Am I just not understanding how the interface-based rules are supposed to work?
The firewall box is running 4.5-RELEASE-p4.

Thanks.

- rob
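An added illustration, not part of the post above or of any reply on the list: a small Python model of why a rule qualified with 'out xmit fxp0' never sees the packet that gets denied. ipfw runs a forwarded packet through the ruleset twice, once on the input path ("in", where only the receiving interface is known, so 'xmit' can never match) and once on the output path ("out", where both the recv and xmit interfaces are known), walking the rules in number order each time. A deny reached on the first pass ends processing before the second pass happens, which is what the "in via xl0" in the logged line says. The rule numbers 900 to 1100, the addresses, and the catch-all 'deny ip from any to any' at 22901 are constructed assumptions (the post only shows that rule 22901 logged the deny); the stateful 'in recv xl0 ... keep-state' plus 'check-state' ruleset is one way of letting the packet through the inbound pass, offered here as an example and not proposed by the post or a reply.

```python
"""
Toy model of ipfw (FreeBSD 4.x, ipfw1) evaluating a *forwarded* packet on a
multi-homed host.  Not the kernel's code; rule numbers, addresses and the
catch-all deny at 22901 are constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for a TCP "setup" packet (SYN without ACK)


@dataclass
class Rule:
    num: int
    action: str                      # "allow", "deny" or "check-state"
    proto: str = "ip"                # "ip" matches any protocol
    direction: Optional[str] = None  # "in", "out" or None (either)
    recv: Optional[str] = None       # 'recv <iface>' qualifier
    xmit: Optional[str] = None       # 'xmit <iface>' qualifier
    setup: bool = False              # 'setup': only TCP SYN packets match
    keep_state: bool = False         # 'keep-state'


def flow_key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(p):
    # A dynamic rule matches the reply direction of the same flow as well.
    return (p.proto, p.dst, p.dport, p.src, p.sport)


def static_match(r, p, direction, recv_if, xmit_if):
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if r.direction and r.direction != direction:
        return False
    if r.recv and r.recv != recv_if:
        return False
    if r.xmit and r.xmit != xmit_if:   # xmit_if is None on the input pass
        return False
    if r.setup and not (p.proto == "tcp" and p.syn):
        return False
    return True


def one_pass(rules, state, p, direction, recv_if, xmit_if):
    """Walk the ruleset once in number order; returns (verdict, rule number)."""
    for r in rules:
        # Dynamic rules are consulted at 'check-state' and at any keep-state rule.
        if r.action == "check-state" or r.keep_state:
            if flow_key(p) in state or reverse_key(p) in state:
                return "allow", r.num
        if r.action == "check-state":
            continue
        if static_match(r, p, direction, recv_if, xmit_if):
            if r.keep_state:
                state.add(flow_key(p))   # create the dynamic rule
            return r.action, r.num
    return "deny", 65535                 # ipfw's implicit default rule


def forward(rules, state, p, recv_if, xmit_if):
    """Both passes for a forwarded packet: returns (verdict, rule, 'in via xl0'-style place)."""
    verdict, num = one_pass(rules, state, p, "in", recv_if, None)
    if verdict != "allow":
        return verdict, num, f"in via {recv_if}"
    verdict, num = one_pass(rules, state, p, "out", recv_if, xmit_if)
    return verdict, num, f"out via {xmit_if}"


def log_line(verdict, num, p, where):
    """Format a verdict the way the kernel's ipfw log line in the post reads."""
    return (f"ipfw: {num} {verdict.capitalize()} {p.proto.upper()} "
            f"{p.src}:{p.sport} {p.dst}:{p.dport} {where}")


# Ruleset shaped like the one in the post: outbound-only matches plus a deny.
RULES_AS_POSTED = [
    Rule(1000, "allow", "udp", direction="out", xmit="fxp0", keep_state=True),
    Rule(1100, "allow", "tcp", direction="out", xmit="fxp0", setup=True, keep_state=True),
    Rule(22901, "deny"),                 # assumed: 'deny log ip from any to any'
]

# Constructed alternative: admit the flow on the input pass and let the
# dynamic rule carry it through the output pass and the replies on fxp0.
RULES_STATEFUL = [
    Rule(900, "check-state"),
    Rule(1000, "allow", "udp", direction="in", recv="xl0", keep_state=True),
    Rule(1100, "allow", "tcp", direction="in", recv="xl0", setup=True, keep_state=True),
    Rule(22901, "deny"),
]

if __name__ == "__main__":
    syn = Packet("tcp", "192.0.2.10", 3325, "198.51.100.20", 80, syn=True)   # constructed
    v, n, where = forward(RULES_AS_POSTED, set(), syn, "xl0", "fxp0")
    print(log_line(v, n, syn, where))
    st = set()
    print(forward(RULES_STATEFUL, st, syn, "xl0", "fxp0"))
    synack = Packet("tcp", "198.51.100.20", 80, "192.0.2.10", 3325)
    print(forward(RULES_STATEFUL, st, synack, "fxp0", "xl0"))
```

The model deliberately leaves aside the other point in the post, keeping the internal networks apart from each other: a rule that allows 'from any to any in recv xl0' also admits traffic headed for another internal interface on the output pass, so that case still needs destination qualifiers or earlier deny rules.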