Date: Thu, 3 Jul 2003 17:07:54 +0800
From: "Ping-Da" <edwardc@seed.net.tw>
To: <freebsd-ipfw@freebsd.org>
Subject: A problem with ipfw/ipfw2
Message-ID: <005201c34142$971b6db0$c801a8c0@edwardc>
Hi All,

I met a problem recently using ipfw with the following ruleset:

%ipfw show
00100  418  46912 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
01000    1     60 skipto 65000 log tcp from any to any dst-port 80 MAC any 00:d0:59:b5:79:97
60000    8    420 fwd 192.168.1.223,8080 log tcp from any to any dst-port 80
65000 6462 359402 allow ip from any to any
65535    7    603 deny ip from any to any

Here's my ipfw ruleset. These rules are set on a NAT box, where I redirect any port request to a dedicated proxy for transproxy, and that is fine. But I want some PCs with a certain MAC address to be able to bypass the forward setting, so I added rule #1000, but it doesn't work. Here's the log in /var/log/security:

Jul 3 15:54:49 lavender /kernel: ipfw: 1000 SkipTo 65000 TCP 192.168.1.210:1036 195.40.122.44:80 in via de0
Jul 3 15:54:49 lavender /kernel: ipfw: 60000 Forward to 192.168.1.223:8080 TCP 192.168.1.210:1036 195.40.122.44:80 in via de0

It seems rule #1000 has been executed, but I have no idea why rule #60000 will be executed when the packet is skipto 65000? I guess that could be caused by the difference between an "IP" packet and a "TCP" packet, but I don't have a clue how to solve this problem. Can anyone give me a hint?

Thanks.

Regards,
Edward
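As an added illustration (not part of the mail above, and not ipfw's own code), the following Python model applies ipfw's first-match evaluation with skipto semantics to the poster's ruleset. It shows the path a packet is expected to take (a matching MAC should reach rule 1000, jump to 65000 and be allowed without touching 60000); it does not reproduce or explain the double hit seen in the log. Matching is reduced to the fields the ruleset actually uses (protocol, dst-port, source MAC); the lo0 and 127.0.0.0/8 rules are omitted because they never match the LAN packet traced here, and the packet dictionaries are constructed sample input.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass
class Rule:
    num: int
    action: str                    # "allow", "deny", "skipto" or "fwd"
    target: Optional[str]          # skipto rule number or fwd destination
    proto: str                     # "ip" matches everything, else exact protocol
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None  # "MAC any <addr>" = any dst MAC, this src MAC

# The poster's ruleset, transcribed from the mail (loopback rules omitted).
RULES = [
    Rule(1000, "skipto", "65000", "tcp", dst_port=80, src_mac="00:d0:59:b5:79:97"),
    Rule(60000, "fwd", "192.168.1.223,8080", "tcp", dst_port=80),
    Rule(65000, "allow", None, "ip"),
    Rule(65535, "deny", None, "ip"),
]

def matches(rule: Rule, pkt: dict) -> bool:
    """Reduced ipfw match: protocol, destination port and source MAC only."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.get("dst_port"):
        return False
    if rule.src_mac is not None and rule.src_mac != pkt.get("src_mac"):
        return False
    return True

def evaluate(rules: List[Rule], pkt: dict) -> Tuple[List[int], str]:
    """Walk the ruleset in order; return (rule numbers that fired, final action).

    skipto resumes at the first rule whose number is >= the target, exactly
    once per packet pass; allow/deny/fwd terminate the walk.
    """
    trace = []
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
            continue
        trace.append(r.num)
        if r.action == "skipto":
            target = int(r.target)
            i = next(j for j, x in enumerate(rules) if x.num >= target)
            continue
        return trace, r.action
    return trace, "deny"  # implicit default deny if nothing terminal matched

if __name__ == "__main__":
    bypass = {"proto": "tcp", "dst_port": 80, "src_mac": "00:d0:59:b5:79:97"}
    other = {"proto": "tcp", "dst_port": 80, "src_mac": "00:11:22:33:44:55"}
    print(evaluate(RULES, bypass))  # expected ([1000, 65000], 'allow')
    print(evaluate(RULES, other))   # expected ([60000], 'fwd')
```

Comparing this expected trace with the kernel log is a quick way to confirm that, on one pass through the firewall, rule 60000 should never be reached after a skipto 65000.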