Date:      Fri, 12 Oct 2001 20:54:42 -0700
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Jonas Sonntag <js@jonsonn.de>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: IPFW question
Message-ID:  <20011012205442.F6274@blossom.cjclark.org>
In-Reply-To: <KIEEILJCLAIJNFGECHJOAEEICCAA.js@jonsonn.de>; from js@jonsonn.de on Fri, Oct 12, 2001 at 10:03:07PM +0200
References:  <20011009034032.K350@blossom.cjclark.org> <KIEEILJCLAIJNFGECHJOAEEICCAA.js@jonsonn.de>

On Fri, Oct 12, 2001 at 10:03:07PM +0200, Jonas Sonntag wrote:

[snip]

> only my lan is (again) disconnected from the net.
> here are the rules:
> 
> fwcmd="/sbin/ipfw"
> $fwcmd -f flush
> 
> #lan
> $fwcmd add divert natd all from any to any via rl0
> $fwcmd add allow all from any to any via lo0
> $fwcmd add allow all from any to any via xl0
> 
> # inet
> $fwcmd add allow all from me to any via rl0
> $fwcmd add allow tcp from any to me established via rl0

Say you try to HTTP to some remote machine. Your packets will get out
fine. The response comes back. It goes through the first rule and the
destination IP (and possibly port) is rewritten to the internal
address. The packet will not match the above rule, since the
destination is a machine on your internal net and not the gateway. The
packets fall through and get dropped at the last rule. You should be
seeing this in your logs. You may wish to try to add,

  $fwcmd add allow tcp from any to <internal_net> established via rl0

Or to use dynamic rules rather than 'established.'

> $fwcmd add allow tcp from any to me 21 setup via rl0
> $fwcmd add allow tcp from any to me 22 setup via rl0
> $fwcmd add allow tcp from any to me 80 setup via rl0
> $fwcmd add allow udp from 213.196.65.2 53 to me
> $fwcmd add allow udp from 213.196.64.2 53 to me
> $fwcmd add allow icmp from any to any
> $fwcmd add deny log ip from any to any
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
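
The fall-through Crist describes can be replayed with a small model of ipfw first-match evaluation and natd reinjection. This is an added example, not code from the original thread or from FreeBSD; the addresses (192.0.2.1 for the gateway on rl0, 10.0.0.0/24 behind xl0, 198.51.100.10 as the web server) are assumed, natd is simplified to keep the source port unchanged, and the poster's ruleset is reduced to the rules that matter for an HTTP reply. It runs the poster's rules and then the same rules with the suggested `allow tcp from any to <internal_net> established via rl0` inserted after the `to me established` rule.

```python
"""Toy model of ipfw first-match evaluation with a 'divert natd' rule.

Constructed example: replays an outbound HTTP SYN and its inbound SYN/ACK
against the ruleset quoted in the thread, showing that after natd rewrites
the reply's destination to the LAN host, no 'to me' rule can match it.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# All addresses below are assumptions for the example, not from the post.
GATEWAY = ip_address("192.0.2.1")          # gateway's address on rl0
INTERNAL_NET = ip_network("10.0.0.0/24")   # LAN behind xl0
CLIENT = ip_address("10.0.0.7")            # LAN host browsing the web
REMOTE = ip_address("198.51.100.10")       # remote web server


@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    iface: str              # interface being crossed: "rl0", "xl0", "lo0"
    direction: str          # "in" or "out" relative to that interface
    ack: bool = False       # TCP ACK set; 'established' is modelled as ACK only


@dataclass
class Rule:
    action: str                 # "allow", "deny" or "divert"
    proto: str = "all"
    src: str = "any"            # "any", "me" or a CIDR string
    dst: str = "any"
    dport: Optional[int] = None
    via: Optional[str] = None
    established: bool = False   # only TCP segments with ACK set
    setup: bool = False         # only TCP segments without ACK (SYN)


def addr_matches(spec: str, addr: IPv4Address) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr == GATEWAY
    return addr in ip_network(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    if rule.setup and not (pkt.proto == "tcp" and not pkt.ack):
        return False
    return True


# natd state: (remote addr, remote port, translated port) -> (LAN addr, LAN port)
NAT_TABLE: dict = {}


def natd(pkt: Packet) -> Packet:
    """Masquerade outbound LAN packets; un-translate matching inbound replies."""
    if pkt.direction == "out" and pkt.src in INTERNAL_NET:
        NAT_TABLE[(pkt.dst, pkt.dport, pkt.sport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=GATEWAY)      # source port kept as-is for simplicity
    if pkt.direction == "in" and (pkt.src, pkt.sport, pkt.dport) in NAT_TABLE:
        lan_addr, lan_port = NAT_TABLE[(pkt.src, pkt.sport, pkt.dport)]
        return replace(pkt, dst=lan_addr, dport=lan_port)   # now addressed to the LAN host
    return pkt


def evaluate(rules, pkt: Packet):
    """First match wins. A matching divert hands the packet to natd, which
    reinjects it at the NEXT rule, so later rules see the rewritten addresses."""
    for idx, rule in enumerate(rules):
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt)
            continue
        return rule.action, idx, pkt
    return "deny", len(rules), pkt            # ipfw's implicit default


POSTER_RULES = [
    Rule("divert", via="rl0"),
    Rule("allow", via="lo0"),
    Rule("allow", via="xl0"),
    Rule("allow", src="me", via="rl0"),
    Rule("allow", proto="tcp", dst="me", established=True, via="rl0"),
    Rule("allow", proto="tcp", dst="me", dport=22, setup=True, via="rl0"),
    Rule("allow", proto="icmp"),
    Rule("deny"),
]
# The suggested fix: let established TCP reach the LAN after natd has rewritten the destination.
FIXED_RULES = POSTER_RULES[:5] + [
    Rule("allow", proto="tcp", dst=str(INTERNAL_NET), established=True, via="rl0")
] + POSTER_RULES[5:]


def http_exchange(rules):
    """Send a SYN from the LAN client out rl0, then run the SYN/ACK reply back in."""
    NAT_TABLE.clear()
    syn = Packet("tcp", CLIENT, 40000, REMOTE, 80, iface="rl0", direction="out")
    out_verdict, _, _ = evaluate(rules, syn)
    syn_ack = Packet("tcp", REMOTE, 80, GATEWAY, 40000, iface="rl0", direction="in", ack=True)
    in_verdict, hit, as_seen = evaluate(rules, syn_ack)
    return out_verdict, in_verdict, hit, as_seen.dst


if __name__ == "__main__":
    for name, rules in (("poster", POSTER_RULES), ("fixed", FIXED_RULES)):
        print(name, http_exchange(rules))
```

With the poster's rules the reply is allowed out, comes back, is rewritten by natd to 10.0.0.7, and then hits the final deny (index 7), which is exactly what `deny log` would show in the logs; with the extra rule it matches at index 5. The model ignores port remapping and the `deny log` side effect, and it is a fixed-rule model only: the alternative Crist mentions, dynamic rules (`check-state`/`keep-state`), would track the outbound SYN and admit the reply without a static `established` rule.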
