From owner-freebsd-ipfw  Mon Oct  9  6:34:31 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id 270C337B502 for ; Mon, 9 Oct 2000 06:34:28 -0700 (PDT)
Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id HAA59767; Mon, 9 Oct 2000 07:34:16 -0600 (MDT)
Date: Mon, 9 Oct 2000 07:34:16 -0600 (MDT)
From: Nick Rogness
To: achilov@granch.ru
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Where I was wrong?
In-Reply-To: <39E166D8.8F9662AC@sentry.granch.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 9 Oct 2000, Rashid N. Achilov wrote:

> Nick Rogness wrote:
> >
> > On Fri, 6 Oct 2000, Rashid N. Achilov wrote:
> > > >
> > > > ipfw add 100 fwd 10.0.0.2 ip from 10.0.2.2 to any out xmit rl0
> >
> > Hmmm, take out the "out via rl0".
>
> I have given a simplified network model. Really this box has 6 (six)
> network interfaces, which bind parts of the internal network structure
> and the Internet too. If I take out "via" and then go to the internal
> network, I'll find myself at the external interface :-(

# Allow internal net to other internal net
ipfw add 100 allow ip from 10.0.2.0/24 to INTERNAL#1
ipfw add 101 allow ip from 10.0.2.0/24 to INTERNAL#2
ipfw add 102 allow ip from 10.0.2.0/24 to INTERNAL#3

# Forward all other traffic from 10.0.2.2 out 10.0.0.2
ipfw add 105 fwd 10.0.0.2 ip from 10.0.2.2 to any

> > > and next rule to stop all other to Internet
> > >
> > > ipfw add 200 deny log tcp from 10.0.2.0/24 to any 80
> > >
> > > And now I deny too! Why? Where am I wrong?
> >
> > What does the deny log entry look like?
>
> Deny TCP 10.0.0.2:XXXX YYY.YYY.YYY.YYY:80 in via ed0
> Deny TCP 10.0.0.2:XXXX YYY.YYY.YYY.YYY:80 out via rl0

The reason it is getting denied is that ipfw is not matching the "out via
rl0" (IMO) part of your fwd command above.

I have this exact (almost) thing running and would be glad to help
more... but I need more details on how your internal net is laid out
(interfaces, IPs, etc).

Nick Rogness
- Drive defensively.  Buy a tank.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
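The exchange above turns on two ipfw facts: rules are walked in number order and the first match wins, and a packet routed through the box is checked once on receive ("in via ed0") and once on transmit ("out via rl0"). A fwd rule qualified with "out xmit rl0" cannot match on the receive pass, so the walk falls through to the deny rule. The following toy model is an added illustration, not FreeBSD code and not from either poster; it models only the pieces used in the thread (rule numbers, allow/deny/fwd, address and port matching, in/out with via/xmit/recv), and the interface names, the 10.0.1.0/24, 10.0.3.0/24 and 10.0.4.0/24 stand-ins for INTERNAL#1..3, and the 198.51.100.10 web server are constructed for the example.

```python
# Added illustration (not FreeBSD code): a first-match model of the ipfw
# rule walk discussed in the thread. Real ipfw matches far more than this;
# addresses, interface names and the INTERNAL#n stand-ins are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    number: int
    action: str                       # "allow", "deny" or "fwd"
    src: str = "any"                  # host, CIDR or "any"
    dst: str = "any"
    proto: str = "ip"                 # "ip" matches every protocol
    dport: Optional[int] = None       # None matches any destination port
    direction: Optional[str] = None   # "in", "out" or None (both passes)
    iface: Optional[str] = None       # interface named by the qualifier
    iface_kind: str = "via"           # "via" (either pass), "recv" (in), "xmit" (out)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    direction: str   # "in" or "out": which firewall pass this is
    iface: str       # interface the packet is seen on during this pass


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None:
        # "xmit" only matches on the output pass, "recv" only on input,
        # "via" on either; all three also require the interface name to match.
        if rule.iface_kind == "xmit" and pkt.direction != "out":
            return False
        if rule.iface_kind == "recv" and pkt.direction != "in":
            return False
        if rule.iface != pkt.iface:
            return False
    return True


def evaluate(rules, pkt: Packet):
    """First matching rule wins. 65535 stands in for the implicit default
    rule, modelled here as deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.number, rule.action
    return 65535, "deny"


def trace_routed(rules, pkt_fields, in_iface, out_iface):
    """A packet routed through the box is checked on receive and again on
    transmit. Returns [(pass, iface, rule_number, action), ...] and stops
    after the receive pass if that pass already denies the packet."""
    trace = []
    for direction, iface in (("in", in_iface), ("out", out_iface)):
        num, action = evaluate(rules, Packet(direction=direction, iface=iface, **pkt_fields))
        trace.append((direction, iface, num, action))
        if action == "deny":
            break
    return trace


# The original poster's pair: fwd qualified with "out xmit rl0", then the deny.
ORIGINAL = [
    Rule(100, "fwd", src="10.0.2.2", direction="out", iface="rl0", iface_kind="xmit"),
    Rule(200, "deny", src="10.0.2.0/24", proto="tcp", dport=80),
]

# The suggested order: allow the internal nets (constructed stand-ins for
# INTERNAL#1..3), then an unqualified fwd, then the same deny.
SUGGESTED = [
    Rule(100, "allow", src="10.0.2.0/24", dst="10.0.1.0/24"),
    Rule(101, "allow", src="10.0.2.0/24", dst="10.0.3.0/24"),
    Rule(102, "allow", src="10.0.2.0/24", dst="10.0.4.0/24"),
    Rule(105, "fwd", src="10.0.2.2"),
    Rule(200, "deny", src="10.0.2.0/24", proto="tcp", dport=80),
]

# Constructed web request from 10.0.2.2 to an address in the documentation range.
WEB = dict(src="10.0.2.2", dst="198.51.100.10", proto="tcp", dport=80)

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, trace_routed(rules, WEB, "ed0", "rl0"))
```

With the original pair the receive pass skips rule 100 (it needs the output pass on rl0) and hits rule 200, which is the "in via ed0" deny line in the log; with the suggested order the unqualified fwd at 105 matches on the receive pass before the deny is reached, and traffic to the internal nets is accepted by 100-102 first, which is what the "via" qualifier was protecting against.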