Date: Mon, 03 Sep 2007 16:31:28 +1200
From: Russell Fulton <r.fulton@auckland.ac.nz>
To: freebsd-ipfw@freebsd.org
Subject: Problems with pipes...
Message-ID: <46DB8E20.8070404@auckland.ac.nz>
Hi, I'm having problems getting pipes to work in ipfw (under FreeBSD).

First a little background that will explain why some of the stuff in here is there. We have a wireless LAN with two firewalls which fail over using CARP. There are several different SSIDs which appear to the firewall as different VLANs. I am working on the 'backup' firewall and we have set up a test SSID/VLAN (130.216.155.0/24) which has this firewall as primary. I have to leave the CARP rules in for the other VLANs, otherwise CARP gets all confused :) and the backup fw suddenly thinks it is primary for everything (been there, done that ;)

I have cut the rule set down as much as I can:

# already established connections continue going through
add 10 check-state
# allow outbound traffic to mailhost from UoA
add 11 allow tcp from 130.216.89.0/24, 130.216.90.0/23 to 130.216.11.210 25, 587, 465 xmit fxp1 setup keep-state
# bad ports that we want to block
add 15 deny log logamount 0 udp from any to any 7,67,68,69,111,134-140,199,445,512,513,520,1993,2049,1900,5000 via fxp1
add 16 deny log logamount 0 tcp from any to any 7,11,15,25,67,68,87,111,134-140,144,199,445,511-514,1025,1993,1900,2049,2766,5000,5999-6020 via fxp1
# carp VRP
add 20 allow all from 130.216.89.6/31 to 224.0.0.18 via vlan89
add 21 allow all from 130.216.90.6/31 to 224.0.0.18 via vlan90
add 22 allow all from 130.216.94.6/31 to 224.0.0.18 via vlan94
add 23 allow all from 130.216.95.6/31 to 224.0.0.18 via vlan95
add 24 allow all from 130.216.1.11 to 224.0.0.18 via fxp1
add 24 allow all from 130.216.1.12 to 224.0.0.18 via fxp1
add 30 allow all from 130.216.4.173 to 224.0.0.18 via fxp1
add 31 allow all from 130.216.4.174 to 224.0.0.18 via fxp1
add 40 allow tcp from 130.216.4.0/23, 130.216.76.0/23 to any in recv fxp1 setup keep-state
# allow anything else in from the vlans
add 01139 allow all from 130.216.155.0/24 to any in recv vlan155
# Allow it all out fxp1
add 01145 allow tcp from 130.216.89.0/24, 130.216.90.0/23,130.216.94.0/24,130.216.95.0/24, 130.216.155.0/24 to any out via fxp1 setup keep-state
add 01147 allow all from 130.216.89.0/24, 130.216.90.0/23,130.216.94.0/24,130.216.95.0/24, 130.216.155.0/24 to any out xmit fxp1 keep-state
# don't forget the loopback interface or some things might break
add 01102 allow all from any to any via lo0 setup keep-state
# test vlan 155
pipe 15 config mask src-ip 0x000000ff bw 128Kbit/s
add 02420 pipe 15 all from 130.216.155.0/24 to any
add 06000 deny log logamount 0 all from any to any

#################################################

Here is an ipfw -d show during a file transfer:

[root@wgate-1 /root]# ipfw -d show
00010 0 0 check-state
00011 0 0 allow tcp from 130.216.89.0/24,130.216.90.0/23 to 130.216.11.210 dst-port 25,587,465 xmit fxp1 setup keep-state
00015 0 0 deny log udp from any to any dst-port 7,67,68,69,111,134-140,199,445,512,513,520,1993,2049,1900,5000 via fxp1
00016 0 0 deny log tcp from any to any dst-port 7,11,15,25,67,68,87,111,134-140,144,199,445,511-514,1025,1993,1900,2049,2766,5000,5999-6020 via fxp1
00020 115 6440 allow ip from 130.216.89.6/31 to 224.0.0.18 via vlan89
00021 114 6384 allow ip from 130.216.90.6/31 to 224.0.0.18 via vlan90
00022 114 6384 allow ip from 130.216.94.6/31 to 224.0.0.18 via vlan94
00023 115 6440 allow ip from 130.216.95.6/31 to 224.0.0.18 via vlan95
00024 0 0 allow ip from 130.216.1.11 to 224.0.0.18 via fxp1
00024 115 6440 allow ip from 130.216.1.12 to 224.0.0.18 via fxp1
00030 0 0 allow ip from 130.216.4.173 to 224.0.0.18 via fxp1
00031 0 0 allow ip from 130.216.4.174 to 224.0.0.18 via fxp1
00040 358 36699 allow tcp from 130.216.4.0/23,130.216.76.0/23 to any in recv fxp1 setup keep-state
01102 0 0 allow ip from any to any via lo0 setup keep-state
01139 1 48 allow ip from 130.216.155.0/24 to any in recv vlan155
01145 11271 9865040 allow tcp from 130.216.89.0/24,130.216.90.0/23,130.216.94.0/24,130.216.95.0/24,130.216.155.0/24 to any out via fxp1 setup keep-state
01147 0 0 allow ip from 130.216.89.0/24,130.216.90.0/23,130.216.94.0/24,130.216.95.0/24,130.216.155.0/24 to any out xmit fxp1 keep-state
02420 0 0 pipe 15 ip from 130.216.155.0/24 to any
06000 201 25058 deny log ip from any to any
65535 160 74420 deny ip from any to any
## Dynamic rules (2):
01145 11270 9864992 (300s) STATE tcp 130.216.155.13 1525 <-> 161.53.24.9 80
00040 357 36635 (300s) STATE tcp 130.216.4.12 60906 <-> 130.216.1.11 22

Note that nothing is going through pipe 15 even though it would appear to match dynamic rule 01145. What have I screwed up?

Russell.
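The counters in the ipfw -d show output above can be reproduced with a small constructed model of ipfw's first-match evaluation and its check-state / keep-state handling. This is an added example, not code from the original post or from ipfw itself; it models only the five rules on the path of the 130.216.155.13 -> 161.53.24.9 session and, as a simplifying assumption, ignores ports, the other rules and the dummynet scheduler.

```python
import ipaddress

# Constructed model of ipfw first-match evaluation with check-state/keep-state,
# reduced to the rules on the path of the posted vlan155 -> Internet session.
VLANS = ["130.216.89.0/24", "130.216.90.0/23", "130.216.94.0/24",
         "130.216.95.0/24", "130.216.155.0/24"]
def rule(num, action, src=("0.0.0.0/0",), dirn=None, iface=None,
         setup=False, keep=False):
    return dict(num=num, action=action, dirn=dirn, iface=iface, setup=setup,
                keep=keep, hits=0, src=[ipaddress.ip_network(s) for s in src])
def ruleset():
    # same order as the post: check-state, allow in, allow out + keep-state, pipe, deny
    return [rule(10, "check-state"),
            rule(1139, "allow", ("130.216.155.0/24",), "in", "vlan155"),
            rule(1145, "allow", VLANS, "out", "fxp1", setup=True, keep=True),
            rule(2420, "pipe 15", ("130.216.155.0/24",)),
            rule(6000, "deny")]
def matches(r, pkt):
    return (any(pkt["src"] in n for n in r["src"])
            and r["dirn"] in (None, pkt["dirn"])
            and r["iface"] in (None, pkt["iface"])
            and (not r["setup"] or pkt["syn"]))   # 'setup' only matches the SYN
def evaluate(rules, dynamic, pkt):
    flow = frozenset((pkt["src"], pkt["dst"]))     # dynamic rules match both directions
    for r in rules:
        if r["action"] == "check-state":
            if flow in dynamic:                    # parent rule's action and counter apply
                dynamic[flow]["hits"] += 1
                return dynamic[flow]["action"]
            continue
        if matches(r, pkt):                        # first static match ends evaluation
            r["hits"] += 1
            if r["keep"]:
                dynamic[flow] = r
            return r["action"]
    return "deny"
def simulate(data_packets=5):
    """Return {rule number: hit count} after one TCP session from vlan155."""
    rules, dynamic = ruleset(), {}
    c, s = ipaddress.ip_address("130.216.155.13"), ipaddress.ip_address("161.53.24.9")
    # every forwarded packet is evaluated twice: on the wireless vlan and on fxp1
    legs = [(c, s, "in", "vlan155", True), (c, s, "out", "fxp1", True)]   # the SYN
    for _ in range(data_packets):
        legs += [(s, c, "in", "fxp1", False), (s, c, "out", "vlan155", False),
                 (c, s, "in", "vlan155", False), (c, s, "out", "fxp1", False)]
    for src, dst, dirn, iface, syn in legs:
        evaluate(rules, dynamic, dict(src=src, dst=dst, dirn=dirn, iface=iface, syn=syn))
    return {r["num"]: r["hits"] for r in rules}
```

With the posted order every packet after the SYN is matched at rule 10 by the dynamic rule that 01145 created, so 02420 is never reached: the returned counts show 01139 at 1, 01145 at 1 + 2 * data_packets and the pipe rule at 0, the same shape as the real counters above.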