Date: Tue, 27 Jun 2000 18:58:25 +0200
From: Adrian Chadd <adrian@freebsd.org>
To: freebsd-current@freebsd.org
Subject: Re: ipfw check-state and ipfw fwd ?
Message-ID: <20000627185825.E58428@zoe.bastard.co.uk>
In-Reply-To: <20000627185006.D58428@zoe.bastard.co.uk>; from adrian@freebsd.org on Tue, Jun 27, 2000 at 06:50:06PM +0200
References: <20000627185006.D58428@zoe.bastard.co.uk>
On Tue, Jun 27, 2000, Adrian Chadd wrote:
> Hi,
>
> I have a tunnel setup which requires me to rewrite the next hop of packets
> going from the tunneled network out to the internet to go out via the
> tunnel (rather than going out the default route, which drops the packets
> (validly) because it thinks I'm trying to IP spoof.)
>
> The trouble is that I'm also trying to use a dynamic ipfw rule to only
> allow outgoing TCP connections from a single IP .. this doesn't seem
> to work well with ipfw fwd.
>
> The relevant bits:
>
> 00100 0 0 check-state
> 00200 0 0 allow ip from any to any via lo0
> 00300 0 0 deny ip from any to 203.56.168.40 in recv tun0
> 00400 2 88 allow tcp from 203.56.168.40 to any keep-state setup
> (the three going in here are totally not relevant)
> 00800 0 0 fwd 213.35.234.1 ip from 203.56.168.0/24 to any out xmit xl1
> 65000 195 15257 allow ip from any to any
> 65535 50 7996 allow ip from any to any
> ## Dynamic rules:
> 00400 1 44 (T 5, # 163) ty 0 tcp, 203.56.168.40 1161 <-> 203.30.44.82 80
>
> As you can see, the dynamic rule gets created, but I'm not entirely
> certain it's being trapped on the fwd rule, as a tcpdump of the external
> interface xl1 shows the packet going out rather than being forwarded
> to 213.35.234.1 (the tunnel interface endpoint).
>
> Any clues? Are the dynamic rulesets not meant to do this at all? Is there
> a way I can trick things into working?

Before you all say it, changing 0400's allow to skipto <fwd rulenumber> made things work. Evil, but it's working just fine.

:)

00100 0 0 check-state
00200 0 0 allow ip from any to any via lo0
00300 1 44 deny ip from any to 203.56.168.40 in recv tun0
00400 14 576 skipto 5000 tcp from 203.56.168.40 to any keep-state setup
05000 5 437 fwd 213.35.234.1 ip from 203.56.168.0/24 to any out xmit xl1
65000 2163 169947 allow ip from any to any
65535 55 8503 allow ip from any to any
## Dynamic rules:
00400 13 532 (T 0, # 167) ty 0 tcp, 203.56.168.40 1165 <-> 203.30.44.82 80

Adrian
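As an added example (not code from the thread or from ipfw itself), a small Python model of the ipfw rule walk that reproduces both rulesets above: with `allow ... keep-state` the SYN is accepted at rule 400 and later packets of the flow are accepted straight from check-state, so the fwd rule is never reached, whereas `skipto 5000 ... keep-state` sends both to the fwd rule. The packet field names, the one-direction flow key and the dynamic-table shape are assumptions of the model, not ipfw internals.

```python
# Added example, not from the thread: a minimal model of the ipfw rule walk showing
# why "allow ... keep-state" never reaches the fwd rule (the SYN is accepted at rule
# 400, later packets via check-state) while "skipto 5000 ... keep-state" does. Only
# the outbound direction is modelled; rules 200/300 are omitted as irrelevant.
from ipaddress import ip_address, ip_network

TUNNEL_NET = ip_network("203.56.168.0/24")

def ruleset(action_400):
    """Adrian's ruleset with rule 400's action as a parameter."""
    return [
        {"num": 100, "action": "check-state", "match": lambda p: True},
        {"num": 400, "action": action_400, "keep_state": True,
         "match": lambda p: p["proto"] == "tcp" and p["src"] == "203.56.168.40" and p["syn"]},
        {"num": 5000, "action": "fwd 213.35.234.1",
         "match": lambda p: ip_address(p["src"]) in TUNNEL_NET and p.get("xmit") == "xl1"},
        {"num": 65000, "action": "allow", "match": lambda p: True},
    ]

def flow_key(pkt):
    return (pkt["proto"], pkt["src"], pkt["dst"])

def run(rules, pkt, dyn):
    """Walk the ruleset for one packet and return the terminating action.
    `dyn` maps a flow to the number of the rule that created its state."""
    i = 0
    while i < len(rules):
        r, act = rules[i], rules[i]["action"]
        if act == "check-state":
            parent = dyn.get(flow_key(pkt))
            if parent is None:
                i += 1; continue
            # dynamic match: the packet takes the action of the creating rule
            r = next(x for x in rules if x["num"] == parent)
            act = r["action"]
        elif not r["match"](pkt):
            i += 1; continue
        elif r.get("keep_state"):
            dyn[flow_key(pkt)] = r["num"]  # keep-state installs the dynamic rule
        if act.startswith("skipto "):
            i = next(n for n, x in enumerate(rules) if x["num"] >= int(act.split()[1]))
            continue
        return act  # allow, deny and fwd terminate the walk
    return "deny"  # ipfw default when no rule matched

def flow_actions(action_400):
    """Actions taken on the SYN and on a later data packet of the same flow."""
    rules, dyn = ruleset(action_400), {}
    syn = {"proto": "tcp", "src": "203.56.168.40", "dst": "203.30.44.82", "syn": True, "xmit": "xl1"}
    return run(rules, syn, dyn), run(rules, dict(syn, syn=False), dyn)
```

Calling `flow_actions("allow")` gives `("allow", "allow")` and `flow_actions("skipto 5000")` gives `("fwd 213.35.234.1", "fwd 213.35.234.1")`, which is the behaviour the two ipfw listings show.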