From: Thomás <thoms3rd@gmail.com>
To: Rakor
Cc: freebsd-ipfw@freebsd.org
Subject: Re: How to use IPFW to filter routing
Date: Sun, 29 Jan 2017 14:40:35 -0200
Message-ID: <20170129164035.GB10963@host>
In-Reply-To: <3C00AFCB-E2EF-4F89-8FBD-181C99DAC1FF@rakor-net.de>
List-Id: IPFW Technical Discussions <freebsd-ipfw@freebsd.org>

On Sat, Jan 28, 2017 at 01:58:01PM +0100, Rakor wrote:
> As far as I know a packet is scanned once by IPFW and then the first hit wins. So, if I set the following, a packet coming from VLAN3 for port 80 is permitted to travel any way it wants, even to VLAN2. Putting another rule behind it that only allows it to travel out using igb2 is not checked, because the search terminated after the first hit.
>
> ipfw add allow tcp from 10.10.30.0/24 to any 80 setup keep-state

Have you tried something like this?
ipfw add deny tcp from 10.10.30.0/24 to 10.10.10.0/24 setup keep-state
ipfw add deny tcp from 10.10.30.0/24 to 10.10.20.0/24 setup keep-state
ipfw add allow tcp from 10.10.30.0/24 to any 80 setup keep-state

> If I try the following the packets are all rejected. I think the inspection is done before the routing, so IPFW does not know it should be forwarded using igb2.
>
> ipfw add allow tcp from 10.10.30.0/24 to any 80 out via igb2 setup keep-state

IPFW can do routing table lookups as needed. Something else must be going on here. Log rules may be of help to debug and understand your ruleset.

> So I don't know how to filter packets that should be routed in an exact manner. Can you help me?

There are plenty of ways to filter packets in that setup; the "exact" one depends on what you are trying to achieve.

Cheers,
- Thomás

P.S.: sorry for the duplication, I'd forgotten to CC the list.
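An added worked example, written by the editor and not part of either message in the thread: a small rc.firewall-style script that orders the rules the way Thomás suggests (the inter-VLAN denies numbered before the broad port-80 allow, because IPFW stops at the first matching rule) and adds the log rules he recommends. It also accounts for the fact that IPFW inspects a forwarded packet twice, once on input, where only the receive interface is known, and again on output after routing, where the transmit interface is known; an allow restricted to "out via igb2" therefore never matches the input pass, and a packet entering from VLAN 3 is dropped before it is ever routed. The interface name vlan3 and the rule numbering are assumptions; igb2 and the three /24 networks are from the thread.

```shell
#!/bin/sh
# Editor's added example, not from the thread: an rc.firewall-style ruleset
# for Rakor's setup. IPFW stops at the first matching rule, so the
# inter-VLAN denies are numbered BEFORE the broad "to any 80" allow.
#
# A forwarded packet passes IPFW twice: on input (only the receive
# interface is known) and on output after routing (transmit interface
# known). An allow restricted to "out via igb2" therefore never matches
# the input pass and the packet is dropped before it is ever routed.
#
# Assumed (not stated on the page): the VLAN 3 interface is vlan3 and
# rules are spaced 100 apart. igb2 and the three /24s are from the thread.

IPFW="${IPFW:-/sbin/ipfw}"
VLAN3_NET="10.10.30.0/24"
VLAN1_NET="10.10.10.0/24"
VLAN2_NET="10.10.20.0/24"
VLAN3_IF="vlan3"

rule_no=0
# Add one rule with the next free number.
rule() {
    rule_no=$((rule_no + 100))
    "$IPFW" -q add "$rule_no" "$@"
}

build_ruleset() {
    rule_no=0
    # Packets of sessions already created by keep-state (including the
    # output pass of the very SYN that created them, and the replies
    # coming back in on igb2) are accepted here.
    rule check-state

    # Blocks that must win over the permissive HTTP rule below. "log" records
    # each hit via syslog when net.inet.ip.fw.verbose=1, which is the easiest
    # way to see which rule a test connection actually matched.
    rule deny log tcp from "$VLAN3_NET" to "$VLAN1_NET" setup
    rule deny log tcp from "$VLAN3_NET" to "$VLAN2_NET" setup

    # New HTTP sessions from VLAN 3, matched on the input pass where the
    # receive interface is known; keep-state creates the dynamic entry
    # that check-state then honours on the output pass and for replies.
    rule allow tcp from "$VLAN3_NET" to any 80 in recv "$VLAN3_IF" setup keep-state

    # Explicit logged default instead of relying on kernel rule 65535.
    rule deny log ip from any to any
}

case "${1:-}" in
    apply) "$IPFW" -q -f flush; build_ruleset ;;   # load into the kernel
    *)     IPFW=echo; build_ruleset ;;             # dry run: print the rules
esac
```

Run it without arguments to print the rules in order and check the ordering by eye (ipfw -n can be used instead of the echo dry run to have ipfw parse the lines without loading them); "apply" flushes and loads them. With net.inet.ip.fw.verbose=1 the logged hits go to syslog (/var/log/security on a default FreeBSD install) and ipfw -d list shows the dynamic entries created by keep-state, so a test connection from VLAN 3 can be traced to the exact rule it matched on each pass.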