Date:      Mon, 19 Apr 2004 15:31:12 +0200
From:      "Roman Mikus" <roman@zutom.sk>
To:        <freebsd-ipfw@freebsd.org>
Subject:   out xmit not match icmp
Message-ID:  <8346D753500D004191B4F3E45178065B68EF4D@medusa.zutomxx>


Hi,

I have a FreeBSD 4.9-RELEASE-p3 box with ipfw and 3 interfaces installed.
One interface is external with one public IP address, the second is internal
with private IP addresses, and the third is assigned a small subnet of
public IP addresses. I want to configure a firewall which protects the internal
network and the FreeBSD box but will pass traffic for the third interface. I have
the following interfaces:

	vx0: internal: 10.0.0.8 netmask 255.255.255.0
	ed0: external: y.y.y.170 netmask 255.255.255.240
	ep0: free zone: x.x.x.162 netmask 255.255.255.240

I can send the whole firewall config, but it is derived from the simple section in
rc.firewall and looks like this:

(x.x.x. and y.y.y. and z.z.z. substitutes my real ip addresses)

...
00400 pipe 1 ip from any to any out xmit ed0
00500 pipe 2 ip from any to any in recv ed0
...
01900 divert 8668 ip from any to any via ed0
02000 divert 8668 ip from any to any via ep0
03000 allow ip from any to x.x.x.161
03100 allow ip from any to x.x.x.163
03200 allow ip from any to x.x.x.164
..
03400 allow ip from any to x.x.x.166
..
04200 allow ip from any to x.x.x.174
04300 allow ip from x.x.x.161 to any out recv ep0 xmit ed0
04400 allow ip from x.x.x.163 to any out recv ep0 xmit ed0
04500 allow ip from x.x.x.164 to any out recv ep0 xmit ed0
..
04700 allow ip from x.x.x.166 to any out recv ep0 xmit ed0
..
05500 allow ip from x.x.x.174 to any out recv ep0 xmit ed0
...
65000 deny log ip from any to any

Rules between 1900 and 5500 should pass all traffic to and from the free
zone, and this is true for TCP traffic (telnet) but not for ICMP traffic
(ping).
If I try to ping x.x.x.166 from an outside box with IP z.z.z.11, rule 4700
does not match, but rule 65000 matches and this appears in /var/log/security:

Apr 19 15:16:54 ns /kernel: ipfw: 65000 Deny ICMP:0.0 x.x.x.166 z.z.z.11
in via ep0

This is the ICMP reply from host x.x.x.166 and it is blocked, but it shouldn't be.

Can you tell me why this happens? How else can I pass any traffic to
and from my free zone (but still be able to shape traffic on the external
interface) and protect everything else?

Thanks a lot.

Roman
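As an added illustration (not part of the message above, and not the author's configuration), the following script models how ipfw(8) evaluates a forwarded packet twice, once on its inbound pass and once on its outbound pass, and why an `out recv ep0 xmit ed0` rule can never match on the inbound pass. Only the quoted allow/deny rules are modelled; the pipe, divert and elided lines are left out, and rule 4600 is a hypothetical inbound allow added purely to show the difference.

```python
# Added example: a small model of ipfw's direction keywords on a forwarded
# packet. "in"/"out" match the pass, "recv X" matches the interface the
# packet arrived on (known on both passes), "xmit X" matches the outgoing
# interface (known only on the out pass), "via X" matches either.
# x.x.x.* and z.z.z.* are the placeholders used in the message.

RULES = [
    (3400, "allow", {"dst": "x.x.x.166"}),
    (4700, "allow", {"src": "x.x.x.166", "dir": "out", "recv": "ep0", "xmit": "ed0"}),
    (65000, "deny", {}),
]

# Hypothetical extra rule (not in the original set): accept the free-zone
# host's packets on their inbound pass on ep0 so that the outbound pass
# (where rule 4700 can match) is reached at all.
FIXED_RULES = sorted(
    RULES + [(4600, "allow", {"src": "x.x.x.166", "dir": "in", "recv": "ep0"})],
    key=lambda rule: rule[0],
)


def matches(cond, pkt):
    """True when every condition of a rule applies to the packet on this pass."""
    if "src" in cond and cond["src"] != pkt["src"]:
        return False
    if "dst" in cond and cond["dst"] != pkt["dst"]:
        return False
    if "dir" in cond and cond["dir"] != pkt["dir"]:
        return False
    if "recv" in cond and cond["recv"] != pkt["recv"]:
        return False
    # The outgoing interface does not exist yet on the inbound pass.
    if "xmit" in cond and (pkt["dir"] != "out" or cond["xmit"] != pkt.get("xmit")):
        return False
    if "via" in cond and cond["via"] not in (pkt["recv"], pkt.get("xmit")):
        return False
    return True


def first_match(rules, pkt):
    """ipfw stops at the first matching rule; return (number, action)."""
    for num, action, cond in rules:
        if matches(cond, pkt):
            return num, action
    return None


def forward(rules, src, dst, recv, xmit):
    """Run both passes a forwarded packet makes; stop early if the in pass denies."""
    in_pass = first_match(rules, {"src": src, "dst": dst, "dir": "in", "recv": recv})
    if in_pass[1] == "deny":
        return in_pass
    return first_match(rules, {"src": src, "dst": dst, "dir": "out", "recv": recv, "xmit": xmit})
```

With the quoted rules, the echo request from z.z.z.11 to x.x.x.166 is accepted on both passes by rule 3400, while the echo reply arriving on ep0 is denied on its inbound pass by rule 65000, exactly as the logged line shows; with the hypothetical inbound rule added, the reply reaches rule 4700 on its outbound pass.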
