Date: Wed, 8 Dec 1999 23:08:49 -0500
From: Ben WIlliams <williamsl@Home.Com>
To: Julian Elischer <julian@whistle.com>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re[2]: divert rules
Message-ID: <11964.991208@Home.Com>
In-Reply-To: <Pine.BSF.4.10.9912081219510.23315-100000@current1.whistle.com>
References: <Pine.BSF.4.10.9912081219510.23315-100000@current1.whistle.com>
Wednesday, December 08, 1999

Thank you Julian. So from what I'm reading here all incoming packets got diverted, then natd, then reinjected right behind the divert rule they just went through to hit the next divert rule in the sequence, and this behaviour continued until it ran out of divert rules, yes?

Here are my ipfw rules as they stand now. Everything but IRC from an inside box and ICQ (direct connections) seems to work right now. pn1 is my outside (public) interface with the IP address 123.123.123.123 (which is fake .. this server will be moving shortly).

delta:~# ipfw l
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 192.168.1.0/24 to any in recv pn1
00400 deny ip from 123.123.123.0/24 to any in recv pn0
00600 deny ip from any to 192.168.0.0/16 via pn1
00700 deny ip from 172.16.0.0/12 to any via pn1
00800 deny ip from any to 172.16.0.0/12 via pn1
00900 deny ip from 10.0.0.0/8 to any via pn1
01000 deny ip from any to 10.0.0.0/8 via pn1
# This (1040) is the divert rule I was playing with and your
# explanation makes sense now that I look at it ..
01040 divert 8668 log ip from any to any
01100 allow tcp from any to any established
01200 allow tcp from any to 123.123.123.123 25 setup
01300 allow tcp from any to 123.123.123.123 2500 setup
01400 allow tcp from any to 123.123.123.123 53 setup
# I see entries in my logs indicating that this host is (continually)
# trying to connect to my identd server so I'm dropping ident requests
# from here. 'bad.ip.address' is not an IRC server and I don't know what
# else uses ident (?)
01425 deny tcp from bad.ip.address to 123.123.123.123 113
01425 deny udp from bad.ip.address to 123.123.123.123 113
01450 allow log tcp from any to 123.123.123.123 113 setup
01500 allow tcp from any to 123.123.123.123 80 setup
01600 allow tcp from any to 123.123.123.123 8000 setup
01700 allow tcp from any to 123.123.123.123 8080 setup
01800 allow tcp from any to 123.123.123.123 8888 setup
01900 deny log tcp from any to any in recv pn1 setup
02000 allow tcp from any to any setup
02100 allow udp from any 53 to 123.123.123.123
02200 allow udp from 123.123.123.123 to any 53
02300 allow udp from any 123 to 123.123.123.123
02400 allow udp from 123.123.123.123 to any 123
65500 allow log ip from any to any
65535 allow ip from any to any
22:59:39 root delta:~#

Wednesday, December 08, 1999, 3:43:01 PM, you wrote:

JE> On Wed, 8 Dec 1999, Nick Rogness wrote:
>> On Wed, 8 Dec 1999, Ben WIlliams wrote:
>>
>> [snip]
>> > However when playing with divert rules on my natd box whenever I had
>> > more than one divert rule -each- rule would be triggered. The effect
>> > this had was to have multiple replies sent to any request the inside
>> > boxes made. Is this the expected behaviour? (Doesn't seem that way to
>> > me...) The divert rules were all together if that has anything to do
>> > with it.

JE> You are confusing the behaviour of a single run through the ipfw code with
JE> the result of combining NATD and ipfw.

JE> The first run will finish when the packet is diverted. NATD then changes
JE> the packet and re-injects it back into the firewall at the rule number
JE> following that which diverted it. If it then hits another divert rule,
JE> that will be taken as well. It is possible to make the rules NOT do this
JE> in 2 ways. NATD could be altered to inject the packet somewhere else in
JE> the ruleset, or you could add 2 rules to each divert rule..

JE> 1000 divert ip from blah blah
JE> 1000 skipto 2000 <-------- packets not diverted will skip to 2000
JE> 1001 accept ip from any to any <------reinjected packets come here.

JE> julian

-- 
Ben mailto:williamsl@Home.Com
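The rule walk Julian describes (divert, natd rewrites the packet, re-injection at the rule number after the divert, so any later divert fires too) and his divert/skipto/accept fix are easy to get wrong by reading alone. The following is an added example, my own toy model of that walk and not code from ipfw, natd or anyone in the thread: rule selectors, the `natd` stand-in, the inside network 192.168.1.0/24 and the sample addresses are all constructed, and the only semantics it models are "divert re-enters at the first rule numbered above the divert rule" and "skipto continues at the first rule numbered at or above its target".

```python
# Added example (mine, not from the thread): a toy model of ipfw's rule walk
# with natd re-injection, to show why two adjacent divert rules both fire and
# how the divert/skipto/accept pattern stops that. Rule matching, the natd
# stand-in and the addresses are constructed simplifications.
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    nat_passes: int = 0                         # times the natd stand-in saw it
    trace: List[str] = field(default_factory=list)  # rules that matched, in order


@dataclass
class Rule:
    number: int                                 # ipfw rule number; duplicates allowed
    action: str                                 # "divert", "skipto", "allow", "deny"
    match: Callable[[Packet], bool]             # the rule's "from ... to ..." selector
    target: Optional[int] = None                # skipto destination rule number


def any_pkt(p: Packet) -> bool:
    return True                                 # "ip from any to any"


def from_inside(p: Packet) -> bool:
    return p.src.startswith("192.168.1.")       # constructed inside network


def natd(p: Packet) -> None:
    """Stand-in for natd: rewrite an inside source to the public address."""
    p.nat_passes += 1
    if from_inside(p):
        p.src = "123.123.123.123"               # the (fake) public address from the post


def _first_index(rules: List[Rule], pred) -> int:
    return next((k for k, r in enumerate(rules) if pred(r)), len(rules))


def run_firewall(rules: List[Rule], pkt: Packet) -> str:
    """Walk the rules in list order (ipfw keeps them sorted by number).

    divert: hand the packet to natd, then re-enter at the first rule whose
            number is greater than the divert rule's own number (Julian's
            description; rules sharing that number are therefore skipped).
    skipto: continue at the first rule numbered >= the target.
    allow/deny: final verdict.
    """
    i = 0
    while i < len(rules):
        r = rules[i]
        if not r.match(pkt):
            i += 1
            continue
        pkt.trace.append(f"{r.number:05d} {r.action}")
        if r.action in ("allow", "deny"):
            return r.action
        if r.action == "skipto":
            i = _first_index(rules, lambda x: x.number >= r.target)
        elif r.action == "divert":
            natd(pkt)
            i = _first_index(rules, lambda x: x.number > r.number)
        else:
            raise ValueError(f"unknown action {r.action!r}")
    return "deny"                               # nothing matched: ipfw's implicit default


def adjacent_diverts() -> List[Rule]:
    """Two back-to-back divert rules, the situation in the original question."""
    return [
        Rule(1000, "divert", any_pkt),
        Rule(1010, "divert", any_pkt),
        Rule(65535, "allow", any_pkt),
    ]


def divert_skipto_accept() -> List[Rule]:
    """Julian's pattern: divert, a skipto at the SAME number so packets that
    were not diverted jump past the re-injection point, and an accept at the
    next number that only re-injected packets reach. A second divert sits at
    2000 to show it is no longer hit by packets the first one translated."""
    return [
        Rule(1000, "divert", from_inside),
        Rule(1000, "skipto", any_pkt, target=2000),
        Rule(1001, "allow", any_pkt),
        Rule(2000, "divert", any_pkt),
        Rule(65535, "allow", any_pkt),
    ]


def nat_passes(rules: List[Rule], src: str = "192.168.1.5") -> int:
    """How many times natd saw one packet from src (constructed addresses)."""
    pkt = Packet(src=src, dst="198.51.100.7")
    run_firewall(rules, pkt)
    return pkt.nat_passes


def trace(rules: List[Rule], src: str = "192.168.1.5") -> List[str]:
    """Which rules one packet from src matched, in order."""
    pkt = Packet(src=src, dst="198.51.100.7")
    run_firewall(rules, pkt)
    return pkt.trace


if __name__ == "__main__":
    print("adjacent diverts:     ", nat_passes(adjacent_diverts()), trace(adjacent_diverts()))
    print("divert/skipto/accept: ", nat_passes(divert_skipto_accept()), trace(divert_skipto_accept()))
```

With the adjacent rules an inside packet is translated twice (1000, then 1010 after re-injection); with the three-rule pattern it is translated once and lands on 1001, while a packet the first divert did not select takes the skipto straight to 2000. One caveat the model makes visible: the `accept ip from any to any` at 1001 is a full verdict, so a re-injected packet never sees any rule after it. Any filtering that should apply to translated packets has to be placed before the divert, or the 1001 rule has to be narrowed to what you actually want to pass.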