Date:      Wed, 8 Dec 1999 23:08:49 -0500
From:      Ben WIlliams <williamsl@Home.Com>
To:        Julian Elischer <julian@whistle.com>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re[2]: divert rules
Message-ID:  <11964.991208@Home.Com>
In-Reply-To: <Pine.BSF.4.10.9912081219510.23315-100000@current1.whistle.com>
References:  <Pine.BSF.4.10.9912081219510.23315-100000@current1.whistle.com>

                                                    Wednesday, December 08, 1999
   Thank you Julian. So from what I'm reading here all incoming
packets got diverted, then natd, then reinjected right behind the
divert rule they just went through to hit the next divert rule in the
sequence and this behaviour continued until it ran out of divert
rules, yes?
   Here are my ipfw rules as they stand now. Everything but IRC from
an inside box and ICQ (direct connections) seems to work right now.
pn1 is my outside (public) interface with the IP address
123.123.123.123 (which is fake .. this server will be moving shortly)

delta:~# ipfw l
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 192.168.1.0/24 to any in recv pn1
00400 deny ip from 123.123.123.0/24 to any in recv pn0
00600 deny ip from any to 192.168.0.0/16 via pn1
00700 deny ip from 172.16.0.0/12 to any via pn1
00800 deny ip from any to 172.16.0.0/12 via pn1
00900 deny ip from 10.0.0.0/8 to any via pn1
01000 deny ip from any to 10.0.0.0/8 via pn1
# This (1040) is the divert rule I was playing with and your
# explanation makes sense now that I look at it ..
01040 divert 8668 log ip from any to any
01100 allow tcp from any to any established
01200 allow tcp from any to 123.123.123.123 25 setup
01300 allow tcp from any to 123.123.123.123 2500 setup
01400 allow tcp from any to 123.123.123.123 53 setup
# I see entries in my logs indicating that this host is (continually)
# trying to connect to my identd server so I'm dropping ident requests
# from here. 'bad.ip.address' is not an IRC server and I don't know what
# else uses ident (?)
01425 deny tcp from bad.ip.address to 123.123.123.123 113
01425 deny udp from bad.ip.address to 123.123.123.123 113
01450 allow log tcp from any to 123.123.123.123 113 setup
01500 allow tcp from any to 123.123.123.123 80 setup
01600 allow tcp from any to 123.123.123.123 8000 setup
01700 allow tcp from any to 123.123.123.123 8080 setup
01800 allow tcp from any to 123.123.123.123 8888 setup
01900 deny log tcp from any to any in recv pn1 setup
02000 allow tcp from any to any setup
02100 allow udp from any 53 to 123.123.123.123
02200 allow udp from 123.123.123.123 to any 53
02300 allow udp from any 123 to 123.123.123.123
02400 allow udp from 123.123.123.123 to any 123
65500 allow log ip from any to any
65535 allow ip from any to any
22:59:39 root
delta:~#

                                                    
Wednesday, December 08, 1999, 3:43:01 PM, you wrote:



JE> On Wed, 8 Dec 1999, Nick Rogness wrote:

>> On Wed, 8 Dec 1999, Ben WIlliams wrote:
>> 
>> [snip]
>> > However when playing with divert rules on my natd box whenever I had
>> > more than one divert rule -each- rule would be triggered. The effect
>> > this had was to have multiple replies sent to any request the inside
>> > boxes made. Is this the expected behaviour? (Doesn't seem that way to
>> > me...) The divert rules were all together if that has anything to do
>> > with it. 

JE> You are confusing the behaviour of a single run through the ipfw code with
JE> the result of combining NATD and ipfw.

JE> the first run will finish when the packet is diverted. NATD then changes
JE> the packet and re-injects it back into the firewall at the rule number
JE> following that which diverted it. If it then hits another divert rule,
JE> that will be taken as well. It is possible to make the rules NOT do this
JE> in 2 ways. NATD could be altered to inject the packet somewhere else in
JE> the ruleset, or you could add 2 rules to each divert rule..

JE> 1000 divert ip from blah blah
JE> 1000 skipto 2000   <-------- packets not diverted will skip to 2000
JE> 1001 accept ip from any to any <------reinjected packets come here. 

JE> julian



--
 Ben                                      mailto:williamsl@Home.Com
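The evaluation order Julian describes, modelled in a few lines of Python as an added illustration that is not part of the thread: a divert ends the current pass, the simulated natd hands the packet back, and ipfw resumes at the first rule numbered above the diverting one. The Rule class, the packet dicts, and the addresses and interface names are constructed for the example; `TWO_DIVERTS` reproduces the double-divert problem and `PAIRED` applies the skipto/accept pattern from Julian's reply.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Rule:
    num: int
    action: str                  # "allow" | "deny" | "divert" | "skipto"
    arg: int = 0                 # divert port, or skipto target rule number
    match: Callable[[dict], bool] = lambda pkt: True   # "ip from any to any"

def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, List[int]]:
    """Return (verdict, divert ports hit). A divert ends the pass; the fake natd
    hands the packet back and ipfw resumes at the first rule numbered above the
    diverting one, so a later divert rule that also matches fires as well."""
    rules = sorted(rules, key=lambda r: r.num)
    hits: List[int] = []
    resume_at = 0                # lowest rule number still eligible
    while True:
        for r in rules:
            if r.num < resume_at or not r.match(pkt):
                continue
            if r.action == "skipto":
                resume_at = r.arg        # jump forward, keep scanning
                continue
            if r.action == "divert":
                hits.append(r.arg)
                resume_at = r.num + 1    # natd re-injects just after this rule
                break                    # start a new pass
            return r.action, hits        # allow / deny ends evaluation
        else:
            return "deny", hits          # ran off the end of the ruleset

# Constructed sample packets; addresses and interface names are hypothetical.
OUTBOUND = {"via": "pn1", "src": "192.168.1.10", "dst": "10.1.2.3"}
INBOUND = {"via": "pn0", "src": "10.1.2.3", "dst": "192.168.1.10"}

# Two adjacent any-to-any divert rules: each packet is diverted twice (duplicate replies).
TWO_DIVERTS = [Rule(1000, "divert", 8668), Rule(1010, "divert", 8669),
               Rule(65535, "allow")]

# Julian's pattern: skipto for packets the divert misses, allow right after for the re-injected one.
PAIRED = [
    Rule(1000, "divert", 8668, match=lambda p: p["via"] == "pn1"),
    Rule(1000, "skipto", 2000),
    Rule(1001, "allow"),
    Rule(2000, "divert", 8669, match=lambda p: p["via"] == "pn0"),
    Rule(2000, "skipto", 3000),
    Rule(2001, "allow"),
    Rule(65535, "allow"),
]
```

`evaluate(TWO_DIVERTS, OUTBOUND)` reports both divert ports, while with `PAIRED` each packet is diverted exactly once and then accepted by the rule following its divert.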




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message



