Date:      Sun, 28 Mar 1999 16:47:53 +0300
From:      Ruslan Ermilov <ru@ucb.crimea.ua>
To:        Noor Dawod <noor@NetVision.net.il>
Cc:        freebsd-hackers@FreeBSD.ORG
Subject:   Re: ipfw behavior, is it normal?
Message-ID:  <19990328164753.A50307@relay.ucb.crimea.ua>
In-Reply-To: <Pine.GSO.4.05.9903281416150.20028-100000@nvt.netvision.net.il>; from Noor Dawod on Sun, Mar 28, 1999 at 02:23:57PM +0200
References:  <Pine.GSO.4.05.9903281416150.20028-100000@nvt.netvision.net.il>

Hi!

You've screwed your rules up ;-)
Rules 400 and 500 are `allow tcp', I suppose.
Send us your _real_ rules first.


On Sun, Mar 28, 1999 at 02:23:57PM +0200, Noor Dawod wrote:
> 
>   Hi..
> 
>   Like many others have done before me, this is my first message to this
> mailing list and I hope not the last. I've been dealing with FreeBSD for
> quite some time now, and I still cannot understand why a few ipfw rules
> don't work for me. I would like to share it with you and maybe get some
> help on it.
> 
>   My current ipfw rules are:
> 
> -----------------------------------------------------------------
> 00100 allow ip from any to any via lo0
> 00200 allow ip from [machine-a-ip] to [server-ip] via xl0
> 00300 allow ip from [machine-b-ip] to [server-ip] via xl0
> 00400 allow ip from any to [server-ip] 80 in via xl0
> 00500 allow ip from any to [server-ip] 21 in via xl0
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> -----------------------------------------------------------------
> 
>   00200 and 00300 seem redundant because of rule 65000. But this is where
> all the problem lies. If I understand the ipfw rules right, if I remove
> line 65000 from the rules table, then I can still do all ip-related
> actions from [machine-a] and [machine-b], whose ip numbers are
> listed in 00200 and 00300. But, once I remove line 65000, I cannot do any
> ip-related actions on the [server], and even WWW/FTP services are not
> served as well.
> 
>   What am I missing here, and why the 65000 line MUST be there so that I
> could access [server] from [machine-a] and [machine-b] ?
> 
>   I apologize if this is not the place to ask such questions, and would
> like to be told where to send it instead.
> 
>   Thanks for your time and efforts.
> 
>   Noor

-- 
Ruslan Ermilov		Sysadmin and DBA of the
ru@ucb.crimea.ua	United Commercial Bank
+380.652.247.647	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
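Added example (editor's note, not code from either poster): a toy model of ipfw's first-match evaluation, just enough of the syntax used in the ruleset above to reproduce the symptom Noor reports. The posted rules only ever match packets whose source is machine-a, machine-b, or "any ... to [server-ip] ... in", so a reply leaving the server (source = server, direction = out) matches nothing until 65000, and with 65000 gone it falls through to 65535 deny. The addresses, the client port 40000, and the "fixed" ruleset (tcp where ports appear, explicit rules for the reply direction, no catch-all allow) are assumptions made here for illustration, not anything in the thread.

```python
# Added example, not code from the thread: a small model of ipfw's first-match
# evaluation. Addresses are constructed placeholders for [server-ip],
# [machine-a-ip] and [machine-b-ip]; OUTSIDER is an arbitrary remote client.
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVER, MACHINE_A, MACHINE_B = "10.0.0.1", "10.0.0.2", "10.0.0.3"
OUTSIDER = "198.51.100.7"

@dataclass
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str        # "in" or "out", relative to the host
    iface: str            # interface the packet crosses

@dataclass
class Rule:
    num: int
    action: str
    proto: str                 # "ip" matches every protocol
    src: str                   # "any" or one address
    sport: Optional[int]       # None = any port
    dst: str
    dport: Optional[int]
    direction: Optional[str]   # None = either direction
    iface: Optional[str]       # "via xl0": either direction on xl0

def parse_rule(line: str) -> Rule:
    """Parse the subset of ipfw syntax used in this thread:
    NUM ACTION PROTO from SRC [PORT] to DST [PORT] [in|out] [via IFACE]."""
    t = line.split()
    num, action, proto = int(t[0]), t[1], t[2]
    if t[3] != "from":
        raise ValueError(line)
    src, sport, i = t[4], None, 5
    if t[i].isdigit():
        sport, i = int(t[i]), i + 1
    if t[i] != "to":
        raise ValueError(line)
    dst, i = t[i + 1], i + 2
    dport = None
    if i < len(t) and t[i].isdigit():
        dport, i = int(t[i]), i + 1
    direction = iface = None
    while i < len(t):
        if t[i] in ("in", "out"):
            direction, i = t[i], i + 1
        elif t[i] == "via":
            iface, i = t[i + 1], i + 2
        else:
            raise ValueError(line)
    # Real ipfw only takes port numbers with tcp/udp (Ruslan's objection to
    # rules 400 and 500); the model accepts "ip ... 80" so the ruleset can be
    # evaluated exactly as posted.
    return Rule(num, action, proto, src, sport, dst, dport, direction, iface)

def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.strip().splitlines()]

def matches(r: Rule, p: Packet) -> bool:
    return ((r.proto == "ip" or r.proto == p.proto)
            and r.src in ("any", p.src) and r.dst in ("any", p.dst)
            and r.sport in (None, p.sport) and r.dport in (None, p.dport)
            and r.direction in (None, p.direction)
            and r.iface in (None, p.iface))

def evaluate(rules: List[Rule], p: Packet) -> Tuple[int, str]:
    """First matching rule in numeric order decides; 65535 deny is implicit."""
    for r in sorted(rules, key=lambda r: r.num):
        if matches(r, p):
            return r.num, r.action
    return 65535, "deny"

def without(rules: List[Rule], num: int) -> List[Rule]:
    return [r for r in rules if r.num != num]

# The ruleset from the thread, with placeholders filled in.
RULES_AS_POSTED = f"""
00100 allow ip from any to any via lo0
00200 allow ip from {MACHINE_A} to {SERVER} via xl0
00300 allow ip from {MACHINE_B} to {SERVER} via xl0
00400 allow ip from any to {SERVER} 80 in via xl0
00500 allow ip from any to {SERVER} 21 in via xl0
65000 allow ip from any to any
65535 deny ip from any to any
"""

# Illustrative correction (an assumption, not from the thread): tcp where
# ports appear, a rule for each reply direction, no catch-all allow. The
# ruleset is stateless, so both directions of every flow must be listed.
RULES_FIXED = f"""
00100 allow ip from any to any via lo0
00200 allow ip from {MACHINE_A} to {SERVER} via xl0
00210 allow ip from {SERVER} to {MACHINE_A} via xl0
00300 allow ip from {MACHINE_B} to {SERVER} via xl0
00310 allow ip from {SERVER} to {MACHINE_B} via xl0
00400 allow tcp from any to {SERVER} 80 in via xl0
00500 allow tcp from any to {SERVER} 21 in via xl0
00600 allow tcp from {SERVER} 80 to any out via xl0
00700 allow tcp from {SERVER} 21 to any out via xl0
65535 deny ip from any to any
"""

# Constructed traffic: an HTTP request, its reply, and a probe to port 23.
HTTP_REQUEST = Packet("tcp", OUTSIDER, 40000, SERVER, 80, "in", "xl0")
HTTP_REPLY = Packet("tcp", SERVER, 80, OUTSIDER, 40000, "out", "xl0")
TELNET_PROBE = Packet("tcp", OUTSIDER, 40001, SERVER, 23, "in", "xl0")

if __name__ == "__main__":
    posted = parse_ruleset(RULES_AS_POSTED)
    for label, rs in (("as posted", posted), ("without 65000", without(posted, 65000)),
                      ("fixed", parse_ruleset(RULES_FIXED))):
        for name, p in (("request", HTTP_REQUEST), ("reply", HTTP_REPLY),
                        ("probe", TELNET_PROBE)):
            print(f"{label:14} {name:8} -> {evaluate(rs, p)}")
```

Running it shows the two halves of the problem at once: with 65000 in place the telnet probe is allowed by 65000 as well, so the ruleset filters nothing, and with 65000 removed the HTTP reply is the packet that hits 65535. The "fixed" set is only a sketch: rule 600 as written also lets the server open arbitrary outbound connections from source port 80 (ipfw's `established` keyword narrows that to packets with ACK or RST set), and active-mode FTP data connections from port 20 are not covered at all.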


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
