Date:      Wed, 8 Dec 1999 20:22:42 -0800 (PST)
From:      Julian Elischer <julian@whistle.com>
To:        Ben Williams <williamsl@Home.Com>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Re[2]: divert rules
Message-ID:  <Pine.BSF.4.10.9912082018100.23315-100000@current1.whistle.com>
In-Reply-To: <11964.991208@Home.Com>



On Wed, 8 Dec 1999, Ben Williams wrote:

> Wednesday, December 08, 1999
>    Thank you Julian. So from what I'm reading here all incoming
> packets got diverted, then natd, then reinjected right behind the
> divert rule they just went through to hit the next divert rule in the
> sequence and this behaviour continued until it ran out of divert
> rules, yes?

Yes, until the packet is either rejected or accepted.
The process that opens a divert socket can specify what rule to re-inject
at. The received packet comes with info as to what rule caused the
diversion. If that info is fed straight back, then the filtering begins at
that rule number, PLUS ONE.
The info comes in, in the sockaddr in a recvfrom(2), and is sent in the
sockaddr in a sendto(2) (in the 'port' field).

I notice you only have one divert rule. Where did it hit a second divert?

>    Here are my ipfw rules as they stand now. Everything but IRC from
> an inside box and ICQ (direct connections) seems to work right now.
> pn1 is my outside (public) interface with the IP address
> 123.123.123.123 (which is fake .. this server will be moving shortly)
> 
> delta:~# ipfw l
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 192.168.1.0/24 to any in recv pn1
> 00400 deny ip from 123.123.123.0/24 to any in recv pn0
> 00600 deny ip from any to 192.168.0.0/16 via pn1
> 00700 deny ip from 172.16.0.0/12 to any via pn1
> 00800 deny ip from any to 172.16.0.0/12 via pn1
> 00900 deny ip from 10.0.0.0/8 to any via pn1
> 01000 deny ip from any to 10.0.0.0/8 via pn1
> # This (1040) is the divert rule I was playing with and your
> # explanation makes sense now that I look at it ..
> 01040 divert 8668 log ip from any to any
> 01100 allow tcp from any to any established
> 01200 allow tcp from any to 123.123.123.123 25 setup
> 01300 allow tcp from any to 123.123.123.123 2500 setup
> 01400 allow tcp from any to 123.123.123.123 53 setup
> # I see entries in my logs indicating that this host is (continually)
> # trying to connect to my identd server so I'm dropping ident requests
> # from here. 'bad.ip.address' is not an IRC server and I don't know what
> # else uses ident (?)
> 01425 deny tcp from bad.ip.address to 123.123.123.123 113
> 01425 deny udp from bad.ip.address to 123.123.123.123 113
> 01450 allow log tcp from any to 123.123.123.123 113 setup
> 01500 allow tcp from any to 123.123.123.123 80 setup
> 01600 allow tcp from any to 123.123.123.123 8000 setup
> 01700 allow tcp from any to 123.123.123.123 8080 setup
> 01800 allow tcp from any to 123.123.123.123 8888 setup
> 01900 deny log tcp from any to any in recv pn1 setup
> 02000 allow tcp from any to any setup
> 02100 allow udp from any 53 to 123.123.123.123
> 02200 allow udp from 123.123.123.123 to any 53
> 02300 allow udp from any 123 to 123.123.123.123
> 02400 allow udp from 123.123.123.123 to any 123
> 65500 allow log ip from any to any
> 65535 allow ip from any to any
> 22:59:39 root
> delta:~#
> 
>
> Wednesday, December 08, 1999, 3:43:01 PM, you wrote:
> 
> 
> 
> JE> On Wed, 8 Dec 1999, Nick Rogness wrote:
> 
> >> On Wed, 8 Dec 1999, Ben Williams wrote:
> >> 
> >> [snip]
> >> > However when playing with divert rules on my natd box whenever I had
> >> > more than one divert rule -each- rule would be triggered. The effect
> >> > this had was to have multiple replies sent to any request the inside
> >> > boxes made. Is this the expected behaviour? (Doesn't seem that way to
> >> > me...) The divert rules were all together if that has anything to do
> >> > with it. 
> 
> JE> You are confusing the behaviour of a single run through the ipfw code with
> JE> the result of combining NATD and ipfw.
> 
> JE> the first run will finish when the packet is diverted. NATD then changes
> JE> the packet and re-injects it back into the firewall at the rule number
> JE> following that which diverted it. If it then hits another divert rule,
> JE> that will be taken as well. It is possible to make the rules NOT do this
> JE> in 2 ways. NATD could be altered to inject the packet somewhere else in
> JE> the ruleset, or you could add 2 rules to each divert rule:
> 
> JE> 1000 divert ip from blah blah
> JE> 1000 skipto 2000   <-------- packets not diverted will skip to 2000
> JE> 1001 accept ip from any to any <------reinjected packets come here. 
> 
> JE> julian
> 
> 
> 
> --
>  Ben                                      mailto:williamsl@Home.Com
> 
> 
> 
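As an added example (not code from this thread, and not FreeBSD's ipfw or natd sources), the following C program models the behaviour Julian describes: a single pass through the rules ends at a divert, natd hands the packet back, and filtering resumes at the diverting rule's number plus one, so a second adjacent divert rule is hit as well, while the "1000 divert / 1000 skipto 2000 / 1001 accept" layout keeps that from happening. It also shows the sockaddr handling a divert-socket process does around recvfrom(2)/sendto(2). The rule walk is a constructed simplification (only allow, deny, divert and skipto; a per-rule "matches" flag stands in for real address matching; natd is treated as transparent), the rule numbers and port 8668 are taken from the thread, no real divert socket is opened, and the htons/ntohs byte-order handling of sin_port is this example's assumption.

```c
/* Added example, not code from the thread: a constructed model of how ipfw
 * walks a ruleset when a divert rule fires and natd re-injects the packet,
 * plus the sockaddr handling a divert-socket process does.  The walk is a
 * simplification (only allow/deny/divert/skipto, a per-rule "matches" flag
 * instead of real address matching, and natd treated as transparent). */
#include <stdio.h>
#include <stdint.h>
#include <netinet/in.h>
#include <arpa/inet.h>

enum action { ALLOW, DENY, DIVERT, SKIPTO };

struct rule {
    uint16_t    number;  /* ipfw rule number; array kept in ascending order */
    enum action act;
    uint16_t    arg;     /* divert port, or skipto target rule number */
    int         matches; /* 1 if the rule's pattern matches this packet (constructed) */
};

struct walk_result {
    int         diverted; /* how many divert rules the packet passed through */
    enum action final;    /* ALLOW or DENY */
};

/* One firewall pass starting at the first rule numbered >= start.  A divert
 * does not end the walk in this model: natd changes the packet and sends it
 * back, and the kernel resumes at the diverting rule's number PLUS ONE. */
static struct walk_result walk(const struct rule *rs, int n, uint16_t start)
{
    struct walk_result r = { 0, DENY };   /* fell off the end: default deny */
    for (int i = 0; i < n; i++) {
        if (rs[i].number < start || !rs[i].matches)
            continue;
        switch (rs[i].act) {
        case ALLOW:  r.final = ALLOW; return r;
        case DENY:   r.final = DENY;  return r;
        case SKIPTO: start = rs[i].arg; break;
        case DIVERT: r.diverted++; start = rs[i].number + 1; break;
        }
    }
    return r;
}

/* Two divert rules back to back, as in the original question: the
 * re-injected packet lands on the second divert and is diverted again. */
struct walk_result adjacent_diverts(void)
{
    const struct rule rs[] = {
        { 1040, DIVERT, 8668, 1 },
        { 1041, DIVERT, 8669, 1 },   /* constructed second divert */
        { 1100, ALLOW,  0,    1 },
    };
    return walk(rs, 3, 100);
}

/* Julian's workaround: a second rule 1000 (skipto) catches packets the
 * divert pattern did not match, and 1001 accept catches re-injected ones,
 * so the later divert at 1050 is reached by neither. */
struct walk_result skipto_guarded(int packet_matches_divert)
{
    const struct rule rs[] = {
        { 1000, DIVERT, 8668, packet_matches_divert },
        { 1000, SKIPTO, 2000, 1 },
        { 1001, ALLOW,  0,    1 },
        { 1050, DIVERT, 8669, 1 },   /* constructed second divert */
        { 2000, ALLOW,  0,    1 },
    };
    return walk(rs, 5, 100);
}

/* Divert-socket side.  recvfrom(2) on a PF_INET/SOCK_RAW/IPPROTO_DIVERT
 * socket (not opened here) fills sin_port with the number of the rule that
 * diverted the packet; the same sockaddr handed to sendto(2) makes filtering
 * resume at that rule + 1.  htons/ntohs handling is this example's assumption. */
uint16_t diverting_rule(const struct sockaddr_in *from)
{
    return ntohs(from->sin_port);
}

/* Build the sendto(2) address: an unchanged copy (resume at rule + 1), or
 * with sin_port overridden to re-inject somewhere else in the ruleset. */
struct sockaddr_in reinject_addr(const struct sockaddr_in *from, uint16_t at_rule)
{
    struct sockaddr_in to = *from;   /* keeps family and interface address */
    if (at_rule != 0)
        to.sin_port = htons(at_rule);
    return to;
}

int main(void)
{
    struct walk_result a = adjacent_diverts();
    struct walk_result b = skipto_guarded(1), c = skipto_guarded(0);
    printf("adjacent diverts: diverted %d times, %s\n",
           a.diverted, a.final == ALLOW ? "allowed" : "denied");
    printf("skipto trick, packet matching divert: %d divert(s)\n", b.diverted);
    printf("skipto trick, other packet:           %d divert(s)\n", c.diverted);
    return 0;
}
```

The model makes the trade-off of the skipto trick visible: a packet the divert pattern does not match jumps straight to 2000, so any rules between 1001 and 2000 apply only to re-injected packets.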