Date:      Sun, 19 Jun 2005 23:31:35 +0200
From:      Robert Usle <robertusn@gmail.com>
To:        Abu Khaled <khaled.abu@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: ipfw -pf processing order
Message-ID:  <3713853f0506191431125da26d@mail.gmail.com>
In-Reply-To: <a64c109e05061904187b981d53@mail.gmail.com>
References:  <3713853f05061904017a4a7e3f@mail.gmail.com> <a64c109e05061904187b981d53@mail.gmail.com>

On 6/19/05, Abu Khaled <khaled.abu@gmail.com> wrote:
> On 6/19/05, Robert Usle <robertusn@gmail.com> wrote:
> > Hi,
> >
> > I'm using FreeBSD 5.4 with ipfw (module) & pf (kernel compiled) firewall.
> >
> > pf is used for nat, pass/block, rdr, and dummynet/ipfw is used only
> > for packet queueing.
> >
> > ext_if = vr0
> > int_if = rl1
> >
> > ipfw rules:
> > /sbin/ipfw pipe 10 config bw 256Kbit/s queue 20 mask dst-ip 0x000000ff
> > /sbin/ipfw pipe 11 config bw 256Kbit/s queue 20 mask src-ip 0x000000ff
> > /sbin/ipfw add 100 pipe 10 log ip from any to 10.0.9.0/24
> > /sbin/ipfw add 101 pipe 11 log ip from 10.0.9.0/24 to any
> >
> > sysctl: net.inet.ip.fw.one_pass: 1
> > (I've also tried with 'via','xmit','recv' tags)
> >
> > I see packets coming to my dummynet pipes/rules, but then
> > pf rdr rule:
> >
> > rdr on $int_if proto tcp from $internal_net to any port 80 ->
> > 127.0.0.1 port 3128
> >
> > does not work.
> > When I disable ipfw firewall, it's just ok again.
> >
> > pf options are as follows:
> > set optimization normal
> > set block-policy drop
> > set require-order yes
> > scrub in all
> >
> > Is this related to firewall processing order?
> >
> > Thanks,
> >
> > --
> > Robert
>
> My guess is that IPFW is blocking packets from your $internal_net to
> localhost port 3128. Add this to your IPFW rules before any other
> rules that block traffic to 127.0.0.1
>
> # ipfw 100 allow tcp from $internal_net to 127.0.0.1 3128
> # ipfw 200 allow tcp from 127.0.0.1 3128 to $internal_net
> for example:
>
> ipfw add 100 pass all from any to any via lo0
> ipfw add 200 allow tcp from $internal_net to 127.0.0.1 3128
> ipfw add 300 allow tcp from 127.0.0.1 3128 to $internal_net
> ipfw add 400 deny all from any to 127.0.0.0/8
> ipfw add 500 deny ip from 127.0.0.0/8 to any

Thank you for your email Khaled.

I think that loading ipfw/dummynet modules is a problem itself.
The same happens even if I set 'allow ip from any to any' as a first rule.

Regards,

--
Robert
