From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 3 18:50:25 2007
Date: 3 Jun 2007 12:06:58 -0500
Message-ID: <20070603170658.19724.qmail@ns1.xpress.com.mx>
From: Jeffery Stone
To: freebsd-ipfw@freebsd.org
Subject: (no subject)

Hello,

I am Jeffery Stone, an Artist with LemonStreet Gallery. LemonStreet Gallery is an art gallery in London, United Kingdom. We deal in Art and Craft originating mainly from Asia. Our products are diverse and of the highest quality, depicting 'comfort' and 'real affluence'. Being that Asia's traditional crafts are getting more attention as very important cultural assets, we are proud of our products and so we'd like to show them to the rest of the world. Thus, we are currently expanding our market base beyond Europe, into North America, USA and Africa.

WHY WE NEED YOU.

No doubt, doing business across borders has never been an easy task. We are currently searching for reliable representatives who can help us establish a medium of getting to our various customers in their regions (North America & United States).
The time frame it takes to have their payment checks sent to us and processed is rather long. This has caused a setback in our sales. The representatives we seek will serve as our payment officers/contact persons in these regions, but most especially we are in HIGH demand right now for representatives in the USA. Their sole responsibility will be to receive and process payment checks on our behalf. We believe this will go a long way in bridging the gap between us (the sellers) and our customers (the buyers). At this point, we cannot overemphasize the fact that only honest, reliable and competent person(s) is/are needed by us. We will be glad to welcome you on board if you fit in and have an interest to work for us.

REMUNERATION.

We have a rather generous and highly competitive remuneration package for our new team of sales representatives. We offer a 10% commission on every payment made via you to us. THERE IS NO FINANCIAL OBLIGATION AT YOUR END; all we need from you is total reliability, honesty and your commitment to work for us. There are no hassles as this is a work-at-home opportunity and wouldn't in any way interfere with your present job or status. This offer is irrespective of your qualification or present field of work. Setting you up and registering you with our company remains our responsibility.

Let us know your thoughts. If interested do send promptly by email (jeffstone01@yahoo.co.uk) the following:

1. FULL NAMES
2. CONTACT MAILING ADDRESS
3. TELEPHONE NUMBER
4. FAX NUMBER
5. OCCUPATION

We look forward to working with you and will be more than pleased to give you further details. Thanks in advance.

Sincerely,
Jeffery Stone
LemonStreet Gallery.
London - UK.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 4 11:08:33 2007
Date: Mon, 4 Jun 2007 11:08:31 GMT
Message-Id: <200706041108.l54B8Vvh037535@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
p bin/80913    ipfw       [patch] /sbin/ipfw2 silently discards MAC addr arg wit
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/95084   ipfw       [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw       [ipfw] [patch] add a facility to modify DF bit of the
o kern/106534  ipfw       [ipfw] [panic] ipfw + dummynet
o kern/112708  ipfw       ipfw is seems to be broken to limit number of connecti

14 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw       [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o bin/50749    ipfw       [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276   ipfw       [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785    ipfw       [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw       [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw       [ipfw] sugestions about ipfw table
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/111713  ipfw       [dummynet] Too few dummynet queue slots
o kern/112561  ipfw       ipfw fwd does not work with some TCP packets

23 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 5 00:21:29 2007
Date: Mon, 4 Jun 2007 16:41:24 -0700
Message-ID: <1810bab50706041641o5f696b20r450883f40e9897f9@mail.gmail.com>
From: "Dayne Miller"
To: freebsd-ipfw@freebsd.org
Subject: ipfw+dummynet bridging (VMware guests)

Hello-

I'm hoping someone can help. I have a configuration that I *think* is simple and should "just work", but so far I'm having no luck. It's possible this belongs on another list or forum entirely -- if it ends up being a VMware config issue -- but for now I'm operating under the assumption that I have dummynet set up incorrectly.

The infrastructure for this is VMware ESX Server 3.0.1. I have the following VLANs/tags set up within the virtual switch:

vlan 1010 "vm_admin"
vlan 1020 "vm_server"
vlan 1201 "vm_perf"

(These are non-contiguous numbers for some unimportant legacy reasons.)

My goal is to use a FreeBSD 6.2-STABLE VM as a "WAN emulator"; I want clients on VLAN 1201 to be bridged into VLAN 1020, where I've placed several virtual servers. VLAN 1010 is for administrative interfaces; I gave the FreeBSD VM an IP address on the virtual interface homed on that network.

My /etc/rc.conf looks like this:

hostname="dummy00.demo.local"
ifconfig_em0="inet 172.27.222.25 netmask 255.255.255.128"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em1 addm em2 up"
ifconfig_em1="up"
ifconfig_em2="up"
sshd_enable="yes"
firewall_enable="yes"
firewall_script="/usr/local/etc/dummy00.default"
firewall_logging="yes"

The 'dummy00.default' script is:

#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
admif="em0"
clientif="em1"
serverif="em2"
$cmd 00005 allow all from any to any via $admif
$cmd 00010 allow all from any to any via lo0
$cmd 00100 check-state
$cmd 01000 pipe 1 ip from any to any bridged
ipfw -q pipe 1 config
$cmd 65000 allow ip from any to any setup keep-state
$cmd 65100 allow log ip from any to any

(I'll add characteristics to the pipe later, I just want it to work first... And I realize this is not the most efficient ruleset, but again, I want to get it simply passing traffic first, then I'll worry about details.)

My /etc/sysctl.conf looks like this:

net.inet.ip.fw.one_pass=0
net.link.bridge.ipfw=1

Finally, the relevant sections of my kernel config file are:

device if_bridge
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET

I have a very recent version of VMware Tools running. As a non-bridging (i.e. routing) dummynet VM, this has worked well. I cloned a working VM, added the 'options if_bridge' and other relevant things and recompiled the kernel as required. Now I can't seem to get packets to pass...

I have this setup, if you can forgive the ASCII diagram:

                (client 10.133.20.119)
                          |
                          |  [vlan 1201]
                          |
                          |em1
          (FreeBSD 6.2-STABLE)em3--[VLAN 1010 -- 172.27.222/25]
                          |em2
                          |
                          |  [vlan 1020]
                          |
                (servers 10.133.20.x/24)

The client is unable to connect to any server resources (nor can the servers connect to the client, of course.) I've made sure the client has all the correct IP parameters. If I change the client VM config within VMware so that the interface is on the server VLAN, with no other changes, all works correctly.

On the dummynet box, a point-in-time 'ipfw show' gives:

00005   42   3360 allow ip from any to any via em0
00010    0      0 allow ip from any to any via lo0
00100    0      0 check-state
01000  159  26719 pipe 1 ip from any to any layer2
65000    0      0 allow ip from any to any setup keep-state
65100  477  80157 allow log logamount 1 ip from any to any
65535    0      0 allow ip from any to any

I can get the rules at 1000 and 65100 to increment just by attempting to pass traffic from client to server or vice versa. However, since there are no deny rules, I'm unsure what's happening to the packets after they hit the bridge -- they are definitely NOT making it as far as the destination server(s).

Any suggestions for troubleshooting, or configuration changes?
I thought I had all of the basics taken care of, but apparently not.

Thanks in advance-
-Dayne

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 5 19:55:28 2007
Date: Tue, 5 Jun 2007 19:55:28 GMT
From: Remko Lodder
Message-Id: <200706051955.l55JtSN6070197@freefall.freebsd.org>
To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/113388: [ipfw][patch] Addition actions with rules within specified set's

Synopsis: [ipfw][patch] Addition actions with rules within specified set's

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: remko
Responsible-Changed-When: Tue Jun 5 19:55:14 UTC 2007
Responsible-Changed-Why:
reassign to ipfw team

http://www.freebsd.org/cgi/query-pr.cgi?pr=113388

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 5 21:59:54 2007
Date: Tue, 5 Jun 2007 23:31:25 +0200
Message-ID: <3713853f0706051431u26528562u85cc237f1e41c533@mail.gmail.com>
From: "Robert Usle"
To: freebsd-ipfw@freebsd.org
Subject: ipfw tcp/udp dropping - why ?
Hello,

I'm not sure if my ruleset is correct, but I've noticed a strange ruleset behavior.

OS: FreeBSD 4.11-STABLE #7

Here's my ruleset.

desc:
table 5  ip+bw for download
table 6  ip+bw for upload ($ip,$bw)
table 1  (ip, hosts allowed to use internet)
NAT via IPNAT + patch for ipnat/ipfw order

-------------
## sysctls
sysctl -w net.inet.ip.fw.one_pass=0
sysctl -w net.inet.ip.fw.dyn_max=10000

# Flush rules
##############
${fwcmd} -fq flush
${fwcmd} -f pipe flush
${fwcmd} -f queue flush
${fwcmd} zero
${fwcmd} table 1 flush
${fwcmd} table 5 flush
${fwcmd} table 6 flush

myip="x.x.x.x"
int_if1="rl0"
int_if2="rl1"
ext_if1="xl0"
trusted="x.x.x.y,z.z.z.z"
up_conn_limit=20
down_conn_limit=20
goodtcptoports="22,21,25,80,110,443,3389,3306,8074,995,993,567"

## trusted hosts
${fwcmd} add 20 allow ip from $trusted to me
${fwcmd} add 20 allow ip from me to $trusted

# me -> outside PASS
${fwcmd} add 30 allow tcp from me to any out setup keep-state
${fwcmd} add 30 allow udp from me to any out keep-state

${fwcmd} add 100 set 1 allow ip from any to any via lo0
${fwcmd} add 110 set 1 deny ip from any to 127.0.0.0/8
${fwcmd} add 120 set 1 deny ip from 127.0.0.0/8 to any

# netbios BLOCK
${fwcmd} add 130 deny ip from any to any 137-139

# icmp
${fwcmd} add 140 allow icmp from any to any

${fwcmd} add 150 allow ip from any to any via $int_if1
${fwcmd} add 150 allow ip from any to any via $int_if2

# SNORT p2p (table 1 = hosts allowed for internet usage)
${fwcmd} add 160 divert 8000 ip from table\(1\) to any
${fwcmd} add 161 divert 8000 ip from any to table\(1\)

# these are pipes with mask src-addr 0xffffffff ipfw table($ip,$bw)
${fwcmd} add 10001 pipe 11 ip from any to table\(5,2048\) in recv $ext_if1
${fwcmd} add 10002 pipe 13 ip from any to table\(5,256\) in recv $ext_if1
${fwcmd} add 10003 pipe 15 ip from any to table\(5,512\) in recv $ext_if1
${fwcmd} add 10004 pipe 18 ip from any to table\(5,128\) in recv $ext_if1
${fwcmd} add 10005 pipe 19 ip from any to table\(5,1024\) in recv $ext_if1
${fwcmd} add 10006 pipe 12 ip from table\(6,2048\) to any out xmit $ext_if1
${fwcmd} add 10007 pipe 14 ip from table\(6,256\) to any out xmit $ext_if1
${fwcmd} add 10008 pipe 16 ip from table\(6,512\) to any out xmit $ext_if1
${fwcmd} add 10009 pipe 17 ip from table\(6,128\) to any out xmit $ext_if1
${fwcmd} add 10010 pipe 20 ip from table\(6,1024\) to any out xmit $ext_if1

${fwcmd} add 45000 check-state
${fwcmd} add 45100 allow tcp from table\(1\) to any not $goodtcptoports out xmit $ext_if1 setup limit src-addr $up_conn_limit
${fwcmd} add 45200 allow udp from table\(1\) to any out xmit $ext_if1 limit src-addr $up_conn_limit
${fwcmd} add 45300 allow tcp from table\(1\) to any out xmit $ext_if1 setup keep-state
${fwcmd} add 45400 allow udp from table\(1\) to any out xmit xl0 keep-state

# outside -> me PASS
${fwcmd} add 64000 allow tcp from any to me 80,443,22 setup keep-state

# outside -> LAN hosts PASS
${fwcmd} add 64100 allow tcp from any to 10.0.5.36 3389 setup keep-state

${fwcmd} add 65000 deny log logamount 10000000 ip from any to any
-------- ENDRULES --------------

Though I see http working, I notice this in the ipfw logs for rule 65000:

Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3182 38.99.77.44:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3180 38.99.77.44:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.62:2259 62.129.240.58:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3204 85.25.133.18:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3171 209.172.60.89:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3079 207.44.164.103:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3080 207.44.164.103:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.0.91:1353 213.180.131.42:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3203 85.25.133.18:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3202 85.25.133.18:80 out via xl0
....

Shouldn't this be handled by:

${fwcmd} add 45300 allow tcp from table\(1\) to any out xmit $ext_if1 setup keep-state

?

Thanks,
--
Robert
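Both questions in this digest come down to reading ipfw's own output: Dayne compares `ipfw show` counters by hand to see which rules a packet reached, and Robert reads `ipfw: NNNNN Deny ...` kernel log lines to see what the catch-all rule is dropping. The following is an added example (not code from either poster or from FreeBSD) that parses both formats: it diffs two `ipfw show` snapshots to list rules whose packet counters moved, and it aggregates deny log lines per rule, source host and destination port. The snapshots below are constructed from the rule numbers in the bridging post with made-up counter values; the log sample reuses lines quoted in the second post.

```python
import re
from collections import Counter

# Constructed `ipfw show` snapshots (rule numbers from the bridging post,
# counter values made up) taken before and after pushing some test traffic.
SHOW_BEFORE = """\
00005  42   3360 allow ip from any to any via em0
00100   0      0 check-state
01000 159  26719 pipe 1 ip from any to any layer2
65000   0      0 allow ip from any to any setup keep-state
65100 477  80157 allow log logamount 1 ip from any to any
"""
SHOW_AFTER = """\
00005  50   4000 allow ip from any to any via em0
00100   0      0 check-state
01000 171  28903 pipe 1 ip from any to any layer2
65000   0      0 allow ip from any to any setup keep-state
65100 513  86301 allow log logamount 1 ip from any to any
"""
# Deny lines in the syslog format quoted in the tcp/udp dropping post.
DENY_LOG = """\
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3182 38.99.77.44:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3180 38.99.77.44:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.62:2259 62.129.240.58:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3204 85.25.133.18:80 out via xl0
"""
# `ipfw show` prints "<rule> <packets> <bytes> <rule body>" per line.
SHOW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")
# Log lines: "ipfw: <rule> <Action> <PROTO> <src>[:<port>] <dst>[:<port>] <in|out> via <if>"
# (ports are optional so ICMP lines parse too).
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<ifname>\S+)")

def parse_show(text):
    """Return {rule_number: (packets, bytes, body)} from `ipfw show` output."""
    rules = {}
    for line in text.splitlines():
        m = SHOW_RE.match(line)
        if m:
            rules[int(m.group(1))] = (int(m.group(2)), int(m.group(3)), m.group(4))
    return rules

def counter_deltas(before, after):
    """[(rule, packets added, body)] for rules whose packet counter moved.
    A rule absent from this list (65000 in the sample) never matched, which is
    the first thing to establish when a rule 'should' have handled the traffic."""
    b, a = parse_show(before), parse_show(after)
    return [(n, a[n][0] - b[n][0], a[n][2])
            for n in sorted(a) if n in b and a[n][0] != b[n][0]]

def summarize_denies(log_text):
    """Count denied packets per (rule, src host, proto, dst port, interface)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["action"] == "Deny":
            counts[(int(m["rule"]), m["src"], m["proto"], m["dport"], m["ifname"])] += 1
    return counts

if __name__ == "__main__":
    for rule, pkts, body in counter_deltas(SHOW_BEFORE, SHOW_AFTER):
        print(f"rule {rule:05d} +{pkts} pkts  {body}")
    for key, n in summarize_denies(DENY_LOG).most_common():
        print(n, key)
```

On a live box the two snapshots would come from running `ipfw show` before and after a single test connection, and the log text from /var/log/security or wherever syslog sends kernel messages.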