Date:      Mon, 03 Sep 2007 16:31:28 +1200
From:      Russell Fulton <r.fulton@auckland.ac.nz>
To:        freebsd-ipfw@freebsd.org
Subject:   Problems with pipes...
Message-ID:  <46DB8E20.8070404@auckland.ac.nz>

Hi, I'm having problems getting pipes to work in ipfw (under FreeBSD).

First a little background that will explain why some of the stuff in
here is there.  We have a wireless lan with two firewalls which fail
over using carp.  There are several different SSIDs which appear to the
firewall as different vlans.  I am working on the 'backup' firewall and
we have set up a test ssid/vlan (130.216.155.0/24) which has this
firewall as primary.  I have to leave the carp rules in for the other
vlans otherwise carp gets all confused :) and the backup fw suddenly
thinks it is primary for everything (been there done that ;)

I have cut the rule set down as much as I can:

# already established connections continue going through
add 10 check-state

# allow outbound traffic to mailhost from UoA

add 11 allow tcp from 130.216.89.0/24, 130.216.90.0/23  to
130.216.11.210 25, 587, 465 xmit fxp1  setup keep-state

# bad ports that we want to block
add 15 deny log logamount 0 udp from any to any
7,67,68,69,111,134-140,199,445,512,513,520,1993,2049,1900,5000 via fxp1
add 16 deny log logamount 0 tcp from any to any
7,11,15,25,67,68,87,111,134-140,144,199,445,511-514,1025,1993,1900,2049,2766,5000,5999-6020
via fxp1

# carp VRP

 add 20 allow all from 130.216.89.6/31 to 224.0.0.18 via vlan89
 add 21 allow all from 130.216.90.6/31 to 224.0.0.18 via vlan90
 add 22 allow all from 130.216.94.6/31 to 224.0.0.18 via vlan94
 add 23 allow all from 130.216.95.6/31 to 224.0.0.18 via vlan95
 
add 24 allow all from 130.216.1.11 to 224.0.0.18 via fxp1
add 24 allow all from 130.216.1.12 to 224.0.0.18 via fxp1

add 30 allow all from 130.216.4.173 to 224.0.0.18 via fxp1
add 31 allow all from 130.216.4.174 to 224.0.0.18 via fxp1

add 40 allow tcp from 130.216.4.0/23, 130.216.76.0/23 to any in recv
fxp1 setup keep-state

# allow anything else in from the vlans

add 01139 allow all from 130.216.155.0/24 to any in recv vlan155

# Allow it all out fxp1

add 01145 allow tcp from 130.216.89.0/24,
130.216.90.0/23,130.216.94.0/24,130.216.95.0/24, 130.216.155.0/24  to
any out via  fxp1 setup keep-state
add 01147 allow all from 130.216.89.0/24,
130.216.90.0/23,130.216.94.0/24,130.216.95.0/24, 130.216.155.0/24  to
any out xmit  fxp1 keep-state


# don't forget the loopback interface or some things might break
add 01102 allow all from any to any via lo0 setup keep-state

# test vlan 155

pipe 15 config mask src-ip 0x000000ff bw 128Kbit/s

 add 02420 pipe 15 all from 130.216.155.0/24 to any

add 06000 deny log logamount  0 all from any to any

#################################################

here is an ipfw -d show during a file transfer:

[root@wgate-1 /root]# ipfw -d show
00010     0       0 check-state
00011     0       0 allow tcp from 130.216.89.0/24,130.216.90.0/23 to
130.216.11.210 dst-port 25,587,465 xmit fxp1 setup keep-state
00015     0       0 deny log udp from any to any dst-port
7,67,68,69,111,134-140,199,445,512,513,520,1993,2049,1900,5000 via fxp1
00016     0       0 deny log tcp from any to any dst-port
7,11,15,25,67,68,87,111,134-140,144,199,445,511-514,1025,1993,1900,2049,2766,5000,5999-6020
via fxp1
00020   115    6440 allow ip from 130.216.89.6/31 to 224.0.0.18 via vlan89
00021   114    6384 allow ip from 130.216.90.6/31 to 224.0.0.18 via vlan90
00022   114    6384 allow ip from 130.216.94.6/31 to 224.0.0.18 via vlan94
00023   115    6440 allow ip from 130.216.95.6/31 to 224.0.0.18 via vlan95
00024     0       0 allow ip from 130.216.1.11 to 224.0.0.18 via fxp1
00024   115    6440 allow ip from 130.216.1.12 to 224.0.0.18 via fxp1
00030     0       0 allow ip from 130.216.4.173 to 224.0.0.18 via fxp1
00031     0       0 allow ip from 130.216.4.174 to 224.0.0.18 via fxp1
00040   358   36699 allow tcp from 130.216.4.0/23,130.216.76.0/23 to any
in recv fxp1 setup keep-state
01102     0       0 allow ip from any to any via lo0 setup keep-state
01139     1      48 allow ip from 130.216.155.0/24 to any in recv vlan155
01145 11271 9865040 allow tcp from
130.216.89.0/24,130.216.90.0/23,130.216.94.0/24,130.216.95.0/24,130.216.155.0/24
to any out via fxp1 setup keep-state
01147     0       0 allow ip from
130.216.89.0/24,130.216.90.0/23,130.216.94.0/24,130.216.95.0/24,130.216.155.0/24
to any out xmit fxp1 keep-state
02420     0       0 pipe 15 ip from 130.216.155.0/24 to any
06000   201   25058 deny log ip from any to any
65535   160   74420 deny ip from any to any
## Dynamic rules (2):
01145 11270 9864992 (300s) STATE tcp 130.216.155.13 1525 <-> 161.53.24.9 80
00040   357   36635 (300s) STATE tcp 130.216.4.12 60906 <-> 130.216.1.11 22


Note that nothing is going through pipe 15 even though it would appear
to match dynamic rule 01145.

What have I screwed up?

Russell.
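An added example, not part of the post above: a small parser for the `ipfw -d show` format shown in the message that flags pipe/queue rules with zero hits numbered after a keep-state rule that currently holds dynamic state. Because check-state applies the action of the rule that created the state, packets of such a flow take that earlier rule's action and never reach a later pipe rule, so this is the first thing to check when a pipe counter stays at zero. The sample output is constructed and trimmed; the counts are not the poster's.

```python
import re

# Constructed sample in the layout `ipfw -d show` prints (counts made up).
SAMPLE = """\
00010     0       0 check-state
01139     1      48 allow ip from 130.216.155.0/24 to any in recv vlan155
01145 11271 9865040 allow tcp from 130.216.155.0/24 to any out via fxp1 setup keep-state
02420     0       0 pipe 15 ip from 130.216.155.0/24 to any
06000   201   25058 deny log ip from any to any
## Dynamic rules (1):
01145 11270 9864992 (300s) STATE tcp 130.216.155.13 1525 <-> 161.53.24.9 80
"""

STATIC_RE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(.*)$")
DYN_RE = re.compile(
    r"^(\d{5})\s+(\d+)\s+(\d+)\s+\((\d+)s\)\s+STATE\s+(\S+)\s+"
    r"(\S+)\s+(\d+)\s+<->\s+(\S+)\s+(\d+)$"
)


def parse_show(text):
    """Split `ipfw -d show` output into static rules and dynamic state entries."""
    static, dynamic, in_dyn = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("## Dynamic rules"):
            in_dyn = True          # everything after this header is state
            continue
        m = (DYN_RE if in_dyn else STATIC_RE).match(line)
        if not m:
            continue               # skip wrapped continuation lines etc.
        if in_dyn:
            dynamic.append({"rule": int(m[1]), "pkts": int(m[2]),
                            "proto": m[5], "src": m[6], "dst": m[8]})
        else:
            static.append({"rule": int(m[1]), "pkts": int(m[2]),
                           "bytes": int(m[3]), "body": m[4]})
    return static, dynamic


def shadowed_pipes(static, dynamic):
    """Return (pipe_rule, [earlier stateful rules with live state]) for every
    pipe/queue rule with zero hits that is numbered after a rule holding state."""
    with_state = {d["rule"] for d in dynamic}
    found = []
    for r in static:
        if r["body"].startswith(("pipe ", "queue ")) and r["pkts"] == 0:
            earlier = sorted(n for n in with_state if n < r["rule"])
            if earlier:
                found.append((r["rule"], earlier))
    return found
```

Run against real `ipfw -d show` output by passing it to parse_show; a non-empty result from shadowed_pipes points at the stateful rule whose action the flow is taking instead of the pipe.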



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?46DB8E20.8070404>