Date:      Sun, 19 Jun 2005 14:18:54 +0300
From:      Abu Khaled <khaled.abu@gmail.com>
To:        Robert Usle <robertusn@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: ipfw -pf processing order
Message-ID:  <a64c109e05061904187b981d53@mail.gmail.com>
In-Reply-To: <3713853f05061904017a4a7e3f@mail.gmail.com>
References:  <3713853f05061904017a4a7e3f@mail.gmail.com>

On 6/19/05, Robert Usle <robertusn@gmail.com> wrote:
> Hi,
>
> I'm using FreeBSD 5.4 with ipfw (module) & pf (kernel compiled) firewall.
>
> pf is used for nat, pass/block, rdr, and dummynet/ipfw is used only
> for packet queueing.
>
> ext_if = vr0
> int_if = rl1
>
> ipfw rules:
> /sbin/ipfw pipe 10 config bw 256Kbit/s queue 20 mask dst-ip 0x000000ff
> /sbin/ipfw pipe 11 config bw 256Kbit/s queue 20 mask src-ip 0x000000ff
> /sbin/ipfw add 100 pipe 10 log ip from any to 10.0.9.0/24
> /sbin/ipfw add 101 pipe 11 log ip from 10.0.9.0/24 to any
>
> sysctl: net.inet.ip.fw.one_pass: 1
> (I've also tried with 'via','xmit','recv' tags)
>
> I see packets coming to my dummynet pipes/rules, but then
> pf rdr rule:
>
> rdr on $int_if proto tcp from $internal_net to any port 80 ->
> 127.0.0.1 port 3128
>
> does not work.
> When I disable ipfw firewall, it's just ok again.
>
> pf options are as follows:
> set optimization normal
> set block-policy drop
> set require-order yes
> scrub in all
>
> Is this related to firewall processing order?
>
> Thanks,
>
> --
> Robert

My guess is that IPFW is blocking packets from your $internal_net to
localhost port 3128. Add this to your IPFW rules before any other
rules that block traffic to 127.0.0.1.

# ipfw add 100 allow tcp from $internal_net to 127.0.0.1 3128
# ipfw add 200 allow tcp from 127.0.0.1 3128 to $internal_net
for example:

ipfw add 100 pass all from any to any via lo0
ipfw add 200 allow tcp from $internal_net to 127.0.0.1 3128
ipfw add 300 allow tcp from 127.0.0.1 3128 to $internal_net
ipfw add 400 deny all from any to 127.0.0.0/8
ipfw add 500 deny ip from 127.0.0.0/8 to any

-- 
Kind regards
Abu Khaled
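To make the ordering point in this reply concrete, here is a small Python model of ipfw's first-match rule evaluation. It is an added example written for this archive page, not code from the thread or from FreeBSD; it reproduces only the behaviour the thread relies on (rule numbers, allow/deny/pipe actions, address and port matching, the implicit default rule 65535, and what net.inet.ip.fw.one_pass does after a pipe) and leaves out interfaces such as `via lo0`, pf, NAT/rdr and state. The $internal_net value 10.0.9.0/24 comes from Robert's pipe rules; the client address 10.0.9.7 and the client port are constructed.

```python
"""Toy first-match model of ipfw rule evaluation (added example, not FreeBSD's
ipfw). Models rule numbers, allow/deny/pipe actions, proto/address/port
matching, the implicit default rule 65535 (deny assumed) and one_pass.
Interfaces ('via lo0'), pf, rdr/NAT and stateful matching are left out."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    number: int
    action: str                    # "allow", "deny" or "pipe"
    proto: str = "ip"              # "ip" matches any protocol
    src: str = "any"
    dst: str = "any"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _in_net(addr: str, net: str) -> bool:
    """'any' matches everything; otherwise net is a host or CIDR string."""
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _in_net(pkt.src, rule.src) or not _in_net(pkt.dst, rule.dst):
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules, pkt, one_pass=True):
    """Walk rules in number order; the first match decides.
    Returns (verdict, list of rule numbers hit). A 'pipe' rule ends the
    search with an accept when one_pass is set (the packet is not passed
    through the firewall again after dummynet); with one_pass off the
    packet is re-injected at the next rule, so a later deny can still drop it."""
    hits = []
    for rule in sorted(rules, key=lambda r: r.number):
        if not matches(rule, pkt):
            continue
        hits.append(rule.number)
        if rule.action == "pipe":
            if one_pass:
                return "allow", hits
            continue
        return rule.action, hits
    hits.append(65535)             # implicit default rule; deny assumed here
    return "deny", hits


INTERNAL_NET = "10.0.9.0/24"       # $internal_net, taken from the quoted pipe rules

# The order suggested in the reply: proxy allows first, localhost denies after.
SUGGESTED = [
    Rule(200, "allow", "tcp", INTERNAL_NET, "127.0.0.1", dst_port=3128),
    Rule(300, "allow", "tcp", "127.0.0.1", INTERNAL_NET, src_port=3128),
    Rule(400, "deny", dst="127.0.0.0/8"),
    Rule(500, "deny", src="127.0.0.0/8"),
]
# Same allows, but with a deny-to-localhost rule numbered ahead of them.
MISORDERED = [Rule(100, "deny", dst="127.0.0.0/8")] + SUGGESTED[:2]
# Robert's rule 101 ('pipe 11 ip from 10.0.9.0/24 to any') followed by a
# deny to localhost, to show what one_pass changes.
PIPE_THEN_DENY = [Rule(101, "pipe", src=INTERNAL_NET), Rule(400, "deny", dst="127.0.0.0/8")]

# Constructed packet: a client's web request after pf's rdr has rewritten the
# destination to the local squid listener on port 3128.
REDIRECTED = Packet("tcp", "10.0.9.7", "127.0.0.1", src_port=40000, dst_port=3128)


def demo():
    return {
        "suggested": evaluate(SUGGESTED, REDIRECTED),
        "misordered": evaluate(MISORDERED, REDIRECTED),
        "pipe_one_pass": evaluate(PIPE_THEN_DENY, REDIRECTED, one_pass=True),
        "pipe_reinject": evaluate(PIPE_THEN_DENY, REDIRECTED, one_pass=False),
    }


if __name__ == "__main__":
    for name, (verdict, hits) in demo().items():
        print(f"{name:14s} -> {verdict:5s} via rules {hits}")
```

Run it and the redirected request is accepted by rule 200 in the suggested order but dropped by rule 100 when the localhost deny is numbered first, which is exactly why the allows have to sit before any rule that blocks 127.0.0.1. The last two cases show the one_pass side of the thread: with `net.inet.ip.fw.one_pass=1` the packet leaves the ruleset at pipe rule 101, while with it off the packet continues past the pipe and a later deny still applies, so the sysctl value changes which of your later rules can ever see dummynet traffic.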



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?a64c109e05061904187b981d53>