From: Julian Elischer <julian@freebsd.org>
To: Jason Mattax
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Strange problem
Date: Fri, 11 Feb 2011 22:39:51 -0800
Message-ID: <4D562B37.7000402@freebsd.org>
In-Reply-To: <4D55F832.7010604@storytotell.org>
List-Id: IPFW Technical Discussions

On 2/11/11 7:02 PM, Jason Mattax wrote:
> I'm currently running 8.1-RELEASE-p2 and attempting to set up a firewall
> with natd and ipfw. I was trying a more complicated ipfw script and had
> some problems. I reduced my rule set to the smallest sets I could manage
> to find the exact rule that causes problems. xl0 is my world-facing
> interface and re0 faces my internal network.
>
> The working ruleset is
>
> $ipfw list
>
> 00050 allow ip from any to any via lo0
> 00100 divert 8668 log ip from any to any in via xl0
> 10000 divert 8668 log ip from any to any out via xl0
> 10005 allow ip from any to any
> 65535 allow ip from any to any
>
> With this I get a log containing
>
> $tail ipfw.log
> Feb 10 20:37:53 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:37:54 stilgar kernel: ipfw: 10000 Divert 8668 TCP 192.168.0.10:22 192.168.0.15:60569 out via xl0
> Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:37:54 stilgar kernel: ipfw: 10000 Divert 8668 TCP 192.168.0.10:22 192.168.0.15:60569 out via xl0
> Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:37:54 stilgar kernel: ipfw: 10000 Divert 8668 TCP 192.168.0.10:22 192.168.0.15:60569 out via xl0
> Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
>
> Both of the diverts are working and machines attached to the internal NIC
> can communicate through the computer. Now, because I would like to be able
> to drop some packets, I'm going to add a skip, since eventually that will
> get me where I want to be.
>
> This just adds rule 00310, which skips over no rules all the time:
>
> $ipfw list
> 00050 allow ip from any to any via lo0
> 00100 divert 8668 log ip from any to any in via xl0
> 00310 skipto 9999 log ip from any to any
> 10000 divert 8668 log ip from any to any out via xl0
> 10005 allow ip from any to any
> 65535 allow ip from any to any
>
> Now the log contains
>
> $tail ipfw.log
> Feb 10 20:36:45 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP 192.168.0.10:22 192.168.0.15:60569 out via xl0
> Feb 10 20:36:45 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:36:45 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP 192.168.0.10:22 192.168.0.15:60569 out via xl0
> Feb 10 20:36:45 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
> Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
>
> Rules 100 and 310 are being hit, but rule 10000 is no longer triggering.
> This means that my outgoing packets aren't having their source address
> rewritten, so I don't get responses (and put unroutable traffic on the
> internet). Can anyone explain to me what I'm doing wrong here?

That is rather odd.

BTW, I tend to never use VIA; be explicit and say recv or xmit. via may
trigger in places you don't expect.

I also always use skipto to split my rules into completely separate
receive and transmit sections, e.g. (very simplistic set):
100 skipto 1000 ip from any to any in recv xl0
110 skipto 2000 ip from any to any out xmit xl0
# allow unfettered access for packets from the inside
120 allow ip from any to any
#
# Now we handle incoming packets only
1000 drop ip from any to not $localIP
1010 divert 8668 ip from any to any
# packets here have been translated..
# make explicit rules for services on this machine
1020 allow tcp from any to me 22
1030 drop ip from any to $localIP
# assuming natd did its job, allow translated packets out.
1040 allow ip from any to any
#
# Now do outgoing packets
2000 divert 8668 ip from any to any
# packets are all translated now
2010 allow ip from any to any

> Jason Mattax
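To make the split receive/transmit layout above concrete, here is an added Python model of ipfw's first-match walk with skipto and divert, written for this post and not taken from the thread, ipfw or natd. It transcribes Julian's ruleset into a small structure and traces packets through it. Assumptions: $localIP is the constructed placeholder 203.0.113.10; "in recv xl0" and "out xmit xl0" are modelled as a direction plus one interface name; natd is replaced by a stand-in that keys its state on the remote address only; and the kernel's always-present default rule 65535 is written out as an allow rule, as in Jason's listing. It does not model why rule 10000 stopped firing in Jason's set.

```python
# Constructed model of ipfw first-match evaluation with skipto and divert.
# Added illustration only: not ipfw or natd code; addresses, the natd state
# table and the rule representation are all simplified.
from dataclasses import dataclass, replace

LOCAL_IP = "203.0.113.10"   # stands in for $localIP (public address on xl0), constructed
INSIDE_NET = "192.168.0."   # hosts behind re0, constructed


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: int = 0
    direction: str = "in"     # "in" (recv) or "out" (xmit)
    iface: str = "xl0"
    translated: bool = False  # set once the natd stand-in has rewritten an address


@dataclass
class Rule:
    num: int
    action: str             # allow | drop | skipto | divert
    arg: int = 0            # skipto target or divert port
    proto: str = "ip"       # "ip" matches every protocol
    dst: str = "any"        # "any", an address, or "not <address>"
    dport: int = 0          # 0 means any port
    direction: str = ""     # "", "in" or "out"
    iface: str = ""         # "", or the recv/xmit interface bound to direction


def matches(rule, pkt):
    """True when every option present on the rule is satisfied by the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.dport and rule.dport != pkt.dport:
        return False
    if rule.dst != "any":
        if rule.dst.startswith("not "):
            return pkt.dst != rule.dst[4:]
        return pkt.dst == rule.dst
    return True


def natd(pkt, nat_state):
    """Stand-in for natd (simplified): outbound inside packets get LOCAL_IP as
    source and leave a state entry; inbound packets to LOCAL_IP from a remote
    host with state are mapped back to the inside host."""
    if pkt.direction == "out" and pkt.src.startswith(INSIDE_NET):
        nat_state[pkt.dst] = pkt.src
        return replace(pkt, src=LOCAL_IP, translated=True)
    if pkt.direction == "in" and pkt.dst == LOCAL_IP and pkt.src in nat_state:
        return replace(pkt, dst=nat_state[pkt.src], translated=True)
    return pkt


def walk(rules, pkt, nat_state):
    """First-match walk: skipto resumes at the first rule numbered >= target,
    divert hands the packet to natd and resumes at the next rule.
    Returns (verdict, final packet, list of rule numbers that matched)."""
    rules = sorted(rules, key=lambda r: r.num)
    i, trace = 0, []
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
            continue
        trace.append(r.num)
        if r.action in ("allow", "drop"):
            return r.action, pkt, trace
        if r.action == "skipto":
            i = next((j for j, x in enumerate(rules) if x.num >= r.arg), len(rules))
            continue
        if r.action == "divert":
            pkt = natd(pkt, nat_state)
            i += 1
            continue
        raise ValueError("unknown action %s" % r.action)
    return "allow", pkt, trace   # only reached if no rule matched at all


# Julian's layout transcribed into the structure above; 65535 is ipfw's default rule.
SPLIT_RULES = [
    Rule(100, "skipto", 1000, direction="in", iface="xl0"),
    Rule(110, "skipto", 2000, direction="out", iface="xl0"),
    Rule(120, "allow"),                                        # inside traffic, no NAT
    Rule(1000, "drop", dst="not " + LOCAL_IP),                 # receive section
    Rule(1010, "divert", 8668),
    Rule(1020, "allow", proto="tcp", dst=LOCAL_IP, dport=22),  # "to me 22"
    Rule(1030, "drop", dst=LOCAL_IP),
    Rule(1040, "allow"),
    Rule(2000, "divert", 8668),                                # transmit section
    Rule(2010, "allow"),
    Rule(65535, "allow"),
]


def trace_session():
    """An inside host opens a connection out through xl0 and the reply comes back."""
    state = {}
    out = walk(SPLIT_RULES, Packet("192.168.0.15", "198.51.100.7", "tcp", 80, "out"), state)
    back = walk(SPLIT_RULES, Packet("198.51.100.7", LOCAL_IP, "tcp", 60569, "in"), state)
    return out, back


if __name__ == "__main__":
    for verdict, pkt, trace in trace_session():
        print(verdict, trace, pkt.src, "->", pkt.dst, "translated" if pkt.translated else "untouched")
```

Running it shows the outbound packet taking 110, 2000, 2010 with its source rewritten to LOCAL_IP, and the reply taking 100, 1010, 1040 with its destination mapped back to 192.168.0.15; an unsolicited inbound packet to LOCAL_IP on a port other than 22 reaches 1030 and is dropped, which is the property the explicit receive section is there to enforce.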