Date: Wed, 20 Oct 2004 15:15:40 -0400 (EDT)
From: "Steve Bertrand" <iaccounts@ibctech.ca>
To: martes.wigglesworth@earthlink.net
Cc: ipfw-mailings <freebsd-ipfw@freebsd.org>
Subject: Re: ipfw address-listing woes
Message-ID: <4853.209.167.16.15.1098299740.squirrel@209.167.16.15>
In-Reply-To: <1098298916.1973.16.camel@Mobile1.276NET>
References: <1098298916.1973.16.camel@Mobile1.276NET>
> I am having a bit of a time getting a rule to be recognized with an
> address-list in it. I have two identical natd boxes for my
> organization, however, I am unable to get the production machine to
> recognize particular rules, as illustrated below:

Have you tried to put it into a variable? Like so:

trusted="{ 192.168.1.0/24 or 192.168.2.0/24 }"

Then subsequently, change your rule as follows:

> ***00105 0 0 allow tcp from 192.168.1.0/24,192.168.2.0/24 to any
> dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state***

... tcp from $trusted to any dst-port 21,25,80 etc

This is the way I've always done it, and I've never tried it your way, so I
don't have an answer to why it does not work. I've just stuck with what does
;o)

HTH,

Steve

> ^^
> 00106 0 0 allow udp from any to any dst-port 33435-33524 keep-state
> 00200 473701 204681004 divert 8668 ip from any to any via sis0
> 65535 944012 409148687 allow ip from any to any
>
> Can anyone let me know why this is not working, because the rule is
> recognized on the following test firewall:
>
> gate1.276EN
> >> sudo ipfw show
> 00098 76 7306 allow ip from any to any via lo0
> 00099 28425 3694972 divert 8668 ip from any to any via sis0
> 00100 3126 990373 queue 1 log ip from any to 192.168.1.0/24 in recv sis0
>
> 00150 0 0 allow ip from 127.0.0.1 to 127.0.0.1
> 00151 3548 290790 allow tcp from any to any dst-port 22 setup keep-state
>
> 00202 0 0 allow udp from 0.0.0.0 to 255.255.255.255 dst-port 67,68 setup keep-state
> 00203 1032 101807 allow udp from any to any dst-port 53 via fxp0 keep-state
>
> 00204 21864 2369464 deny udp from any to any dst-port 137,138,513
>
> ****00205 2664 964612 allow tcp from 192.168.1.0/24 to any dst-port
> 21,25,80,110,443,995 via fxp0 setup keep-state****
> ^^^ ^^^^
> 00206 0 0 allow udp from any to any dst-port 33435-33524 keep-state
>
> 65535 3303 340052 allow ip from any to any
>
> As you can see by the asterisks, and the "^" the rule works on the test
> firewall, however, fails on the production one. I think it has to do
> with my use of multiple NICS, and/or address-lists in the production
> firewall.
>
> As always, any help is greatly appreciated.
>
> Respectfully.
> --
>
> M.G.W.
> Wiggtekmicro, Corp.
>
> System:
> Asus M6N
> Intel Dothan 1.7
> 512MB RAM
> 40GB HD
> 10/100/1000 NIC
> Wireless b/g (not working yet)
> BSD-5.2.1
> KDE-3.1.4
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
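An added example, not a script from either poster: it builds the rule in the variable form Steve suggests and syntax-checks it with `ipfw -n`, which parses the command without loading anything into the kernel, so the test can be repeated on the production box without touching the live ruleset. The networks, ports and NIC names are the thread's; the rule numbers and the one-rule-per-interface split are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): build the "trusted" rule from a
# variable and check its syntax only. Rule numbers 105/106 and the split
# into one rule per NIC are assumed; hosts without ipfw just print the
# command that would be checked.

trusted="{ 192.168.1.0/24 or 192.168.2.0/24 }"
ports="21,25,80,110,443,995"

# Return the rule text for one interface.  Usage: rule_for <number> <ifname>
rule_for() {
    printf 'add %s allow tcp from %s to any dst-port %s via %s setup keep-state' \
        "$1" "$trusted" "$ports" "$2"
}

# Syntax-check a rule without installing it ("ipfw -n" parses only).
# The argument is expanded unquoted on purpose so that "{", "or" and "}"
# reach ipfw as separate words, exactly as on the command line.
# Returns ipfw's exit status, or 0 (after printing) where ipfw is absent.
check_rule() {
    if command -v ipfw >/dev/null 2>&1; then
        # shellcheck disable=SC2086
        ipfw -n $1
    else
        echo "ipfw -n $1"
    fi
}

# Check one rule per production NIC named in the thread.
n=105
for nic in xl0 rl0; do
    check_rule "$(rule_for "$n" "$nic")" || exit 1
    n=$((n + 1))
done
```

If `ipfw -n` rejects the line, the message points at the token it stopped on, which separates a syntax problem from a rule that loads but never matches.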