From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 20 19:13:28 2004
From: "Steve Bertrand"
To: martes.wigglesworth@earthlink.net
cc: ipfw-mailings
Date: Wed, 20 Oct 2004 15:15:40 -0400 (EDT)
Subject: Re: ipfw address-listing woes
Message-ID: <4853.209.167.16.15.1098299740.squirrel@209.167.16.15>
In-Reply-To: <1098298916.1973.16.camel@Mobile1.276NET>
References: <1098298916.1973.16.camel@Mobile1.276NET>
List-Id: IPFW Technical Discussions

> I am having a bit of a time getting a rule to be recognized with an
> address-list in it. I have two identical natd boxes for my
> organization, however, I am unable to get the production machine to
> recognize particular rules, as illustrated below:

Have you tried to put it into a variable? Like so:

trusted="{ 192.168.1.0/24 or 192.168.2.0/24 }"

Then subsequently, change your rule as follows:

> ***00105 0 0 allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state***

... tcp from $trusted to any dst-port 21,25,80 etc

This is the way I've always done it, and I've never tried it yours, so I
don't have an answer to why it does not work. I've just stuck with what
does ;o)

HTH,

Steve

> ^^
> 00106 0 0 allow udp from any to any dst-port 33435-33524 keep-state
> 00200 473701 204681004 divert 8668 ip from any to any via sis0
> 65535 944012 409148687 allow ip from any to any
>
> Can anyone let me know why this is not working, because the rule is
> recognized on the following test firewall:
>
> gate1.276EN
>> sudo ipfw show
> 00098 76 7306 allow ip from any to any via lo0
> 00099 28425 3694972 divert 8668 ip from any to any via sis0
> 00100 3126 990373 queue 1 log ip from any to 192.168.1.0/24 in recv sis0
>
> 00150 0 0 allow ip from 127.0.0.1 to 127.0.0.1
> 00151 3548 290790 allow tcp from any to any dst-port 22 setup keep-state
>
> 00202 0 0 allow udp from 0.0.0.0 to 255.255.255.255 dst-port 67,68 setup keep-state
> 00203 1032 101807 allow udp from any to any dst-port 53 via fxp0 keep-state
>
> 00204 21864 2369464 deny udp from any to any dst-port 137,138,513
>
> ****00205 2664 964612 allow tcp from 192.168.1.0/24 to any dst-port 21,25,80,110,443,995 via fxp0 setup keep-state****
> ^^^ ^^^^
> 00206 0 0 allow udp from any to any dst-port 33435-33524 keep-state
>
> 65535 3303 340052 allow ip from any to any
>
> As you can see by the asterisks, and the "^", the rule works on the
> test firewall, however, fails on the production one. I think it has to
> do with my use of multiple NICs, and/or address-lists in the production
> firewall.
>
> As always, any help is greatly appreciated.
>
> Respectfully.
> --
>
> M.G.W.
> Wiggtekmicro, Corp.
>
> System:
> Asus M6N
> Intel Dothan 1.7
> 512MB RAM
> 40GB HD
> 10/100/1000 NIC
> Wireless b/g (not working yet)
> BSD-5.2.1
> KDE-3.1.4
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to
> "freebsd-ipfw-unsubscribe@freebsd.org"
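The following is an added example, not code from Steve or from the original poster, showing how the variable-based form Steve suggests would look in an rc.firewall-style script. It takes the networks, port list, rule number and interface names from the rule quoted in the thread; the function names, the `fwcmd` dry-run convention and the one-rule-per-interface loop are this example's own choices. With `fwcmd` unset it only prints the ipfw commands it would run, so the generated rules can be reviewed before the script is pointed at a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): build the "trusted networks" rule
# from a shell variable holding an ipfw or-block, as Steve suggests,
# instead of a comma-separated address list on the rule itself.

# Trusted inside networks (the two /24s from the original rule).  The
# braces and "or" are ipfw or-block syntax; the variable must stay
# UNQUOTED where it is expanded so the shell splits it into the separate
# words ipfw expects: "{" "192.168.1.0/24" "or" "192.168.2.0/24" "}".
trusted="{ 192.168.1.0/24 or 192.168.2.0/24 }"

# Services the trusted networks may open outbound (from the original rule).
trusted_ports="21,25,80,110,443,995"

# Inside interfaces from the original rule.  One rule is emitted per
# interface so that no single rule has to name several interfaces.
inside_ifs="xl0 rl0"

# On the firewall itself set fwcmd="/sbin/ipfw" before running this.
# The default is a dry run: each command is printed, not executed.
fwcmd="${fwcmd:-echo ipfw}"

# Print (or run) the allow rule for one rule number and one interface.
add_trusted_rule() {
    num=$1
    ifname=$2
    # $trusted and $fwcmd are deliberately unquoted: they must word-split.
    $fwcmd add $num allow tcp from $trusted to any \
        dst-port $trusted_ports via $ifname setup keep-state
}

# Emit the rule set: consecutive rule numbers starting at 105, one per
# inside interface.
install_trusted_rules() {
    num=105
    for ifname in $inside_ifs; do
        add_trusted_rule "$num" "$ifname"
        num=$((num + 1))
    done
}

install_trusted_rules
```

Running the script unchanged prints the two rules it would install; comparing that output with `ipfw show` on the production box is a quick way to confirm the rule text ipfw actually received matches what was intended.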