Date:      Fri, 3 Sep 2004 13:44:37 -0700 (PDT)
From:      George S <c0sine@yahoo.com>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: fwd'ing packet originally destined to local interface problem
Message-ID:  <20040903204437.1850.qmail@web40410.mail.yahoo.com>

Hi,

Thank you for the suggestion, but that didn't make any difference, which is
consistent with the docs "If no check-state rule is found, the dynamic
rule-set is checked at the first keep-state or limit rule" (in my case, rule
#1). My dynamic rule set is checked on rule #1 and that causes a skipto 10,
where the next matching rule is #11. The packet count is updated, but *I do
not see the packet coming out the fxp1 interface*.

Any other suggestions?

George

>I think you need:
>ipfw add 1 check-state
>ipfw add 2 skipto 10 ........
>
>
>On Fri, 2004-09-03 at 13:00, George S wrote:
>
>> I am having some trouble with a specialized IDS testing framework I am
>> working on.
>> 
>> Here is my setup:
>> -FreeBSD 5.2.1-release running with firewall options configured, bridging
>> off, default to accept
>> -fxp0: inet 10.0.0.50 netmask 255.255.255.0
>> -fxp1: inet 192.168.1.3 netmask 255.255.255.0
>> -default gateway 10.0.0.1 / no static-routes set
>> -ipfw ruleset as follows:
>>   ipfw add 1 skipto 10 tcp from 10.0.0.50 to any setup recv fxp1 keep-state
>>   ipfw add 5 allow ip from any to any
>>   ipfw add 10 fwd 10.0.0.1 tcp from 10.0.0.50 to any
>>   ipfw add 11 fwd 192.168.1.2 tcp from any to 10.0.0.50
>>   ipfw add 65536 allow ip from any to any
>> 
>> When a custom packet (with src ip 10.0.0.50 and SYN bit) arrives at the fxp1
>> interface, it is forwarded out of the fxp0 interface, as expected. When the
>> response (with dst ip 10.0.0.50 and SYN+ACK) arrives on fxp0 however, rule
>> #11 registers the packet by updating its counter, but the packet does not
>> get written out on the fxp1 wire, as I would expect (or hope) it to!
>> 
>> Is this a problem with the code or my ruleset or did I erroneously predict
>> the resulting behaviour?
>> 
>> Many thanks in advance for any help any guru here can provide.
>> 
>> Kindest regards,
>> 
>> George
>> 
>
>-- 
>Jose Hidalgo Herrera <jose at hostarica.com>
>Corp. Hosta Rica
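
An added illustration, not part of the thread and not FreeBSD code: a small Python model of ipfw's rule walk, run over the ruleset quoted above both as posted and with the suggested leading check-state. It reproduces the path George describes (the SYN+ACK hits the dynamic entry at rule 1, takes the skipto, and is counted at rule 11) and shows that the path is the same in both layouts. The peer address, the ports and the reduced semantics listed in the header comment are assumptions; the model says nothing about what the stack then does with the fwd verdict, which is the part still unanswered here.

```python
# Added example, not code from this thread or from FreeBSD: a reduced model of
# ipfw's rule walk used to trace the ruleset quoted above. Assumed semantics,
# simplified from ipfw(8): a matching keep-state rule creates a direction-
# independent 5-tuple entry; the dynamic table is consulted at a check-state
# rule or, if none was passed, at the first keep-state rule; a hit applies the
# creating rule's action; allow/deny/fwd end the walk; skipto resumes at the
# first rule numbered >= its target. What the kernel does with fwd is not modelled.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    recv_if: str

@dataclass
class Rule:
    num: int
    action: str               # allow | deny | skipto | fwd | check-state
    arg: object = None        # skipto target (int) or fwd next hop (str)
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    setup: bool = False       # "setup": SYN set, ACK clear
    recv_if: str = None       # "recv <if>"
    keep_state: bool = False

def rule_matches(rule, pkt):
    # Static match of a rule body; check-state has no body and never matches here.
    return (rule.action != "check-state"
            and rule.proto in ("ip", pkt.proto)
            and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and (not rule.setup or ("SYN" in pkt.flags and "ACK" not in pkt.flags))
            and rule.recv_if in (None, pkt.recv_if))

def flow_key(pkt):
    # Direction-independent key so a reply finds the entry its SYN created.
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, ends[0], ends[1])

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = {}     # flow_key -> Rule that created the entry

    def _index_of(self, num):
        return next((i for i, r in enumerate(self.rules) if r.num >= num), len(self.rules))

    def walk(self, pkt):
        # Returns (verdict, arg, path); path records the rules that acted on pkt.
        path, i, dyn_checked = [], 0, False
        while i < len(self.rules):
            r = self.rules[i]
            action = arg = None
            if not dyn_checked and (r.action == "check-state" or r.keep_state):
                dyn_checked = True
                creator = self.dynamic.get(flow_key(pkt))
                if creator is not None:
                    path.append(f"{r.num}:dynamic->{creator.num}")
                    action, arg = creator.action, creator.arg
            if action is None and rule_matches(r, pkt):
                path.append(str(r.num))
                if r.keep_state:
                    self.dynamic[flow_key(pkt)] = r
                action, arg = r.action, r.arg
            if action is None:
                i += 1
            elif action == "skipto":
                i = self._index_of(arg)
            else:
                return action, arg, path
        return "deny", None, path

def thread_ruleset(with_check_state=False):
    # The ruleset from the post; 65535 is the highest rule number ipfw accepts.
    rules = [Rule(1, "skipto", 10, proto="tcp", src="10.0.0.50", setup=True,
                  recv_if="fxp1", keep_state=True),
             Rule(5, "allow"),
             Rule(10, "fwd", "10.0.0.1", proto="tcp", src="10.0.0.50"),
             Rule(11, "fwd", "192.168.1.2", proto="tcp", dst="10.0.0.50"),
             Rule(65535, "allow")]
    if with_check_state:      # the suggested "1 check-state / 2 skipto" layout
        rules[0].num = 2
        rules.insert(0, Rule(1, "check-state"))
    return Firewall(rules)

def trace(with_check_state=False):
    # Walk the crafted SYN (in on fxp1), then the peer's SYN+ACK (in on fxp0).
    fw = thread_ruleset(with_check_state)
    syn = Packet("tcp", "10.0.0.50", 40000, "198.51.100.7", 80, frozenset({"SYN"}), "fxp1")
    synack = Packet("tcp", "198.51.100.7", 80, "10.0.0.50", 40000, frozenset({"SYN", "ACK"}), "fxp0")
    return fw.walk(syn), fw.walk(synack)    # peer address and ports are constructed
```

trace() returns the two walks; the second one ends in ("fwd", "192.168.1.2", ["1:dynamic->1", "11"]) as posted and in ("fwd", "192.168.1.2", ["1:dynamic->2", "11"]) with the check-state first, which is the rule-11 counter increment reported in the thread. The path is what to compare against the static and dynamic counters (ipfw show and ipfw -d show); whether the packet then actually leaves on fxp1 is decided after the rule walk, outside this model.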


