Date:      Mon, 9 Oct 2000 07:34:16 -0600 (MDT)
From:      Nick Rogness <nick@rapidnet.com>
To:        achilov@granch.ru
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Where I was wrong?
Message-ID:  <Pine.BSF.4.21.0010090723090.53783-100000@rapidnet.com>
In-Reply-To: <39E166D8.8F9662AC@sentry.granch.ru>

On Mon, 9 Oct 2000, Rashid N. Achilov wrote:

> Nick Rogness wrote:
> > 
> > On Fri, 6 Oct 2000, Rashid N. Achilov wrote:
> > 
> > >
> > > ipfw add 100 fwd 10.0.0.2 ip from 10.0.2.2 to any out xmit rl0
> > 
> >         Hmmm, take out the "out via rl0".
> 
> I have given simplified network model. Really this box has 6 (six)
> network interfaces, which binded parts of internal network structure and
> Internet too. If I take out "via" and then go to internal network, I'll
> find myself at external interface :-( 

	# Allow internal net to other internal net
	ipfw add 100 allow ip from 10.0.2.0/24 to INTERNAL#1
	ipfw add 101 allow ip from 10.0.2.0/24 to INTERNAL#2
	ipfw add 102 allow ip from 10.0.2.0/24 to INTERNAL#3

	# Forward all other traffic from 10.0.2.2 out 10.0.0.2
	ipfw add 105 fwd 10.0.0.2 ip from 10.0.2.2 to any

> > >
> > > and next rule to stop all other to Internet
> > >
> > > ipfw add 200 deny log tcp from 10.0.2.0/24 to any 80
> > >
> > > And now I deny too! Why? Where I'm wrong?
> > >
> > 
> >         What does the deny log entry look like?
> > 
> 
> Deny TCP 10.0.0.2:XXXX YYY.YYY.YYY.YYY:80 in via ed0
> Deny TCP 10.0.0.2:XXXX YYY.YYY.YYY.YYY:80 out via rl0

	The reason it is getting denied is ipfw is not
	matching the "out via rl0" (IMO) part of your fwd command above.

	I have this exact (almost) thing running and would be glad to help
	more...but I need more details on how your internal net is laid
	out (interfaces, IPs, etc.).


Nick Rogness
- Drive defensively.  Buy a tank.
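A small Python model of ipfw's first-match evaluation, added here as an illustration rather than taken from the thread, run over the two rulesets above: it shows that the posted rule 100 with "out xmit rl0" never matches the packet on its inbound pass, so the deny at 200 catches it, while the suggested ordering forwards it. Interface names and the 10.0.2.2/10.0.0.2 addresses are from the messages; 10.0.1.0/24 (standing in for INTERNAL#1) and the external address 192.0.2.10 are constructed, and ipfw itself is not used.

```python
import ipaddress
# Constructed model of ipfw first-match evaluation (not ipfw itself), just enough
# to trace the rulesets from this thread. A rule is a tuple:
#   (number, action, src, dst, dport, direction, iface)
# direction is None, "in" or "out"; iface is None or (kind, name) with kind
# "recv", "xmit" or "via" as in ipfw(8). All rules are treated as TCP.

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    _, _, src, dst, dport, direction, iface = rule
    if not (in_net(pkt["src"], src) and in_net(pkt["dst"], dst)):
        return False
    if dport is not None and pkt["dport"] != dport:
        return False
    if direction is not None and pkt["dir"] != direction:
        return False
    if iface is not None:
        kind, name = iface
        seen = {"recv": [pkt["recv"]], "xmit": [pkt["xmit"]],
                "via": [pkt["recv"], pkt["xmit"]]}[kind]
        # on the inbound pass the outgoing interface is still unknown (None)
        if name not in seen:
            return False
    return True

def evaluate(rules, pkt):
    # action of the first matching rule; "default" stands for rule 65535
    for rule in sorted(rules, key=lambda r: r[0]):
        if rule_matches(rule, pkt):
            return rule[1]
    return "default"

def packet(dst, direction, recv, xmit=None):
    # constructed TCP/80 packet from 10.0.2.2 as seen on one firewall pass
    return {"src": "10.0.2.2", "dst": dst, "dport": 80,
            "dir": direction, "recv": recv, "xmit": xmit}

# Ruleset as posted in the question: fwd limited to "out xmit rl0".
ORIGINAL = [
    (100, "fwd 10.0.0.2", "10.0.2.2", "any", None, "out", ("xmit", "rl0")),
    (200, "deny", "10.0.2.0/24", "any", 80, None, None),
]
# Suggested ordering: internal nets first, then an unrestricted fwd.
# 10.0.1.0/24 is a constructed stand-in for INTERNAL#1.
SUGGESTED = [
    (100, "allow", "10.0.2.0/24", "10.0.1.0/24", None, None, None),
    (105, "fwd 10.0.0.2", "10.0.2.2", "any", None, None, None),
    (200, "deny", "10.0.2.0/24", "any", 80, None, None),
]
```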