Date: Sun, 29 Jan 2017 14:40:35 -0200
From: Thomás <thoms3rd@gmail.com>
To: Rakor <freebsd@rakor-net.de>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: How to use IPFW to filter routing
Message-ID: <20170129164035.GB10963@host>
In-Reply-To: <3C00AFCB-E2EF-4F89-8FBD-181C99DAC1FF@rakor-net.de>
References: <3C00AFCB-E2EF-4F89-8FBD-181C99DAC1FF@rakor-net.de>
On Sat, Jan 28, 2017 at 01:58:01PM +0100, Rakor wrote:

> As far as I know a packet is scanned once by IPFW and then first hit wins. So, if I set the following, a packet coming from VLAN3 for port 80 is permitted to travel all the way it wants, even to VLAN2. Putting another rule behind it just allowing it to travel out using igb2 is not checked, because the search terminated after the first hit.
>
> ipfw add allow tcp from 10.10.30.0/24 to any 80 setup keep-state

Have you tried something like this?

ipfw add deny tcp from 10.10.30.0/24 to 10.10.10.0/24 setup keep-state
ipfw add deny tcp from 10.10.30.0/24 to 10.10.20.0/24 setup keep-state
ipfw add allow tcp from 10.10.30.0/24 to any 80 setup keep-state

> If I try the following the packets are all rejected. I think the inspection is done before the routing, so IPFW does not know it should be forwarded using igb2.
>
> ipfw add allow tcp from 10.10.30.0/24 to any 80 out via igb2 setup keep-state

IPFW can do routing table lookups as needed. Something else must be going on here. Log rules may be of help to debug and understand your ruleset.

> So I don't know how to filter packets that should be routed in an exact manner. Can you help me?

There are plenty of ways to filter packets in that setup; the "exact" one depends on what you are trying to achieve.

Cheers,
- Thomás

P.S.: sorry for the duplication, I'd forgotten to CC the list.
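The ordering point in the reply above (first match wins, so the specific denies must sit in front of the broad allow) written out as a complete ruleset script. This is an added example, not code from the thread: it follows the `$fwcmd` convention of FreeBSD's /etc/rc.firewall, takes the subnets and the igb2 name from the thread, and assumes the rule numbers, the dry-run default and the final VLAN3 deny as policy choices of its own. The `log` and `count log` rules are the debugging aid the reply recommends: every decision then shows up in /var/log/security with its rule number.

```shell
#!/bin/sh
# Added example (not from the thread): an ipfw ruleset in the style of
# FreeBSD's /etc/rc.firewall, using its $fwcmd convention. The addresses
# and the igb2 interface name come from the thread; rule numbers and the
# policy for everything else from VLAN3 are assumptions of this example.
#
# ipfw walks the ruleset in rule-number order and the first matching rule
# decides, so the specific denies get lower numbers than the broad allow.

# Dry-run by default: commands are printed, not applied.
# On the router, run:  fwcmd=/sbin/ipfw sh vlan3.sh   to apply them.
fwcmd=${fwcmd:-"echo /sbin/ipfw"}

vlan3_net="10.10.30.0/24"
internal_nets="10.10.10.0/24 10.10.20.0/24"   # VLAN1 and VLAN2, per the thread

apply_rules() {
    # Packets belonging to an existing dynamic (stateful) entry are matched
    # here, before any other rule is consulted.
    $fwcmd add 100 check-state

    # Specific denies first: VLAN3 may not open TCP connections to the other
    # internal VLANs. 'log' makes each hit visible in /var/log/security, which
    # is how you see which rule actually made the decision.
    n=200
    for net in $internal_nets; do
        $fwcmd add $n deny log tcp from $vlan3_net to $net setup
        n=$((n + 10))
    done

    # 'count log' records what reaches this point without deciding anything;
    # the search continues with the next rule, so it is a safe probe to drop
    # anywhere in the ruleset while debugging.
    $fwcmd add 290 count log tcp from $vlan3_net to any setup

    # Only now the broad allow. Because the denies above already caught
    # anything bound for VLAN1/VLAN2, "to any" is safe here. No 'via' clause:
    # a forwarded packet is checked on the inbound pass (via the VLAN3
    # interface) and again on the outbound pass (via igb2), and a rule
    # restricted to 'out via igb2' cannot match on the inbound pass.
    # keep-state creates the dynamic entry that check-state matches for the
    # return traffic.
    $fwcmd add 300 allow tcp from $vlan3_net to any 80 setup keep-state

    # Assumed policy: nothing else from VLAN3 is permitted. Logging it means a
    # rejected packet shows up with a rule number instead of vanishing silently.
    $fwcmd add 400 deny log ip from $vlan3_net to any
}

apply_rules
```

Logging only takes effect when the kernel's `net.inet.ip.fw.verbose` sysctl is set to 1; with it on, `ipfw -a list` shows the per-rule packet counters, which together with the log lines answers the "which rule caught it" question faster than rewriting the ruleset.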