Date: Mon, 19 Apr 2004 15:31:12 +0200
From: "Roman Mikus" <roman@zutom.sk>
To: <freebsd-ipfw@freebsd.org>
Subject: out xmit not match icmp
Message-ID: <8346D753500D004191B4F3E45178065B68EF4D@medusa.zutomxx>
Hi,

I have a FreeBSD 4.9-RELEASE-p3 box with ipfw and 3 interfaces installed. One interface is external with one public IP address, the second is internal with private IP addresses, and the third has a small subnet of public IP addresses assigned. I want to configure a firewall which protects the internal network and the FreeBSD box but will pass traffic for the third interface. I have the following interfaces:

vx0: internal:  10.0.0.8 netmask 255.255.255.0
ed0: external:  y.y.y.170 netmask 255.255.255.240
ep0: free zone: x.x.x.162 netmask 255.255.255.240

I can send the whole firewall config, but it is derived from the simple section in rc.firewall and looks like this (x.x.x., y.y.y. and z.z.z. substitute my real IP addresses):

...
00400 pipe 1 ip from any to any out xmit ed0
00500 pipe 2 ip from any to any in recv ed0
...
01900 divert 8668 ip from any to any via ed0
02000 divert 8668 ip from any to any via ep0
03000 allow ip from any to x.x.x.161
03100 allow ip from any to x.x.x.163
03200 allow ip from any to x.x.x.164
..
03400 allow ip from any to x.x.x.166
..
04200 allow ip from any to x.x.x.174
04300 allow ip from x.x.x.161 to any out recv ep0 xmit ed0
04400 allow ip from x.x.x.163 to any out recv ep0 xmit ed0
04500 allow ip from x.x.x.164 to any out recv ep0 xmit ed0
..
04700 allow ip from x.x.x.166 to any out recv ep0 xmit ed0
..
05500 allow ip from x.x.x.174 to any out recv ep0 xmit ed0
...
65000 deny log ip from any to any

Rules between 1900 and 5500 should pass all traffic to and from the free zone. This is true for TCP traffic (telnet) but not for ICMP traffic (ping). If I try to ping x.x.x.166 from an outside box with IP z.z.z.11, rule 4700 does not match, but rule 65000 matches and this appears in /var/log/security:

Apr 19 15:16:54 ns /kernel: ipfw: 65000 Deny ICMP:0.0 x.x.x.166 z.z.z.11 in via ep0

This is the ICMP reply from host x.x.x.166 and it is blocked, but it shouldn't be. Can you tell me why this happens?
How else can I pass any traffic to and from my free zone (but still be able to shape traffic on the external interface) and protect everything else?

Thanks a lot.
Roman
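A small model of ipfw's first-match evaluation over the rules quoted above, added here as an example (it is not from the message and not ipfw code), that reproduces what the log line records: rules 4300-5500 are restricted to the out pass, so on the "in via ep0" pass the reply from x.x.x.166 matches no allow rule before 65000. It assumes that divert and pipe rules do not end the search (natd reinjects after a divert; what a pipe does depends on net.inet.ip.fw.one_pass).

```python
# Constructed model of ipfw first-match evaluation over the rules quoted above;
# only the match fields those rules use are modelled (x.x.x./z.z.z. as the author wrote them).
from collections import namedtuple

# direction: "in"/"out" (ipfw evaluates each pass separately); recv: interface the
# packet arrived on; xmit: interface it leaves on (known only on the out pass).
Packet = namedtuple("Packet", "direction proto src dst recv xmit")

def rule(num, action, proto, src, dst, direction=None, recv=None, xmit=None, via=None):
    return dict(num=num, action=action, proto=proto, src=src, dst=dst,
                direction=direction, recv=recv, xmit=xmit, via=via)

FREE_ZONE = [161] + list(range(163, 175))  # hosts covered by rules 3000-5500
RULES = [
    rule(400, "pipe", "ip", "any", "any", direction="out", xmit="ed0"),
    rule(500, "pipe", "ip", "any", "any", direction="in", recv="ed0"),
    rule(1900, "divert", "ip", "any", "any", via="ed0"),
    rule(2000, "divert", "ip", "any", "any", via="ep0"),
]
RULES += [rule(3000 + 100 * i, "allow", "ip", "any", f"x.x.x.{h}")
          for i, h in enumerate(FREE_ZONE)]
RULES += [rule(4300 + 100 * i, "allow", "ip", f"x.x.x.{h}", "any",
               direction="out", recv="ep0", xmit="ed0") for i, h in enumerate(FREE_ZONE)]
RULES.append(rule(65000, "deny", "ip", "any", "any"))

def matches(r, p):
    if r["proto"] not in ("ip", p.proto) or r["src"] not in ("any", p.src):
        return False
    if r["dst"] not in ("any", p.dst) or (r["direction"] and r["direction"] != p.direction):
        return False
    if (r["recv"] and r["recv"] != p.recv) or (r["xmit"] and r["xmit"] != p.xmit):
        return False
    return not r["via"] or r["via"] in (p.recv, p.xmit)  # "via" means recv or xmit

def evaluate(p, rules=RULES):
    """Return (terminating rule number, numbers of all rules matched on the way).
    Simplification: only allow/deny end the search; divert (natd reinjects after the
    rule) and pipe (depends on net.inet.ip.fw.one_pass) are treated as pass-through."""
    trail = []
    for r in rules:
        if matches(r, p):
            trail.append(r["num"])
            if r["action"] in ("allow", "deny"):
                return r["num"], trail
    return None, trail

# The logged packet: the echo reply on its inbound pass over ep0 ...
REPLY_IN = Packet("in", "icmp", "x.x.x.166", "z.z.z.11", "ep0", None)
# ... and the same reply as rule 4700 expects it, on the outbound pass towards ed0.
REPLY_OUT = Packet("out", "icmp", "x.x.x.166", "z.z.z.11", "ep0", "ed0")
```

evaluate(REPLY_IN) ends at 65000 with only the divert rule 2000 matched before it, which is the path the log line records; evaluate(REPLY_OUT) ends at 4700, the pass the reply never reaches because the inbound pass has already dropped it.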