From: "Roman Mikus" <roman@zutom.sk>
To: freebsd-ipfw@freebsd.org
Date: Mon, 19 Apr 2004 15:31:12 +0200
Subject: out xmit not match icmp
Message-ID: <8346D753500D004191B4F3E45178065B68EF4D@medusa.zutomxx>
List-Id: IPFW Technical Discussions

Hi,

I have a FreeBSD 4.9-RELEASE-p3 box with ipfw and 3 interfaces installed. One interface is external with one public IP address, the second is internal with private IP addresses, and the third is assigned a small subnet of public IP addresses. I want to configure a firewall which protects the internal network and the FreeBSD box but passes traffic for the third interface.

I have the following interfaces:

vx0: internal:  10.0.0.8  netmask 255.255.255.0
ed0: external:  y.y.y.170 netmask 255.255.255.240
ep0: free zone: x.x.x.162 netmask 255.255.255.240

I can send the whole firewall config, but it is derived from the simple section in rc.firewall and looks like this (x.x.x., y.y.y. and z.z.z. substitute my real IP addresses):

...
00400 pipe 1 ip from any to any out xmit ed0
00500 pipe 2 ip from any to any in recv ed0
...
01900 divert 8668 ip from any to any via ed0
02000 divert 8668 ip from any to any via ep0
03000 allow ip from any to x.x.x.161
03100 allow ip from any to x.x.x.163
03200 allow ip from any to x.x.x.164
..
03400 allow ip from any to x.x.x.166
..
04200 allow ip from any to x.x.x.174
04300 allow ip from x.x.x.161 to any out recv ep0 xmit ed0
04400 allow ip from x.x.x.163 to any out recv ep0 xmit ed0
04500 allow ip from x.x.x.164 to any out recv ep0 xmit ed0
..
04700 allow ip from x.x.x.166 to any out recv ep0 xmit ed0
..
05500 allow ip from x.x.x.174 to any out recv ep0 xmit ed0
...
65000 deny log ip from any to any

Rules between 1900 and 5500 should pass all traffic to and from the free zone, and this is true for TCP traffic (telnet) but not for ICMP traffic (ping). If I try to ping x.x.x.166 from an outside box with IP z.z.z.11, rule 4700 does not match, but rule 65000 matches and this appears in /var/log/security:

Apr 19 15:16:54 ns /kernel: ipfw: 65000 Deny ICMP:0.0 x.x.x.166 z.z.z.11 in via ep0

This is the ICMP reply from host x.x.x.166 and it is blocked, but it shouldn't be. Can you tell me why this happens? How else can I pass any traffic to and from my free zone (but still be able to shape traffic on the external interface) and protect everything else?

Thanks a lot.
Roman
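The following is an added example, not part of Roman's message or of rc.firewall. It is a small Python model of how ipfw evaluates a forwarded packet twice, once on the input pass (where only `in`, `recv` and `via` can match) and once on the output pass (where `out`, `recv`, `xmit` and `via` can all match), run against the rules quoted above. The ICMP echo reply from x.x.x.166 is tested on the input pass on ep0 first; rule 4700 carries `out`, so it cannot match there, and the packet falls through to 65000 exactly as the log line shows. The packets are constructed for the example, rule 04250 is a hypothetical inbound allow added only to show the difference, and `pipe`/`divert` are simplified to "continue at the next rule" (i.e. natd re-injection and net.inet.ip.fw.one_pass=0 are assumed).

```python
"""Toy model of ipfw's two-pass (input, then output) rule evaluation.

Added example; the ruleset is the one quoted in the list message, the
packets and rule 04250 are constructed for illustration.
"""

# Rules quoted from the message (subset sufficient for the x.x.x.166 case).
RULESET = """
00400 pipe 1 ip from any to any out xmit ed0
00500 pipe 2 ip from any to any in recv ed0
01900 divert 8668 ip from any to any via ed0
02000 divert 8668 ip from any to any via ep0
03400 allow ip from any to x.x.x.166
04700 allow ip from x.x.x.166 to any out recv ep0 xmit ed0
65000 deny log ip from any to any
"""

# Hypothetical rule (assumption, not in the original config): an inbound
# allow for free-zone sources so their replies survive the input pass.
HYPOTHETICAL_INBOUND = "04250 allow ip from x.x.x.166 to any in recv ep0"

TERMINAL = {"allow": True, "deny": False}   # pipe/divert are non-terminal here


def parse_rule(line):
    """Parse one 'NNNNN action [arg] [log] proto from S to D [opts]' line."""
    tok = line.split()
    rule = {"num": int(tok[0]), "action": tok[1], "dir": None,
            "recv": None, "xmit": None, "via": None}
    i = 2
    if rule["action"] in ("pipe", "divert"):
        i += 1                       # skip pipe number / divert port
    if tok[i] == "log":
        i += 1                       # logging does not affect matching
    rule["proto"] = tok[i]
    if tok[i + 1] != "from" or tok[i + 3] != "to":
        raise ValueError("unsupported rule syntax: " + line)
    rule["src"], rule["dst"] = tok[i + 2], tok[i + 4]
    i += 5
    while i < len(tok):
        if tok[i] in ("in", "out"):
            rule["dir"] = tok[i]
            i += 1
        elif tok[i] in ("recv", "xmit", "via"):
            rule[tok[i]] = tok[i + 1]
            i += 2
        else:
            raise ValueError("unsupported option: " + tok[i])
    return rule


def parse_ruleset(text):
    rules = [parse_rule(l) for l in text.strip().splitlines() if l.strip()]
    return sorted(rules, key=lambda r: r["num"])


def matches(rule, pkt, direction, recv, xmit):
    """Match semantics: on the input pass xmit is unknown (None), so any
    rule with 'out' or 'xmit X' can never match there."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] != "any" and rule["src"] != pkt["src"]:
        return False
    if rule["dst"] != "any" and rule["dst"] != pkt["dst"]:
        return False
    if rule["dir"] and rule["dir"] != direction:
        return False
    if rule["recv"] and rule["recv"] != recv:
        return False
    if rule["xmit"] and rule["xmit"] != xmit:
        return False
    if rule["via"] and rule["via"] not in (recv, xmit):
        return False
    return True


def run_pass(rules, pkt, direction, recv, xmit=None):
    """First terminal rule that matches on one pass -> (number, accepted)."""
    for r in rules:
        if matches(r, pkt, direction, recv, xmit) and r["action"] in TERMINAL:
            return r["num"], TERMINAL[r["action"]]
    return None, False


def forward(rules, pkt, in_if, out_if):
    """Forwarded packet: input pass on in_if, then (if accepted) output pass
    on out_if, where 'recv' is still the interface it arrived on."""
    trace = []
    num, ok = run_pass(rules, pkt, "in", recv=in_if)
    trace.append(("in", num, ok))
    if ok:
        num, ok = run_pass(rules, pkt, "out", recv=in_if, xmit=out_if)
        trace.append(("out", num, ok))
    return trace


RULES = parse_ruleset(RULESET)
RULES_WITH_INBOUND = parse_ruleset(RULESET + HYPOTHETICAL_INBOUND + "\n")

# Constructed packets for the ping exchange described in the message.
ECHO_REQUEST = {"proto": "icmp", "src": "z.z.z.11", "dst": "x.x.x.166"}
ECHO_REPLY = {"proto": "icmp", "src": "x.x.x.166", "dst": "z.z.z.11"}

if __name__ == "__main__":
    print("request :", forward(RULES, ECHO_REQUEST, "ed0", "ep0"))
    print("reply   :", forward(RULES, ECHO_REPLY, "ep0", "ed0"))
    print("reply+in:", forward(RULES_WITH_INBOUND, ECHO_REPLY, "ep0", "ed0"))
```

Running it shows the request accepted by 3400 on both passes, the reply denied by 65000 on the input pass (rule 4700 is never consulted because the packet never reaches the output pass), and, with the hypothetical inbound rule, the reply accepted by 4250 on input and then by 4700 on output. The same reasoning applies to every `out recv ep0 xmit ed0` rule in the 4300-5500 range.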