From: patrick <gibblertron@gmail.com>
To: Foo Ji-Haw
Cc: freebsd-questions@freebsd.org
Date: Tue, 3 Jan 2006 11:06:51 -0800
Subject: Re: ipfw divert with exception?
In-Reply-To: <003601c61011$10c45ab0$c801a8c0@nexpc>

That's what I thought too, but it doesn't seem to be the case.
Here's what I have:

ipfw -f flush
ipfw add 70 allow tcp from 10.0.1.254 to any
ipfw add accept tcp from any to any 22 in via ${ext_if}
ipfw add 6000 allow all from any to any via lo0
ipfw add 6100 allow all from any to any via ${int_if}
ipfw add 7000 divert natd all from any to any via ${ext_if}
ipfw add 7100 check-state
ipfw add pass all from any to any via ${ext_if}
ipfw add pass all from any to any via ${int_if}
ipfw add 65534 allow ip from any to any

Patrick

On 1/2/06, Foo Ji-Haw wrote:
> I've not tried it myself, but putting the exception rules before the
> 'divert' rule should help, since ipfw exits the rule matching upon first
> match.
>
> ----- Original Message -----
> From: "patrick"
> To:
> Sent: Tuesday, January 03, 2006 4:56 AM
> Subject: ipfw divert with exception?
>
>
> > I have a FreeBSD 6.0 machine acting as a router for our office. We use
> > natd for address translation, and I have a rule like so:
> >
> > ipfw add divert natd all from any to any via ${ext_if}
> >
> > To allow incoming SSH access, I have a redirect_port line set up in my
> > /etc/natd.conf file, and while it works just fine, I don't like that
> > natd has to be running in order for me to SSH into the server.
> > (Because, if -- hypothetically of course -- one were to *cough*
> > accidentally kill the natd process without realizing this, then
> > *ahem*, one would be locked out remotely without any means of fixing
> > it. And I'd like to stress that this situation is indeed, uh,
> > hypothetical. ;) )
> >
> > So, I'm sure there is a way for me to create some ipfw rules above the
> > divert line to accept incoming SSH traffic and not have it get
> > diverted, but I'm at a bit of a loss as to how I can achieve this. The
> > current rule I have above this does not do anything to stop the
> > traffic from being diverted:
> >
> > ipfw add accept tcp from any to any 22 in via ${ext_if}
> >
> > Any help or insight would be greatly appreciated.
> >
> > Thanks,
> >
> > Patrick
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe@freebsd.org"
>
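Added illustration, not part of the thread and not ipfw itself: a toy model of ipfw's first-match walk, run over the ruleset Patrick posted. It parses only the subset of rule syntax those lines use (number, action, proto, from/to with optional ports, in/out, via), does not model dynamic rules, address masks or the NAT rewrite, and assumes em0/fxp0 for ${ext_if}/${int_if}, documentation addresses for the router and client, and the ipfw defaults of autoinc_step 100 and a default-to-deny last rule. What it shows: the inbound "accept tcp from any to any 22 in" rule does catch the SSH SYN, but the router's reply leaves via ${ext_if} and matches the divert rule first, and when nothing is bound to the divert port ipfw drops the packet. The second ruleset adds an exception for the reply direction, numbered below the divert rule and written with ipfw's "me" keyword so that only the router's own sshd, not traffic from internal hosts, skips NAT.

```python
# Added example, not from the thread: a toy first-match model of ipfw rule evaluation
# (rule subset only; no dynamic rules, CIDR masks or NAT rewriting). Interface names
# and addresses are assumed for illustration.
from collections import namedtuple
from types import SimpleNamespace

EXT_IF, INT_IF = "em0", "fxp0"                        # assumed ${ext_if}/${int_if}
ROUTER_IP, CLIENT_IP = "198.51.100.1", "203.0.113.7"  # assumed documentation addresses
LOCAL_ADDRS = {ROUTER_IP, "10.0.1.1", "127.0.0.1"}    # what ipfw's "me" keyword matches
DEFAULT_RULE, AUTOINC_STEP = 65535, 100               # ipfw defaults
ALLOW, DENY = {"allow", "accept", "pass", "permit"}, {"deny", "drop"}
Packet = namedtuple("Packet", "proto src sport dst dport direction iface")

def port_set(spec):  # '22', '22,80' or '1000-1023' -> set of port numbers
    return {p for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for p in range(int(lo), int(hi or lo) + 1)}

def parse_rule(line, existing):
    """'ipfw add [num] action [port] proto from src [ports] to dst [ports] [in|out] [via ifn]'."""
    toks = line.replace("${ext_if}", EXT_IF).replace("${int_if}", INT_IF).split()[2:]  # drop 'ipfw add'
    if toks[0].isdigit():
        number = int(toks.pop(0))
    else:  # unnumbered: highest non-default rule so far plus autoinc_step
        number = max((r.number for r in existing if r.number != DEFAULT_RULE), default=0) + AUTOINC_STEP
    rule = SimpleNamespace(number=number, action=toks.pop(0), proto="all", src="any", dst="any",
                           sports=None, dports=None, direction=None, iface=None)  # None = any
    if rule.action == "divert":
        toks.pop(0)  # the divert port ("natd"); whether a socket is bound is a flag in evaluate()
    if rule.action == "check-state":
        return rule  # no dynamic rules in this model, so it never matches
    rule.proto, kw, rule.src = toks.pop(0), toks.pop(0), toks.pop(0)
    assert kw == "from", line
    if toks[0] != "to":
        rule.sports = port_set(toks.pop(0))
    assert toks.pop(0) == "to", line
    rule.dst = toks.pop(0)
    if toks and toks[0] not in ("in", "out", "via"):
        rule.dports = port_set(toks.pop(0))
    if "via" in toks:
        rule.iface = toks.pop(toks.index("via") + 1)
        toks.remove("via")
    if toks and toks[0] in ("in", "out"):
        rule.direction = toks.pop(0)
    assert not toks, f"unsupported tokens {toks} in {line!r}"
    return rule

def load_ruleset(lines):
    rules = []
    for line in lines:  # each rule needs the ones before it for auto-numbering
        rules.append(parse_rule(line, rules))
    return sorted(rules, key=lambda r: r.number)  # stable sort: ties keep add order, as ipfw does

def addr_ok(spec, addr):
    return spec == "any" or spec == addr or (spec == "me" and addr in LOCAL_ADDRS)

def matches(rule, pkt):
    return (rule.action != "check-state"
            and (rule.proto in ("all", "ip") or rule.proto == pkt.proto)
            and addr_ok(rule.src, pkt.src) and addr_ok(rule.dst, pkt.dst)
            and (rule.sports is None or pkt.sport in rule.sports)
            and (rule.dports is None or pkt.dport in rule.dports)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface))

def evaluate(rules, pkt, natd_running):
    """First match wins -> (verdict, rule number); divert reinjects at the next rule if natd listens."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action in ALLOW | DENY:
            return ("allow" if rule.action in ALLOW else "deny"), rule.number
        if rule.action == "divert" and not natd_running:
            return "drop (divert port unbound)", rule.number  # nothing bound to the divert port
    return "deny", DEFAULT_RULE  # assumes a default-to-deny kernel

POSTED = [  # the ruleset from the thread, minus the flush
    "ipfw add 70 allow tcp from 10.0.1.254 to any",
    "ipfw add accept tcp from any to any 22 in via ${ext_if}",
    "ipfw add 6000 allow all from any to any via lo0",
    "ipfw add 6100 allow all from any to any via ${int_if}",
    "ipfw add 7000 divert natd all from any to any via ${ext_if}",
    "ipfw add 7100 check-state",
    "ipfw add pass all from any to any via ${ext_if}",
    "ipfw add pass all from any to any via ${int_if}",
    "ipfw add 65534 allow ip from any to any",
]
# Same rules plus a reply-direction exception below the divert rule, limited to the router with "me".
FIXED = [
    "ipfw add 100 allow tcp from any to me 22 in via ${ext_if}",
    "ipfw add 110 allow tcp from me 22 to any out via ${ext_if}",
] + POSTED

SSH_SYN = Packet("tcp", CLIENT_IP, 51234, ROUTER_IP, 22, "in", EXT_IF)    # constructed
SSH_REPLY = Packet("tcp", ROUTER_IP, 22, CLIENT_IP, 51234, "out", EXT_IF)  # constructed

def ssh_works(lines, natd_running):
    """True only if both the inbound SYN and the router's reply are allowed."""
    rules = load_ruleset(lines)
    return all(evaluate(rules, p, natd_running)[0] == "allow" for p in (SSH_SYN, SSH_REPLY))
```

Calling ssh_works(POSTED, True), ssh_works(POSTED, False) and ssh_works(FIXED, False) gives True, False, True: with natd gone, the posted rules accept the SYN at the auto-numbered rule 170 but drop the reply at rule 7000, while the extra rule 110 lets the reply out before the divert is reached. The model stops at what the thread's rules express; a production ruleset would also want the exception pair to cover any interface the admin might log in from and to be kept in sync with the divert rule's own interface match.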