Date: Wed, 4 Jan 2006 09:03:56 +0800
From: "Foo Ji-Haw" <jhfoo@nexlabs.com>
To: "patrick" <gibblertron@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw divert with exception?
Message-ID: <008801c610cb$c69b7480$0600a8c0@ishtar>
References: <b043a4850601021256pd5af566ka58bc8f1d1a8c010@mail.gmail.com> <003601c61011$10c45ab0$c801a8c0@nexpc> <b043a4850601031106x608cc391iad8319f1272590df@mail.gmail.com>
Which is the part that does not work?

You can see the matching process by adding 'log' to the rule:

ipfw add 70 allow log tcp from 10.0.1.254 to any

Last thing to check: traffic runs both ways, so you may need to have two rules instead of one.

----- Original Message -----
From: "patrick" <gibblertron@gmail.com>
To: "Foo Ji-Haw" <jhfoo@nexlabs.com>
Cc: <freebsd-questions@freebsd.org>
Sent: Wednesday, January 04, 2006 3:06 AM
Subject: Re: ipfw divert with exception?

> That's what I thought too, but it doesn't seem to be the case. Here's
> what I have:
>
> ipfw -f flush
> ipfw add 70 allow tcp from 10.0.1.254 to any
> ipfw add accept tcp from any to any 22 in via ${ext_if}
> ipfw add 6000 allow all from any to any via lo0
> ipfw add 6100 allow all from any to any via ${int_if}
> ipfw add 7000 divert natd all from any to any via ${ext_if}
> ipfw add 7100 check-state
> ipfw add pass all from any to any via ${ext_if}
> ipfw add pass all from any to any via ${int_if}
> ipfw add 65534 allow ip from any to any
>
> Patrick
>
> On 1/2/06, Foo Ji-Haw <jhfoo@nexlabs.com> wrote:
>> I've not tried it myself, but putting the exception rules before the
>> 'divert' rule should help, since ipfw exits the rule matching upon first
>> match.
>>
>> ----- Original Message -----
>> From: "patrick" <gibblertron@gmail.com>
>> To: <freebsd-questions@freebsd.org>
>> Sent: Tuesday, January 03, 2006 4:56 AM
>> Subject: ipfw divert with exception?
>>
>>
>> > I have a FreeBSD 6.0 machine acting as a router for our office. We use
>> > natd for address translation, and I have a rule like so:
>> >
>> > ipfw add divert natd all from any to any via ${ext_if}
>> >
>> > To allow incoming SSH access, I have a redirect_port line set up in my
>> > /etc/natd.conf file, and while it works just fine, I don't like that
>> > natd has to be running in order for me to SSH into the server.
>> > (Because, if -- hypothetically of course -- one were to *cough*
>> > accidentally kill the natd process without realizing this, then
>> > *ahem*, one would be locked out remotely without any means of fixing
>> > it. And I'd like to stress that this situation is indeed, uh,
>> > hypothetical. ;) )
>> >
>> > So, I'm sure there is a way for me to create some ipfw rules above the
>> > divert line to accept incoming SSH traffic and not have it get
>> > diverted, but I'm at a bit of a loss as to how I can achieve this. The
>> > current rule I have above this does not do anything to stop the
>> > traffic from being diverted:
>> >
>> > ipfw add accept tcp from any to any 22 in via ${ext_if}
>> >
>> > Any help or insight would be greatly appreciated.
>> >
>> > Thanks,
>> >
>> > Patrick
>> > _______________________________________________
>> > freebsd-questions@freebsd.org mailing list
>> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> > To unsubscribe, send any mail to
>> > "freebsd-questions-unsubscribe@freebsd.org"
>>
>>
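As an added example that is not part of the thread, here is a small Python model of ipfw's first-match evaluation run over the ruleset Patrick posted. It shows the point Foo raises about traffic running both ways: the inbound SSH SYN is caught by the `accept ... 22 in via ${ext_if}` rule placed before the divert, but the router's reply matches none of the exception rules and still reaches `divert natd`. Interface names (em0/em1), the addresses, the numbers ipfw assigns to the unnumbered rules (assumed autoinc_step of 100) and the extra rule 80 are assumptions for illustration; only the matchers the posted rules actually use are modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed names and addresses standing in for ${ext_if}, ${int_if} and the router.
EXT_IF, INT_IF = "em0", "em1"
EXT_IP, INT_IP = "198.51.100.1", "10.0.1.254"
CLIENT = "203.0.113.5"   # assumed remote SSH client


@dataclass
class Packet:
    proto: str            # "tcp", "udp", ...
    src: str
    dst: str
    direction: str        # "in" or "out"
    iface: str            # interface the packet arrives on or leaves from
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Rule:
    number: int
    action: str           # "allow" (accept/pass are synonyms), "divert", "check-state", "deny"
    proto: str = "all"
    src: str = "any"
    dst: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    direction: Optional[str] = None   # None matches both "in" and "out"
    via: Optional[str] = None         # "via X" matches either direction on interface X
    log: bool = False

    def matches(self, p: Packet) -> bool:
        if self.action == "check-state":
            return False  # no keep-state rule in this set, so no dynamic rule can ever match
        return (self.proto in ("all", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.direction in (None, p.direction)
                and self.via in (None, p.iface))


def first_match(rules: List[Rule], p: Packet, log: List[str]) -> Rule:
    """ipfw walks rules in number order and stops at the first one that matches."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            if r.log:  # roughly what a rule with the 'log' option writes to syslog
                log.append(f"ipfw: {r.number} {r.action.capitalize()} {p.proto.upper()} "
                           f"{p.src}:{p.sport} {p.dst}:{p.dport} {p.direction} via {p.iface}")
            return r
    return Rule(65535, "deny")  # default rule; only "allow" on a default-to-accept kernel


def patricks_rules() -> List[Rule]:
    """The ruleset quoted in the thread. Unnumbered rules are assumed to receive the
    highest number so far plus net.inet.ip.fw.autoinc_step (default 100)."""
    return [
        Rule(70, "allow", proto="tcp", src=INT_IP, log=True),   # 'log' added as Foo suggests
        Rule(170, "allow", proto="tcp", dport=22, direction="in", via=EXT_IF),
        Rule(6000, "allow", via="lo0"),
        Rule(6100, "allow", via=INT_IF),
        Rule(7000, "divert", via=EXT_IF),                        # divert natd
        Rule(7100, "check-state"),
        Rule(7200, "allow", via=EXT_IF),
        Rule(7300, "allow", via=INT_IF),
        Rule(65534, "allow"),
    ]


def with_reverse_exception(rules: List[Rule]) -> List[Rule]:
    """Foo's 'two rules instead of one': also exempt the reply direction.
    Rule 80 is an assumed illustration, not a rule from the thread."""
    return rules + [Rule(80, "allow", proto="tcp", src=EXT_IP, sport=22,
                         direction="out", via=EXT_IF)]


def trace_ssh_session(rules: List[Rule]) -> Tuple[int, int]:
    """Rule numbers hit by the inbound SSH SYN and by the router's reply to it."""
    log: List[str] = []
    syn = Packet("tcp", CLIENT, EXT_IP, "in", EXT_IF, sport=40000, dport=22)
    reply = Packet("tcp", EXT_IP, CLIENT, "out", EXT_IF, sport=22, dport=40000)
    return first_match(rules, syn, log).number, first_match(rules, reply, log).number


def trace_lan_host(rules: List[Rule]) -> int:
    """An office host's outbound packet once it leaves via ${ext_if}: it should be NATed."""
    p = Packet("tcp", "10.0.1.20", "93.184.216.34", "out", EXT_IF, sport=51000, dport=80)
    return first_match(rules, p, []).number


def router_own_traffic_log(rules: List[Rule]) -> List[str]:
    """Traffic sourced from 10.0.1.254 itself hits the logged rule 70."""
    log: List[str] = []
    first_match(rules, Packet("tcp", INT_IP, "10.0.1.20", "out", INT_IF, sport=22, dport=52000), log)
    return log


if __name__ == "__main__":
    base = patricks_rules()
    print("SSH SYN in / reply out:", trace_ssh_session(base))       # (170, 7000)
    print("with rule 80 added:    ", trace_ssh_session(with_reverse_exception(base)))  # (170, 80)
    print("LAN host out via ext_if:", trace_lan_host(base))         # 7000
    print(*router_own_traffic_log(base), sep="\n")
```

Run as-is it reports that the SYN stops at rule 170 while the reply falls through to 7000, so with natd dead the reply is handed to a divert port with no listener and ipfw drops it, which is the lock-out the original post worries about; adding an outbound exception such as the assumed rule 80 makes both halves of the session bypass the divert, while an office host's traffic still reaches natd at 7000. Real rule numbering should be confirmed with `ipfw list` rather than assumed.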
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?008801c610cb$c69b7480$0600a8c0>