From: "Foo Ji-Haw"
To: "patrick"
Cc: freebsd-questions@freebsd.org
Date: Wed, 4 Jan 2006 09:03:56 +0800
Subject: Re: ipfw divert with exception?
Message-ID: <008801c610cb$c69b7480$0600a8c0@ishtar>
References: <003601c61011$10c45ab0$c801a8c0@nexpc>
List-Id: User questions

Which is the part that does not work? You can see the matching process by
adding 'log' to the rule:

ipfw add 70 allow log tcp from 10.0.1.254 to any

Last thing to check: traffic runs both ways, so you may need to have two
rules instead of one.

----- Original Message -----
From: "patrick"
To: "Foo Ji-Haw"
Cc:
Sent: Wednesday, January 04, 2006 3:06 AM
Subject: Re: ipfw divert with exception?

> That's what I thought too, but it doesn't seem to be the case. Here's
> what I have:
>
> ipfw -f flush
> ipfw add 70 allow tcp from 10.0.1.254 to any
> ipfw add accept tcp from any to any 22 in via ${ext_if}
> ipfw add 6000 allow all from any to any via lo0
> ipfw add 6100 allow all from any to any via ${int_if}
> ipfw add 7000 divert natd all from any to any via ${ext_if}
> ipfw add 7100 check-state
> ipfw add pass all from any to any via ${ext_if}
> ipfw add pass all from any to any via ${int_if}
> ipfw add 65534 allow ip from any to any
>
> Patrick
>
> On 1/2/06, Foo Ji-Haw wrote:
>> I've not tried it myself, but putting the exception rules before the
>> 'divert' rule should help, since ipfw exits the rule matching upon first
>> match.
>>
>> ----- Original Message -----
>> From: "patrick"
>> To:
>> Sent: Tuesday, January 03, 2006 4:56 AM
>> Subject: ipfw divert with exception?
>>
>>
>> > I have a FreeBSD 6.0 machine acting as a router for our office. We use
>> > natd for address translation, and I have a rule like so:
>> >
>> > ipfw add divert natd all from any to any via ${ext_if}
>> >
>> > To allow incoming SSH access, I have a redirect_port line set up in my
>> > /etc/natd.conf file, and while it works just fine, I don't like that
>> > natd has to be running in order for me to SSH into the server.
>> > (Because, if -- hypothetically of course -- one were to *cough*
>> > accidentally kill the natd process without realizing this, then
>> > *ahem*, one would be locked out remotely without any means of fixing
>> > it. And I'd like to stress that this situation is indeed, uh,
>> > hypothetical. ;) )
>> >
>> > So, I'm sure there is a way for me to create some ipfw rules above the
>> > divert line to accept incoming SSH traffic and not have it get
>> > diverted, but I'm at a bit of a loss as to how I can achieve this. The
>> > current rule I have above this does not do anything to stop the
>> > traffic from being diverted:
>> >
>> > ipfw add accept tcp from any to any 22 in via ${ext_if}
>> >
>> > Any help or insight would be greatly appreciated.
>> >
>> > Thanks,
>> >
>> > Patrick
>> > _______________________________________________
>> > freebsd-questions@freebsd.org mailing list
>> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> > To unsubscribe, send any mail to
>> > "freebsd-questions-unsubscribe@freebsd.org"
>>
>>
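The advice in the thread (exception rules numbered below the divert rule, one rule per direction, `log` to watch the matching) put into a ruleset script, as an added example that is not part of this thread or of anyone's posted configuration. The interface names are placeholders, and the `IPFW` variable is an assumption of this script so the rules can be previewed with `IPFW=echo` before they touch the live firewall.

```sh
#!/bin/sh
# Added example: keep SSH to the router itself out of the natd divert in
# BOTH directions, and log the hits so the first-match decision is visible
# (set sysctl net.inet.ip.fw.verbose=1 to see the log lines).
# Assumptions: em0/em1 are placeholder interface names; IPFW may be set to
# "echo" to preview the rules instead of loading them.

ext_if="${ext_if:-em0}"          # external interface (placeholder)
int_if="${int_if:-em1}"          # internal interface (placeholder)
IPFW="${IPFW:-/sbin/ipfw}"

load_rules() {
    $IPFW -q -f flush
    $IPFW add 100 allow ip from any to any via lo0

    # Exceptions sit BELOW the divert rule number: ipfw stops at the first
    # match, so these packets never reach natd, running or not.
    # Inbound: connections to the router's own address(es), port 22.
    $IPFW add 200 allow log tcp from any to me 22 in via "$ext_if"
    # Outbound: the replies, which a single inbound rule leaves diverted.
    $IPFW add 210 allow log tcp from me 22 to any out via "$ext_if"

    $IPFW add 300 allow ip from any to any via "$int_if"
    # Everything else crossing the external interface goes through natd.
    $IPFW add 400 divert natd ip from any to any via "$ext_if"
    $IPFW add 500 allow ip from any to any
}

# Returns 0 only if every port-22 exception is numbered below the divert
# rule, i.e. it will be matched first.
check_order() {
    rules=$( (IPFW=echo; load_rules) )
    divert_no=$(printf '%s\n' "$rules" | awk '/divert natd/ {print $2}')
    printf '%s\n' "$rules" | awk -v d="$divert_no" \
        '/ 22 / && $2 >= d {bad=1} END {exit bad+0}'
}

# Preview by default; only load for real when asked, to avoid a lock-out.
case "${1:-}" in
    --apply) load_rules ;;
    *)       (IPFW=echo; load_rules) ;;
esac
```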