Date: Sun, 28 Mar 1999 16:47:53 +0300
From: Ruslan Ermilov <ru@ucb.crimea.ua>
To: Noor Dawod
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: ipfw behavior, is it normal?
Message-ID: <19990328164753.A50307@relay.ucb.crimea.ua>
In-Reply-To: message from Noor Dawod on Sun, Mar 28, 1999 at 02:23:57PM +0200
X-Mailer: Mutt 0.95.3i
X-Operating-System: FreeBSD 3.1-STABLE i386

Hi!

You've screwed your rules up ;-)
Rules 400 and 500 are `allow tcp', I suppose.
Send us your _real_ rules first.

On Sun, Mar 28, 1999 at 02:23:57PM +0200, Noor Dawod wrote:
>
> Hi..
>
> Like many others have done before me, this is my first message to this
> mailing list and I hope not the last. I've been dealing with FreeBSD for
> quite some time now, and I still cannot understand why a few ipfw rules
> don't work for me. I would like to share it with you and maybe get some
> help on it.
>
> My current ipfw rules are:
>
> -----------------------------------------------------------------
> 00100 allow ip from any to any via lo0
> 00200 allow ip from [machine-a-ip] to [server-ip] via xl0
> 00300 allow ip from [machine-b-ip] to [server-ip] via xl0
> 00400 allow ip from any to [server-ip] 80 in via xl0
> 00500 allow ip from any to [server-ip] 21 in via xl0
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> -----------------------------------------------------------------
>
> 00200 and 00300 seem redundant because of rule 65000. But this is where
> all the problem lies. If I understand the ipfw rules right, if I remove
> line 65000 from the rules table, then I can still do all ip-related
> actions from [machine-a] and [machine-b], whose ip numbers are
> listed in 00200 and 00300. But, once I remove line 65000, I cannot do any
> ip-related actions on the [server], and even WWW/FTP services are not
> served as well.
>
> What am I missing here, and why MUST the 65000 line be there so that I
> could access [server] from [machine-a] and [machine-b]?
>
> I apologize if this is not the place to ask such questions, and would
> like to be told where to send it instead.
>
> Thanks for your time and efforts.
>
> Noor

-- 
Ruslan Ermilov                 Sysadmin and DBA of the
ru@ucb.crimea.ua               United Commercial Bank
+380.652.247.647               Simferopol, Ukraine
http://www.FreeBSD.org         The Power To Serve
http://www.oracle.com          Enabling The Information Age
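As an added illustration that is not part of the thread: a small Python model of ipfw's first-match evaluation over the posted rule set (the addresses and the client port are constructed placeholders). Rules 200 to 500 only describe packets travelling toward the server, so once 65000 is deleted the server's own reply packets match nothing before 65535 and are denied, which is exactly the symptom described above.

```python
from dataclasses import dataclass
from typing import Optional

SERVER, MACHINE_A, MACHINE_B = "10.0.0.1", "10.0.0.2", "10.0.0.3"  # constructed placeholders

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int          # destination port only; enough for this rule set
    direction: str      # "in" or "out" relative to the server
    iface: str

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                        # "allow" or "deny"
    src: Optional[str] = None          # None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None
    direction: Optional[str] = None    # None means plain "via": both directions
    iface: Optional[str] = None
    def matches(self, p: Packet) -> bool:
        return all([self.src is None or p.src == self.src,
                    self.dst is None or p.dst == self.dst,
                    self.dport is None or p.dport == self.dport,
                    self.direction is None or p.direction == self.direction,
                    self.iface is None or p.iface == self.iface])

# The rule set from the quoted message, protocol left as "ip" exactly as posted.
RULES = [Rule(100, "allow", iface="lo0"),
         Rule(200, "allow", src=MACHINE_A, dst=SERVER, iface="xl0"),
         Rule(300, "allow", src=MACHINE_B, dst=SERVER, iface="xl0"),
         Rule(400, "allow", dst=SERVER, dport=80, direction="in", iface="xl0"),
         Rule(500, "allow", dst=SERVER, dport=21, direction="in", iface="xl0"),
         Rule(65000, "allow"),
         Rule(65535, "deny")]

def evaluate(rules, pkt):
    """ipfw walks rules in ascending order and acts on the first match."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(pkt):
            return r.number, r.action
    raise RuntimeError("rule 65535 matches everything")

def without(rules, number):
    return [r for r in rules if r.number != number]   # models: ipfw delete <number>

# One HTTP connection from machine-a: the request half and the server's reply half.
REQUEST = Packet(MACHINE_A, SERVER, 80, "in", "xl0")
REPLY = Packet(SERVER, MACHINE_A, 4321, "out", "xl0")   # 4321: constructed client port
```

The model is stateless, as ipfw was in FreeBSD 3.x; the stateful keep-state/check-state machinery that later made the return path implicit did not exist yet, so each direction needs its own allow.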