Date:      Mon, 13 Mar 2006 17:43:44 +0600
From:      Vladimir Grigor <xvga@mail.ru>
To:        freebsd-ipfw@freebsd.org
Subject:   ipfw2(stateful)+divert; why divert rule is ignored?
Message-ID:  <1014435727.20060313174344@mail.ru>
In-Reply-To: <1438179712.20060310114356@mail.ru>
References:  <1438179712.20060310114356@mail.ru>


   FreeBSD 5.4

   Specifically, I can't figure out why rule 3800 is ignored... :confused:

   If you have an idea, just give me a clue about it.... Thanks...

   Regular NAT is working properly, but I can't configure NAPT to
   services on a server in the LAN....

   The interface to the LAN is also untrusted; that's why there are so many
   details in the config...

   tun0 - interface to Internet

   vr1 - interface to LAN

   212.42.xxx.xxx - my external IP

   some relevant firewall rules [# ipfw -de sh]

   [CODE]
   03800    0      0 divert 6893 log logamount 100 tcp from 192.168.0.1 80 to any out via tun0
   04000    0      0 check-state
   04400    0      0 allow log logamount 100 tcp from 212.42.xxx.xxx 80 to any out via tun0
   04700   25   1554 divert 6893 log logamount 100 tcp from any to 212.42.xxx.xxx dst-port 80 in via tun0
   05000  150   6816 allow log logamount 100 tcp from any to 192.168.0.1 dst-port 80 in via tun0 setup keep-state

   ## Dynamic rules (14):
   05000   17    768 (0s) STATE tcp 212.112.117.70 1212 <-> 192.168.0.1 80
   ...[/CODE]

   /var/log/security

   [CODE]...
   Mar  9 14:40:23 free kernel: ipfw: 4700 Divert 6893 TCP 212.112.117.70:1212 212.42.xxx.xxx:80 in via tun0
   Mar  9 14:40:23 free kernel: ipfw: 5000 Accept TCP 212.112.117.70:1212 192.168.0.1:80 in via tun0
   Mar  9 14:40:23 free kernel: ipfw: 5000 Accept TCP 212.112.117.70:1212 192.168.0.1:80 out via vr1
   Mar  9 14:40:23 free kernel: ipfw: 5000 Accept TCP 192.168.0.1:80 212.112.117.70:1212 in via vr1

   #^this is OK - the packet is ready to be caught by rule 3800, but that
   rule is ignored and the packet is processed by the dynamic rule  :confused:

   Mar  9 14:40:23 free kernel: ipfw: 5000 Accept TCP 192.168.0.1:80 212.112.117.70:1212 out via tun0
   ...[/CODE]

   natd is started by

   [CODE]natd -log_denied -s -m -p 6893 -dynamic -n tun0 -redirect_port tcp 192.168.0.1:80 80 -log_ipfw_denied -l[/CODE]


   --

   Best regards,

    Vladimir
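Added diagnostic example (not part of the original message, and not a FreeBSD tool): a small Python parser for ipfw log lines in the format quoted above. It reconstructs the per-packet rule path, pairs each Divert hop with the address rewrite that natd's re-injected packet shows in the following line, and flags hops that fired a rule other than the one the operator expected. The sample log lines are the ones quoted in the message, used here as constructed input; the expectation table (replies from 192.168.0.1:80 out via tun0 should hit 3800, inbound port 80 to the external address should hit 4700) encodes the poster's own reading of the ruleset and is an assumption, not an explanation of why ipfw matched 5000 instead.

```python
"""Reconstruct per-packet ipfw rule paths from /var/log/security lines.

Added example, not part of the original message or of FreeBSD. Handles the
TCP/UDP log format shown in the message; ICMP lines carry no ports and are
skipped.
"""
import re

# Constructed sample input: the five ipfw log lines quoted in the message,
# with the poster's masked external address 212.42.xxx.xxx left as written.
SAMPLE_LOG = """\
Mar  9 14:40:23 free kernel: ipfw: 4700 Divert 6893 TCP 212.112.117.70:1212 212.42.xxx.xxx:80 in via tun0
Mar  9 14:40:23 free kernel: ipfw: 5000 Accept TCP 212.112.117.70:1212 192.168.0.1:80 in via tun0
Mar  9 14:40:23 free kernel: ipfw: 5000 Accept TCP 212.112.117.70:1212 192.168.0.1:80 out via vr1
Mar  9 14:40:23 free kernel: ipfw: 5000 Accept TCP 192.168.0.1:80 212.112.117.70:1212 in via vr1
Mar  9 14:40:23 free kernel: ipfw: 5000 Accept TCP 192.168.0.1:80 212.112.117.70:1212 out via tun0
"""

# "ipfw: <rule> <Action>[ <arg>] <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>"
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>[A-Za-z]+)(?: (?P<arg>\d+))? (?P<proto>[A-Z]+) "
    r"(?P<src>[^\s:]+):(?P<sport>\d+) (?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)


def parse_ipfw_log(text):
    """Return one dict per parsable ipfw TCP/UDP log line, in log order."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue  # ICMP lines and other kernel output are ignored
        d = m.groupdict()
        events.append({
            "rule": int(d["rule"]), "action": d["action"],
            "arg": int(d["arg"]) if d["arg"] is not None else None,
            "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "dir": d["dir"], "iface": d["iface"],
        })
    return events


def rule_path(events):
    """One line per hop: rule fired, action, endpoints, direction, interface."""
    hops = []
    for e in events:
        action = e["action"] if e["arg"] is None else f"{e['action']}({e['arg']})"
        hops.append(f"{e['rule']} {action} {e['src']}:{e['sport']}>{e['dst']}:{e['dport']} "
                    f"{e['dir']} via {e['iface']}")
    return hops


def divert_rewrites(events):
    """Pair each Divert hop with the address rewrite visible in the next hop.

    natd rewrites the diverted packet and ipfw re-injects it, so the next log
    line for the same direction/interface/proto/ports shows the translated
    address. Returns (divert_rule, old_endpoint, new_endpoint) triples.
    """
    rewrites = []
    for i, e in enumerate(events):
        if e["action"].lower() != "divert":
            continue
        leg = (e["dir"], e["iface"], e["proto"], e["sport"], e["dport"])
        for later in events[i + 1:]:
            if (later["dir"], later["iface"], later["proto"], later["sport"], later["dport"]) != leg:
                continue
            if later["dst"] != e["dst"]:
                rewrites.append((e["rule"], e["dst"], later["dst"]))
            elif later["src"] != e["src"]:
                rewrites.append((e["rule"], e["src"], later["src"]))
            break
    return rewrites


def check_expectations(events, expectations):
    """Flag hops whose rule differs from the one the operator expected.

    Each expectation is a dict; every key except "rule" must equal the
    event's field for it to apply. Returns (rule_fired, dir, iface, expected).
    """
    mismatches = []
    for e in events:
        for exp in expectations:
            applies = all(e.get(k) == v for k, v in exp.items() if k != "rule")
            if applies and e["rule"] != exp["rule"]:
                mismatches.append((e["rule"], e["dir"], e["iface"], exp["rule"]))
    return mismatches


# Assumption taken from the poster's reading of the ruleset, not from ipfw:
# replies from 192.168.0.1:80 leaving via tun0 should be caught by divert
# rule 3800; inbound port-80 traffic to the external address by rule 4700.
POSTER_EXPECTATIONS = [
    {"dir": "out", "iface": "tun0", "src": "192.168.0.1", "sport": 80, "rule": 3800},
    {"dir": "in", "iface": "tun0", "dst": "212.42.xxx.xxx", "dport": 80, "rule": 4700},
]


def analyse(text=SAMPLE_LOG, expectations=POSTER_EXPECTATIONS):
    events = parse_ipfw_log(text)
    return {"path": rule_path(events),
            "rewrites": divert_rewrites(events),
            "mismatches": check_expectations(events, expectations)}


if __name__ == "__main__":
    result = analyse()
    for hop in result["path"]:
        print(hop)
    print("NAT rewrites seen:", result["rewrites"])
    for rule, direction, iface, expected in result["mismatches"]:
        print(f"hop {direction} via {iface} matched rule {rule}, expected {expected}")
```

Fed the message's log, the script reports one rewrite (4700 diverted the inbound packet and it came back with dst 192.168.0.1) and one mismatch: the reply leaving via tun0 matched 5000, not the expected 3800, which is the hop the poster singled out by hand. On a live box, `grep 'ipfw:' /var/log/security` is the only input it needs; the expectation table is where to encode what the ruleset is supposed to do.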



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1014435727.20060313174344>