From owner-freebsd-hackers Sun Mar 28 6: 3:22 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from rt2.synx.com (tech.boostworks.com [194.167.81.239]) by hub.freebsd.org (Postfix) with ESMTP id 6C42D156A7 for ; Sun, 28 Mar 1999 06:02:44 -0800 (PST) (envelope-from root@synx.com)
Received: from synx.com (rn.synx.com [192.1.1.241]) by rt2.synx.com (8.9.1/8.9.1) with ESMTP id QAA22122; Sun, 28 Mar 1999 16:09:20 +0200 (CEST)
Message-Id: <199903281409.QAA22122@rt2.synx.com>
Date: Sun, 28 Mar 1999 16:00:58 +0200 (CEST)
From: Remy Nonnenmacher
Reply-To: remy@synx.com
Subject: Re: ipfw behavior, is it normal?
To: ru@ucb.crimea.ua
Cc: noor@NetVision.net.il, freebsd-hackers@FreeBSD.ORG
In-Reply-To: <19990328164753.A50307@relay.ucb.crimea.ua>
MIME-Version: 1.0
Content-Type: TEXT/plain; CHARSET=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 28 Mar, Ruslan Ermilov wrote:
> Hi!
>
> You've screwed your rules up ;-)
> Rules 400 and 500 are `allow tcp', I suppose.
> Send us your _real_ rules first.
>

I think these *ARE* the real rules. Anyway, 'IP' matches all packets..
[check...check....] Yes.

Noor,

What is the FBSD version used? Doing routing? Bridging? Is the filtering
machine the [server]?

>
> On Sun, Mar 28, 1999 at 02:23:57PM +0200, Noor Dawod wrote:
>>
>> Hi..
>>
>> Like many others have done before me, this is my first message to this
>> mailing list and I hope not the last. I've been dealing with FreeBSD for
>> quite some time now, and I still cannot understand why a few ipfw rules
>> don't work for me. I would like to share it with you and maybe get some
>> help on it.
>>
>> My current ipfw rules are:
>>
>> -----------------------------------------------------------------
>> 00100 allow ip from any to any via lo0
>> 00200 allow ip from [machine-a-ip] to [server-ip] via xl0
>> 00300 allow ip from [machine-b-ip] to [server-ip] via xl0
>> 00400 allow ip from any to [server-ip] 80 in via xl0
>> 00500 allow ip from any to [server-ip] 21 in via xl0
>> 65000 allow ip from any to any
>> 65535 deny ip from any to any
>> -----------------------------------------------------------------
>>
>> 00200 and 00300 seem redundant because of rule 65000. But this is where
>> all the problem lies. If I understand the ipfw rules right, if I remove
>> line 65000 from the rules table, then I can still do all ip-related
>> actions from [machine-a] and [machine-b], whose ip numbers are
>> listed in 00200 and 00300. But, once I remove line 65000, I cannot do any
>> ip-related actions on the [server], and even WWW/FTP services are not
>> served as well.
>>
>> What am I missing here, and why MUST the 65000 line be there so that I
>> could access [server] from [machine-a] and [machine-b]?
>>
>> I apologize if this is not the place to ask such questions, and would
>> like to be told where to send it instead.
>>
>> Thanks for your time and efforts.
>>
>> Noor
>
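The following is an added example, not part of the thread and not code from any of its participants. It is a small first-match simulator that evaluates the quoted rule set against a constructed request/reply pair for each service, once with rule 65000 present and once without it. ipfw is stateless in this form and stops at the first matching rule, so a rule written as "from [machine-a-ip] to [server-ip]" or "to [server-ip] 80 in" only ever matches one direction of a conversation; the reply packets, whose source and destination are swapped and which leave the interface instead of entering it, fall through to whatever comes next. The addresses are constructed placeholders for [server-ip], [machine-a-ip] and [machine-b-ip], the filter is assumed to run on the [server] host itself (the thread asks this but does not say), and the rules are modelled exactly as written, with "ip" matching every protocol and the port qualifier compared against the packet's destination port, which is a simplification of real ipfw parsing. The third rule set, with explicit reverse-direction rules, is a hypothetical replacement for 65000, not something the thread proposes.

```python
"""First-match simulation of the ipfw rule set quoted above (added example).

Assumptions: placeholder addresses; the filter runs on the [server] host, so
"in"/"out" are relative to it; "ip" matches any protocol; port qualifiers are
compared as written.  Nothing here is the thread's own code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVER = "192.0.2.10"      # [server-ip]    (constructed, RFC 5737 range)
MACHINE_A = "192.0.2.20"   # [machine-a-ip] (constructed)
MACHINE_B = "192.0.2.30"   # [machine-b-ip] (constructed)
CLIENT = "198.51.100.7"    # an outside web client (constructed)


@dataclass
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    proto: str                       # "ip" matches any protocol
    src: str                         # "any" or one address
    dst: str
    sport: Optional[int] = None      # source port qualifier, None = any
    dport: Optional[int] = None      # destination port qualifier, None = any
    direction: Optional[str] = None  # "in", "out" or None for either
    iface: Optional[str] = None      # "via xl0"-style constraint, None = any


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    direction: str                   # "in" or "out" relative to the filter host
    iface: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every qualifier present on the rule must hold for the packet."""
    return all((
        rule.proto == "ip" or rule.proto == pkt.proto,
        rule.src == "any" or rule.src == pkt.src,
        rule.dst == "any" or rule.dst == pkt.dst,
        rule.sport is None or rule.sport == pkt.sport,
        rule.dport is None or rule.dport == pkt.dport,
        rule.direction is None or rule.direction == pkt.direction,
        rule.iface is None or rule.iface == pkt.iface,
    ))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """ipfw walks rules in ascending number order; the first match decides."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action
    raise RuntimeError("no rule matched; a real ipfw always has rule 65535")


# The rule set as quoted in the thread, placeholders substituted.
QUOTED_RULES = [
    Rule(100, "allow", "ip", "any", "any", iface="lo0"),
    Rule(200, "allow", "ip", MACHINE_A, SERVER, iface="xl0"),
    Rule(300, "allow", "ip", MACHINE_B, SERVER, iface="xl0"),
    Rule(400, "allow", "ip", "any", SERVER, dport=80, direction="in", iface="xl0"),
    Rule(500, "allow", "ip", "any", SERVER, dport=21, direction="in", iface="xl0"),
    Rule(65000, "allow", "ip", "any", "any"),
    Rule(65535, "deny", "ip", "any", "any"),
]

# The same set with 65000 removed, as the thread describes.
WITHOUT_65000 = [r for r in QUOTED_RULES if r.number != 65000]

# Hypothetical replacement for 65000: allow the reverse direction explicitly
# instead of allowing everything.  Not from the thread.
EXPLICIT_REPLIES = WITHOUT_65000 + [
    Rule(250, "allow", "ip", SERVER, MACHINE_A, iface="xl0"),
    Rule(450, "allow", "tcp", SERVER, "any", sport=80, direction="out", iface="xl0"),
]

# A request and its reply; the reply has src/dst swapped and leaves the
# interface, so rules 200-500 never match it.  All constructed.
SCENARIOS = {
    "http_request_in": Packet("tcp", CLIENT, SERVER, 40001, 80, "in", "xl0"),
    "http_reply_out": Packet("tcp", SERVER, CLIENT, 80, 40001, "out", "xl0"),
    "machine_a_to_server": Packet("tcp", MACHINE_A, SERVER, 40002, 22, "in", "xl0"),
    "server_to_machine_a": Packet("tcp", SERVER, MACHINE_A, 22, 40002, "out", "xl0"),
}


def verdicts(rules: List[Rule]) -> Dict[str, Tuple[int, str]]:
    """Map each scenario name to (matching rule number, action)."""
    return {name: evaluate(rules, pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for label, rules in (("as quoted", QUOTED_RULES),
                         ("without 65000", WITHOUT_65000),
                         ("explicit reply rules", EXPLICIT_REPLIES)):
        print(f"--- {label}")
        for name, (num, action) in verdicts(rules).items():
            print(f"{name:22s} -> rule {num:5d} {action}")
```

Running it shows the inbound request and the [machine-a] to [server] packet matching rules 400 and 200 in all three sets, while the two reply packets match 65000 in the quoted set, fall to 65535 deny once 65000 is gone, and match the added 450 and 250 in the explicit set. In other words, a rule that names one source and one destination covers half a conversation, and a stateless filter needs the other half spelled out.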