From: Christer Hermansson
To: Chen Xu
Cc: freebsd-questions@freebsd.org
Date: Fri, 17 Oct 2008 20:54:11 +0200
Subject: Re: no access to web server behind ipfw
Message-ID: <48F8DF53.9090506@chdevelopment.se>
In-Reply-To: <184b087c0810141105o657af770l5d0535c19fab059d@mail.gmail.com>

Chen Xu wrote:
> $cmd 100 divert natd ip from any to any in via $pif
> $cmd 101 check-state
>

You use "in via $pif". I'm not 100% sure, but I think you should only use "via $pif".

> # Authorized inbound packets
> $cmd 421 allow tcp from any to 192.168.1.10 80 in via $pif setup limit src-addr 5
>

I think it's bad to use stateful rules for inbound connections.

-- 
Christer Hermansson
http://www.chdevelopment.se
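The two points raised in the reply (a single `via $pif` divert rule for natd, and a stateless allow for the inbound web port) can be seen together in a complete rule set. The script below is an added example and is not Chen's rule set or Christer's; it assumes a hypothetical public interface `em0` and web server `192.168.1.10`, and by default only prints the `ipfw` commands (set `IPFW_APPLY=1` to execute them), so it can be reviewed on any host without `ipfw` installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a minimal ipfw + natd rule
# set for one public interface, written in the style of the quoted rules.
# Assumptions (hypothetical): public interface em0, web server 192.168.1.10.
# Dry-run by default: the rules are echoed, not loaded. IPFW_APPLY=1 loads them.

pif="${PIF:-em0}"
webserver="${WEBSERVER:-192.168.1.10}"

if [ "${IPFW_APPLY:-0}" = "1" ]; then
    cmd="ipfw -q add"
else
    cmd="echo ipfw -q add"
fi

build_rules() {
    # NAT: a single "via" rule diverts both inbound and outbound packets on
    # $pif to natd, so no separate "in via" / "out via" pair is needed.
    $cmd 100 divert natd ip from any to any via "$pif"
    # Consult the dynamic rule table created by the keep-state rules below.
    $cmd 101 check-state

    # Loopback traffic is fine; loopback addresses on a real interface are not.
    $cmd 200 allow ip from any to any via lo0
    $cmd 201 deny ip from any to 127.0.0.0/8
    $cmd 202 deny ip from 127.0.0.0/8 to any

    # Outbound connections from the firewall/LAN are stateful: the dynamic
    # rule lets the replies back in through check-state above.
    $cmd 300 allow tcp from any to any out via "$pif" setup keep-state
    $cmd 301 allow udp from any to any out via "$pif" keep-state
    $cmd 302 allow icmp from any to any out via "$pif" keep-state

    # Inbound web access, stateless as the reply suggests: only the SYN
    # (setup) is matched here; the rest of the handshake and the data
    # segments match the "established" rule. The post-NAT destination is
    # the private address because natd rewrote the packet at rule 100.
    $cmd 421 allow tcp from any to "$webserver" 80 in via "$pif" setup
    $cmd 422 allow tcp from any to any established

    # Everything else is dropped and logged for review.
    $cmd 999 deny log ip from any to any
}

# Number of rules the set installs (useful when comparing with "ipfw list").
rule_count() {
    build_rules | wc -l | tr -d ' '
}

build_rules
```

The stateless form of rule 421 trades away the per-source connection cap that `limit src-addr 5` provided; if that cap matters, it has to be re-introduced deliberately rather than lost as a side effect of dropping state. Rule 422 is deliberately broad (any established TCP segment), which is the usual cost of a stateless design, so a default deny with logging at the end is what makes the set reviewable.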