From: "Drew Tomlinson" <drew@mykitchentable.net>
To: "FreeBSD Questions" <freebsd-questions@freebsd.org>
Date: Thu, 10 Apr 2003 04:19:45 -0700
Subject: IPFW Rule Not As Expected

I have a rule that's not working as I expect. Here's an ASCII drawing of my network:

                  ISP
                   |
                   |  Public DHCP address
                   |
    3Com ADSL Modem/Router (Router performs NAT)
                   |
             (192.168.10.1)
                   |
                   |
                   |
           (ed1 192.168.10.2)
              FBSD Gateway
                   |
           (ed0 192.168.1.2)
                   |
                   |
              Internal LAN

I intend to allow all outgoing traffic on ed1 (192.168.10.2) and create a dynamic rule to allow the return traffic with the following rule:

    ipfw add allow ip from 192.168.10.2 to any keep-state

However, the dynamic rule for the return traffic isn't getting created. It is my suspicion that my outgoing traffic is matching a prior rule, but I just don't see it.
I've included the output of 'ipfw list' to show all of my rules. Can anyone point out my error?

Thanks,

Drew

    blacksheep# ipfw list
    00100 allow ip from any to any via lo0
    00200 deny log ip from any to 127.0.0.0/8
    00300 deny log ip from 192.168.1.0/24 to any in via ed1
    00400 deny log ip from not 192.168.1.0/24 to any in via ed0
    00500 reset log tcp from any to any dst-port 113
    00600 allow tcp from any to 192.168.1.4 dst-port 21,22,25,80
    00700 allow tcp from 192.168.1.4 21,22,25,80 to any
    00800 allow tcp from any to 192.168.10.2 dst-port 22
    00900 allow tcp from 192.168.10.2 22 to any
    01000 allow tcp from any to 192.168.1.4 dst-port 49152-65535
    01100 check-state
    01200 allow icmp from any to any
    01300 allow ip from 192.168.1.0/24 to any via ed0 keep-state
    01400 allow ip from 192.168.10.2 to any keep-state
    65000 deny log ip from any to any
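A first-match walk over the ruleset in the post, added here as an illustration rather than code from the original message or from ipfw itself: a hypothetical regex parser covers the subset of 'ipfw list' syntax the rules use, dynamic state (check-state, keep-state) is deliberately left out, and first_match() reports which static rule a given packet reaches, which is the quick way to check whether an earlier rule is catching traffic before a keep-state rule is ever evaluated. Packet fields and the outside addresses used when calling it are constructed sample values.

```python
import ipaddress
import re

# Static ruleset copied verbatim from the post's 'ipfw list' output.
RULESET = """
00100 allow ip from any to any via lo0
00200 deny log ip from any to 127.0.0.0/8
00300 deny log ip from 192.168.1.0/24 to any in via ed1
00400 deny log ip from not 192.168.1.0/24 to any in via ed0
00500 reset log tcp from any to any dst-port 113
00600 allow tcp from any to 192.168.1.4 dst-port 21,22,25,80
00700 allow tcp from 192.168.1.4 21,22,25,80 to any
00800 allow tcp from any to 192.168.10.2 dst-port 22
00900 allow tcp from 192.168.10.2 22 to any
01000 allow tcp from any to 192.168.1.4 dst-port 49152-65535
01100 check-state
01200 allow icmp from any to any
01300 allow ip from 192.168.1.0/24 to any via ed0 keep-state
01400 allow ip from 192.168.10.2 to any keep-state
65000 deny log ip from any to any
"""

# Hypothetical parser for the subset of 'ipfw list' syntax used above.
# 'check-state' deliberately does not match: dynamic rules are outside this walk.
RULE_RE = re.compile(
    r"(?P<num>\d+) (?P<action>\w+)(?: log)? (?P<proto>\w+) from (?P<not>not )?"
    r"(?P<src>\S+)(?: (?P<sports>[\d,-]+))? to (?P<dst>\S+)"
    r"(?: dst-port (?P<dports>[\d,-]+))?(?: (?P<dir>in|out))?"
    r"(?: via (?P<via>\w+))?(?: keep-state)?$")

def _ports(spec):  # '21,22,25,80' or '49152-65535' -> set of port numbers
    return {p for part in spec.split(",")
            for p in range(int(part.split("-")[0]), int(part.split("-")[-1]) + 1)}

def _addr_ok(spec, ip):  # 'any', a single host, or a CIDR prefix
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def matches(r, pkt):  # pkt keys: proto, src, sport, dst, dport, iface, dir
    return (r["proto"] in ("ip", pkt["proto"])
            and _addr_ok(r["src"], pkt["src"]) != bool(r["not"])
            and _addr_ok(r["dst"], pkt["dst"])
            and (r["sports"] is None or pkt["sport"] in _ports(r["sports"]))
            and (r["dports"] is None or pkt["dport"] in _ports(r["dports"]))
            and r["dir"] in (None, pkt["dir"]) and r["via"] in (None, pkt["iface"]))

def first_match(pkt):  # (number, action) of the first static rule the packet hits
    for line in RULESET.strip().splitlines():
        m = RULE_RE.match(line)
        if m and matches(m.groupdict(), pkt):
            return int(m["num"]), m["action"]
```

Feeding it a packet leaving ed1 with source 192.168.10.2 shows which numbered rule sees it first; a packet arriving on ed1 with a 192.168.1.0/24 source lands on the anti-spoofing rule 00300, which is the kind of check the walk is useful for.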