Date:      Thu, 28 Jul 2005 18:59:46 +0200 (CEST)
From:      Oliver Fromme <olli@lurza.secnetix.de>
To:        freebsd-ipfw@FreeBSD.ORG
Subject:   Another bug in IPFW@ ...?
Message-ID:  <200507281659.j6SGxkXx059613@lurza.secnetix.de>

Hi,

I have created an IPFW2 rule set on a router (no NAT).
In one of the rules I wanted to pass packets originating
from the local host (i.e. non-routed) out through a
specific interface, i.e. packets that have _not_ been
received on some interface.

The manual page ipfw(8) says that "recv any" matches
all packets received on some interface, so the logical
conclusion is that "not recv any" would match packets
originating from the host.  However, this clause is
ignored completely:

# ipfw add pass ip from $A to $N out not recv any xmit xl0
00900 allow ip from $A to $N out xmit xl0

As you can see, the "not recv any" is ignored.  It doesn't
show up in subsequent "ipfw list" output either.

Is this a bug in ipfw?  Or is the documentation inaccurate?
How do I match packets like this that originate from the
local host, i.e. that don't have a receive interface?
(Note that the source IP might be spoofed, so only checking
the source IP is not a solution.)

Best regards
   Oliver

PS:  This is probably not important, but anyway:

$A is the local IP address of the xl0 interface, and $N
is the network connected to that interface, excluding $A.
For example:

$A = 101.102.103.1
$N = 101.102.103.0/27{2-30}

PPS:  I read the mailing list, so please do not Cc me.

-- 
Oliver Fromme,  secnetix GmbH & Co KG, Marktplatz 29, 85567 Grafing
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"anyone new to programming should be kept as far from C++ as
possible;  actually showing the stuff should be considered a
criminal offence" -- Jacek Generowicz



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200507281659.j6SGxkXx059613>