From owner-freebsd-current Tue Jun 27 9:50:13 2000
Delivered-To: freebsd-current@freebsd.org
Received: from mail.bastard.co.uk (node16292.a2000.nl [24.132.98.146]) by hub.freebsd.org (Postfix) with ESMTP id 6D10437C079 for ; Tue, 27 Jun 2000 09:50:08 -0700 (PDT) (envelope-from adrian@bastard.co.uk)
Received: from adrian by mail.bastard.co.uk with local (Exim 3.14 #1) id 136yYo-000FOr-00 for freebsd-current@freebsd.org; Tue, 27 Jun 2000 18:50:06 +0200
Date: Tue, 27 Jun 2000 18:50:06 +0200
From: Adrian Chadd
To: freebsd-current@freebsd.org
Subject: ipfw check-state and ipfw fwd ?
Message-ID: <20000627185006.D58428@zoe.bastard.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

I have a tunnel setup which requires me to rewrite the next hop of packets going from the tunneled network out to the internet so that they go out via the tunnel (rather than going out the default route, which drops the packets (validly) because it thinks I'm trying to IP spoof). The trouble is that I'm also trying to use a dynamic ipfw rule to only allow outgoing TCP connections from a single IP .. this doesn't seem to work well with ipfw fwd.

The relevant bits:

00100 0 0 check-state
00200 0 0 allow ip from any to any via lo0
00300 0 0 deny ip from any to 203.56.168.40 in recv tun0
00400 2 88 allow tcp from 203.56.168.40 to any keep-state setup
(the three going in here are totally not relevant)
00800 0 0 fwd 213.35.234.1 ip from 203.56.168.0/24 to any out xmit xl1
65000 195 15257 allow ip from any to any
65535 50 7996 allow ip from any to any
## Dynamic rules:
00400 1 44 (T 5, # 163) ty 0 tcp, 203.56.168.40 1161 <-> 203.30.44.82 80

As you can see, the dynamic rule gets created, but I'm not entirely certain it's being trapped on the fwd rule, as a tcpdump of the external interface xl1 shows the packet going out rather than being forwarded to 213.35.234.1 (the tunnel interface endpoint).

Any clues? Are dynamic rulesets not meant to do this at all? Is there a way I can trick things into working?

Thanks,

Adrian

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
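The behaviour described in the post follows from how ipfw(8) documents check-state: a hit on a dynamic entry executes the action of the rule that created it and ends the search, so a flow matched by rule 400 (allow ... keep-state setup) is accepted there and never reaches the fwd rule at 800, which is consistent with rule 800's zero packet counter above. The Python model below is an added example, not part of the original post or of FreeBSD; it replays the post's ruleset against the flow shown in its dynamic rule. The packet dictionaries, the `syn_only` flag standing in for ipfw's `setup` option, and the reduced set of matching options are constructed assumptions of this model.

```python
import ipaddress

# The ruleset from the post, reduced to the options this model understands.
RULES = [
    {"num": 100, "action": "check-state"},
    {"num": 200, "action": "allow", "iface": "lo0"},
    {"num": 300, "action": "deny", "dst": "203.56.168.40", "dir": "in", "iface": "tun0"},
    {"num": 400, "action": "allow", "proto": "tcp", "src": "203.56.168.40",
     "setup": True, "keep_state": True},
    {"num": 800, "action": "fwd 213.35.234.1", "src_net": "203.56.168.0/24",
     "dir": "out", "iface": "xl1"},
    {"num": 65000, "action": "allow"},
]

def matches(rule, pkt):
    """Static part of a rule: every option present must match (simplified)."""
    for key in ("proto", "src", "dst", "dir", "iface"):
        if key in rule and pkt[key] != rule[key]:
            return False
    if "src_net" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src_net"]):
        return False
    if rule.get("setup") and not pkt["syn_only"]:  # ipfw "setup": SYN set, ACK clear
        return False
    return True

def evaluate(pkt, dynamic):
    """First-match walk; returns (rule number, action) and updates the dynamic table."""
    flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    for rule in RULES:
        if rule["action"] == "check-state":
            # A dynamic hit runs the action of the rule that created the entry
            # and stops the search: rule 800 (fwd) is never consulted for it.
            parent = dynamic.get(flow) or dynamic.get(flow[2:] + flow[:2])
            if parent:
                return parent["num"], parent["action"]
            continue
        if not matches(rule, pkt):
            continue
        if rule.get("keep_state"):
            dynamic[flow] = rule  # keep-state: record the flow under this rule
        return rule["num"], rule["action"]
    return 65535, "allow"

def trace_connection():
    """Constructed flow taken from the post's dynamic rule: 203.56.168.40:1161 -> 203.30.44.82:80."""
    dynamic = {}
    syn = {"proto": "tcp", "src": "203.56.168.40", "sport": 1161, "dst": "203.30.44.82",
           "dport": 80, "dir": "out", "iface": "xl1", "syn_only": True}
    data = dict(syn, syn_only=False)  # a later packet of the same connection
    return [evaluate(syn, dynamic), evaluate(data, dynamic)]
```

Both the SYN and the follow-up packet are decided by rule 400, so neither is ever forwarded; a host in 203.56.168.0/24 that is not covered by rule 400 does reach the fwd rule, which is what the counters in the post show.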