From owner-freebsd-current Tue Jun 27 9:58:35 2000
Delivered-To: freebsd-current@freebsd.org
Received: from mail.bastard.co.uk (node16292.a2000.nl [24.132.98.146]) by hub.freebsd.org (Postfix) with ESMTP id F352037C0CA for ; Tue, 27 Jun 2000 09:58:28 -0700 (PDT) (envelope-from adrian@bastard.co.uk)
Received: from adrian by mail.bastard.co.uk with local (Exim 3.14 #1) id 136ygr-000FQC-00 for freebsd-current@freebsd.org; Tue, 27 Jun 2000 18:58:25 +0200
Date: Tue, 27 Jun 2000 18:58:25 +0200
From: Adrian Chadd
To: freebsd-current@freebsd.org
Subject: Re: ipfw check-state and ipfw fwd ?
Message-ID: <20000627185825.E58428@zoe.bastard.co.uk>
References: <20000627185006.D58428@zoe.bastard.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <20000627185006.D58428@zoe.bastard.co.uk>; from adrian@freebsd.org on Tue, Jun 27, 2000 at 06:50:06PM +0200
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, Jun 27, 2000, Adrian Chadd wrote:
> 
> Hi,
> 
> I have a tunnel setup which requires me to rewrite the next hop of packets
> going from the tunneled network out to the internet to go out via the
> tunnel (rather than going out the default route, who drops the packets
> (validly) because it thinks I'm trying to IP spoof.)
> 
> The trouble is that I'm also trying to use a dynamic ipfw rule to only
> allow outgoing TCP connections from a single IP .. this doesn't seem
> to work well with ipfw fwd.
> 
> The relevant bits:
> 
> 00100 0 0 check-state
> 00200 0 0 allow ip from any to any via lo0
> 00300 0 0 deny ip from any to 203.56.168.40 in recv tun0
> 00400 2 88 allow tcp from 203.56.168.40 to any keep-state setup
> (the three going in here are totally not relevant)
> 00800 0 0 fwd 213.35.234.1 ip from 203.56.168.0/24 to any out xmit xl1
> 65000 195 15257 allow ip from any to any
> 65535 50 7996 allow ip from any to any
> ## Dynamic rules:
> 00400 1 44 (T 5, # 163) ty 0 tcp, 203.56.168.40 1161 <-> 203.30.44.82 80
> 
> As you can see, the dynamic rule gets created, but I'm not entirely
> certain it's being trapped on the fwd rule, as a tcpdump of the external
> interface xl1 shows the packet going out rather than being forwarded
> to 213.35.234.1 (the tunnel interface endpoint).
> 
> Any clues? Are the dynamic rulesets not meant to do this at all? Is there
> a way I can trick things into working?

Before you all say it, changing 0400's allow to skipto made things work.
Evil, but it's working just fine. :)

00100 0 0 check-state
00200 0 0 allow ip from any to any via lo0
00300 1 44 deny ip from any to 203.56.168.40 in recv tun0
00400 14 576 skipto 5000 tcp from 203.56.168.40 to any keep-state setup
05000 5 437 fwd 213.35.234.1 ip from 203.56.168.0/24 to any out xmit xl1
65000 2163 169947 allow ip from any to any
65535 55 8503 allow ip from any to any
## Dynamic rules:
00400 13 532 (T 0, # 167) ty 0 tcp, 203.56.168.40 1165 <-> 203.30.44.82 80

Adrian

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
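Editor's note: the two rulesets above differ only in what rule 00400 does once it has matched the SYN and created the dynamic entry. The toy evaluator below is an added example written for this archive page, not FreeBSD or ipfw code; it models the documented ipfw(8) semantics (first match decides; allow, deny and fwd terminate; skipto continues at the target; check-state applies the action of the rule that created the dynamic entry) and replays both rulesets against three constructed packets of the flow shown in the dynamic-rule line. It shows why the original ruleset never reaches the fwd rule (rule 00400's allow ends evaluation for the SYN, and check-state re-applies that allow for every later packet) and why skipto fixes it, including that a reply arriving inbound on xl1 still falls through to 65000 because the fwd rule's own "out xmit xl1" match does not apply to it. Interface names, addresses and rule numbers are copied from the message; the Packet/Rule classes and the default-deny fallback are assumptions of the model.

```python
"""Toy model of ipfw first-match evaluation for the ruleset in the message.

Constructed example, not FreeBSD code.  Modelled (simplified) ipfw(8) semantics:
  * rules are evaluated in ascending order; the first matching rule decides
  * allow / deny / fwd are terminal actions
  * skipto N jumps to the first rule numbered >= N and keeps evaluating
  * keep-state records the flow together with the number of the creating rule
  * check-state matches a recorded flow and applies the *creating* rule's action
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    setup: bool        # True for a TCP SYN without ACK (ipfw "setup")
    direction: str     # "in" or "out"
    iface: str


@dataclass
class Rule:
    num: int
    action: str                         # check-state, allow, deny, skipto, fwd
    match: Callable[[Packet], bool]
    arg: Optional[object] = None        # skipto target or fwd next hop
    keep_state: bool = False


Decision = Tuple[str, Optional[str], int]   # (verdict, next hop, deciding rule)


def flow_key(p: Packet):
    # direction-agnostic key so replies match the same dynamic entry
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))


def evaluate(rules: List[Rule], pkt: Packet, state: Dict) -> Decision:
    by_num = {r.num: r for r in rules}
    idx = 0
    while idx < len(rules):
        r = rules[idx]
        if r.action == "check-state":
            parent = state.get(flow_key(pkt))
            if parent is None:
                idx += 1
                continue
            r = by_num[parent]          # dynamic match: creating rule's action applies
        elif not r.match(pkt):
            idx += 1
            continue
        elif r.keep_state:
            state[flow_key(pkt)] = r.num
        if r.action in ("allow", "deny"):
            return r.action, None, r.num
        if r.action == "fwd":
            return "fwd", r.arg, r.num
        if r.action == "skipto":
            idx = next(i for i, x in enumerate(rules) if x.num >= r.arg)
            continue
        raise ValueError(f"unknown action {r.action}")
    return "deny", None, 65535          # model fallback; unreachable with "allow any" at 65000


TUNNEL_NET = ip_network("203.56.168.0/24")


def build_rules(setup_action: str) -> List[Rule]:
    """Ruleset from the message; setup_action is 'allow' (original) or 'skipto' (workaround)."""
    fwd_num = 800 if setup_action == "allow" else 5000
    return [
        Rule(100, "check-state", lambda p: True),
        Rule(200, "allow", lambda p: p.iface == "lo0"),
        Rule(300, "deny", lambda p: p.dst == "203.56.168.40" and p.direction == "in" and p.iface == "tun0"),
        Rule(400, setup_action, lambda p: p.proto == "tcp" and p.src == "203.56.168.40" and p.setup,
             arg=fwd_num if setup_action == "skipto" else None, keep_state=True),
        Rule(fwd_num, "fwd",
             lambda p: ip_address(p.src) in TUNNEL_NET and p.direction == "out" and p.iface == "xl1",
             arg="213.35.234.1"),
        Rule(65000, "allow", lambda p: True),
    ]


def trace(setup_action: str) -> Dict[str, Decision]:
    """Replay SYN, a data segment and the inbound reply; returns {name: decision}."""
    rules = build_rules(setup_action)
    state: Dict = {}
    # constructed packets mirroring the dynamic rule line in the message
    syn = Packet("203.56.168.40", "203.30.44.82", "tcp", 1161, 80, True, "out", "xl1")
    data = Packet("203.56.168.40", "203.30.44.82", "tcp", 1161, 80, False, "out", "xl1")
    reply = Packet("203.30.44.82", "203.56.168.40", "tcp", 80, 1161, False, "in", "xl1")
    return {name: evaluate(rules, p, state) for name, p in (("syn", syn), ("data", data), ("reply", reply))}


if __name__ == "__main__":
    for variant in ("allow", "skipto"):
        print(variant, trace(variant))
```

With the original ruleset every packet of the flow comes back as ("allow", None, 400); with the skipto variant the outgoing SYN and data segments come back as ("fwd", "213.35.234.1", 5000) and the inbound reply as ("allow", None, 65000).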