From: Martes Wigglesworth <martes.wigglesworth@earthlink.net>
To: ipfw-mailings <freebsd-ipfw@freebsd.org>
Organization: Wiggtekmicro Corporation
Date: Wed, 20 Oct 2004 22:01:57 +0300
Subject: ipfw address-listing woes
Message-Id: <1098298916.1973.16.camel@Mobile1.276NET>
List-Id: IPFW Technical Discussions

I am having a bit of a time getting a rule to be recognized with an address-list in it. I have two identical natd boxes for my organization; however, I am unable to get the production machine to recognize particular rules, as illustrated below:

router1 (production firewall that has to be open to everything out, right now):
    > sudo ipfw show
    00097 8 672 deny log icmp from any to any icmptypes 8 in recv sis0
    00098 80 6722 allow ip from any to any via lo0
    00099 0 0 allow ip from 127.0.0.1 to 127.0.0.1
    00100 23 20 allow tcp from any to any dst-port 22 setup keep-state
    00101 0 0 deny log ip from any to any in recv sis0 setup
    00102 0 0 allow udp from 0.0.0.0 to 255.255.255.255 dst-port 67,68 setup keep-state
    00103 0 0 allow udp from any to any dst-port 53 via xl0,rl0 keep-state
    00104 54481 5930639 deny udp from any to any dst-port 137,138,513
    ***00105 0 0 allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state***
                            ^^
    00106 0 0 allow udp from any to any dst-port 33435-33524 keep-state
    00200 473701 204681004 divert 8668 ip from any to any via sis0
    65535 944012 409148687 allow ip from any to any

Can anyone let me know why this is not working, because the rule is recognized on the following test firewall:

gate1.276EN:

    > sudo ipfw show
    00098 76 7306 allow ip from any to any via lo0
    00099 28425 3694972 divert 8668 ip from any to any via sis0
    00100 3126 990373 queue 1 log ip from any to 192.168.1.0/24 in recv sis0
    00150 0 0 allow ip from 127.0.0.1 to 127.0.0.1
    00151 3548 290790 allow tcp from any to any dst-port 22 setup keep-state
    00202 0 0 allow udp from 0.0.0.0 to 255.255.255.255 dst-port 67,68 setup keep-state
    00203 1032 101807 allow udp from any to any dst-port 53 via fxp0 keep-state
    00204 21864 2369464 deny udp from any to any dst-port 137,138,513
    ****00205 2664 964612 allow tcp from 192.168.1.0/24 to any dst-port 21,25,80,110,443,995 via fxp0 setup keep-state****
                             ^^^                                              ^^^^
    00206 0 0 allow udp from any to any dst-port 33435-33524 keep-state
    65535 3303 340052 allow ip from any to any

As you can see by the asterisks and the "^", the rule works on the test firewall; however, it fails on the production one. I think it has to do with my use of multiple NICs and/or address-lists in the production firewall.
As always, any help is greatly appreciated.

Respectfully,

--
M.G.W.
Wiggtekmicro, Corp.
System: Asus M6N, Intel Dothan 1.7, 512MB RAM, 40GB HD, 10/100/1000 NIC, Wireless b/g (not working yet), BSD-5.2.1, KDE-3.1.4
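When two "identical" rulesets behave differently, the first thing worth checking is the hit counters `ipfw show` already prints: a rule with zero packets on one box and thousands on the other is either never reached (ordering), never matched (address or interface list), or both. The following script is an added example and not part of the post above: it parses the two listings quoted in the message, lists the rules that never matched on each box, and pairs rules across the two boxes after normalising away the parts the poster suspects (the `from`/`to` address lists and the `via` interface lists, both an assumption of this script's heuristic) so that the remaining differences stand out. The line layout `<rule> <packets> <bytes> <body>` is assumed from the listings as quoted.

```python
"""Compare two `ipfw show` listings: parse counters, flag dead rules, pair rules.

Added example for the mailing-list post; the listings below are copied from the
message, and the ADDR/IFACE normalisation is this script's own heuristic.
"""
import re
from dataclasses import dataclass

# Assumed layout of one `ipfw show` line: "<rule> <packets> <bytes> <body>".
_LINE = re.compile(r"^(\d{1,5})\s+(\d+)\s+(\d+)\s+(.+?)\s*$")

# Both listings as quoted in the post. The asterisks and carets are the
# poster's emphasis, not ipfw output; the parser strips or skips them.
PRODUCTION = """\
> sudo ipfw show
00097 8 672 deny log icmp from any to any icmptypes 8 in recv sis0
00098 80 6722 allow ip from any to any via lo0
00099 0 0 allow ip from 127.0.0.1 to 127.0.0.1
00100 23 20 allow tcp from any to any dst-port 22 setup keep-state
00101 0 0 deny log ip from any to any in recv sis0 setup
00102 0 0 allow udp from 0.0.0.0 to 255.255.255.255 dst-port 67,68 setup keep-state
00103 0 0 allow udp from any to any dst-port 53 via xl0,rl0 keep-state
00104 54481 5930639 deny udp from any to any dst-port 137,138,513
***00105 0 0 allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state***
^^
00106 0 0 allow udp from any to any dst-port 33435-33524 keep-state
00200 473701 204681004 divert 8668 ip from any to any via sis0
65535 944012 409148687 allow ip from any to any
"""

TEST = """\
> sudo ipfw show
00098 76 7306 allow ip from any to any via lo0
00099 28425 3694972 divert 8668 ip from any to any via sis0
00100 3126 990373 queue 1 log ip from any to 192.168.1.0/24 in recv sis0
00150 0 0 allow ip from 127.0.0.1 to 127.0.0.1
00151 3548 290790 allow tcp from any to any dst-port 22 setup keep-state
00202 0 0 allow udp from 0.0.0.0 to 255.255.255.255 dst-port 67,68 setup keep-state
00203 1032 101807 allow udp from any to any dst-port 53 via fxp0 keep-state
00204 21864 2369464 deny udp from any to any dst-port 137,138,513
****00205 2664 964612 allow tcp from 192.168.1.0/24 to any dst-port 21,25,80,110,443,995 via fxp0 setup keep-state****
^^^ ^^^^
00206 0 0 allow udp from any to any dst-port 33435-33524 keep-state
65535 3303 340052 allow ip from any to any
"""


@dataclass(frozen=True)
class Rule:
    number: int
    packets: int
    bytes: int
    body: str


def parse_ipfw_show(text: str) -> list[Rule]:
    """Turn `ipfw show` output into Rule records; prompts and markers are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip().strip("*").strip()   # drop the post's emphasis markers
        m = _LINE.match(line)
        if m is None:
            continue                             # prompt, blank line or "^^" marker
        rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4]))
    return rules


def never_hit(rules: list[Rule]) -> list[int]:
    """Rule numbers whose packet counter is zero: unreached, unmatched or unused."""
    return [r.number for r in rules if r.packets == 0]


def rule_key(body: str) -> str:
    """Heuristic pairing key: blank out address lists (anything with '/' or ',')
    after from/to and any interface list after via, keep everything else."""
    key = re.sub(r"\b(from|to) \S*[/,]\S*", r"\1 ADDR", body)
    return re.sub(r"\bvia \S+", "via IFACE", key)


def compare_rulesets(a: list[Rule], b: list[Rule]) -> dict:
    """Pair rules across two boxes by rule_key and report what differs."""
    ka = {rule_key(r.body): r for r in a}
    kb = {rule_key(r.body): r for r in b}
    shared = [k for k in ka if k in kb]
    return {
        "only_a": [ka[k].number for k in ka if k not in kb],
        "only_b": [kb[k].number for k in kb if k not in ka],
        # same shape of rule, but the address or interface specifics differ
        "differ": [(ka[k].number, kb[k].number) for k in shared
                   if ka[k].body != kb[k].body],
        # matched on b but never on a: the poster's exact symptom
        "dead_on_a_only": [(ka[k].number, kb[k].number) for k in shared
                           if ka[k].packets == 0 and kb[k].packets > 0],
    }


if __name__ == "__main__":
    prod, test = parse_ipfw_show(PRODUCTION), parse_ipfw_show(TEST)
    print("never hit on production:", never_hit(prod))
    print("never hit on test:      ", never_hit(test))
    for name, value in compare_rulesets(prod, test).items():
        print(f"{name}: {value}")
```

Run against the two listings, `dead_on_a_only` pairs production rule 105 with test rule 205 and production 103 with test 203, exactly the rules that carry different `via` lists, and `only_a` shows production also has two rules (97 and 101) with no counterpart on the test box. The script does not say which difference is the cause; it narrows the comparison to the handful of lines worth reading carefully.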