Date: Wed, 08 Sep 2010 12:18:05 +0300 From: Nikos Vassiliadis <nvass9573@gmx.com> To: Victor Sudakov <sudakov@sibptus.tomsk.ru>, freebsd-questions@freebsd.org Subject: Re: ipfw fwd and ipfw allow Message-ID: <4C8754CD.6030003@gmx.com> In-Reply-To: <20100907145223.GA55660@admin.sibptus.tomsk.ru> References: <20100822052550.GA42346@admin.sibptus.tomsk.ru> <20100907090012.GA48608@admin.sibptus.tomsk.ru> <4C8616F0.5010401@gmx.com> <20100907110033.GA51618@admin.sibptus.tomsk.ru> <4C864145.80805@gmx.com> <20100907145223.GA55660@admin.sibptus.tomsk.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
On 9/7/2010 5:52 PM, Victor Sudakov wrote: > A packet generated locally 1) should be forwarded by a 'fwd' > rule and 2) should create a dynamic 'allow' rule for returning > traffic. Could you please suggest a ruleset for this. The fw has the 10.0.0.1 IP address. The 10.0.0.100 IP address belongs to another computer running a TCP service at 9999. The IPFW rules: > fw# ipfw list > 00100 fwd 10.0.0.100 tcp from any to 10.90.10.3 dst-port 9999 keep-state > 00200 deny ip from any to any > 65535 allow ip from any to any Trying to connect to TCP 9998 fails because of rule 200: > fw# nc -v 10.90.10.3 9998 > nc: connect to 10.90.10.3 port 9998 (tcp) failed: Permission denied While trying to connect to TCP 9999 succeeds and creates a IPFW state: > fw# nc -v 10.90.10.3 9999 > Connection to 10.90.10.3 9999 port [tcp/*] succeeded! > ^Z > Suspended > fw# ipfw -d show > 00100 61 3315 fwd 10.0.0.100 tcp from any to 10.90.10.3 dst-port 9999 keep-state > 00200 45 2644 deny ip from any to any > 65535 0 0 allow ip from any to any > ## Dynamic rules (9): > 00100 2 112 (292s) STATE tcp 10.0.0.1 27320 <-> 10.90.10.3 9999 > fw# HTH, Nikos
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4C8754CD.6030003>