From: Nikos Vassiliadis
Date: Wed, 08 Sep 2010 12:18:05 +0300
To: Victor Sudakov, freebsd-questions@freebsd.org
Subject: Re: ipfw fwd and ipfw allow
Message-ID: <4C8754CD.6030003@gmx.com>
In-Reply-To: <20100907145223.GA55660@admin.sibptus.tomsk.ru>

On 9/7/2010 5:52 PM, Victor Sudakov wrote:
> A packet generated locally 1) should be forwarded by a 'fwd'
> rule and 2) should create a dynamic 'allow' rule for returning
> traffic.

Could you please suggest a ruleset for this.

The fw has the 10.0.0.1 IP address. The 10.0.0.100 IP address belongs to
another computer running a TCP service at 9999.

The IPFW rules:

> fw# ipfw list
> 00100 fwd 10.0.0.100 tcp from any to 10.90.10.3 dst-port 9999 keep-state
> 00200 deny ip from any to any
> 65535 allow ip from any to any

Trying to connect to TCP 9998 fails because of rule 200:

> fw# nc -v 10.90.10.3 9998
> nc: connect to 10.90.10.3 port 9998 (tcp) failed: Permission denied

While trying to connect to TCP 9999 succeeds and creates an IPFW state:

> fw# nc -v 10.90.10.3 9999
> Connection to 10.90.10.3 9999 port [tcp/*] succeeded!
> ^Z
> Suspended
> fw# ipfw -d show
> 00100 61 3315 fwd 10.0.0.100 tcp from any to 10.90.10.3 dst-port 9999 keep-state
> 00200 45 2644 deny ip from any to any
> 65535 0 0 allow ip from any to any
> ## Dynamic rules (9):
> 00100 2 112 (292s) STATE tcp 10.0.0.1 27320 <-> 10.90.10.3 9999
> fw#

HTH, Nikos
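The following is an added illustration, not code from the thread or from ipfw itself: a small Python model of ipfw's first-match evaluation with keep-state, loaded with the three-rule set above, so you can trace why the 9999 connection creates one dynamic rule that also matches the return packets while the 9998 attempt falls through to rule 200. The Packet, Rule and Ipfw names and the simplifications (no interfaces, no in/out direction, only the options used in this ruleset) are this example's own assumptions.

```python
# Toy model of ipfw rule evaluation with keep-state (added example, not ipfw code).
# Simplified: no interfaces or directions, only proto/dst/dst-port matching,
# and the dynamic lookup happens at the first keep-state rule encountered.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                # "fwd", "deny" or "allow"
    proto: str                 # "tcp" or "ip" (ip = any protocol)
    dst: Optional[str] = None  # None = any destination
    dport: Optional[int] = None
    keep_state: bool = False


class Ipfw:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        # Dynamic rules keyed by protocol plus the *unordered* endpoint pair,
        # so one entry matches both directions of the connection.
        self.dynamic: Dict[Tuple[str, frozenset], Rule] = {}

    @staticmethod
    def _matches(rule: Rule, pkt: Packet) -> bool:
        return ((rule.proto == "ip" or rule.proto == pkt.proto)
                and (rule.dst is None or rule.dst == pkt.dst)
                and (rule.dport is None or rule.dport == pkt.dport))

    def process(self, pkt: Packet) -> Tuple[int, str, bool]:
        """Return (rule number, action, matched via dynamic rule)."""
        key = (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))
        for rule in self.rules:
            # A keep-state rule first consults the dynamic table; a hit applies
            # the action of the parent rule that created the state.
            if rule.keep_state and key in self.dynamic:
                parent = self.dynamic[key]
                return (parent.num, parent.action, True)
            if self._matches(rule, pkt):
                if rule.keep_state:
                    self.dynamic[key] = rule   # create the dynamic rule
                return (rule.num, rule.action, False)
        return (65535, "allow", False)         # default rule of this ruleset


def build_ruleset() -> Ipfw:
    """The ruleset from the post (rule 65535 is the implicit default)."""
    return Ipfw([Rule(100, "fwd", "tcp", "10.90.10.3", 9999, keep_state=True),
                 Rule(200, "deny", "ip")])
```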