Date: Sun, 9 Jan 2005 00:46:53 +0800
From: "heath, Chia Hui Chen" <heath0504@gmail.com>
To: "Christian Hiris" <4711@chello.at>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw + MAC nothing happens?
Message-ID: <010b01c4f5a1$aaa730c0$f8813b3d@linuxlmx20ji5l>
References: <007101c4f584$d9a7fd90$f8813b3d@linuxlmx20ji5l> <200501081543.24318.4711@chello.at> <00ca01c4f59a$c32e0bc0$f8813b3d@linuxlmx20ji5l> <200501081721.37351.4711@chello.at>
It's strange. I use two computers to test. One is called A (00:e0:18:62:xx:xx), the other is called B. And the ruleset is the same as you said. I tried rebooting and used A to connect to port 443 of one site. The IPFW output is below:

============================================================
00010 4 190 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
00020 2273 1136464 skipto 50 ip from any to any MAC any any
00030 3 144 deny tcp from any to any dst-port 443
00050 3476 1000174 divert 8668 ip from any to any via fxp0
00100 420 109610 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 8022 3082293 allow ip from any to any
65535 1 89 deny ip from any to any
============================================================

And then I tested it using computer B. The output is as below:

============================================================
00010 4 190 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
00020 4246 1931785 skipto 50 ip from any to any MAC any any
00030 6 288 deny tcp from any to any dst-port 443
00050 4699 1427090 divert 8668 ip from any to any via fxp0
00100 658 147594 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 11953 4671673 allow ip from any to any
65535 1 89 deny ip from any to any
============================================================

It seems that rule 20 is active, but rule 30 is active, too. What should I do next? I'm sorry to bother you, but could you help me again? Thanks!

----- Original Message -----
From: "Christian Hiris" <4711@chello.at>
To: "heath, Chia Hui Chen" <heath0504@gmail.com>
Sent: Sunday, January 09, 2005 12:21 AM
Subject: Re: ipfw + MAC nothing happens?

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Saturday 08 January 2005 16:57, heath, Chia Hui Chen wrote:
> > Thanks.
> > I tried it, but something is wrong.
>
> I would try to put the respective rules on top:
>
> ipfw add 10 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
> ipfw add 20 skipto 50 ip from any to any MAC any any
> ipfw add 30 deny tcp from any to any dst-port 443
>
> 00050 divert 8668 ip from any to any via fxp0
> 00100 ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> If this also doesn't work, please post your ipfw output again.
>
> > 00050 22484 11388448 divert 8668 ip from any to any via fxp0
> > 00100 4414 2006448 allow ip from any to any via lo0
> > 00200 0 0 deny ip from any to 127.0.0.0/8
> > 00300 0 0 deny ip from 127.0.0.0/8 to any
> > 00400 52 4053 skipto 1000 ip from any to any MAC any
> > 00:e0:18:62:xx:xx
> > 00600 7008 3465293 skipto 65000 ip from any to any MAC any any
> > 01000 33 1584 deny tcp from any to any dst-port 443
> > 65000 46408 25226370 allow ip from any to any
> > 65535 0 0 deny ip from any to any
> >
> > It looks like all my computers at the NAT are denied access to port 443.
> > Can you please tell me what's wrong?
> > Thank you again.
>
> - --
> Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
> OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (FreeBSD)
>
> iD8DBQFB4AiR09WjGjvKU74RAiShAJ9EnhROvbpSm61CXXxsNgLeCspPDgCdET99
> xDxxjHfo2Y9n17w3S7p+9xY=
> =eqfj
> -----END PGP SIGNATURE-----
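The question in the message above is which rule a host's traffic actually hits. The two `ipfw show` listings were taken before and after computer B's test, so the counters can be diffed rule by rule. The following script is an added example, not code from the thread or from FreeBSD: it parses the `ipfw show` format as pasted in the post (rule number, packet count, byte count, rule body, with mail-wrapped continuation lines re-joined) and reports which rules were hit between two snapshots. The two snapshots are copied from the message; the wrapped sample is constructed from the earlier quoted listing.

```python
import re
from typing import Dict, List, Tuple

# Copied from the message: ipfw show after computer A's test ...
SNAPSHOT_A = """\
00010 4 190 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
00020 2273 1136464 skipto 50 ip from any to any MAC any any
00030 3 144 deny tcp from any to any dst-port 443
00050 3476 1000174 divert 8668 ip from any to any via fxp0
00100 420 109610 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 8022 3082293 allow ip from any to any
65535 1 89 deny ip from any to any
"""

# ... and after computer B's test.
SNAPSHOT_B = """\
00010 4 190 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
00020 4246 1931785 skipto 50 ip from any to any MAC any any
00030 6 288 deny tcp from any to any dst-port 443
00050 4699 1427090 divert 8668 ip from any to any via fxp0
00100 658 147594 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 11953 4671673 allow ip from any to any
65535 1 89 deny ip from any to any
"""

# Constructed: a rule whose body was wrapped onto a second line by a mail client,
# as happened to rule 400 in the earlier quoted listing.
WRAPPED_SAMPLE = """\
00400 52 4053 skipto 1000 ip from any to any MAC any
00:e0:18:62:xx:xx
00600 7008 3465293 skipto 65000 ip from any to any MAC any any
"""

# rule number, packet counter, byte counter, rest of the rule
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

Rule = Tuple[int, int, str]  # (packets, bytes, body)


def parse_ipfw_show(text: str) -> Dict[int, Rule]:
    """Parse `ipfw show` output into {rule_number: (pkts, bytes, body)}."""
    rules: Dict[int, Rule] = {}
    last = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):  # skip blank and separator lines
            continue
        m = RULE_RE.match(line)
        if m:
            last = int(m.group(1))
            rules[last] = (int(m.group(2)), int(m.group(3)), m.group(4))
        elif last is not None:
            # Not a rule line: treat it as a wrapped continuation of the previous body.
            pkts, nbytes, body = rules[last]
            rules[last] = (pkts, nbytes, body + " " + line)
    return rules


def diff_counters(before: Dict[int, Rule], after: Dict[int, Rule]) -> List[Tuple[int, int, int, str]]:
    """Return (rule, packet delta, byte delta, body) for rules whose counters moved."""
    out = []
    for num in sorted(after):
        pkts_a, bytes_a, body = after[num]
        pkts_b, bytes_b, _ = before.get(num, (0, 0, body))
        dp, db = pkts_a - pkts_b, bytes_a - bytes_b
        if dp or db:
            out.append((num, dp, db, body))
    return out


def rules_hit(before: Dict[int, Rule], after: Dict[int, Rule]) -> List[int]:
    """Rule numbers that saw at least one packet between the two snapshots."""
    return [num for num, dp, _, _ in diff_counters(before, after) if dp > 0]


if __name__ == "__main__":
    a, b = parse_ipfw_show(SNAPSHOT_A), parse_ipfw_show(SNAPSHOT_B)
    for num, dp, db, body in diff_counters(a, b):
        print(f"{num:05d} +{dp:6d} pkts +{db:8d} bytes  {body}")
```

Applied to the two listings, rule 10 (the skipto keyed on A's MAC) does not move during B's test, while rule 30 gains three packets, so B's port-443 traffic reaches the deny without passing through rule 10. One caveat when reading such a diff on a host with `net.link.ether.ipfw=1`: ipfw evaluates the ruleset both for the layer-2 frame and again for the IP packet, and only the layer-2 pass carries a MAC header for the `MAC` rules to match, so a counter diff alone cannot tell the two passes apart; ipfw's `layer2` keyword exists to write rules that apply to only one of them.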