From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 8 16:46:47 2005
Delivered-To: freebsd-ipfw@freebsd.org
Message-ID: <010b01c4f5a1$aaa730c0$f8813b3d@linuxlmx20ji5l>
From: "heath, Chia Hui Chen"
To: "Christian Hiris" <4711@chello.at>
Cc: freebsd-ipfw@freebsd.org
References: <007101c4f584$d9a7fd90$f8813b3d@linuxlmx20ji5l> <200501081543.24318.4711@chello.at> <00ca01c4f59a$c32e0bc0$f8813b3d@linuxlmx20ji5l> <200501081721.37351.4711@chello.at>
Date: Sun, 9 Jan 2005 00:46:53 +0800
Subject: Re: ipfw + MAC nothing happens?
It's strange. I use two computers to test. One is called A (00:e0:18:62:xx:xx), the other is called B. And the ruleset is the same as you said. I tried rebooting and used A to connect to port 443 of one site. The IPFW output is below:
============================================================
00010    4     190 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
00020 2273 1136464 skipto 50 ip from any to any MAC any any
00030    3     144 deny tcp from any to any dst-port 443
00050 3476 1000174 divert 8668 ip from any to any via fxp0
00100  420  109610 allow ip from any to any via lo0
00200    0       0 deny ip from any to 127.0.0.0/8
00300    0       0 deny ip from 127.0.0.0/8 to any
65000 8022 3082293 allow ip from any to any
65535    1      89 deny ip from any to any
============================================================
And then I tested it by using computer B. The output is as below:
============================================================
00010     4     190 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
00020  4246 1931785 skipto 50 ip from any to any MAC any any
00030     6     288 deny tcp from any to any dst-port 443
00050  4699 1427090 divert 8668 ip from any to any via fxp0
00100   658  147594 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
65000 11953 4671673 allow ip from any to any
65535     1      89 deny ip from any to any
============================================================
It seems that rule 20 is active, but rule 30 is active, too.
What should I do next? I'm sorry to bother you, but could you help me again?
Thanx!

----- Original Message -----
From: "Christian Hiris" <4711@chello.at>
To: "heath, Chia Hui Chen"
Sent: Sunday, January 09, 2005 12:21 AM
Subject: Re: ipfw + MAC nothing happens?
> On Saturday 08 January 2005 16:57, heath, Chia Hui Chen wrote:
> > Thanks.
> > I tried it, but something is wrong.
>
> I would try to put the respective rules on top:
>
> ipfw add 10 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
> ipfw add 20 skipto 50 ip from any to any MAC any any
> ipfw add 30 deny tcp from any to any dst-port 443
>
> 00050 divert 8668 ip from any to any via fxp0
> 00100 ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> If this also doesn't work, please post your ipfw output again.
>
> > 00050 22484 11388448 divert 8668 ip from any to any via fxp0
> > 00100  4414  2006448 allow ip from any to any via lo0
> > 00200     0        0 deny ip from any to 127.0.0.0/8
> > 00300     0        0 deny ip from 127.0.0.0/8 to any
> > 00400    52     4053 skipto 1000 ip from any to any MAC any 00:e0:18:62:xx:xx
> > 00600  7008  3465293 skipto 65000 ip from any to any MAC any any
> > 01000    33     1584 deny tcp from any to any dst-port 443
> > 65000 46408 25226370 allow ip from any to any
> > 65535     0        0 deny ip from any to any
> >
> > It looks like all my computers at the NAT are denied access to port 443.
> > Can you please tell me what's wrong?
> > Thank you again.
>
> --
> Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
> OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
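Added example, not part of the thread: a small Python model of how ipfw walks the ruleset quoted above (rules 10/20/30 plus the divert and catch-all rules), so the skipto jumps can be traced per packet. It assumes, as a labelled simplification, that the MAC options only match on a pass where the packet still carries its Ethernet header and that divert simply continues at the next rule; the packets and B's MAC address are constructed.

```python
# Added example (not from the thread): model of ipfw's walk through the
# poster's ruleset.  Assumption: "MAC ..." options match only when the packet
# still has a layer-2 header (src_mac is not None); a pass without one skips
# rules 10 and 20.  divert is modelled as "continue at the next rule".
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    src_mac: Optional[str]   # None models a pass without an Ethernet header
    proto: str
    dport: int


# (rule number, action, skipto target, predicate), in ipfw order.
# "mac_src:<addr>" models "MAC any <addr>"; "mac_any" models "MAC any any".
RULES = [
    (10, "skipto", 30, "mac_src:00:e0:18:62:xx:xx"),
    (20, "skipto", 50, "mac_any"),
    (30, "deny", None, "tcp443"),
    (50, "divert", None, "any"),
    (100, "allow", None, "lo0"),      # via lo0: never hit by the fxp0 traffic here
    (65000, "allow", None, "any"),
    (65535, "deny", None, "any"),
]


def matches(pred: str, pkt: Packet) -> bool:
    """Evaluate one rule predicate against a (constructed) packet."""
    if pred.startswith("mac_src:"):
        return pkt.src_mac is not None and pkt.src_mac == pred.split(":", 1)[1]
    if pred == "mac_any":
        return pkt.src_mac is not None
    if pred == "tcp443":
        return pkt.proto == "tcp" and pkt.dport == 443
    if pred == "lo0":
        return False
    return pred == "any"


def walk(pkt: Packet):
    """Return (verdict, rule numbers touched); the last number is the deciding rule."""
    path, i = [], 0
    while i < len(RULES):
        num, action, target, pred = RULES[i]
        if not matches(pred, pkt):
            i += 1
            continue
        path.append(num)
        if action in ("allow", "deny"):
            return action, path
        if action == "skipto":   # jump to the first rule numbered >= target
            i = next(k for k, r in enumerate(RULES) if r[0] >= target)
        else:                    # divert: reinjected packet continues after rule 50
            i += 1
    return "deny", path
```

Tracing a 443 packet with no layer-2 header shows it landing straight on rule 30, which is the case to check (for example with ipfw's layer2 keyword and per-rule counters) when rule 30 counts hits from both machines.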