Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 20 Oct 2004 13:52:53 -0700 (PDT)
From:      Jon Simola <jon@abccom.bc.ca>
To:        Martes Wigglesworth <martes.wigglesworth@earthlink.net>
Cc:        ipfw-mailings <freebsd-ipfw@freebsd.org>
Subject:   Re: ipfw address-listing woes
Message-ID:  <20041020134034.W85129-100000@tyberius.abccom.bc.ca>
In-Reply-To: <1098298916.1973.16.camel@Mobile1.276NET>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Wed, 20 Oct 2004, Martes Wigglesworth wrote:

> router1(production firewall that has to be open to everything out, right
> now.)
>
> ***00105 0 0 allow tcp from 192.168.1.0/24,192.168.2.0/24 to any
> dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state***
>                  ^^
> Can anyone let me know why this is not working, because the rule is
> recognized on the following test firewall:
>
> ****00205  2664  964612 allow tcp from 192.168.1.0/24 to any dst-port
> 21,25,80,110,443,995 via fxp0 setup keep-state****
>                    ^^^  ^^^^
>
> As you can see by the asterisks, and the "^" the rule works on the test
> firewall, however, fails on the production one.  I think it has to do
> with my use of multiple NICS, and/or address-lists in the production
> firewall.

I don't see an explicit check-state rule, not that it matters much.

I have on a bridge:
00900     178117     19945421 deny ip from any to any src-ip 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 layer2
00900    2008542    104971207 deny ip from any to any dst-ip 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 layer2

and on a router:
40004   13681337   1702296386 fwd 204.239.167.250,3128 tcp from x.x.166.0/24,x.x.82.0/24 to any dst-port 80 in via em2

So the address lists are working fine here (across a range of 4.x and 5.x
machines)

I'd suspect your nat divert rules or sysctl settings are the problem, as
your production firewall has the divert rule as 200 (after the line that
doesn't work) and your test box has the divert at 99 (before the working
line and a queue command). Perhaps a diagram of how things are laid out as
well, each box appears to have multiple NICs of different types so it
would help us out a lot to help you if we had a better idea of the network
layout.

---
Jon Simola <jon@abccom.bc.ca> | "In the near future - corporate networks
    Systems Administrator     |  reach out to the stars, electrons and light
     ABC  Communications      |  flow throughout the universe." -- GITS

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041020134034.W85129-100000>