From: Jon Simola <jon@abccom.bc.ca>
To: Martes Wigglesworth
cc: ipfw-mailings <freebsd-ipfw@freebsd.org>
Date: Wed, 20 Oct 2004 13:52:53 -0700 (PDT)
Subject: Re: ipfw address-listing woes
In-Reply-To: <1098298916.1973.16.camel@Mobile1.276NET>
Message-ID: <20041020134034.W85129-100000@tyberius.abccom.bc.ca>

On Wed, 20 Oct 2004, Martes Wigglesworth wrote:

> router1 (production firewall that has to be open to everything out, right
> now.)
>
> ***00105 0 0 allow tcp from 192.168.1.0/24,192.168.2.0/24 to any
> dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state***
>         ^^
> Can anyone let me know why this is not working, because the rule is
> recognized on the following test firewall:
>
> ****00205 2664 964612 allow tcp from 192.168.1.0/24 to any dst-port
> 21,25,80,110,443,995 via fxp0 setup keep-state****
>           ^^^  ^^^^
>
> As you can see by the asterisks, and the "^", the rule works on the test
> firewall, however, fails on the production one. I think it has to do
> with my use of multiple NICs, and/or address-lists in the production
> firewall.
I don't see an explicit check-state rule, not that it matters much.

I have on a bridge:

00900 178117 19945421 deny ip from any to any src-ip 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 layer2
00900 2008542 104971207 deny ip from any to any dst-ip 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 layer2

and on a router:

40004 13681337 1702296386 fwd 204.239.167.250,3128 tcp from x.x.166.0/24,x.x.82.0/24 to any dst-port 80 in via em2

So the address lists are working fine here (across a range of 4.x and 5.x machines).

I'd suspect your nat divert rules or sysctl settings are the problem, as your production firewall has the divert rule as 200 (after the line that doesn't work) and your test box has the divert at 99 (before the working line and a queue command).

Perhaps a diagram of how things are laid out as well; each box appears to have multiple NICs of different types, so it would help us out a lot to help you if we had a better idea of the network layout.

---
Jon Simola            | "In the near future - corporate networks
Systems Administrator | reach out to the stars, electrons and light
ABC Communications    | flow throughout the universe." -- GITS
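The ordering point Jon raises (the divert rule sitting after the keep-state allow rule on the production box, but before it on the test box) is easy to check mechanically against `ipfw show` output. The script below is an added example, not code from the thread or from either box; the two rule listings in it are constructed to mirror the rule numbers mentioned in the thread (divert at 200 vs. 99, the stateful allow at 105 vs. 205), and the natd port 8668 and the `via` interfaces on the divert lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): flag an ipfw ruleset whose first
# "divert" rule is numbered AFTER its first "keep-state" rule, which is the
# ordering Jon points at on the production box. Feed it real `ipfw show`
# output; the two listings below are constructed stand-ins.

# Constructed stand-in for the production box: divert at 200, after the
# keep-state rule at 105 (divert port and interface are assumptions).
PROD_RULES='00105 0 0 allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state
00200 12 3456 divert 8668 ip from any to any via xl0
65535 0 0 deny ip from any to any'

# Constructed stand-in for the test box: divert at 99, before the rule at 205.
TEST_RULES='00099 100 20000 divert 8668 ip from any to any via fxp0
00205 2664 964612 allow tcp from 192.168.1.0/24 to any dst-port 21,25,80,110,443,995 via fxp0 setup keep-state
65535 0 0 deny ip from any to any'

# first_rule_matching PATTERN RULES
# Print the number of the first listed rule whose text matches PATTERN
# (an awk regex). `ipfw show` lists rules in ascending order, so the first
# match is the lowest-numbered one. Prints nothing if no rule matches.
first_rule_matching() {
    printf '%s\n' "$2" | awk -v pat="$1" '$0 ~ pat { print $1 + 0; exit }'
}

# divert_before_keepstate RULES
# Exit 0 if the first divert rule is numbered below the first keep-state
# rule; exit 1 if it is not, or if either kind of rule is missing.
divert_before_keepstate() {
    d=$(first_rule_matching ' divert ' "$1")
    k=$(first_rule_matching 'keep-state' "$1")
    [ -n "$d" ] && [ -n "$k" ] && [ "$d" -lt "$k" ]
}

# report NAME RULES: one-line verdict for a ruleset.
report() {
    if divert_before_keepstate "$2"; then
        echo "$1: divert precedes keep-state rule: OK"
    else
        echo "$1: divert follows (or lacks) keep-state rule: check ordering"
    fi
}

report production "$PROD_RULES"
report test "$TEST_RULES"
# Against a live box:  report live "$(ipfw show)"
```

The check is only about rule order, which is what the reply questions; it says nothing about whether the translated traffic is otherwise correct, so treat a "check ordering" verdict as the place to start looking, not as a diagnosis.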