From owner-freebsd-questions@FreeBSD.ORG Mon Dec 1 22:14:14 2008
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3DFC51065672 for ; Mon, 1 Dec 2008 22:14:14 +0000 (UTC) (envelope-from brett@net24.co.nz)
Received: from omr2.mail.isx.net.nz (omr2.mail.isx.net.nz [210.5.49.99]) by mx1.freebsd.org (Postfix) with ESMTP id D88A18FC14 for ; Mon, 1 Dec 2008 22:14:13 +0000 (UTC) (envelope-from brett@net24.co.nz)
Received: from 210.55.30.56 (EHLO _127.0.0.1_) ([210.55.30.56]) by omr2.mail.isx.net.nz (MOS 3.8.3-GA FastPath) with ESMTP id AAR92971 (AUTH brett@net24.co.nz); Tue, 02 Dec 2008 11:14:12 +1300 (NZDT)
Message-ID: <493461B5.1040704@net24.co.nz>
Date: Tue, 02 Dec 2008 11:14:13 +1300
From: Brett Davidson
Organization: Net24 Limited
User-Agent: Thunderbird 2.0.0.18 (Windows/20081105)
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
References: <20081201120023.9E1821065688@hub.freebsd.org> <20081201233222.L34249@sola.nimnet.asn.au>
In-Reply-To: <20081201233222.L34249@sola.nimnet.asn.au>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: Is there anything weird I should know about using ipfw on alias addresses?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 01 Dec 2008 22:14:14 -0000

Ian Smith wrote:
> On Mon, 01 Dec 2008 16:52:12 +1300 Brett Davidson wrote:
>
> > ifconfig shows the alias addresses correctly bound.
> > Creating an ipfw rule and testing it from the command line works
> > (connects out from master address, not alias)
> >
> > From website on alias address, the firewall blocks the packets.
> >
> > The weird thing is that it tags them (in the security log) as coming
> > from the master address (not the alias) out the correct interface. In a
> > normal world that would mean the packet would match!!!!!
> >
> > What's goin' on here Willis?
>
> Difficult to tell without seeing a) ifconfig b) netstat -rn c) at least
> the relevant firewall rule/s and d) log entries that illustrate your
> problem. Obscure sensitive information by all means, but otherwise
> pretend we haven't the slightest clue how your system is configured :)
>
> cheers, Ian

Fair enough. ifconfig below:

bce1: flags=8843 mtu 1500
        options=3b
        inet 210.5.50.5 netmask 0xffffffe0 broadcast 210.5.50.31
        inet 210.5.51.32 netmask 0xffffffff broadcast 210.5.51.32
        inet 210.5.51.27 netmask 0xffffffff broadcast 210.5.51.27
        inet 210.5.51.33 netmask 0xffffffff broadcast 210.5.51.33
        inet 210.5.51.34 netmask 0xffffffff broadcast 210.5.51.34
        inet 210.5.51.42 netmask 0xffffffff broadcast 210.5.51.42
        inet 210.5.51.4 netmask 0xffffffff broadcast 210.5.51.4
        ether 00:1c:c4:c0:56:94
        media: Ethernet autoselect (1000baseSX )
        status: active

Relevant /etc/rc.conf entries:

ifconfig_bce1="inet 210.5.50.5 netmask 255.255.255.224"
ifconfig_bce1_alias0="inet 210.5.50.5 netmask 255.255.255.224"
ifconfig_bce1_alias1="inet 210.5.51.4 netmask 255.255.255.255"
ifconfig_bce1_alias2="inet 210.5.51.27 netmask 255.255.255.255"
ifconfig_bce1_alias3="inet 210.5.51.32 netmask 255.255.255.255"
ifconfig_bce1_alias4="inet 210.5.51.33 netmask 255.255.255.255"
ifconfig_bce1_alias5="inet 210.5.51.34 netmask 255.255.255.255"
ifconfig_bce1_alias6="inet 210.5.51.42 netmask 255.255.255.255"

Relevant ipfw rules:

ipfw -q add 02012 allow tcp from any to 208.69.123.164 80 out via bce1 setup keep-state
ipfw -q add 02012 allow tcp from any to 208.69.123.164 443 out via bce1 setup keep-state

Interesting entries in /var/log/security:

Dec 1 16:42:25 kernel: ipfw: 9999 Deny TCP 210.5.50.5:49708 208.69.123.164:80 out via bce1

What makes this interesting is that I can connect to that port via the command line. It's the website that lives on 210.5.51.42 that is having problems.

Why, if the rule is valid enough for the command line, is it having problems from an aliased address? This MUST have something to do with the way ipfw is working with aliased addresses, but I'm blowed if I know what is wrong.

Cheers,
Brett.
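As an added illustration (not code from this thread or from FreeBSD), the following Python checker parses ipfw log lines in the format quoted above and labels each source address as the bce1 primary, one of its aliases, or foreign, so that the symptom described (an outbound Deny logged from 210.5.50.5 where an alias was expected) can be picked out of /var/log/security directly. The address table is taken from the ifconfig output above; the second and third sample log lines and the "Accept" action wording are constructed here for the example.

```python
import re

# Addresses bound to bce1, taken from the ifconfig output quoted in the post.
PRIMARY = "210.5.50.5"
ALIASES = {"210.5.51.4", "210.5.51.27", "210.5.51.32",
           "210.5.51.33", "210.5.51.34", "210.5.51.42"}

# Constructed sample of /var/log/security. Line 1 is the entry quoted in the
# post; lines 2 and 3 are made up here to exercise the other code paths.
SAMPLE_LOG = """\
Dec 1 16:42:25 kernel: ipfw: 9999 Deny TCP 210.5.50.5:49708 208.69.123.164:80 out via bce1
Dec 1 16:42:31 kernel: ipfw: 2012 Accept TCP 210.5.51.42:50112 208.69.123.164:443 out via bce1
Dec 1 16:43:02 kernel: ipfw: 9999 Deny TCP 192.0.2.9:4000 208.69.123.164:80 in via bce1
"""

# Matches the "ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> <dir> via <if>" tail.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)


def classify_source(addr):
    """Label an address as the primary, one of the aliases, or not ours."""
    if addr == PRIMARY:
        return "primary"
    if addr in ALIASES:
        return "alias"
    return "foreign"


def parse_ipfw_log(text):
    """Return one dict per ipfw log line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            for key in ("rule", "sport", "dport"):
                d[key] = int(d[key])
            d["source_kind"] = classify_source(d["src"])
            entries.append(d)
    return entries


def outbound_denies(entries):
    """Outbound packets that hit a Deny rule, with the source label attached.
    A 'primary' source on a deny that should have left from an alias is the
    symptom reported in the post."""
    return [(e["rule"], e["src"], e["source_kind"], f"{e['dst']}:{e['dport']}")
            for e in entries if e["dir"] == "out" and e["action"] == "Deny"]
```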