From: Carlos Alarcón
Organization: Iracsa
To: freebsd-isp@freebsd.org
Date: Wed, 21 Jul 2004 11:39:04 -0600
Subject: about ipfw rules on bridge boxes

Hi, I have a FreeBSD box acting as a bridge on my network, with two NICs, one of them (the external one) with an IP. I use it as a traffic shaper, and this works great; I haven't been able to get the Squid transparent proxy working yet :(. I think doing it with a bridge is a little strange, but my question is a different one.
Sometimes I want to display messages to my clients. I did this before, when I was using NAT instead of a bridge, by redirecting the client IP to my HTTP server, and I had a WEB PAGE that showed the content. This was working fine, but NAT gave me some problems, so I use a bridge, which works better for me. Now, when I want to use this redirection again, it only works when I have proxy settings in my clients' browsers; when there are no proxy settings in the clients' browsers, the redirection rule doesn't match, as its counter shows, and I don't know why this rule is skipped. I attach my rules. I have my Apache listening on port 81, and I redirect all the web page requests from client 172.16.1.58 to the HTTP server running on my bridge box:

fwd 127.0.0.1,81 tcp from 172.16.1.58 to

bash-2.05b# ipfw show
00009          0          0 fwd 127.0.0.1,81 tcp from 172.16.1.58 to any dst-port 80
00011          0          0 deny ip from any to any MAC 00:02:2d:08:fd:5c any
00200          0          0 deny ip from any to any MAC any 00:02:2d:5e:0c:e5
00300        270       9646 deny ip from any to any MAC any 00:02:2d:67:42:fa
00400          0          0 deny ip from any to any MAC any 00:02:2d:3d:39:d7
00500          0          0 deny ip from any to any MAC any 00:02:2d:09:81:3c
00600      16084      50790 deny ip from any to any MAC any 00:02:2d:67:51:e3
00900          0          0 check-state
00950     101726   44396164 pipe 2 ip from any to 172.16.1.33
01000      57611   35521514 pipe 1 ip from any to 172.16.1.0/24
01100      54714    5999093 pipe 3 ip from 172.16.1.0/24 to any
01200     640165  234909932 allow tcp from 172.16.1.33 to any setup keep-state
01300       9709    1442183 allow udp from 172.16.1.33 to any keep-state
01400      60327   29747515 allow ip from 172.16.1.33 to any
01500    2730709 1590949972 allow tcp from any to any in via xl1 setup keep-state
01600     121973   43739565 allow udp from any to any in via xl1 keep-state
01700      59348    1840715 allow ip from any to any in via xl1
01800          0          0 allow tcp from any to any dst-port 22 in via xl1 setup keep-state
01900          0          0 allow tcp from any to any dst-port 113 in via xl1 setup keep-state
02000          0          0 allow tcp from any to any dst-port 49152-65535 in via xl1 setup keep-state
02100     322819   86172666 allow udp from any to any dst-port 49152-65535 in via xl0 keep-state
02200         67       3248 allow icmp from any to any icmptypes 8 keep-state
02300     125014   13868628 allow icmp from any to any icmptypes 3
02400       3423     387572 allow icmp from any to any icmptypes 11
02500   11784223 9455880276 allow ip from any to any
65535         35       1564 deny ip from any to any

Thanks
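ipfw walks a listing like the one above from top to bottom and acts on the first rule that matches (with the default net.inet.ip.fw.one_pass=1 a pipe rule ends the walk too), so the two questions a reviewer asks of it are "which rule does a given packet actually hit?" and "which rules can never fire because an earlier rule already matches everything they would?". The script below, added here as an example and not code from the post or from FreeBSD, parses "ipfw show" output into rule objects, answers the first question for a constructed packet, and answers the second with a conservative shadow check. The packet dicts, the subset of the listing embedded as IPFW_SHOW and the addresses in it are constructed from the post; the script models only the static matchers that appear there, tracks no dynamic state (so check-state never matches), and treats unknown options as never matching.

```python
"""Parse "ipfw show" output, find the first rule a packet hits, and flag rules
shadowed by an earlier, broader rule.  Added example for the ruleset in the
post above, not code from the post or from FreeBSD; only the static matchers
seen in that listing are modelled.  Assumptions: check-state never matches (no
dynamic rules are tracked) and a pipe rule ends the search (one_pass=1)."""
import ipaddress
from dataclasses import dataclass, field

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ACTIONS_WITH_ARG = ("fwd", "forward", "pipe", "queue", "divert", "tee", "skipto")
OPTS_WITH_ARG = ("via", "recv", "xmit", "icmptypes")
# Constructed input: a subset of the "ipfw show" listing from the post.
IPFW_SHOW = """\
00009          0          0 fwd 127.0.0.1,81 tcp from 172.16.1.58 to any dst-port 80
00300        270       9646 deny ip from any to any MAC any 00:02:2d:67:42:fa
00900          0          0 check-state
01000      57611   35521514 pipe 1 ip from any to 172.16.1.0/24
01500    2730709 1590949972 allow tcp from any to any in via xl1 setup keep-state
01700      59348    1840715 allow ip from any to any in via xl1
01800          0          0 allow tcp from any to any dst-port 22 in via xl1 setup keep-state
02500   11784223 9455880276 allow ip from any to any
65535         35       1564 deny ip from any to any
"""

@dataclass
class Rule:
    number: int
    packets: int          # hit counter as printed by ipfw show
    action: str           # "allow", "deny", "fwd 127.0.0.1,81", "pipe 1", "check-state"
    proto: str = "ip"
    src: ipaddress.IPv4Network = ANY_NET
    dst: ipaddress.IPv4Network = ANY_NET
    opts: dict = field(default_factory=dict)  # option keyword -> value (True for flags)

def parse_rule(line):
    """One 'ipfw show' line -> Rule (source ports and 'to any 80' are not handled)."""
    num, pkts, _, *toks = line.split()
    action = toks.pop(0)
    if action in ACTIONS_WITH_ARG:
        action += " " + toks.pop(0)
    rule = Rule(int(num), int(pkts), action)
    if action == "check-state":
        return rule
    rule.proto, _from, src, _to, dst, *toks = toks        # proto from SRC to DST ...
    rule.src, rule.dst = (ANY_NET if t == "any" else ipaddress.ip_network(t, strict=False) for t in (src, dst))
    while toks:
        kw = toks.pop(0)
        if kw == "MAC":                        # MAC dst-mac src-mac
            rule.opts[kw] = (toks.pop(0).lower(), toks.pop(0).lower())
        elif kw == "dst-port":                 # "80" or "49152-65535"
            lo, _, hi = toks.pop(0).partition("-")
            rule.opts[kw] = (int(lo), int(hi or lo))
        elif kw in OPTS_WITH_ARG:
            rule.opts[kw] = toks.pop(0)
        else:
            rule.opts[kw] = True               # in, out, setup, keep-state, ...
    return rule

def parse_ipfw_show(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

# A packet is a dict with keys proto, src, dst, dport, dir ("in"/"out"), via (interface),
# syn (SYN without ACK), mac as (dst-mac, src-mac) in ipfw's MAC order, and icmptype.
OPT_TESTS = {
    "in": lambda v, p: p.get("dir") == "in",
    "out": lambda v, p: p.get("dir") == "out",
    "via": lambda v, p: p.get("via") == v,
    "setup": lambda v, p: p["proto"] == "tcp" and p.get("syn", False),
    "dst-port": lambda v, p: p.get("dport") is not None and v[0] <= p["dport"] <= v[1],
    "MAC": lambda v, p: all(w in ("any", h.lower()) for w, h in zip(v, p.get("mac", ("", "")))),
    "icmptypes": lambda v, p: str(p.get("icmptype")) in v.split(","),
    "keep-state": lambda v, p: True,           # a side effect, not a match test
}

def matches(rule, pkt):
    """Static first-match test of one rule; options OPT_TESTS does not know never match."""
    return (rule.action != "check-state" and rule.proto in ("ip", "all", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in rule.src
            and ipaddress.ip_address(pkt["dst"]) in rule.dst
            and all(OPT_TESTS.get(k, lambda v, p: False)(v, pkt) for k, v in rule.opts.items()))

def first_match(rules, pkt):
    """Number of the first rule ipfw would act on for this packet, or None."""
    return next((r.number for r in rules if matches(r, pkt)), None)

def covers(a, b):
    """True if every packet rule b matches is also matched by the earlier rule a.  Conservative:
    option values must be identical (a wider port range or MAC wildcard in a is not recognised)."""
    return ("check-state" not in (a.action, b.action)
            and a.proto in ("ip", "all", b.proto)
            and a.src.supernet_of(b.src) and a.dst.supernet_of(b.dst)
            and all(b.opts.get(k) == v for k, v in a.opts.items() if k != "keep-state"))

def shadowed(rules):
    """Map each shadowed rule number to the first earlier rule that covers it."""
    return {b.number: next(a.number for a in rules[:j] if covers(a, b))
            for j, b in enumerate(rules) if any(covers(a, b) for a in rules[:j])}
```

Feeding it the posted listing gives two results worth noting. A TCP SYN from 172.16.1.58 to port 80 lands on rule 9 by syntax alone, so the 0 0 counter on that rule in the post means no packet has matched it since it was installed or zeroed, not that it matched and the fwd was ignored; the question to chase is why traffic bypasses the rule. shadowed() reports 1800 as covered by 1500 and the default deny by 2500; on the full listing 1900 and 2000 are covered by 1500 for the same reason, which fits their zero counters. The script tests rule syntax only: it cannot tell which code path (a frame bridged at layer 2 or a packet going through the IP stack) hands a packet to ipfw, so a rule that matches here may still not produce the action you expect on a bridge.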