Date: Wed, 21 Jul 2004 11:39:04 -0600
From: Carlos Alarcón <calarcon@iracsa.com.mx>
To: freebsd-isp@freebsd.org
Subject: about ipfw rules on bridge boxes
Message-ID: <opsbh0nevymvvzdj@toshibalap>
Hi, I have a FreeBSD box acting as a bridge on my network, with two NICs, one of them (the external one) with an IP. I use it as a traffic shaper, and this works great. I can't make the squid transparent proxy work yet :( (I think doing it with a bridge is a little strange), but my question is another one.

Sometimes I want to display messages to my clients. I did this before, when I was using NAT instead of a bridge, by redirecting the client IP to my HTTP server, where I had a WEB PAGE that shows the content. This was working fine, but NAT gave me some problems, so I use a bridge now, and for me it is working better. Well, now that I want to use this redirection again, it only works when I have proxy settings in my clients' browsers; when I don't have proxy settings in the clients' browsers, the redirection rule counter doesn't match. I don't know why this rule is skipped. I attach my rules.

I have my apache listening on port 81. I redirect all the web page requests from client 172.16.1.58 to my HTTP server running on my bridge box:

fwd 127.0.0.1,81 tcp from 172.16.1.58 to

bash-2.05b# ipfw show
00009 0 0 fwd 127.0.0.1,81 tcp from 172.16.1.58 to any dst-port 80
00011 0 0 deny ip from any to any MAC 00:02:2d:08:fd:5c any
00200 0 0 deny ip from any to any MAC any 00:02:2d:5e:0c:e5
00300 270 9646 deny ip from any to any MAC any 00:02:2d:67:42:fa
00400 0 0 deny ip from any to any MAC any 00:02:2d:3d:39:d7
00500 0 0 deny ip from any to any MAC any 00:02:2d:09:81:3c
00600 16084 50790 deny ip from any to any MAC any 00:02:2d:67:51:e3
00900 0 0 check-state
00950 101726 44396164 pipe 2 ip from any to 172.16.1.33
01000 57611 35521514 pipe 1 ip from any to 172.16.1.0/24
01100 54714 5999093 pipe 3 ip from 172.16.1.0/24 to any
01200 640165 234909932 allow tcp from 172.16.1.33 to any setup keep-state
01300 9709 1442183 allow udp from 172.16.1.33 to any keep-state
01400 60327 29747515 allow ip from 172.16.1.33 to any
01500 2730709 1590949972 allow tcp from any to any in via xl1 setup keep-state
01600 121973 43739565 allow udp from any to any in via xl1 keep-state
01700 59348 1840715 allow ip from any to any in via xl1
01800 0 0 allow tcp from any to any dst-port 22 in via xl1 setup keep-state
01900 0 0 allow tcp from any to any dst-port 113 in via xl1 setup keep-state
02000 0 0 allow tcp from any to any dst-port 49152-65535 in via xl1 setup keep-state
02100 322819 86172666 allow udp from any to any dst-port 49152-65535 in via xl0 keep-state
02200 67 3248 allow icmp from any to any icmptypes 8 keep-state
02300 125014 13868628 allow icmp from any to any icmptypes 3
02400 3423 387572 allow icmp from any to any icmptypes 11
02500 11784223 9455880276 allow ip from any to any
65535 35 1564 deny ip from any to any

thanks
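The post shows the fwd rule sitting at 0 packets while later rules carry millions, which is exactly what the `ipfw show` counters are for: they tell you which rule actually consumed a flow. The script below is an added example, not code from the original message or from the FreeBSD project; it diffs two `ipfw show` snapshots (format assumed to be "rulenum packets bytes rule...", as in the listing above) and prints every rule whose packet counter moved. The two snapshots are constructed from the posted rule set, with the "after" counters made up to show one HTTP request from 172.16.1.58 landing on the catch-all rule 02500 instead of the fwd rule 00009.

```shell
#!/bin/sh
# Added example (not from the original post): find which ipfw rules a test
# flow actually hit by diffing the packet counters from two `ipfw show`
# snapshots. On the real box: `ipfw show > before`, send one request from
# the client, `ipfw show > after`, then `changed_rules before after`.

# Print "rulenum delta" for every rule whose packet counter changed.
# $1 = file with the "before" snapshot, $2 = file with the "after" snapshot.
# Assumes each line is: rulenum packets bytes rule-text (as printed by ipfw show).
changed_rules() {
    awk 'NR == FNR { before[$1] = $2; next }
         ($1 in before) && ($2 != before[$1]) { print $1, $2 - before[$1] }' "$1" "$2"
}

BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT

# Constructed sample: a subset of the posted rule set, counters before the test request.
cat > "$BEFORE" <<'EOF'
00009 0 0 fwd 127.0.0.1,81 tcp from 172.16.1.58 to any dst-port 80
00900 0 0 check-state
01500 2730709 1590949972 allow tcp from any to any in via xl1 setup keep-state
02500 11784223 9455880276 allow ip from any to any
65535 35 1564 deny ip from any to any
EOF

# Constructed sample: after one HTTP request from 172.16.1.58. The fwd rule
# 00009 is still at zero; the 12 packets of the request were counted by 02500.
cat > "$AFTER" <<'EOF'
00009 0 0 fwd 127.0.0.1,81 tcp from 172.16.1.58 to any dst-port 80
00900 0 0 check-state
01500 2730709 1590949972 allow tcp from any to any in via xl1 setup keep-state
02500 11784235 9455882114 allow ip from any to any
65535 35 1564 deny ip from any to any
EOF

# Prints "02500 12": the request never matched 00009 and fell through to 02500.
changed_rules "$BEFORE" "$AFTER"
```

If the fwd rule's counter does not move while a later rule's counter does, the packet reached ipfw but did not match the fwd rule (check the source address, direction and port against what the client is actually sending); if no counter moves at all, the bridged frames are not being handed to ipfw, which on the FreeBSD 4.x bridge(4) is controlled by the net.link.ether.bridge_ipfw sysctl.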