Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 3 Sep 2004 12:00:40 -0700 (PDT)
From:      George S <c0sine@yahoo.com>
To:        freebsd-ipfw@freebsd.org
Subject:   fwd'ing packet originally destined to local interface problem
Message-ID:  <20040903190040.58544.qmail@web40412.mail.yahoo.com>

next in thread | raw e-mail | index | archive | help
I am having some trouble with a specialized IDS testing framework I am
working on.

Here is my setup:
-FreeBSD 5.2.1-release running with firewall options configured, bridging
off, default to accept
-fxp0: inet 10.0.0.50 netmask 255.255.255.0
-fxp1: inet 192.168.1.3 netmask 255.255.255.0
-default gateway 10.0.0.1 / no static-routes set
-ipfw ruleset as follows:
  ipfw add 1 skipto 10 tcp from 10.0.0.50 to any setup recv fxp1 keep-state
  ipfw add 5 allow ip from any to any
  ipfw add 10 fwd 10.0.0.1 tcp from 10.0.0.50 to any
  ipfw add 11 fwd 192.168.1.2 tcp from any to 10.0.0.50
  ipfw add 65536 allow ip from any to any

When a custom packet (with src ip 10.0.0.50 and SYN bit) arrives at the fxp1
interface, it is forwarded out of the fxp0 interface, as expected. When the
response (with dst ip 10.0.0.50 and SYN+ACK) arrives on fxp0 however, rule
#11 registers the packet by updating its counter, but the packet does not
get written out on the fxp1 wire, as I would expect (or hope) it to!

Is this a problem with the code or my ruleset or did I erroneously predict
the resulting behaviour?

Many thanks in advance for any help any guru here can provide.

Kindest regards,

George


		
_______________________________
Do you Yahoo!?
Win 1 of 4,000 free domain names from Yahoo! Enter now.
http://promotions.yahoo.com/goldrush



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040903190040.58544.qmail>