From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 8 21:36:28 2005
From: Christian Hiris <4711@chello.at>
To: freebsd-ipfw@freebsd.org
cc: "heath, Chia Hui Chen"
Date: Sat, 8 Jan 2005 22:36:09 +0100
Subject: Re: ipfw + MAC nothing happens?
User-Agent: KMail/1.7
Message-Id: <200501082236.24796.4711@chello.at>
In-Reply-To: <010b01c4f5a1$aaa730c0$f8813b3d@linuxlmx20ji5l>
References: <007101c4f584$d9a7fd90$f8813b3d@linuxlmx20ji5l> <200501081721.37351.4711@chello.at> <010b01c4f5a1$aaa730c0$f8813b3d@linuxlmx20ji5l>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 08 January 2005 17:46, heath, Chia Hui Chen wrote:
> It's strange.
> I use two computers to test.
> One is called A (00:e0:18:62:xx:xx),
> the other is called B.
>
> And the ruleset is the same as you said.
> I tried rebooting and used A to connect to port 443 of one site.
> The IPFW output is below:
> ============================================================

The diverted packets are not layer-2 packets, so they must be able to bypass
the layer-2 rules. In our case all diverted packets match rule 30, because
neither of the two layer-2 rules (10 and 20) applies. So please add the rule
below to your ruleset. If this doesn't work, I will try to reproduce this on
one of my boxes.

ipfw add 9 skipto 50 all from any to any not layer2

> 00010 4 190 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
> 00020 2273 1136464 skipto 50 ip from any to any MAC any any
> 00030 3 144 deny tcp from any to any dst-port 443
> 00050 3476 1000174 divert 8668 ip from any to any via fxp0
> 00100 420 109610 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 65000 8022 3082293 allow ip from any to any
> 65535 1 89 deny ip from any to any
> ============================================================
>
> And then I tested it using computer B.
> The output is as below:
>
> ============================================================
> 00010 4 190 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
> 00020 4246 1931785 skipto 50 ip from any to any MAC any any
> 00030 6 288 deny tcp from any to any dst-port 443
> 00050 4699 1427090 divert 8668 ip from any to any via fxp0
> 00100 658 147594 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 65000 11953 4671673 allow ip from any to any
> 65535 1 89 deny ip from any to any
> ============================================================
> It seems that rule 20 is active, but rule 30 is active, too.
> What should I do next?
> I'm sorry to bother you, but could you help me again?
> Thanks!
>
> ----- Original Message -----
> From: "Christian Hiris" <4711@chello.at>
> To: "heath, Chia Hui Chen"
> Sent: Sunday, January 09, 2005 12:21 AM
> Subject: Re: ipfw + MAC nothing happens?
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Saturday 08 January 2005 16:57, heath, Chia Hui Chen wrote:
> > > Thanks.
> > > I tried it, but something is wrong.
> >
> > I would try to put the respective rules on top:
> >
> > ipfw add 10 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
> > ipfw add 20 skipto 50 ip from any to any MAC any any
> > ipfw add 30 deny tcp from any to any dst-port 443
> >
> > 00050 divert 8668 ip from any to any via fxp0
> > 00100 ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00300 deny ip from 127.0.0.0/8 to any
> > 65000 allow ip from any to any
> > 65535 deny ip from any to any
> >
> > If this also doesn't work, please post your ipfw output again.
> >
> > > 00050 22484 11388448 divert 8668 ip from any to any via fxp0
> > > 00100 4414 2006448 allow ip from any to any via lo0
> > > 00200 0 0 deny ip from any to 127.0.0.0/8
> > > 00300 0 0 deny ip from 127.0.0.0/8 to any
> > > 00400 52 4053 skipto 1000 ip from any to any MAC any 00:e0:18:62:xx:xx
> > > 00600 7008 3465293 skipto 65000 ip from any to any MAC any any
> > > 01000 33 1584 deny tcp from any to any dst-port 443
> > > 65000 46408 25226370 allow ip from any to any
> > > 65535 0 0 deny ip from any to any
> > >
> > > It looks like all my computers behind the NAT are denied access to port 443.
> > > Can you please tell me what's wrong?
> > > Thank you again.
> >
> > - --
> > Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
> > OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.6 (FreeBSD)
> >
> > iD8DBQFB4AiR09WjGjvKU74RAiShAJ9EnhROvbpSm61CXXxsNgLeCspPDgCdET99
> > xDxxjHfo2Y9n17w3S7p+9xY=
> > =eqfj
> > -----END PGP SIGNATURE-----
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

- --
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFB4FJY09WjGjvKU74RAkkJAJ9Sb64T/iqGBhcRHVIc/CSgXLEkSACfQcxE
5LyuPZoRoHmL8cYXvO4hf8M=
=Kp2k
-----END PGP SIGNATURE-----