From: Jose Hidalgo Herrera <jose@hostarica.com>
To: George S
cc: freebsd-ipfw@freebsd.org
Subject: Re: fwd'ing packet originally destined to local interface problem
Date: Fri, 03 Sep 2004 13:20:57 -0600
Organization: Corp. Hosta Rica
Message-Id: <1094239257.95873.1.camel@jose.hostarica.net>
In-Reply-To: <20040903190040.58544.qmail@web40412.mail.yahoo.com>
References: <20040903190040.58544.qmail@web40412.mail.yahoo.com>
List-Id: IPFW Technical Discussions <freebsd-ipfw@freebsd.org>

I think you need:

ipfw add 1 check-state
ipfw add 2 skipto 10 ........

On Fri, 2004-09-03 at 13:00, George S wrote:
> I am having some trouble with a specialized IDS testing framework I am
> working on.
>
> Here is my setup:
> - FreeBSD 5.2.1-RELEASE running with firewall options configured, bridging
>   off, default to accept
> - fxp0: inet 10.0.0.50 netmask 255.255.255.0
> - fxp1: inet 192.168.1.3 netmask 255.255.255.0
> - default gateway 10.0.0.1 / no static routes set
> - ipfw ruleset as follows:
>
>   ipfw add 1 skipto 10 tcp from 10.0.0.50 to any setup recv fxp1 keep-state
>   ipfw add 5 allow ip from any to any
>   ipfw add 10 fwd 10.0.0.1 tcp from 10.0.0.50 to any
>   ipfw add 11 fwd 192.168.1.2 tcp from any to 10.0.0.50
>   ipfw add 65536 allow ip from any to any
>
> When a custom packet (with src ip 10.0.0.50 and SYN bit) arrives at the fxp1
> interface, it is forwarded out of the fxp0 interface, as expected. When the
> response (with dst ip 10.0.0.50 and SYN+ACK) arrives on fxp0, however, rule
> #11 registers the packet by updating its counter, but the packet does not
> get written out on the fxp1 wire, as I would expect (or hope) it to!
>
> Is this a problem with the code or my ruleset, or did I erroneously predict
> the resulting behaviour?
>
> Many thanks in advance for any help any guru here can provide.
>
> Kindest regards,
>
> George

-- 
Jose Hidalgo Herrera
Corp. Hosta Rica
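As an added illustration (not part of the thread or of FreeBSD's code), a small Python model of ipfw first-match evaluation with keep-state, check-state and skipto, run over George's ruleset with the reply's check-state inserted ahead of the skipto rule. It models only which rule each packet ends up at (the SYN injected on fxp1 creates dynamic state; the returning SYN+ACK on fxp0 is caught by check-state, takes the parent rule's skipto and lands on rule 11); the peer address 198.51.100.7 is constructed, and the kernel's actual fwd output path that the question is about is not modelled.

```python
from collections import namedtuple

# Packet fields: flags "S" = SYN only (what ipfw 'setup' matches), "SA" = SYN+ACK.
Pkt = namedtuple("Pkt", "src dst flags recv")
# Rule fields mirror the ruleset in the thread; recv "" means any interface.
Rule = namedtuple("Rule", "num action src dst setup recv keep_state",
                  defaults=("any", "any", False, "", False))

def body_matches(r, p):
    return (r.src in ("any", p.src) and r.dst in ("any", p.dst)
            and (not r.setup or p.flags == "S") and r.recv in ("", p.recv))

def run(rules, pkt, dyn):
    """First-match walk; returns (terminal action, numbers of rules that matched)."""
    key = frozenset((pkt.src, pkt.dst))   # a dynamic rule matches both directions
    hits, i = [], 0
    while i < len(rules):
        r = rules[i]
        if r.action == "check-state" and key in dyn:
            hits.append(r.num)
            r = dyn[key]                  # run the action of the rule that made the state
        elif r.action != "check-state" and body_matches(r, pkt):
            hits.append(r.num)
            if r.keep_state:
                dyn[key] = r
        else:
            i += 1
            continue
        if r.action.startswith("skipto "):
            i = next(j for j, x in enumerate(rules) if x.num >= int(r.action.split()[1]))
            continue
        return r.action, hits
    return "allow", hits

# George's rules with the reply's 'check-state' inserted ahead of the skipto rule.
RULES = [
    Rule(1, "check-state"),
    Rule(2, "skipto 10", src="10.0.0.50", setup=True, recv="fxp1", keep_state=True),
    Rule(5, "allow"),
    Rule(10, "fwd 10.0.0.1", src="10.0.0.50"),
    Rule(11, "fwd 192.168.1.2", dst="10.0.0.50"),
    Rule(65535, "allow"),                 # ipfw's default rule
]

def demo():
    dyn, peer = {}, "198.51.100.7"        # constructed remote peer address
    syn = Pkt("10.0.0.50", peer, "S", "fxp1")      # crafted SYN injected on fxp1
    synack = Pkt(peer, "10.0.0.50", "SA", "fxp0")  # reply arriving on fxp0
    return run(RULES, syn, dyn), run(RULES, synack, dyn)
```

Both calls return the terminal action and the rule numbers whose counters would move, so the SYN path reads (fwd 10.0.0.1, [2, 10]) and the SYN+ACK path (fwd 192.168.1.2, [1, 11]).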