From owner-freebsd-questions Mon Oct 15 02:55:01 2001
From: "Jonas Sonntag"
Subject: AW: IPFW question
Date: Mon, 15 Oct 2001 11:45:05 +0200
In-Reply-To: <20011012205442.F6274@blossom.cjclark.org>

Thank you very much :) It was a problem of understanding; I think I finally got it.

Thanks again.

js

> -----Original Message-----
> From: Crist J. Clark [mailto:cristjc@earthlink.net]
> Sent: Saturday, 13 October 2001 05:55
> To: Jonas Sonntag
> Cc: freebsd-questions@FreeBSD.ORG
> Subject: Re: IPFW question
>
>
> On Fri, Oct 12, 2001 at 10:03:07PM +0200, Jonas Sonntag wrote:
>
> [snip]
>
> > only my LAN is (again) disconnected from the net.
> > here are the rules:
> >
> > fwcmd="/sbin/ipfw"
> > $fwcmd -f flush
> >
> > #lan
> > $fwcmd add divert natd all from any to any via rl0
> > $fwcmd add allow all from any to any via lo0
> > $fwcmd add allow all from any to any via xl0
> >
> > # inet
> > $fwcmd add allow all from me to any via rl0
> > $fwcmd add allow tcp from any to me established via rl0
>
> Say you try to HTTP to some remote machine. Your packets will get out
> fine. The response comes back. It goes through the first rule and the
> destination IP (and possibly port) is rewritten to the internal
> address. The packet will not match the above rule, since the
> destination is a machine on your internal net and not the gateway. The
> packets fall through and get dropped at the last rule. You should be
> seeing this in your logs. You may wish to try to add,
>
> $fwcmd add allow tcp from any to established via rl0
>
> Or to use dynamic rules rather than 'established.'
>
> > $fwcmd add allow tcp from any to me 21 setup via rl0
> > $fwcmd add allow tcp from any to me 22 setup via rl0
> > $fwcmd add allow tcp from any to me 80 setup via rl0
> > $fwcmd add allow udp from 213.196.65.2 53 to me
> > $fwcmd add allow udp from 213.196.64.2 53 to me
> > $fwcmd add allow icmp from any to any
> > $fwcmd add deny log ip from any to any
> --
> Crist J. Clark | cjclark@alum.mit.edu
> | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/ | cjc@freebsd.org
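A stateful ipfw/natd ruleset along the lines Crist suggests (dynamic rules instead of 'established'), added here as an example; it is neither the poster's script nor FreeBSD project code. rl0, xl0 and the two DNS server addresses come from the thread, LAN_NET is a constructed placeholder, and the script only prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Stateful ipfw + natd ruleset (added example, not the poster's script).
# rl0 = external interface, xl0 = LAN interface, LAN_NET = constructed
# private range; natd is assumed on its default divert port. Prints the
# rules unless APPLY=1, which needs root on a FreeBSD kernel built with
# IPFIREWALL and IPDIVERT.
FWCMD="/sbin/ipfw"
EXT_IF="rl0"
LAN_IF="xl0"
LAN_NET="192.168.1.0/24"
DNS1="213.196.65.2"
DNS2="213.196.64.2"

# One ipfw command per line. Inbound packets are de-NATed (rule 120)
# before check-state, so a reply carries the LAN address the dynamic
# rule was keyed on; outbound packets create state pre-NAT and skip to
# the outbound divert at 800. Anything not matched explicitly is logged
# and dropped at 399, in both directions.
gen_rules() {
    cat <<EOF
-f flush
add 100 allow ip from any to any via lo0
add 110 allow ip from any to any via $LAN_IF
add 120 divert natd ip from any to any in via $EXT_IF
add 130 check-state
add 200 skipto 800 tcp from $LAN_NET to any out via $EXT_IF setup keep-state
add 210 skipto 800 udp from $LAN_NET to any 53 out via $EXT_IF keep-state
add 220 skipto 800 tcp from me to any out via $EXT_IF setup keep-state
add 230 skipto 800 udp from me to $DNS1 53 out via $EXT_IF keep-state
add 235 skipto 800 udp from me to $DNS2 53 out via $EXT_IF keep-state
add 240 skipto 800 icmp from any to any out via $EXT_IF
add 300 allow tcp from any to me 21,22,80 in via $EXT_IF setup keep-state
add 310 allow icmp from any to any in via $EXT_IF
add 399 deny log ip from any to any
add 800 divert natd ip from any to any out via $EXT_IF
add 810 allow ip from any to any
EOF
}

# Number of "add" rules emitted; a cheap sanity check before applying.
rule_count() {
    gen_rules | grep -c '^add '
}
if [ "${APPLY:-0}" = "1" ]; then
    # Unquoted $line is intentional: each line is one ipfw argument list.
    gen_rules | while read -r line; do $FWCMD -q $line; done
else
    gen_rules | sed "s|^|$FWCMD |"
fi
```

The dry run shows exactly what would be applied; compare it against `ipfw -a list` output after loading to confirm the dynamic rules are created when a LAN host opens a connection.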