Date: Mon, 14 Jan 2002 00:11:56 -0800
From: "Crist J . Clark"
To: Eric Veraart
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Filtering out problem with IPFilter

On Sun, Jan 13, 2002 at 04:31:58PM +0100, Eric Veraart wrote:
> Hello,
>
> I'm running a FreeBSD 4.4p2-RELEASE gateway here with IPFilter. I
> noticed that packets coming in from the network can be filtered and
> blocked, but once they are through I can't filter them with out rules.
> For example;
> I make a rule to pass in all traffic from xl0 to any
> Then I say all traffic out on ep0 is allowed, but on xl1 only a small
> range of addresses can go out. What I notice is that all computers on
> xl0 can go to an address behind xl1. The gateway itself can't go out on
> xl1.
> It almost seems as if gateway_enable="YES" in rc.conf lets packets
> bypass the out filter. I'm not using NAT.
> This is not a big problem, because I can manage everything through IN
> rules, it's still strange.

Your description is difficult to understand. Post your rules.

But this is not really on-topic for -stable. Redirecting to
-questions.
--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org