Date: Fri, 3 Sep 2004 13:44:37 -0700 (PDT)
From: George S <c0sine@yahoo.com>
To: freebsd-ipfw@freebsd.org
Subject: Re: fwd'ing packet originally destined to local interface problem
Message-ID: <20040903204437.1850.qmail@web40410.mail.yahoo.com>
Hi,

Thank you for the suggestion, but that didn't make any difference, which is
consistent with the docs: "If no check-state rule is found, the dynamic
rule-set is checked at the first keep-state or limit rule" (in my case,
rule #1). My dynamic rule set is checked on rule #1 and that causes a
skipto 10, where the next matching rule is #11. The packet count is
updated, but *I do not see the packet coming out the fxp1 interface*.

Any other suggestions?

George

> I think you need:
> ipfw add 1 check-state
> ipfw add 2 skipto 10 ........
>
>
> On Fri, 2004-09-03 at 13:00, George S wrote:
>
>> I am having some trouble with a specialized IDS testing framework I am
>> working on.
>>
>> Here is my setup:
>> -FreeBSD 5.2.1-release running with firewall options configured, bridging
>> off, default to accept
>> -fxp0: inet 10.0.0.50 netmask 255.255.255.0
>> -fxp1: inet 192.168.1.3 netmask 255.255.255.0
>> -default gateway 10.0.0.1 / no static-routes set
>> -ipfw ruleset as follows:
>> ipfw add 1 skipto 10 tcp from 10.0.0.50 to any setup recv fxp1 keep-state
>> ipfw add 5 allow ip from any to any
>> ipfw add 10 fwd 10.0.0.1 tcp from 10.0.0.50 to any
>> ipfw add 11 fwd 192.168.1.2 tcp from any to 10.0.0.50
>> ipfw add 65536 allow ip from any to any
>>
>> When a custom packet (with src ip 10.0.0.50 and SYN bit) arrives at the fxp1
>> interface, it is forwarded out of the fxp0 interface, as expected. When the
>> response (with dst ip 10.0.0.50 and SYN+ACK) arrives on fxp0 however, rule
>> #11 registers the packet by updating its counter, but the packet does not
>> get written out on the fxp1 wire, as I would expect (or hope) it to!
>>
>> Is this a problem with the code or my ruleset or did I erroneously predict
>> the resulting behaviour?
>>
>> Many thanks in advance for any help any guru here can provide.
>>
>> Kindest regards,
>>
>> George
>>
>
> --
> Jose Hidalgo Herrera <jose at hostarica.com>
> Corp. Hosta Rica
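Added illustration, not part of the thread and not ipfw source: a small Python model of the rule walk George describes (skipto, keep-state, check-state, fwd), loaded with his posted ruleset and with Jose's check-state variant, and fed a constructed SYN/SYN+ACK pair. The peer address 203.0.113.7, the ports and the packet counters are made up for the example. It reproduces only which rule each packet terminates at and which counters move: the SYN+ACK arriving on fxp0 is picked up by the dynamic entry at rule 1 (or at the explicit check-state), skips to 10, falls through to rule 11, and never reaches rule 5. It says nothing about whether the kernel then emits the packet on fxp1, which is the open question in the thread.

```python
# Added toy model of ipfw rule walking (skipto / keep-state / check-state / fwd)
# for the ruleset in this thread. Not ipfw code: it reproduces only which rule a
# packet ends at and which counters move, not the kernel's forwarding path.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    recv: str                                  # receiving interface, e.g. "fxp0"
    flags: set = field(default_factory=set)    # TCP flags, e.g. {"SYN", "ACK"}

@dataclass
class Rule:
    num: int
    action: str                   # "allow", "skipto", "fwd" or "check-state"
    arg: Optional[str] = None     # skipto target or fwd next hop
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    recv: Optional[str] = None    # "recv fxpN" qualifier
    setup: bool = False           # "setup": SYN set, ACK clear
    keep_state: bool = False
    count: int = 0                # packet counter, as in "ipfw -a list"

    def matches(self, p):
        if self.action == "check-state":       # no static body; see dynamic lookup
            return False
        return ((self.proto == "ip" or self.proto == p.proto)
                and self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and (self.recv is None or self.recv == p.recv)
                and (not self.setup or ("SYN" in p.flags and "ACK" not in p.flags)))

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = {}         # 5-tuple of the creating packet -> parent Rule

    @staticmethod
    def _key(p, reverse=False):
        return ((p.proto, p.dst, p.dport, p.src, p.sport) if reverse
                else (p.proto, p.src, p.sport, p.dst, p.dport))

    def _index_of(self, num):     # skipto N lands on the first rule numbered >= N
        return next((i for i, r in enumerate(self.rules) if r.num >= num),
                    len(self.rules))

    def evaluate(self, p):
        """Walk the ruleset; return (action, arg, final rule number, rules visited)."""
        path, i, dyn_checked = [], 0, False
        while i < len(self.rules):
            r = self.rules[i]
            # A check-state rule, or failing that the first keep-state rule, consults
            # the dynamic set; a hit applies the action of the rule that created it.
            if not dyn_checked and (r.action == "check-state" or r.keep_state):
                dyn_checked = True
                parent = (self.dynamic.get(self._key(p))
                          or self.dynamic.get(self._key(p, reverse=True)))
                if parent is not None:
                    parent.count += 1
                    path.append(parent.num)
                    if parent.action == "skipto":
                        i = self._index_of(int(parent.arg))
                        continue
                    return parent.action, parent.arg, parent.num, path
            if r.matches(p):
                r.count += 1
                path.append(r.num)
                if r.keep_state:               # one entry; lookup tries both directions
                    self.dynamic[self._key(p)] = r
                if r.action == "skipto":
                    i = self._index_of(int(r.arg))
                    continue
                return r.action, r.arg, r.num, path
            i += 1
        return "deny", None, None, path        # model default; not reached with these rules

def build_ruleset(explicit_check_state=False):
    """George's posted ruleset; with the flag, Jose's variant (check-state, then skipto)."""
    rules = [Rule(1, "check-state")] if explicit_check_state else []
    rules += [
        Rule(2 if explicit_check_state else 1, "skipto", "10", proto="tcp",
             src="10.0.0.50", recv="fxp1", setup=True, keep_state=True),
        Rule(5, "allow"),
        Rule(10, "fwd", "10.0.0.1", proto="tcp", src="10.0.0.50"),
        Rule(11, "fwd", "192.168.1.2", proto="tcp", dst="10.0.0.50"),
        Rule(65536, "allow"),                  # number kept as posted
    ]
    return Firewall(rules)

def run_handshake(fw):
    # Constructed packets: the crafted SYN injected on fxp1 and its SYN+ACK reply on fxp0.
    syn = Packet("tcp", "10.0.0.50", 40000, "203.0.113.7", 80, "fxp1", {"SYN"})
    synack = Packet("tcp", "203.0.113.7", 80, "10.0.0.50", 40000, "fxp0", {"SYN", "ACK"})
    return fw.evaluate(syn), fw.evaluate(synack)
```

Calling run_handshake(build_ruleset()) returns ("fwd", "10.0.0.1", 10, [1, 10]) for the SYN and ("fwd", "192.168.1.2", 11, [1, 11]) for the SYN+ACK, with rule 5's counter still at zero; build_ruleset(True) gives the same terminal rules via [2, 10] and [2, 11], which is why adding an explicit check-state changes nothing in the rule selection.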