From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 3 20:44:38 2004
Message-ID: <20040903204437.1850.qmail@web40410.mail.yahoo.com>
Date: Fri, 3 Sep 2004 13:44:37 -0700 (PDT)
From: George S
To: freebsd-ipfw@freebsd.org
Subject: Re: fwd'ing packet originally destined to local interface problem
List-Id: IPFW Technical Discussions

Hi,

Thank you for the suggestion, but that didn't make any difference, which is
consistent with the docs: "If no check-state rule is found, the dynamic
rule-set is checked at the first keep-state or limit rule" (in my case,
rule #1). My dynamic rule set is checked on rule #1 and that causes a
skipto 10, where the next matching rule is #11. The packet count is updated,
but *I do not see the packet coming out the fxp1 interface*.

Any other suggestions?

George

> I think you need:
> ipfw add 1 check-state
> ipfw add 2 skipto 10 ........
>
>
> On Fri, 2004-09-03 at 13:00, George S wrote:
>
>> I am having some trouble with a specialized IDS testing framework I am
>> working on.
>>
>> Here is my setup:
>> - FreeBSD 5.2.1-release running with firewall options configured, bridging
>>   off, default to accept
>> - fxp0: inet 10.0.0.50 netmask 255.255.255.0
>> - fxp1: inet 192.168.1.3 netmask 255.255.255.0
>> - default gateway 10.0.0.1 / no static routes set
>> - ipfw ruleset as follows:
>>   ipfw add 1 skipto 10 tcp from 10.0.0.50 to any setup recv fxp1 keep-state
>>   ipfw add 5 allow ip from any to any
>>   ipfw add 10 fwd 10.0.0.1 tcp from 10.0.0.50 to any
>>   ipfw add 11 fwd 192.168.1.2 tcp from any to 10.0.0.50
>>   ipfw add 65536 allow ip from any to any
>>
>> When a custom packet (with src ip 10.0.0.50 and SYN bit) arrives at the fxp1
>> interface, it is forwarded out of the fxp0 interface, as expected. When the
>> response (with dst ip 10.0.0.50 and SYN+ACK) arrives on fxp0 however, rule
>> #11 registers the packet by updating its counter, but the packet does not
>> get written out on the fxp1 wire, as I would expect (or hope) it to!
>>
>> Is this a problem with the code or my ruleset, or did I erroneously predict
>> the resulting behaviour?
>>
>> Many thanks in advance for any help any guru here can provide.
>>
>> Kindest regards,
>>
>> George
>>
>
> --
> Jose Hidalgo Herrera
> Corp. Hosta Rica
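As an added illustration (not part of the thread, and not ipfw's own code), the following Python model walks the two packets George describes through his ruleset and through the variant Jose suggested, using only the evaluation order the quoted ipfw(8) text gives: rules tried in ascending order, first match wins, `skipto N` resuming at the first rule numbered at or above N, `keep-state` installing a bidirectional dynamic entry that carries its parent rule's action, and the dynamic table consulted at a `check-state` rule or, failing that, at the first `keep-state` rule. The remote peer address 198.51.100.7 is constructed; everything else comes from the thread. It shows both rulesets ending the walk at rule #11 for the SYN+ACK, which is why the extra check-state rule changed nothing. It does not model why the kernel then fails to transmit the forwarded packet on fxp1, which the thread leaves unresolved.

```python
"""Simplified model of the ipfw rule walk discussed in this thread.

Added example, not the poster's code.  Only the semantics the thread relies
on are modelled; the kernel's handling of a `fwd` packet whose destination
is a local address is not.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    syn: bool
    ack: bool
    recv: str                      # interface the packet arrived on


@dataclass
class Rule:
    num: int
    action: str                    # 'allow', 'skipto', 'fwd' or 'check-state'
    arg: Optional[str] = None      # skipto target or fwd next hop
    src: str = "any"
    dst: str = "any"
    setup: bool = False            # 'setup': SYN set, ACK clear
    recv: Optional[str] = None     # 'recv <iface>'
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        """Static part of the rule (a check-state rule has none)."""
        if self.action == "check-state":
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.setup and not (p.syn and not p.ack):
            return False
        if self.recv is not None and self.recv != p.recv:
            return False
        return True


def evaluate(rules, p, dyn):
    """Return (rule number, action, arg) for packet p.

    dyn is the dynamic table, a list of (parent rule, (src, dst)) entries,
    updated in place when a keep-state rule matches."""
    rules = sorted(rules, key=lambda r: r.num)
    explicit = any(r.action == "check-state" for r in rules)
    i, checked = 0, False
    while i < len(rules):
        r, hit = rules[i], None
        # Dynamic lookup point: the check-state rule, or the first keep-state
        # rule when the ruleset has no check-state rule (ipfw(8) text quoted
        # in the thread).
        if not checked and (r.action == "check-state"
                            or (not explicit and r.keep_state)):
            checked = True
            for parent, (s, d) in dyn:
                if (p.src, p.dst) in ((s, d), (d, s)):
                    hit = parent          # dynamic match: parent's action applies
                    break
        if hit is None and r.matches(p):
            hit = r
            if r.keep_state:
                dyn.append((r, (p.src, p.dst)))
        if hit is None:
            i += 1
            continue
        if hit.action == "skipto":
            target = int(hit.arg)
            i = next((j for j, x in enumerate(rules) if x.num >= target),
                     len(rules))
            continue
        return hit.num, hit.action, hit.arg
    return None, "allow", None        # the box defaults to accept


# The poster's ruleset; the final allow-all is the default-accept above.
POSTER = [
    Rule(1, "skipto", "10", src="10.0.0.50", setup=True, recv="fxp1",
         keep_state=True),
    Rule(5, "allow"),
    Rule(10, "fwd", "10.0.0.1", src="10.0.0.50"),
    Rule(11, "fwd", "192.168.1.2", dst="10.0.0.50"),
]
# The variant from the reply: an explicit check-state ahead of the skipto.
SUGGESTED = [Rule(1, "check-state")] + [
    Rule(2 if r.num == 1 else r.num, r.action, r.arg, r.src, r.dst,
         r.setup, r.recv, r.keep_state) for r in POSTER]

# Constructed packets: the injected SYN and the peer's SYN+ACK reply.
SYN = Packet("10.0.0.50", "198.51.100.7", syn=True, ack=False, recv="fxp1")
SYNACK = Packet("198.51.100.7", "10.0.0.50", syn=True, ack=True, recv="fxp0")


def trace(rules):
    """Run the SYN, then its SYN+ACK, through a ruleset with a fresh table."""
    dyn = []
    return evaluate(rules, SYN, dyn), evaluate(rules, SYNACK, dyn)


if __name__ == "__main__":
    for name, rs in (("poster", POSTER), ("suggested", SUGGESTED)):
        print(name, trace(rs))
```

Running it prints the same pair for both rulesets: the SYN terminates at rule 10 (fwd 10.0.0.1) and the SYN+ACK at rule 11 (fwd 192.168.1.2). Without the dynamic entry, the same SYN+ACK falls through rule 1 (it is not a `setup` packet) and is accepted by rule 5, so the state entry is what sends it down the skipto path.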