From: "Foo Ji-Haw" <jhfoo@nexlabs.com>
To: "patrick"
Delivered-To: freebsd-questions@freebsd.org
Date: Tue, 3 Jan 2006 10:54:48 +0800
Subject: Re: ipfw divert with exception?
Message-ID: <003601c61011$10c45ab0$c801a8c0@nexpc>

I've not tried it myself, but putting the exception rules before the 'divert' rule should help, since ipfw exits the rule matching upon first match.

----- Original Message -----
From: "patrick"
Sent: Tuesday, January 03, 2006 4:56 AM
Subject: ipfw divert with exception?

> I have a FreeBSD 6.0 machine acting as a router for our office. We use
> natd for address translation, and I have a rule like so:
>
> ipfw add divert natd all from any to any via ${ext_if}
>
> To allow incoming SSH access, I have a redirect_port line set up in my
> /etc/natd.conf file, and while it works just fine, I don't like that
> natd has to be running in order for me to SSH into the server.
> (Because, if -- hypothetically of course -- one were to *cough*
> accidentally kill the natd process without realizing this, then
> *ahem*, one would be locked out remotely without any means of fixing
> it. And I'd like to stress that this situation is indeed, uh,
> hypothetical. ;) )
>
> So, I'm sure there is a way for me to create some ipfw rules above the
> divert line to accept incoming SSH traffic and not have it get
> diverted, but I'm at a bit of a loss as to how I can achieve this. The
> current rule I have above this does not do anything to stop the
> traffic from being diverted:
>
> ipfw add accept tcp from any to any 22 in via ${ext_if}
>
> Any help or insight would be greatly appreciated.
>
> Thanks,
>
> Patrick
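The ordering point in the reply, as an added example that is not part of the thread: a small rule set with explicit rule numbers so the SSH exceptions are guaranteed to sit below the divert rule no matter when each line is loaded (ipfw assigns auto-numbered rules after the last existing one, so an `ipfw add` typed later can land after the divert rule even if it appears "above" it in a script). It covers both directions, because divert(4) drops a matching packet when no process is bound to the divert port; with only the `in` exception, the router's SSH replies would still die with natd stopped. The interface name, the rule numbers and the surrounding allow rules are assumptions; the script only prints the commands and checks their order, it does not touch a firewall.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Prints an ipfw rule set in evaluation order (lowest number first) and
# checks that every SSH exception is numbered below the natd divert rule.
# ext_if and the rule numbers are assumptions for illustration.

ext_if="${ext_if:-em0}"   # assumed external interface name

# Emit the rule set. Piping this to sh on the router would apply it;
# here it only prints. "accept" and "allow" are synonyms in ipfw; "me"
# matches any address configured on the router itself.
build_ruleset() {
    cat <<EOF
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 allow tcp from any to me 22 in via ${ext_if}
ipfw add 210 allow tcp from me 22 to any out via ${ext_if}
ipfw add 300 divert natd all from any to any via ${ext_if}
ipfw add 400 allow ip from any to any
EOF
}

# Sanity check: the highest-numbered SSH exception (port 22 rule) must be
# below the divert rule, otherwise the exception never fires. Exit status 0
# means the order is right.
ssh_before_divert() {
    rules="$(build_ruleset)"
    divert_no=$(printf '%s\n' "$rules" | awk '/ divert natd /{print $3; exit}')
    last_ssh=$(printf '%s\n' "$rules" | awk '/ 22 /{n=$3} END{print n}')
    [ -n "$divert_no" ] && [ -n "$last_ssh" ] && [ "$last_ssh" -lt "$divert_no" ]
}

# Stand-alone use: print the rules, then report the ordering check.
build_ruleset
if ssh_before_divert; then
    echo "# ok: SSH exceptions precede the divert rule"
else
    echo "# ERROR: an SSH exception is numbered after the divert rule" >&2
fi
```

On the router, `ipfw list` shows the loaded rules in evaluation order; if the port 22 lines do not print before the `divert natd` line there, the exception is dead regardless of how the script was written.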