Date: Sat, 29 May 2010 00:12:53 +0300
From: Коньков Евгений <kes-kes@yandex.ru>
To: Casey Scott <casey@phantombsd.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw/natd in 8.1
Message-ID: <1314131403.20100529001253@yandex.ru>
In-Reply-To: <1817830139.243.1275073808262.JavaMail.root@spitfire.phantombsd.org>
References: <348704227.241.1275069787043.JavaMail.root@spitfire.phantombsd.org> <1817830139.243.1275073808262.JavaMail.root@spitfire.phantombsd.org>
Hello, Casey.

00300 0 0 deny ip from 192.168.0.0/16 to any in via fxp0
00301 0 0 deny ip from 172.16.0.0/12 to any in via fxp0
00302 0 0 deny ip from 10.0.0.0/8 to any in via fxp0
00303 0 0 deny ip from 127.0.0.0/8 to any in via fxp0
00304 0 0 deny ip from 0.0.0.0/8 to any in via fxp0
00305 0 0 deny ip from 169.254.0.0/16 to any in via fxp0
00306 0 0 deny ip from 192.0.2.0/24 to any in via fxp0
00307 0 0 deny ip from 204.152.64.0/23 to any in via fxp0
00308 0 0 deny ip from 224.0.0.0/3 to any in via fxp0

you can replace that all by:

deny all from any to not me in recv fxp0

in recv/in via are very different things!

CS> 00100 96 5322 divert 8668 log ip from any to any in via fxp0
CS> 00500 293 56642 divert 8668 log ip from any to any

What are you trying to do with these rules??? What you are doing is wrong: they do different work in conjunction with keep-state and other rules in your firewall. Divide the logic in your firewall!

What is the one_pass option in your kernel?

kes# sysctl -a | grep one_pass

maybe you have 1, but it must be 0

CS> 00420 9 1112 allow log tcp from any to me dst-port 20,21,53,76,80,123,443 in via fxp0 setup limit src-addr 20

this rule will not pass packets to undivert, I think, or will have some effect on the divert rule

CS> 00510 78 21591 allow log ip from any to any

this rule is useless!!!

CS> Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS> [TCP] 74.94.69.225:61447 -> 65.61.153.152:80
CS> In {default}[TCP] [TCP] 65.61.153.152:80 -> 74.94.69.225:61447 aliased to
CS> [TCP] 65.61.153.152:80 -> 192.168.1.6:61447

before setup all works fine; after setup, your firewall fails.
established connections do not work

CS> In {default}[TCP] [TCP] 65.61.153.152:80 -> 192.168.1.6:61447 aliased to
CS> [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
CS> Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS> [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
CS> Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS> [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
CS> Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS> [TCP] 192.168.1.6:61447 -> 65.61.153.152:80

try to understand divert, then try keep-state, setup etc. Good luck
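As an added example, not part of this message or of anything Casey posted, here is one way to lay out an ipfw ruleset along the lines the reply suggests: the natd divert rules kept apart from the stateful accept/deny rules, with a check that net.inet.ip.fw.one_pass is 0 before loading. The external interface fxp0 and divert port 8668 are taken from the thread; the LAN prefix 192.168.1.0/24, every rule number, and the rule admitting inbound SSH to the gateway are assumptions chosen for this example.

```sh
#!/bin/sh
# Added example (not from the thread): an ipfw + natd layout that keeps the
# divert (translation) rules apart from the stateful accept/deny rules.
# Assumptions: fxp0 and divert port 8668 come from the thread; the LAN
# prefix, the rule numbers and the SSH rule are placeholders for this example.
EXT_IF="${EXT_IF:-fxp0}"
NATD_PORT="${NATD_PORT:-8668}"
LAN="${LAN:-192.168.1.0/24}"

# net.inet.ip.fw.one_pass must be 0. With 1, a packet re-injected by natd is
# accepted right after the divert rule and never reaches check-state or the
# deny rules below it. Prints "ok", "unknown" (no such sysctl, i.e. not a
# FreeBSD host) or the offending value.
check_one_pass() {
    v="$(sysctl -n net.inet.ip.fw.one_pass 2>/dev/null)" || v=unknown
    case "$v" in
        0) echo ok ;;
        unknown) echo unknown ;;
        *) echo "one_pass=$v" ;;
    esac
}

# Emit the rules, one per line, in the order ipfw evaluates them.
#  - 100: drops untranslated inbound packets not addressed to this host. It
#    must sit BEFORE the inbound divert: after translation the destination is
#    a LAN address, no longer "me", and the same rule would drop every reply.
#  - 200/300: translate inbound, then consult the dynamic (keep-state) table.
#  - 4xx: outbound traffic creates state and jumps to 900 instead of "allow",
#    because "allow" ends processing before the outbound divert is reached.
#  - 440: placeholder for services the gateway itself exposes.
#  - 500: everything else arriving on the external interface is dropped.
#  - 900/910: translate outbound, then accept what reached this point.
ruleset() {
    cat <<EOF
add 10 allow ip from any to any via lo0
add 100 deny ip from any to not me in via $EXT_IF
add 200 divert $NATD_PORT ip from any to any in via $EXT_IF
add 300 check-state
add 400 skipto 900 tcp from $LAN to any out via $EXT_IF setup keep-state
add 410 skipto 900 udp from $LAN to any out via $EXT_IF keep-state
add 420 skipto 900 icmp from $LAN to any out via $EXT_IF keep-state
add 430 skipto 900 ip from me to any out via $EXT_IF keep-state
add 440 allow tcp from any to me 22 in via $EXT_IF setup keep-state
add 500 deny log ip from any to any in via $EXT_IF
add 900 divert $NATD_PORT ip from any to any out via $EXT_IF
add 910 allow ip from any to any
EOF
}

# Rule number of the first emitted rule whose text matches PATTERN (grep -E).
rule_number() {
    ruleset | grep -E -- "$1" | head -n 1 | awk '{print $2}'
}

# Load the rules on a FreeBSD host; elsewhere, or with DRY_RUN=1, only print them.
apply_ruleset() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v ipfw >/dev/null 2>&1; then
        ruleset
        return 0
    fi
    ipfw -q flush
    ruleset | while read -r line; do
        # word splitting of $line is intended: each line is one ipfw command
        # shellcheck disable=SC2086
        ipfw -q $line
    done
}

# Stand-alone run: report one_pass, then load (or print) the ruleset.
echo "one_pass check: $(check_one_pass)"
apply_ruleset
```

natd has to be listening on the divert port for the gateway interface (for these values, `natd -n fxp0 -p 8668`), otherwise diverted packets are simply dropped. The ordering the script enforces is the point of the reply's "divide the logic" advice: no rule in the divert positions decides accept or deny, and no stateful rule sits between a divert and the rule that consumes its output.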
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1314131403.20100529001253>