Date:      Sat, 29 May 2010 00:12:53 +0300
From:      Коньков Евгений <kes-kes@yandex.ru>
To:        Casey Scott <casey@phantombsd.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw/natd in 8.1
Message-ID:  <1314131403.20100529001253@yandex.ru>
In-Reply-To: <1817830139.243.1275073808262.JavaMail.root@spitfire.phantombsd.org>
References:  <348704227.241.1275069787043.JavaMail.root@spitfire.phantombsd.org> <1817830139.243.1275073808262.JavaMail.root@spitfire.phantombsd.org>

Hello, Casey.

00300     0       0 deny ip from 192.168.0.0/16 to any in via fxp0
00301     0       0 deny ip from 172.16.0.0/12 to any in via fxp0
00302     0       0 deny ip from 10.0.0.0/8 to any in via fxp0
00303     0       0 deny ip from 127.0.0.0/8 to any in via fxp0
00304     0       0 deny ip from 0.0.0.0/8 to any in via fxp0
00305     0       0 deny ip from 169.254.0.0/16 to any in via fxp0
00306     0       0 deny ip from 192.0.2.0/24 to any in via fxp0
00307     0       0 deny ip from 204.152.64.0/23 to any in via fxp0
00308     0       0 deny ip from 224.0.0.0/3 to any in via fxp0
You can replace all of that with:
deny all from any to not me in recv fxp0

in recv/in via are very different things!



CS> 00100    96    5322 divert 8668 log ip from any to any in via fxp0
CS> 00500   293   56642 divert 8668 log ip from any to any
What are you trying to do with these rules??? What you do is wrong.

They do different work in conjunction with keep-state and other
rules in your firewall. Divide the logic in your firewall!

What is the one_pass option in your kernel?
kes# sysctl -a | grep one_pass
Maybe you have 1, but it must be 0.

CS> 00420     9    1112 allow log tcp from any to me dst-port 20,21,53,76,80,123,443 in via fxp0 setup limit src-addr 20
This rule will not pass packets to undivert, I think, or will have some
effect on the divert rule.

CS> 00510    78   21591 allow log ip from any to any
This rule is useless!!!

CS> Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS>            [TCP] 74.94.69.225:61447 -> 65.61.153.152:80
CS> In  {default}[TCP]  [TCP] 65.61.153.152:80 -> 74.94.69.225:61447 aliased to
CS>            [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
Before setup, all works fine.

After setup, your firewall fails. Established connections do not work:
CS> In  {default}[TCP]  [TCP] 65.61.153.152:80 -> 192.168.1.6:61447 aliased to
CS>            [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
CS> Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS>            [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
CS> Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS>            [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
CS> Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS>            [TCP] 192.168.1.6:61447 -> 65.61.153.152:80

Try to understand divert, then try keep-state, setup etc.

Good luck.
