From owner-freebsd-questions@FreeBSD.ORG  Fri May 28 21:13:46 2010
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 15C5A106564A
	for <freebsd-questions@freebsd.org>;
	Fri, 28 May 2010 21:13:46 +0000 (UTC)
	(envelope-from kes-kes@yandex.ru)
Received: from forward3.mail.yandex.net (forward3.mail.yandex.net [77.88.46.8])
	by mx1.freebsd.org (Postfix) with ESMTP id 9A75B8FC14
	for <freebsd-questions@freebsd.org>;
	Fri, 28 May 2010 21:13:45 +0000 (UTC)
Received: from smtp4.mail.yandex.net (smtp4.mail.yandex.net [77.88.46.104])
	by forward3.mail.yandex.net (Yandex) with ESMTP id B277156D80F9;
	Sat, 29 May 2010 01:12:49 +0400 (MSD)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail;
	t=1275081169; bh=TMXh5Mx8/Qf2+sagBruKg1DWTLmrCpDV8D808CUY9p8=;
	h=Date:From:Reply-To:Message-ID:To:CC:Subject:In-Reply-To:
	References:MIME-Version:Content-Type:Content-Transfer-Encoding;
	b=YJf6hpXAridBFZ2eT3nWoWs2os2BnGGDl63jc9kIkNXXOJW0xPU+9Ere060rqp+5e
	Mmqo5wnOgIll+rrJWzQmSBmTq+zMm9wrMUG2BNfw4dHT546qplmKUqBZLB5DnerXQF
	Z2e8+znWPcqCuR+OXChR16vJFH7NmHOE6x/Rvrg4=
Received: from HOMEUSER (unknown [77.93.38.34])
	by smtp4.mail.yandex.net (Yandex) with ESMTPA id 5DC2012806B;
	Sat, 29 May 2010 01:12:49 +0400 (MSD)
X-Nat-Received: from [192.168.9.44]:1391 [ident-empty]
	by SPAM FILTER: with TPROXY id 1275081184.15579
	abuse-to kes-kes@yandex.ru
Date: Sat, 29 May 2010 00:12:53 +0300
From: =?utf-8?B?0JrQvtC90YzQutC+0LIg0JXQstCz0LXQvdC40Lk=?= <kes-kes@yandex.ru>
X-Mailer: The Bat! (v4.0.24) Professional
Organization: =?utf-8?B?0KfQnyDQmtC+0L3RjNC60L7QsiwgRnJlZUxpbmU=?=
X-Priority: 3 (Normal)
Message-ID: <1314131403.20100529001253@yandex.ru>
To: Casey Scott <casey@phantombsd.org>
In-Reply-To: <1817830139.243.1275073808262.JavaMail.root@spitfire.phantombsd.org>
References: <348704227.241.1275069787043.JavaMail.root@spitfire.phantombsd.org>
	<1817830139.243.1275073808262.JavaMail.root@spitfire.phantombsd.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Yandex-TimeMark: 1275081169
X-Yandex-Spam: 1
X-Yandex-Front: smtp4.mail.yandex.net
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw/natd in 8.1
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: =?utf-8?B?0JrQvtC90YzQutC+0LIg0JXQstCz0LXQvdC40Lk=?=
	<kes-kes@yandex.ru>
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 28 May 2010 21:13:46 -0000

Здравствуйте, Casey.

00300     0       0 deny ip from 192.168.0.0/16 to any in via fxp0
00301     0       0 deny ip from 172.16.0.0/12 to any in via fxp0
00302     0       0 deny ip from 10.0.0.0/8 to any in via fxp0
00303     0       0 deny ip from 127.0.0.0/8 to any in via fxp0
00304     0       0 deny ip from 0.0.0.0/8 to any in via fxp0
00305     0       0 deny ip from 169.254.0.0/16 to any in via fxp0
00306     0       0 deny ip from 192.0.2.0/24 to any in via fxp0
00307     0       0 deny ip from 204.152.64.0/23 to any in via fxp0
00308     0       0 deny ip from 224.0.0.0/3 to any in via fxp0
you can replace that all by:
deny all from any to not me in recv fxp0

in recv/in via are very different things!



CS> 00100    96    5322 divert 8668 log ip from any to any in via fxp0
CS> 00500   293   56642 divert 8668 log ip from any to any
What are you trying to do by this rules??? what you do is wrong

they do different work with conjactions with keep-state and other
rules in your firewall. Devide logic in your firewall!

What is one_pass option in you kernel?
kes# sysctl -a | grep one_pass
maybe you have 1, but must 0

CS> 00420     9    1112 allow log tcp from any to me dst-port 20,21,53,76,80,123,443 in via fxp0 setup limit src-addr 20
this rule will not pass packets to undivert I think, or will have some
effect on divert rule

CS> 00510    78   21591 allow log ip from any to any
this rule is useless!!!

CS> Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS>            [TCP] 74.94.69.225:61447 -> 65.61.153.152:80
CS> In  {default}[TCP]  [TCP] 65.61.153.152:80 -> 74.94.69.225:61447 aliased to
CS>            [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
before setup all works fine

after setup, you firewall fail. established connections does not work
CS> In  {default}[TCP]  [TCP] 65.61.153.152:80 -> 192.168.1.6:61447 aliased to
CS>            [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
CS> Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS>            [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
CS> Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS>            [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
CS> Out {default}[TCP]  [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS>            [TCP] 192.168.1.6:61447 -> 65.61.153.152:80

try to understand divert, then will try keep-state,setup etc.

good luck