From: Коньков Евгений
Date: Sat, 29 May 2010 00:12:53 +0300
To: Casey Scott
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw/natd in 8.1

Hello, Casey.

00300 0 0 deny ip from 192.168.0.0/16 to any in via fxp0
00301 0 0 deny ip from 172.16.0.0/12 to any in via fxp0
00302 0 0 deny ip from 10.0.0.0/8 to any in via fxp0
00303 0 0 deny ip from 127.0.0.0/8 to any in via fxp0
00304 0 0 deny ip from 0.0.0.0/8 to any in via fxp0
00305 0 0 deny ip from 169.254.0.0/16 to any in via fxp0
00306 0 0 deny ip from 192.0.2.0/24 to any in via fxp0
00307 0 0 deny ip from 204.152.64.0/23 to any in via fxp0
00308 0 0 deny ip from 224.0.0.0/3 to any in via fxp0

You can replace all of that by:

deny all from any to not me in recv fxp0

"in recv" and "in via" are very different things!

CS> 00100 96 5322 divert 8668 log ip from any to any in via fxp0
CS> 00500 293 56642 divert 8668 log ip from any to any

What are you trying to do with these rules??? What you do is wrong: they do different work in conjunction with keep-state and the other rules in your firewall. Divide the logic in your firewall!

What is the one_pass option in your kernel?

kes# sysctl -a | grep one_pass

Maybe you have 1, but it must be 0.

CS> 00420 9 1112 allow log tcp from any to me dst-port 20,21,53,76,80,123,443 in via fxp0 setup limit src-addr 20

This rule will not pass packets to undivert, I think, or it will have some effect on the divert rule.

CS> 00510 78 21591 allow log ip from any to any

This rule is useless!!!

CS> Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS> [TCP] 74.94.69.225:61447 -> 65.61.153.152:80
CS> In {default}[TCP] [TCP] 65.61.153.152:80 -> 74.94.69.225:61447 aliased to
CS> [TCP] 65.61.153.152:80 -> 192.168.1.6:61447

Before setup, all works fine. After setup, your firewall fails: established connections do not work.

CS> In {default}[TCP] [TCP] 65.61.153.152:80 -> 192.168.1.6:61447 aliased to
CS> [TCP] 65.61.153.152:80 -> 192.168.1.6:61447
CS> Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS> [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
CS> Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS> [TCP] 192.168.1.6:61447 -> 65.61.153.152:80
CS> Out {default}[TCP] [TCP] 192.168.1.6:61447 -> 65.61.153.152:80 aliased to
CS> [TCP] 192.168.1.6:61447 -> 65.61.153.152:80

Try to understand divert, then try keep-state, setup, etc.

Good luck
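The divert problem argued over above (a divert rule with no direction or interface, and check-state placed before the inbound divert) can be caught mechanically from `ipfw -a list` output. The following lint is an added example, not code from this thread; the sample listing is constructed from the rules quoted in the message, and the `parse`/`lint` helpers and their heuristics are the editor's own.

```python
import re

# Constructed sample of `ipfw -a list` output, modelled on the rules quoted in
# the thread: fxp0 is the external interface, 8668 is natd's divert port.
SAMPLE = """\
00100 96 5322 divert 8668 log ip from any to any in via fxp0
00101 0 0 check-state
00300 0 0 deny ip from 192.168.0.0/16 to any in via fxp0
00420 9 1112 allow log tcp from any to me dst-port 20,21,53,76,80,123,443 in via fxp0 setup limit src-addr 20
00500 293 56642 divert 8668 log ip from any to any
00510 78 21591 allow log ip from any to any
"""

RULE = re.compile(r"^(\d+)\s+\d+\s+\d+\s+(.*)$")  # number, packets, bytes, body


def parse(listing):
    """Return [(rule_number, body_words)] for every rule line in the listing."""
    rules = []
    for line in listing.splitlines():
        m = RULE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2).split()))
    return rules


def lint(listing):
    """Flag divert rules that hand natd packets it should never see twice."""
    findings = []
    rules = parse(listing)
    first_divert_in = None  # number of the first `divert ... in` rule
    for num, words in rules:
        if words[:1] != ["divert"]:
            continue
        if "in" not in words and "out" not in words:
            findings.append((num, "no direction: an inbound packet already translated by an earlier divert is handed to natd a second time"))
        if not any(w in words for w in ("via", "recv", "xmit")):
            findings.append((num, "no interface: traffic that never crosses the external interface is diverted too"))
        if "in" in words and first_divert_in is None:
            first_divert_in = num
    for num, words in rules:
        if words[:1] == ["check-state"] and first_divert_in is not None and num < first_divert_in:
            findings.append((num, "check-state precedes the inbound divert: replies still carry the public address and miss their dynamic rule"))
    return findings


if __name__ == "__main__":
    for num, msg in lint(SAMPLE):
        print(f"rule {num:05d}: {msg}")
```

On the sample, only rule 00500 is flagged (twice); adding `out via fxp0` to it clears both findings.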