Date:      Wed, 20 Dec 2017 15:48:02 +0700
From:      Eugene Grosbein <eugen@grosbein.net>
To:        wishmaster <artemrts@ukr.net>, freebsd-net@freebsd.org
Subject:   Re: ng_patch and swap_pager_getswapspace error
Message-ID:  <5A3A23C2.2030707@grosbein.net>
In-Reply-To: <1513694407.556184943.ya3sdvt4@frv52.fwdcdn.com>
References:  <1513663683.700534911.voagagit@frv52.fwdcdn.com> <5A391519.8040707@grosbein.net> <1513694407.556184943.ya3sdvt4@frv52.fwdcdn.com>

On 19.12.2017 21:46, wishmaster wrote:

>>> /sbin/ipfw add 15002 netgraph 100 ip from me to not me recv "*"
>>
>> Why do you have incoming ip packets sourced from your IP?
>
> It's OK. I use a per-interface ACL.
> 
> # out
> ipfw -fq table tbl_OUT_IF flush
> ...
> ipfw table tbl_OUT_IF add tun1 15000 #
> ...
> 
> 
> $cmd 100 skipto tablearg log all from any to any in recv "table(tbl_IN_IF)"
> $cmd 110 skipto tablearg log all from any to any out xmit "table(tbl_OUT_IF)"
> 
> 
> ### OUT ext_if tun0
> $cmd 15000 nat 1 log all from not me to not me recv "*"   # LAN traffic
> # !!! 15002 here
> $cmd 15020 allow log all from me to not me recv "*"       # LAN traffic

It is not OK. It does not make any sense: "from me ... recv" is NOT
any kind of normal LAN traffic. This expression describes spoofed traffic.
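As an added example (not part of the thread), a small sh script that contrasts the quoted allow/nat pairing with a hardened form that denies inbound packets claiming one of the host's own addresses as source on the external interface; the interface name tun0 and the rule numbers are assumptions, and the ipfw invocation is a dry run (echo) unless IPFW_CMD is set.

```shell
#!/bin/sh
# Added example, not from the thread. "from me ... recv ext_if" matches packets
# that arrive on the external interface with a source address this host owns;
# such packets can only be spoofed, so they should be dropped before any
# skipto/nat/allow rule sees them. IPFW_CMD defaults to "echo ipfw" so the
# rules are printed rather than installed; set IPFW_CMD="ipfw -q" to apply.

# Weak form, as quoted in the thread (rule numbers and interface are assumptions).
weak_rules() {
    ext_if="$1"
    cmd="${IPFW_CMD:-echo ipfw}"
    $cmd add 15000 nat 1 log all from not me to not me recv "$ext_if"
    $cmd add 15020 allow log all from me to not me recv "$ext_if"
}

# Hardened form: log and deny spoofed inbound packets early, keep the NAT rule
# for traffic that is genuinely not sourced from one of our own addresses.
hardened_rules() {
    ext_if="$1"
    cmd="${IPFW_CMD:-echo ipfw}"
    # Anything entering via ext_if with a source address we own is spoofed.
    $cmd add 100 deny log ip from me to any in recv "$ext_if"
    $cmd add 15000 nat 1 log all from not me to not me recv "$ext_if"
}

# Read a dry-run ruleset on stdin and count rules whose action accepts
# (allow or nat) packets sourced from "me" arriving on an interface.
# A defender wants this to be 0.
count_spoof_accepting_rules() {
    grep -cE 'add [0-9]+ (allow|nat [0-9]+) .*from me .*recv' || true
}

# Dry run for the thread's external interface (tun0 is an assumption).
hardened_rules "${1:-tun0}"
```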

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5A3A23C2.2030707>