From: Brett Davidson <brett@net24.co.nz>
Organization: Net24 Limited
Date: Tue, 02 Dec 2008 16:14:14 +1300
To: freebsd-ipfw@freebsd.org
Subject: Is there anything weird I should know about using ipfw on alias addresses?
Message-ID: <4934A806.2060809@net24.co.nz>
References: <20081201120023.9E1821065688@hub.freebsd.org> <20081201233222.L34249@sola.nimnet.asn.au> <493461B5.1040704@net24.co.nz>
In-Reply-To: <493461B5.1040704@net24.co.nz>
List-Id: IPFW Technical Discussions

Relevant ifconfig entry shows the alias addresses correctly bound.
bce1: flags=8843 mtu 1500 options=3b
	inet 210.5.50.5 netmask 0xffffffe0 broadcast 210.5.50.31
	inet 210.5.51.32 netmask 0xffffffff broadcast 210.5.51.32
	inet 210.5.51.27 netmask 0xffffffff broadcast 210.5.51.27
	inet 210.5.51.33 netmask 0xffffffff broadcast 210.5.51.33
	inet 210.5.51.34 netmask 0xffffffff broadcast 210.5.51.34
	inet 210.5.51.42 netmask 0xffffffff broadcast 210.5.51.42
	inet 210.5.51.4 netmask 0xffffffff broadcast 210.5.51.4
	ether 00:1c:c4:c0:56:94
	media: Ethernet autoselect (1000baseSX)
	status: active

Relevant /etc/rc.conf entries:

ifconfig_bce1="inet 210.5.50.5 netmask 255.255.255.224"
ifconfig_bce1_alias0="inet 210.5.50.5 netmask 255.255.255.224"
ifconfig_bce1_alias1="inet 210.5.51.4 netmask 255.255.255.255"
ifconfig_bce1_alias2="inet 210.5.51.27 netmask 255.255.255.255"
ifconfig_bce1_alias3="inet 210.5.51.32 netmask 255.255.255.255"
ifconfig_bce1_alias4="inet 210.5.51.33 netmask 255.255.255.255"
ifconfig_bce1_alias5="inet 210.5.51.34 netmask 255.255.255.255"
ifconfig_bce1_alias6="inet 210.5.51.42 netmask 255.255.255.255"

Creating an ipfw rule and testing it from the command line works (connects out from master address, not alias):

ipfw -q add 02012 allow tcp from any to 208.69.123.164 80 out via bce1 setup keep-state

From website on alias address, the firewall blocks the packets. Interesting entries in /var/log/security:

Dec 1 16:42:25 kernel: ipfw: 9999 Deny TCP 210.5.50.5:49708 208.69.123.164:80 out via bce1

In a normal world the packet would match!!!!! What's goin' on here Willis?

From what I can see, this MUST have something to do with the way ipfw is working with aliased addresses, but I'm blowed if I know what is wrong.

Cheers,
Brett.
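The post pairs an ifconfig listing (primary address first, aliases after it) with an ipfw deny line whose source is the primary address rather than the alias the website lives on. When debugging this kind of problem the first thing worth checking mechanically is, for every deny in /var/log/security, which rule fired and whether the local end of the packet is the interface's primary address, one of its aliases, or an address not bound on that interface at all. The script below is an added example written for this edit, not code from the original post or from FreeBSD; it parses the ifconfig and log formats shown above. The ifconfig text is abridged from the post, the first log line is the one quoted above, and the remaining log lines are constructed in the same format to exercise the alias and inbound cases. It handles the TCP/UDP form of the ipfw log line only.

```python
"""Classify ipfw 'Deny' log lines against an interface's address list.

Added example (not from the original post or from FreeBSD).  Given ifconfig
output and /var/log/security lines in the format quoted in the thread, report
for each Deny which rule fired and whether the local address is the
interface's primary address, an alias, or foreign to the interface.
"""
import re
from dataclasses import dataclass

# Constructed sample input, abridged from the post's ifconfig output.
# ifconfig prints the primary address first; later inet lines are aliases.
IFCONFIG = """\
bce1: flags=8843 mtu 1500
\tinet 210.5.50.5 netmask 0xffffffe0 broadcast 210.5.50.31
\tinet 210.5.51.32 netmask 0xffffffff broadcast 210.5.51.32
\tinet 210.5.51.27 netmask 0xffffffff broadcast 210.5.51.27
\tinet 210.5.51.4 netmask 0xffffffff broadcast 210.5.51.4
\tether 00:1c:c4:c0:56:94
lo0: flags=8049 mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
"""

# Constructed log lines: the first is quoted in the post, the rest are
# hypothetical lines in the same ipfw(8) TCP/UDP log format.
SECURITY_LOG = """\
Dec 1 16:42:25 kernel: ipfw: 9999 Deny TCP 210.5.50.5:49708 208.69.123.164:80 out via bce1
Dec 1 16:42:26 kernel: ipfw: 9999 Deny TCP 210.5.51.4:50120 208.69.123.164:80 out via bce1
Dec 1 16:42:27 kernel: ipfw: 2012 Accept TCP 210.5.50.5:49710 208.69.123.164:80 out via bce1
Dec 1 16:42:28 kernel: ipfw: 9999 Deny TCP 10.0.0.9:1234 210.5.51.4:80 in via bce1
"""

IFACE_RE = re.compile(r"^(?P<name>\w+): flags=")
INET_RE = re.compile(r"^\s+inet (?P<addr>\d+\.\d+\.\d+\.\d+) ")
# "<rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>"
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>[A-Za-z]+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


@dataclass(frozen=True)
class IpfwEvent:
    rule: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str


def parse_ifconfig(text: str) -> dict[str, list[str]]:
    """Map interface name -> IPv4 addresses in ifconfig order (primary first)."""
    addrs: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group("name")
            addrs[current] = []
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            addrs[current].append(m.group("addr"))
    return addrs


def parse_ipfw_log(text: str) -> list[IpfwEvent]:
    """Extract TCP/UDP ipfw events; lines in other formats (e.g. ICMP) are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append(IpfwEvent(
                int(m["rule"]), m["action"], m["proto"],
                m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                m["dir"], m["iface"]))
    return events


def local_role(addr: str, iface: str, addrs: dict[str, list[str]]) -> str:
    """'primary', 'alias' or 'foreign' for addr relative to iface's address list."""
    bound = addrs.get(iface, [])
    if addr not in bound:
        return "foreign"
    return "primary" if addr == bound[0] else "alias"


def classify_denies(log_text: str, ifconfig_text: str) -> list[dict]:
    """For each Deny: rule number, direction, and the role of the local address
    (source for 'out', destination for 'in') on the logged interface."""
    addrs = parse_ifconfig(ifconfig_text)
    rows = []
    for ev in parse_ipfw_log(log_text):
        if ev.action != "Deny":
            continue
        outbound = ev.direction == "out"
        local = ev.src if outbound else ev.dst
        remote = f"{ev.dst}:{ev.dport}" if outbound else f"{ev.src}:{ev.sport}"
        rows.append({"rule": ev.rule, "direction": ev.direction, "iface": ev.iface,
                     "local_addr": local, "role": local_role(local, ev.iface, addrs),
                     "remote": remote})
    return rows


if __name__ == "__main__":
    for row in classify_denies(SECURITY_LOG, IFCONFIG):
        print(row)
```

Run against the real files with `classify_denies(open("/var/log/security").read(), subprocess.check_output(["ifconfig"], text=True))`; the quoted deny line classifies as rule 9999 denying an outbound packet whose local address is bce1's primary address, which is the detail the post finds surprising.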