Date: Mon, 15 Oct 2001 11:45:05 +0200
From: "Jonas Sonntag" <js@jonsonn.de>
To: <cjclark@alum.mit.edu>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: AW: IPFW question
Message-ID: <KIEEILJCLAIJNFGECHJOKEHLCCAA.js@jonsonn.de>
In-Reply-To: <20011012205442.F6274@blossom.cjclark.org>
Thank you very much :) It was a problem of understanding; I think I finally got it. Thanks again.

js

> -----Original Message-----
> From: Crist J. Clark [mailto:cristjc@earthlink.net]
> Sent: Saturday, 13 October 2001 05:55
> To: Jonas Sonntag
> Cc: freebsd-questions@FreeBSD.ORG
> Subject: Re: IPFW question
>
>
> On Fri, Oct 12, 2001 at 10:03:07PM +0200, Jonas Sonntag wrote:
>
> [snip]
>
> > only my LAN is (again) disconnected from the net.
> > here are the rules:
> >
> > fwcmd="/sbin/ipfw"
> > $fwcmd -f flush
> >
> > #lan
> > $fwcmd add divert natd all from any to any via rl0
> > $fwcmd add allow all from any to any via lo0
> > $fwcmd add allow all from any to any via xl0
> >
> > # inet
> > $fwcmd add allow all from me to any via rl0
> > $fwcmd add allow tcp from any to me established via rl0
>
> Say you try to HTTP to some remote machine. Your packets will get out
> fine. The response comes back. It goes through the first rule and the
> destination IP (and possibly port) is rewritten to the internal
> address. The packet will not match the above rule, since the
> destination is a machine on your internal net and not the gateway. The
> packets fall through and get dropped at the last rule. You should be
> seeing this in your logs. You may wish to try to add,
>
> $fwcmd add allow tcp from any to <internal_net> established via rl0
>
> Or to use dynamic rules rather than 'established.'
>
> > $fwcmd add allow tcp from any to me 21 setup via rl0
> > $fwcmd add allow tcp from any to me 22 setup via rl0
> > $fwcmd add allow tcp from any to me 80 setup via rl0
> > $fwcmd add allow udp from 213.196.65.2 53 to me
> > $fwcmd add allow udp from 213.196.64.2 53 to me
> > $fwcmd add allow icmp from any to any
> > $fwcmd add deny log ip from any to any
> --
> Crist J. Clark | cjclark@alum.mit.edu
> | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/ | cjc@freebsd.org
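As an added illustration (not part of the thread, and not ipfw's own code): a small Python model of ipfw's first-match processing with a natd divert, showing why the reply to a LAN client falls through the 'to me established' rule once NAT has rewritten its destination, and how the suggested 'to <internal_net> established' rule catches it. The gateway address, LAN prefix and NAT state are constructed, and the model only checks the fields that matter here; real ipfw matches on many more.

```python
import ipaddress
from collections import namedtuple

# Constructed addresses for this model; the thread itself names none of them.
GATEWAY = "203.0.113.10"                               # assumed public address on rl0
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN behind xl0
NAT_TABLE = {"198.51.100.5": "192.168.1.20"}           # natd state: remote peer -> LAN host

# 'established' marks a TCP segment with ACK or RST set, i.e. not a fresh SYN.
Packet = namedtuple("Packet", "proto src dst iface established")

def natd_inbound(pkt):
    """Model natd on an inbound reply: map the gateway address back to the
    LAN host that opened the session, as the divert rule causes."""
    if pkt.iface == "rl0" and pkt.dst == GATEWAY and pkt.src in NAT_TABLE:
        return pkt._replace(dst=NAT_TABLE[pkt.src])
    return pkt

def dst_matches(pkt, spec):
    if spec in ("any", "me"):
        return spec == "any" or pkt.dst == GATEWAY
    return ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(spec)

def evaluate(rules, pkt):
    """First-match evaluation. A 'divert' rule hands the packet to natd and,
    as ipfw does with the reinjected packet, continues at the next rule."""
    for action, proto, dst, iface, need_established in rules:
        if proto not in ("all", pkt.proto) or iface not in (None, pkt.iface):
            continue
        if (need_established and not pkt.established) or not dst_matches(pkt, dst):
            continue
        if action == "divert":
            pkt = natd_inbound(pkt)
            continue
        return action, pkt.dst
    return "deny", pkt.dst  # the trailing 'deny log ip from any to any'

# Rules as (action, proto, dst, iface, established-only?) in the thread's order.
ORIGINAL = [("divert", "all", "any", "rl0", False), ("allow", "all", "any", "lo0", False),
            ("allow", "all", "any", "xl0", False), ("allow", "tcp", "me", "rl0", True),
            ("deny", "all", "any", None, False)]
# Crist's suggested addition: accept established segments to the internal net too.
FIXED = ORIGINAL[:4] + [("allow", "tcp", str(INTERNAL_NET), "rl0", True)] + ORIGINAL[4:]

HTTP_REPLY = Packet("tcp", "198.51.100.5", GATEWAY, "rl0", True)    # reply to a LAN client
INBOUND_SYN = Packet("tcp", "198.51.100.9", GATEWAY, "rl0", False)  # unsolicited connect

if __name__ == "__main__":
    print(evaluate(ORIGINAL, HTTP_REPLY))  # ('deny', '192.168.1.20')
    print(evaluate(FIXED, HTTP_REPLY))     # ('allow', '192.168.1.20')
```

The deny on the NAT'd reply is exactly what shows up in the log of the final rule; the unsolicited SYN is still refused by both rule sets because neither 'established' rule matches it.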