Date:      Sun, 28 Mar 1999 16:00:58 +0200 (CEST)
From:      Remy Nonnenmacher <remy@synx.com>
To:        ru@ucb.crimea.ua
Cc:        noor@NetVision.net.il, freebsd-hackers@FreeBSD.ORG
Subject:   Re: ipfw behavior, is it normal?
Message-ID:  <199903281409.QAA22122@rt2.synx.com>
In-Reply-To: <19990328164753.A50307@relay.ucb.crimea.ua>

On 28 Mar, Ruslan Ermilov wrote:
> Hi!
> 
> You've screwed your rules up ;-)
> Rules 400 and 500 are `allow tcp', I suppose.
> Send us your _real_ rules first.
>

I think these *ARE* the real rules. Anyway, 'IP' matches all packets.

[check...check....]

Yes. 

Noor,

What is the FBSD version used?
Doing routing? bridging?
Is the filtering machine the [server]?

 
> 
> On Sun, Mar 28, 1999 at 02:23:57PM +0200, Noor Dawod wrote:
>> 
>>   Hi..
>> 
>>   Like many others have done before me, this is my first message to this
>> mailing list and I hope not the last. I've been dealing with FreeBSD for
>> quite some time now, and I still cannot understand why a few ipfw rules
>> don't work for me. I would like to share it with you and maybe get some
>> help on it.
>> 
>>   My current ipfw rules are:
>> 
>> -----------------------------------------------------------------
>> 00100 allow ip from any to any via lo0
>> 00200 allow ip from [machine-a-ip] to [server-ip] via xl0
>> 00300 allow ip from [machine-b-ip] to [server-ip] via xl0
>> 00400 allow ip from any to [server-ip] 80 in via xl0
>> 00500 allow ip from any to [server-ip] 21 in via xl0
>> 65000 allow ip from any to any
>> 65535 deny ip from any to any
>> -----------------------------------------------------------------
>> 
>>   00200 and 00300 seem redundant because of rule 65000. But this is where
>> all the problem lies. If I understand the ipfw rules right, if I remove
>> line 65000 from the rules table, then I can still do all IP-related
>> actions from [machine-a] and [machine-b], whose IP numbers are
>> listed in 00200 and 00300. But, once I remove line 65000, I cannot do any
>> IP-related actions on the [server], and even WWW/FTP services are not
>> served either.
>> 
>>   What am I missing here, and why MUST the 65000 line be there so that I
>> can access [server] from [machine-a] and [machine-b]?
>> 
>>   I apologize if this is not the place to ask such questions, and would
>> like to be told where to send it instead.
>> 
>>   Thanks for your time and efforts.
>> 
>>   Noor
> 
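As an added illustration (not part of the thread or of ipfw itself), here is a toy first-match evaluator over the quoted rule set; the addresses are constructed placeholders for the bracketed values. It shows which rule a packet from [machine-a] to the server hits, and which rule the server's reply hits, with and without rule 65000.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses for the bracketed values in the thread.
SERVER, MACHINE_A, MACHINE_B = "10.0.0.1", "10.0.0.2", "10.0.0.3"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: Optional[int]  # destination port, None for protocols without ports
    iface: str
    direction: str        # "in" or "out" relative to the filtering host

@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    src: Optional[str] = None     # None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None
    iface: Optional[str] = None   # "via" matches both directions on the interface
    direction: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or self.src == p.src)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.iface is None or self.iface == p.iface)
                and (self.direction is None or self.direction == p.direction))

# The quoted rule set. Protocol "ip" matches every packet, so no protocol check.
RULES = [
    Rule(100, "allow", iface="lo0"),
    Rule(200, "allow", src=MACHINE_A, dst=SERVER, iface="xl0"),
    Rule(300, "allow", src=MACHINE_B, dst=SERVER, iface="xl0"),
    Rule(400, "allow", dst=SERVER, dport=80, iface="xl0", direction="in"),
    Rule(500, "allow", dst=SERVER, dport=21, iface="xl0", direction="in"),
    Rule(65000, "allow"),
    Rule(65535, "deny"),
]

def first_match(p: Packet, rules=RULES) -> Rule:
    """ipfw semantics: rules are tried in ascending order and the first match wins."""
    return next(r for r in sorted(rules, key=lambda r: r.number) if r.matches(p))

def without(rules, number):
    """Return the rule set with one rule deleted, as `ipfw delete <number>` would."""
    return [r for r in rules if r.number != number]
```

Rules 200 to 500 only match packets whose destination is the server, so a reply leaving the server toward [machine-a] matches nothing before 65000 and, once 65000 is deleted, falls through to the default deny.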



