Date: Sat, 28 Jan 2017 13:58:01 +0100
From: Rakor <freebsd@rakor-net.de>
To: freebsd-ipfw@FreeBSD.org
Subject: How to use IPFW to filter routing
Message-ID: <3C00AFCB-E2EF-4F89-8FBD-181C99DAC1FF@rakor-net.de>
Hi there,

I have a router from my ISP giving me a connection to the internet and SIP. Behind it I have a FreeBSD box which should route and separate my VLANs. The setup is like this:

           +------------+                  +------------+          +------------+  VLAN1 10.10.10.0/24
           | ISP-Router |  192.168.2.0/24  | BSD-Router |  Trunk   | L2-SWITCH  |-----------
Internet---|            |------------------|            |----------|   VLANS    |  VLAN2 10.10.20.0/24
           |            |             igb2 |    IPFW    | igb0     |            |-----------
           +------------+                  +------------+          +------------+  VLAN3 10.10.30.0/24
                                                                                  -----------

I can route my VLANs to the internet and I can route traffic from one VLAN to another VLAN, all without using IPFW. But I don't know how to set up my IPFW.

Let's say VLAN1 is allowed to communicate with VLAN2 and with the internet. VLAN3 is allowed to communicate only with the internet.

As far as I know a packet is scanned once by IPFW and then the first hit wins. So, if I set the following, a packet coming from VLAN3 for port 80 is permitted to travel anywhere it wants, even to VLAN2. Putting another rule behind it that only allows travelling out via igb2 is not checked, because the search terminated after the first hit.

    ipfw add allow tcp from 10.10.30.0/24 to any 80 setup keep-state

If I try the following, the packets are all rejected. I think the inspection is done before the routing, so IPFW does not know it should be forwarded using igb2.

    ipfw add allow tcp from 10.10.30.0/24 to any 80 out via igb2 setup keep-state

So I don't know how to filter packets that should be routed in an exact manner. Can you help me?

Thanks
Rakor
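A ruleset that implements the policy asked about above (VLAN1 may reach VLAN2 and the internet, VLAN3 only the internet) is added here as an example; it is not part of the mail and not a reply from the list. It relies on two documented ipfw behaviours: a forwarded packet is inspected twice, once as "in recv <ingress interface>" and again as "out xmit <egress interface>", and a dynamic rule created by keep-state matches later passes of the same flow regardless of interface. So the policy is expressed on the inbound pass with "in recv" plus keep-state, and check-state at the top lets the outbound pass and the replies through. The VLAN sub-interface names (igb0.10 and so on) are assumptions; igb2 as the ISP-facing interface and the subnets come from the mail. The deny rules for the other VLAN subnets deliberately sit before the allow-to-any rules, because the first matching rule ends the search.

```shell
#!/bin/sh
# Added example, not from the original mail: stateful ipfw ruleset for a
# FreeBSD router with one WAN interface and three VLANs on a trunk.
wan=igb2            # interface towards the ISP router (from the mail)
vlan1=igb0.10       # ASSUMED VLAN sub-interface names on the igb0 trunk;
vlan2=igb0.20       # adjust to whatever rc.conf creates on your box
vlan3=igb0.30
net1=10.10.10.0/24
net2=10.10.20.0/24
net3=10.10.30.0/24
vlans=10.10.0.0/16  # aggregate covering all three VLAN subnets

# Run with IPFW=echo to print the rules instead of loading them (dry run).
ipfw=${IPFW:-/sbin/ipfw}

build_rules() {
    $ipfw -f flush
    # Dynamic rules first: the state created on the "in recv" pass below
    # also carries the same packet through its "out xmit $wan" pass and
    # admits the return traffic, so no per-interface allow is needed on egress.
    $ipfw add 100 check-state
    $ipfw add 200 allow ip from any to any via lo0

    # VLAN1: may talk to VLAN2 and to the internet, but not to VLAN3.
    $ipfw add 1000 allow ip from $net1 to $net2 in recv $vlan1 keep-state
    $ipfw add 1100 deny ip from $net1 to $vlans in recv $vlan1
    $ipfw add 1200 allow ip from $net1 to any in recv $vlan1 keep-state

    # VLAN3: internet only, and only web traffic (the port-80 rule from the mail).
    # The deny for the other VLANs must precede the allow, since first match wins.
    $ipfw add 2000 deny ip from $net3 to $vlans in recv $vlan3
    $ipfw add 2100 allow tcp from $net3 to any 80 in recv $vlan3 setup keep-state

    # Everything else, in either direction, is dropped and logged.
    $ipfw add 65000 deny log ip from any to any
}

# Load the rules when ipfw is available, or print them in dry-run mode;
# otherwise only define build_rules so the file can be sourced.
if [ -x "$ipfw" ] || [ "$ipfw" = echo ]; then
    build_rules
fi
```

Usage on the router: `sh ruleset.sh` loads the rules; `IPFW=echo sh ruleset.sh` prints them for review first. Note that the rule in the mail with only "out via igb2" can never match on the inbound pass, so the packet falls through to the default deny before it is ever routed; matching on "in recv" instead is what lets the ingress VLAN decide the policy.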