Date: Tue, 3 Jan 2006 11:06:51 -0800
From: patrick <gibblertron@gmail.com>
To: Foo Ji-Haw <jhfoo@nexlabs.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw divert with exception?
Message-ID: <b043a4850601031106x608cc391iad8319f1272590df@mail.gmail.com>
In-Reply-To: <003601c61011$10c45ab0$c801a8c0@nexpc>
References: <b043a4850601021256pd5af566ka58bc8f1d1a8c010@mail.gmail.com> <003601c61011$10c45ab0$c801a8c0@nexpc>
That's what I thought too, but it doesn't seem to be the case. Here's
what I have:
ipfw -f flush
ipfw add 70 allow tcp from 10.0.1.254 to any
ipfw add accept tcp from any to any 22 in via ${ext_if}
ipfw add 6000 allow all from any to any via lo0
ipfw add 6100 allow all from any to any via ${int_if}
ipfw add 7000 divert natd all from any to any via ${ext_if}
ipfw add 7100 check-state
ipfw add pass all from any to any via ${ext_if}
ipfw add pass all from any to any via ${int_if}
ipfw add 65534 allow ip from any to any
Patrick
On 1/2/06, Foo Ji-Haw <jhfoo@nexlabs.com> wrote:
> I've not tried it myself, but putting the exception rules before the
> 'divert' rule should help, since ipfw exits the rule matching upon first
> match.
>
> ----- Original Message -----
> From: "patrick" <gibblertron@gmail.com>
> To: <freebsd-questions@freebsd.org>
> Sent: Tuesday, January 03, 2006 4:56 AM
> Subject: ipfw divert with exception?
>
>
> > I have a FreeBSD 6.0 machine acting as a router for our office. We use
> > natd for address translation, and I have a rule like so:
> >
> > ipfw add divert natd all from any to any via ${ext_if}
> >
> > To allow incoming SSH access, I have a redirect_port line setup in my
> > /etc/natd.conf file, and while it works just fine, I don't like that
> > natd has to be running in order for me to SSH into the server.
> > (Because, if -- hypothetically of course -- one were to *cough*
> > accidentally kill the natd process without realizing this, then
> > *ahem*, one would be locked out remotely without any means of fixing
> > it. And I'd like to stress that this situation is indeed, uh,
> > hypothetical. ;) )
> >
> > So, I'm sure there is a way for me to create some ipfw rules above the
> > divert line to accept incoming SSH traffic and not have it get
> > diverted, but I'm at a bit of a loss as to how I can achieve this. The
> > current rule I have above this does not do anything to stop the
> > traffic from being diverted:
> >
> > ipfw add accept tcp from any to any 22 in via ${ext_if}
> >
> > Any help or insight would be greatly appreciated.
> >
> > Thanks,
> >
> > Patrick
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe@freebsd.org"
>
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b043a4850601031106x608cc391iad8319f1272590df>
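Editor's note, as an added worked example that is not part of the thread above. Foo's point about first-match evaluation is right, and Patrick's auto-numbered accept rule (170, since ipfw adds autoinc_step 100 to the previous rule number) does sit before the divert rule 7000. The catch is that "via ${ext_if}" matches packets in both directions, and the posted exception is inbound only: the SYN to port 22 is accepted at 170, but the reply sshd sends back out hits 7000, and a divert rule with nobody bound to the divert socket drops the packet. The small model below reproduces ipfw's first-match walk over the posted ruleset and over a variant with an outbound exception added. It is not ipfw and understands only the keywords those rules use; the interface names, the router's own addresses (what ipfw's "me" would match), the sample packets and the extra rule 180 are all assumptions. It ignores stateful rules and what natd does after reinjection.

```python
"""Added example (not ipfw, not from the thread): a first-match model of the
posted ruleset. Interface names, addresses and the fix rule are assumptions."""

from dataclasses import dataclass
from typing import Optional

EXT_IF = "fxp0"                              # assumed ${ext_if}
INT_IF = "fxp1"                              # assumed ${int_if}
ROUTER_IPS = {"203.0.113.2", "10.0.1.1"}     # assumed; what ipfw's "me" matches
AUTOINC_STEP = 100                           # ipfw default for unnumbered rules
ALLOW_WORDS = {"allow", "accept", "pass", "permit"}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out"
    iface: str


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                        # "allow", "divert" or "check-state"
    proto: str = "all"
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None    # None: either direction
    iface: Optional[str] = None        # "via X" matches both directions on X


def parse_ruleset(lines, ext_if=EXT_IF, int_if=INT_IF):
    """Turn 'ipfw add ...' lines into Rules, numbering unnumbered ones like ipfw."""
    rules, last = [], 0
    for line in lines:
        tok = line.replace("${ext_if}", ext_if).replace("${int_if}", int_if).split()
        if tok[:2] != ["ipfw", "add"]:
            continue                         # e.g. "ipfw -f flush"
        tok = tok[2:]
        number = int(tok.pop(0)) if tok[0].isdigit() else last + AUTOINC_STEP
        last = number
        action = tok.pop(0)
        if action in ALLOW_WORDS:
            action = "allow"
        elif action == "divert":
            tok.pop(0)                       # divert port ("natd"); irrelevant to matching
        if action == "check-state":
            rules.append(Rule(number, action))
            continue
        proto = tok.pop(0)
        assert tok.pop(0) == "from"
        src = tok.pop(0)
        sport = int(tok.pop(0)) if tok and tok[0].isdigit() else None
        assert tok.pop(0) == "to"
        dst = tok.pop(0)
        dport = int(tok.pop(0)) if tok and tok[0].isdigit() else None
        direction = iface = None
        while tok:
            t = tok.pop(0)
            if t in ("in", "out"):
                direction = t
            elif t == "via":
                iface = tok.pop(0)
        rules.append(Rule(number, action, proto, src, sport, dst, dport, direction, iface))
    return rules


def _addr_match(spec, addr):
    return spec == "any" or (addr in ROUTER_IPS if spec == "me" else spec == addr)


def match(rule, pkt):
    if rule.action == "check-state":
        return False                         # no dynamic rules in this model
    return ((rule.proto in ("all", "ip") or rule.proto == pkt.proto)
            and _addr_match(rule.src, pkt.src)
            and (rule.sport is None or rule.sport == pkt.sport)
            and _addr_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface))


def disposition(rules, pkt, natd_running):
    """(rule number, fate): ipfw stops at the first match; a divert rule with no
    listener on the divert socket drops the packet instead of handing it over."""
    for r in rules:
        if match(r, pkt):
            if r.action == "divert":
                return r.number, ("divert" if natd_running else "drop")
            return r.number, r.action
    return 65535, "deny"                     # implicit default rule


POSTED_RULESET = """ipfw -f flush
ipfw add 70 allow tcp from 10.0.1.254 to any
ipfw add accept tcp from any to any 22 in via ${ext_if}
ipfw add 6000 allow all from any to any via lo0
ipfw add 6100 allow all from any to any via ${int_if}
ipfw add 7000 divert natd all from any to any via ${ext_if}
ipfw add 7100 check-state
ipfw add pass all from any to any via ${ext_if}
ipfw add pass all from any to any via ${int_if}
ipfw add 65534 allow ip from any to any""".splitlines()

# Assumed fix: also exempt the server's own SSH replies, ahead of the divert rule.
FIXED_RULESET = (POSTED_RULESET[:3]
                 + ["ipfw add 180 allow tcp from me 22 to any out via ${ext_if}"]
                 + POSTED_RULESET[3:])

# Constructed sample packets: an outside SSH client's SYN and sshd's reply.
SSH_IN = Packet("tcp", "198.51.100.7", 50000, "203.0.113.2", 22, "in", EXT_IF)
SSH_REPLY = Packet("tcp", "203.0.113.2", 22, "198.51.100.7", 50000, "out", EXT_IF)

if __name__ == "__main__":
    for name, rs in (("posted", POSTED_RULESET), ("fixed", FIXED_RULESET)):
        for label, pkt in (("SSH in", SSH_IN), ("SSH reply", SSH_REPLY)):
            print(name, label, disposition(parse_ruleset(rs), pkt, natd_running=False))
```

With natd stopped, the posted ruleset yields (170, "allow") for the inbound SYN but (7000, "drop") for the reply, which is the lockout; with rule 180 in place the reply is accepted at 180 and never reaches the divert rule. Whether "from me 22" is the right exception depends on where sshd actually lives (on the router, or behind a natd redirect_port), which the thread does not settle.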
