I have a tunnel setup which requires me to rewrite the next hop of packets
going from the tunneled network out to the internet to go out via the
tunnel (rather than going out the default route, which drops the packets
(validly) because it thinks I'm trying to IP spoof).

The trouble is that I'm also trying to use a dynamic ipfw rule to only
allow outgoing TCP connections from a single IP... this doesn't seem
to work well with ipfw fwd.

The relevant bits:

00100   0     0 check-state
00200   0     0 allow ip from any to any via lo0
00300   0     0 deny ip from any to in recv tun0
00400   2    88 allow tcp from to any keep-state setup
(the three going in here are totally not relevant)
00800   0     0 fwd ip from to any out xmit xl1
65000 195 15257 allow ip from any to any
65535  50  7996 allow ip from any to any
## Dynamic rules:
00400 1 44 (T 5, # 163) ty 0 tcp, 1161 <-> 80

As you can see, the dynamic rule gets created, but I'm not entirely
certain it's being trapped on the fwd rule, as a tcpdump of the external
interface xl1 shows the packet going out rather than being forwarded
to (the tunnel interface endpoint).

Any clues? Are dynamic rulesets not meant to do this at all? Is there
a way I can trick things into working?
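The behaviour described in the post follows from how ipfw walks a ruleset: allow, deny and fwd are all terminal actions, a keep-state rule creates a dynamic entry on match, and check-state executes the action of the rule that created the dynamic entry. With rule 400 (allow ... keep-state setup) numbered before rule 800 (fwd), the SYN is accepted at 400 and every later packet of the flow is accepted at check-state, so the fwd rule is never reached for that TCP traffic. The simulator below is an added illustration, not the poster's configuration or the ipfw code: it models only those semantics, only for outbound packets, and uses hypothetical placeholder addresses (10.1.1.5 for the tunneled host, 10.0.0.1 for the tunnel endpoint, 192.0.2.10 for a web server) in place of the addresses the post elides. The second ruleset, where the fwd rule itself carries keep-state, is one candidate ordering; how the dynamic rule applies fwd to the reply direction is not modelled and would need to be checked on the real kernel.

```python
"""Simplified model of ipfw evaluation with check-state, keep-state and fwd.
Added illustration; addresses are hypothetical placeholders."""
from dataclasses import dataclass
from typing import Optional

HOST, ENDPOINT, SERVER = "10.1.1.5", "10.0.0.1", "192.0.2.10"  # hypothetical


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    direction: str          # "in" or "out"
    iface: str              # interface the packet is received on / sent out
    syn_only: bool = False  # TCP SYN without ACK, which "setup" matches


@dataclass
class Rule:
    num: int
    action: str             # "check-state", "allow", "deny", "fwd <addr>"
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    direction: Optional[str] = None
    iface: Optional[str] = None
    setup: bool = False
    keep_state: bool = False


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = {}   # flow key -> parent Rule that created the entry

    @staticmethod
    def _flow_key(p):
        # Direction-agnostic key, as ipfw dynamic rules match both ways.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def _static_match(self, r, p):
        if r.proto != "ip" and r.proto != p.proto:
            return False
        if r.src != "any" and r.src != p.src:
            return False
        if r.dst != "any" and r.dst != p.dst:
            return False
        if r.direction is not None and r.direction != p.direction:
            return False
        if r.iface is not None and r.iface != p.iface:
            return False
        if r.setup and not (p.proto == "tcp" and p.syn_only):
            return False
        return True

    def process(self, p):
        """Return (action, rule number) that terminated evaluation."""
        key = self._flow_key(p)
        for r in self.rules:
            if r.action == "check-state":
                parent = self.dynamic.get(key)
                if parent is not None:
                    return parent.action, parent.num  # parent's action runs
                continue
            if not self._static_match(r, p):
                continue
            if r.keep_state:
                self.dynamic[key] = r
            return r.action, r.num  # allow/deny/fwd all terminate
        return "deny", 65535


def posted_ruleset():
    """Rule order as in the post, with placeholder addresses."""
    return [
        Rule(100, "check-state"),
        Rule(200, "allow", iface="lo0"),
        Rule(300, "deny", dst=HOST, direction="in", iface="tun0"),
        Rule(400, "allow", proto="tcp", src=HOST, setup=True, keep_state=True),
        Rule(800, f"fwd {ENDPOINT}", src=HOST, direction="out", iface="xl1"),
        Rule(65000, "allow"),
    ]


def stateful_fwd_ruleset():
    """Candidate variant: the fwd rule carries keep-state, so the dynamic
    entry inherits the fwd action; anything else from HOST out xl1 is denied."""
    return [
        Rule(100, "check-state"),
        Rule(200, "allow", iface="lo0"),
        Rule(300, "deny", dst=HOST, direction="in", iface="tun0"),
        Rule(400, f"fwd {ENDPOINT}", proto="tcp", src=HOST, direction="out",
             iface="xl1", setup=True, keep_state=True),
        Rule(500, "deny", src=HOST, direction="out", iface="xl1"),
        Rule(65000, "allow"),
    ]


def trace(rules):
    """Push a SYN, a later packet of the same flow, and a UDP packet (all
    constructed) through the ruleset; return where each terminated."""
    fw = Firewall(rules)
    syn = Packet("tcp", HOST, SERVER, 1161, 80, "out", "xl1", syn_only=True)
    data = Packet("tcp", HOST, SERVER, 1161, 80, "out", "xl1")
    udp = Packet("udp", HOST, SERVER, 5000, 53, "out", "xl1")
    return fw.process(syn), fw.process(data), fw.process(udp)


if __name__ == "__main__":
    for name, rs in (("posted", posted_ruleset()), ("stateful fwd", stateful_fwd_ruleset())):
        print(name, trace(rs))
```

With the posted order, both TCP packets terminate at rule 400 with allow and only the UDP packet (which never matches 400) reaches the fwd rule, which is consistent with tcpdump on xl1 showing the TCP packets leaving un-forwarded. In the variant, the SYN and the follow-up packet both resolve to the fwd action via rule 400.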



