Sat, Jan 28, 2017 at 01:58:01PM +0100, Rakor:
> As far as I know a packet is once scanned by IPFW and then first hit wins. So,
> if I set the following a packet coming from VLAN3 for port 80 is permitted to
> travel all way it wants, even to VLAN2. Putting another rule behind just
> allowing to travel out using igb2 is not checked, because the search
> terminated after first hit.
>
> ipfw add allow tcp 10.10.30.0/24 to any 80 setup keep-state

Have you tried something like this?

ipfw add deny tcp 10.10.30.0/24 to 10.10.10.0/24 setup keep-state
ipfw add deny tcp 10.10.30.0/24 to 10.10.20.0/24 setup keep-state
ipfw add allow tcp 10.10.30.0/24 to any 80 setup keep-state

> If I try the following the packets are all rejected. I think the inspection is
> done before the routing, so IPFW does not know it should be forwarded using
> igb2.
>
> ipfw add allow tcp 10.10.30.0/24 to any 80 out via igb2 setup keep-state

IPFW can do routing table lookups as needed. Something else must be going on
here. Log rules may be of help to debug and understand your ruleset.

> So I don't know how to filter packets that should be routed in an exact
> manner. Can you help me?

There are plenty of ways to filter packets in that setup, the "exact" one
depends on what you are trying to achieve.

Cheers,
- Thomás

P.S.: sorry for the duplication, I'd forgotten to CC the list.
_______________________________________________
freebsd-ipfw mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
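The rule-ordering point in the exchange above, as an added example that is not code from the freebsd-ipfw thread: a small Python evaluator that mimics ipfw's first-match semantics for the exact rules quoted. It matches only on source network, destination network and destination port, treats every probe as a TCP SYN, and ignores interfaces (`via`) and the keep-state dynamic table; the probe hosts 10.10.30.5, 10.10.10.5, 10.10.20.5 and 203.0.113.10 are constructed for the example. It shows that Rakor's single allow rule admits VLAN3 web traffic to every destination, that Thomás's two deny rules block the other VLANs when they precede the allow, and that the same deny rules placed after the allow are never reached.

```python
"""First-match-wins evaluation of ipfw-style rulesets.

Added example, not code from the freebsd-ipfw thread. It models only the
subset of ipfw syntax used in the quoted rules and ignores interfaces
("via"), "setup" (every probe is treated as a TCP SYN) and the keep-state
dynamic table. Probe addresses are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: Optional[IPv4Network]  # None means "any"
    dst: Optional[IPv4Network]  # None means "any"
    dport: Optional[int]        # None means any destination port

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None and dst not in self.dst:
            return False
        if self.dport is not None and dport != self.dport:
            return False
        return True


def _net(token: str) -> Optional[IPv4Network]:
    return None if token == "any" else IPv4Network(token)


def parse_rule(text: str) -> Rule:
    """Parse '<action> tcp <src> to <dst> [<dport>] [options...]'.

    Trailing options such as 'setup keep-state' are accepted and ignored.
    """
    tokens = text.split()
    if len(tokens) < 5 or tokens[1] != "tcp" or tokens[3] != "to":
        raise ValueError(f"unsupported rule syntax: {text!r}")
    action = tokens[0]
    if action not in ("allow", "deny"):
        raise ValueError(f"unsupported action: {action!r}")
    dport = int(tokens[5]) if len(tokens) > 5 and tokens[5].isdigit() else None
    return Rule(action, _net(tokens[2]), _net(tokens[4]), dport)


def evaluate(rules: List[Rule], src: IPv4Address, dst: IPv4Address, dport: int) -> str:
    """Return the action of the first matching rule.

    As in ipfw, the search stops at the first hit; a packet that matches
    nothing falls through to the default rule, modelled here as deny.
    """
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"


# Rakor's single rule: every port-80 SYN from VLAN3 is admitted.
ORIGINAL = [parse_rule("allow tcp 10.10.30.0/24 to any 80 setup keep-state")]

# Thomás's suggestion: deny the other VLANs before the broad allow.
SUGGESTED = [parse_rule(r) for r in (
    "deny tcp 10.10.30.0/24 to 10.10.10.0/24 setup keep-state",
    "deny tcp 10.10.30.0/24 to 10.10.20.0/24 setup keep-state",
    "allow tcp 10.10.30.0/24 to any 80 setup keep-state",
)]

# The same three rules with the allow first: the deny rules are never reached.
ALLOW_FIRST = [SUGGESTED[2], SUGGESTED[0], SUGGESTED[1]]


def decisions(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate constructed port-80 SYNs from a VLAN3 host to three destinations."""
    src = IPv4Address("10.10.30.5")                   # constructed VLAN3 host
    probes = {
        "vlan1_web": IPv4Address("10.10.10.5"),       # constructed VLAN1 host
        "vlan2_web": IPv4Address("10.10.20.5"),       # constructed VLAN2 host
        "internet_web": IPv4Address("203.0.113.10"),  # constructed external host (TEST-NET-3)
    }
    return {name: evaluate(rules, src, dst, 80) for name, dst in probes.items()}


if __name__ == "__main__":
    for label, ruleset in (("original", ORIGINAL), ("suggested", SUGGESTED), ("allow first", ALLOW_FIRST)):
        print(f"{label:12s} {decisions(ruleset)}")
```

Run stand-alone, the script prints one decision map per ruleset. The evaluator deliberately stops at the routing-independent part of the question: a real ipfw ruleset also consults the dynamic table created by keep-state on every pass, and the `out via igb2` case from the thread depends on where in the forwarding path the packet is inspected, which a static matcher cannot show; that is exactly where Thomás's advice to add log rules applies.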
