Re: no access to web server behind ipfw

2008-10-17 Thread Chen Xu
Hi Christer,

I followed the example from the handbook. Yes, it is OK to divert in and
out separately. skipto is used to point to the divert out rule number
when it is outbound. 

I run into problems only with natd redirecting from the gateway to the local
machine. tcpdump shows that packets in both directions actually go
through fine, but only the header is there; the body was ripped off. I am looking
into OpenBSD's PF right now. It is such a simple goal to reach, but it seems
not so easy.

-Chen

* Christer Hermansson <[EMAIL PROTECTED]> [081017 14:54]:
> Chen Xu wrote:
> > $cmd 100 divert natd ip from any to any in via $pif
> > $cmd 101 check-state
>
> You use "in via $pif", I'm not 100% sure but I think you should only use
> "via $pif".
>
> > # Authorized inbound packets
> > $cmd 421 allow tcp from any to 192.168.1.10 80 in via $pif setup limit src-addr 5
>
> I think it's bad to use stateful rules for inbound connections.
>
> --
>
> Christer Hermansson
>
> http://www.chdevelopment.se
>
> 
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


no access to web server behind ipfw

2008-10-14 Thread Chen Xu
Dear All,

I think I need help from the group. The situation is kind of simple,
but I cannot get it to work for me.

I want to access a web server behind a firewall/gateway:

191.168.1.1 (firewall/gateway/natd)
192.168.1.10 (internal web server)

191.168.1.1 has this configuration:
===================================
FreeBSD 5.3-RELEASE-p26

Kernel compiled with the following lines:

options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=5
options         IPDIVERT

rc.conf has these lines:
------------------------
# Add stuff for firewall - ipfw
firewall_enable="YES"
firewall_type="OPEN"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
gateway_enable="YES"

# Enable natd.
natd_enable="YES"
natd_interface="fxp0"
#natd_flags="-dynamic -m"       # preserve port numbers if possible
natd_flags="-f /etc/natd.conf"  # preserve port numbers if possible

/etc/natd.conf
--------------
port 8668
interface fxp0
redirect_port tcp 192.168.1.10:80 80


/etc/ipfw.rules
---------------
#!/bin/sh

cmd="ipfw -q add"
skip="skipto 500"
pif=fxp0
ks="keep-state"
good_tcpo="22"

ipfw -q -f flush

$cmd 002 allow all from any to any via em0  # exclude LAN traffic
$cmd 003 allow all from any to any via lo0  # exclude loopback traffic

$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# Authorized outbound packets
$cmd 120 $skip udp from any to x.x.x.11 53 out via $pif $ks
$cmd 121 $skip udp from any to x.x.x.12 53 out via $pif $ks
## --> block only one PC running windows (192.168.1.2)
$cmd 123 deny tcp from 192.168.1.2 to any 80 out via $pif
$cmd 124 $skip tcp from any to any 80 out via $pif setup $ks

#
$cmd 129 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks

# root can do cvsup etc. like a GOD
$cmd 140 allow tcp from me to any out via $pif $ks uid root

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12   to any in via $pif  #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8  to any in via $pif  #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif  #loopback
$cmd 304 deny all from 0.0.0.0/8   to any in via $pif  #loopback
$cmd 305 deny all from 169.254.0.0/16  to any in via $pif  #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24to any in via $pif  #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster
$cmd 308 deny all from 224.0.0.0/3     to any in via $pif  #Class D & E multicast

# Authorized inbound packets
$cmd 421 allow tcp from any to 192.168.1.10 80 in via $pif setup limit src-addr 5

$cmd 450 deny log ip from any to any

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any

## end of rules ##

Apparently rule 421 is not enough to reach the web server 192.168.1.10 on
port 80. I need help here.

Thanks,
Chen
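An added example, not part of the original post and not ipfw's own code: a small Python model of how ipfw walks a ruleset (first match wins, divert natd re-enters at the next rule with the rewritten packet, skipto jumps forward, and a check-state hit runs the action of the rule that created the dynamic entry, which both keep-state and limit create). It traces a client's SYN in via fxp0 and the web server's reply out via fxp0 through the rules a web request can touch. With rule 421 as posted (allow ... setup limit src-addr 5), the reply is accepted at check-state (rule 101) before it ever reaches the divert natd out at rule 500, so it leaves fxp0 with the private source 192.168.1.10; with rule 421 written as a skipto 500 rule instead, the same as the posted outbound rules and the skipto usage the 2008-10-17 reply describes, the check-state hit jumps to 500 and the reply is NATed before it is allowed. The public address 203.0.113.1, the client 198.51.100.7, the port numbers and the reduced rule list are assumptions made for the example.

```python
"""Toy model of ipfw rule evaluation (first match wins, check-state/keep-state, skipto,
divert natd) used to trace a web request through the posted gateway rules.  Added example,
not ipfw and not the poster's code; the public address 203.0.113.1, the client
198.51.100.7 and the reduced rule list are assumptions."""
from ipaddress import ip_address, ip_network

PIF, LIF = "fxp0", "em0"                                   # interfaces from the post
PUBLIC, WEB, CLIENT = "203.0.113.1", "192.168.1.10", "198.51.100.7"  # assumed addresses


def natd(pkt):
    """Model 'redirect_port tcp 192.168.1.10:80 80': rewrite dst inbound, src outbound."""
    p = dict(pkt)
    if p["dir"] == "in" and p["dst"] == PUBLIC and p["dport"] == 80:
        p["dst"] = WEB
    elif p["dir"] == "out" and p["src"] == WEB:
        p["src"] = PUBLIC
    return p


def m(d=None, via=None, src=None, dst=None, dport=None, setup=None):
    """Predicate for 'proto from SRC to DST PORT in|out via IFACE [setup]'."""
    def match(p):
        return ((d is None or p["dir"] == d) and (via is None or p["iface"] == via)
                and (src is None or ip_address(p["src"]) in ip_network(src))
                and (dst is None or p["dst"] == dst)
                and (dport is None or p["dport"] == dport)
                and (setup is None or p["syn"] == setup))
    return match


def flow(p):
    """Dynamic-rule key: the unordered endpoint pair, so the reply direction matches too."""
    return frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])


def run(rules, pkt, state):
    """Walk the rules like ipfw: divert re-enters at the next rule with the rewritten
    packet, skipto jumps forward, and a check-state hit runs the action of the rule that
    created the dynamic entry.  Returns (verdict, packet as it leaves, trace)."""
    nums = [r[0] for r in rules]
    i, trace = 0, []
    while i < len(rules):
        num, action, match, stateful = rules[i]
        if action == "check-state":
            parent = state.get(flow(pkt))
            if parent is None:
                i += 1
                continue
            num, action, match, stateful = rules[nums.index(parent)]
            trace.append(f"check-state -> dynamic rule from {num}")
        elif not match(pkt):
            i += 1
            continue
        if stateful:                       # keep-state / limit create the dynamic entry
            state[flow(pkt)] = num
        if action == "allow":
            return "allow", pkt, trace + [f"allow@{num}"]
        if action == "deny":
            return "deny", pkt, trace + [f"deny@{num}"]
        if action == "divert":
            pkt = natd(pkt)
            trace.append(f"divert natd@{num}")
            i += 1
            continue
        target = int(action.split()[1])    # "skipto N"
        trace.append(f"skipto {target}@{num}")
        i = next(k for k, n in enumerate(nums) if n >= target)
    return "deny", pkt, trace + ["default deny"]


def ruleset(rule_421_action):
    """The posted rules reduced to those a web request can touch.  Rule 421's action is
    'allow' as posted, or 'skipto 500' in the corrected variant."""
    return [
        (2,   "allow",       m(via=LIF), False),
        (100, "divert",      m(d="in", via=PIF), False),
        (101, "check-state", None, False),
        (300, "deny",        m(d="in", via=PIF, src="192.168.0.0/16"), False),
        (421, rule_421_action, m(d="in", via=PIF, dst=WEB, dport=80, setup=True), True),
        (450, "deny",        m(), False),
        (500, "divert",      m(d="out", via=PIF), False),
        (510, "allow",       m(), False),
    ]


def trace_request(rule_421_action):
    """Client SYN in via fxp0, then the server's SYN/ACK out via fxp0 (the em0 legs hit
    rule 2 and are omitted).  Returns the verdicts, the addresses after NAT and the trace."""
    state, rules = {}, ruleset(rule_421_action)
    syn = dict(dir="in", iface=PIF, src=CLIENT, sport=40000, dst=PUBLIC, dport=80, syn=True)
    v1, syn_out, t1 = run(rules, syn, state)
    reply = dict(dir="out", iface=PIF, src=WEB, sport=80, dst=CLIENT, dport=40000, syn=False)
    v2, reply_out, t2 = run(rules, reply, state)
    return {"syn": v1, "syn_dst": syn_out["dst"], "reply": v2,
            "reply_src": reply_out["src"], "trace": t1 + t2}


if __name__ == "__main__":
    for action in ("allow", "skipto 500"):
        r = trace_request(action)
        print(f"rule 421 = {action:10s}: reply leaves fxp0 with src {r['reply_src']}  {r['trace']}")
```

Run as a script it prints both traces; the interesting line is the "allow" variant, where the trace goes straight from check-state to allow@421 and never shows divert natd@500. The model only covers the rules a web request can match and says nothing about the body-stripping symptom reported in the follow-up, which it cannot reproduce; it shows one effect of this rule order that is worth checking with tcpdump on fxp0 (a reply with source 192.168.1.10 on the public interface).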


fftw static library

2006-02-16 Thread Chen Xu
Dear all,

I installed fftw from ports; that was fine. However,
I could not find libsfftw.so or libsrfftw.so anywhere.
In SuSE, at least, there are two packages, fftw and fftw-dev.
The header files and static link library files are installed
by the second package.

How can I get them for my FreeBSD box?


Thanks,
Chen


[no subject]

2005-05-10 Thread Chen Xu
asd


Re: 5.3-stable -- all CPU usage show 0%

2004-10-30 Thread Chen Xu
I played with disabling ACPI. Only after I deinstalled
apache2 did my top show normal output. I don't have a clue why.

Regards,
Chen


On Sat, 30 Oct 2004 20:05:24 +1300, Gareth Redman <[EMAIL PROTECTED]> wrote:
> 
> I don't think it is normal, as even the idle state is at 0.00%.  I
> would make sure that base is in sync with the kernel, as documented in
> <http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html>.
> 
> --
> Gareth Redman
> 


-- 
Chen Xu 
[EMAIL PROTECTED]
[EMAIL PROTECTED]


5.3-stable -- all CPU usage show 0%

2004-10-29 Thread Chen Xu
-LOCKED]
ad0: 5729MB  [12416/15/63] at ata0-master UDMA33
acd0: CDROM  at ata1-master UDMA33
Mounting root from ufs:/dev/ad0s1a


--
Chen Xu 
[EMAIL PROTECTED]
[EMAIL PROTECTED]