Re: ipfw divert with exception?
Which is the part that does not work? You can see the matching process by adding 'log' to the rule:

    ipfw add 70 allow log tcp from 10.0.1.254 to any

Last thing to check: traffic runs both ways, so you may need to have two rules instead of one.

- Original Message -
From: "patrick" <[EMAIL PROTECTED]>
To: "Foo Ji-Haw" <[EMAIL PROTECTED]>
Cc:
Sent: Wednesday, January 04, 2006 3:06 AM
Subject: Re: ipfw divert with exception?

> That's what I thought too, but it doesn't seem to be the case. Here's
> what I have:
>
>     ipfw -f flush
>     ipfw add 70 allow tcp from 10.0.1.254 to any
>     ipfw add accept tcp from any to any 22 in via ${ext_if}
>     ipfw add 6000 allow all from any to any via lo0
>     ipfw add 6100 allow all from any to any via ${int_if}
>     ipfw add 7000 divert natd all from any to any via ${ext_if}
>     ipfw add 7100 check-state
>     ipfw add pass all from any to any via ${ext_if}
>     ipfw add pass all from any to any via ${int_if}
>     ipfw add 65534 allow ip from any to any
>
> Patrick
>
> On 1/2/06, Foo Ji-Haw <[EMAIL PROTECTED]> wrote:
> > I've not tried it myself, but putting the exception rules before the
> > 'divert' rule should help, since ipfw exits the rule matching upon
> > first match.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
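As an added illustration (not code from the thread), the following Python model of ipfw's first-match walk over Patrick's ruleset shows why the reply asks about both directions: with only the 'in via ${ext_if}' exception, the SSH reply packets leaving the router still reach the divert rule, and a divert socket with no natd listening drops them. Interface names, addresses and the numbers of the unnumbered rules are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
EXT_IF, INT_IF = "fxp0", "fxp1"   # assumed stand-ins for ${ext_if} / ${int_if}

@dataclass
class Rule:                          # only the fields the thread's rules use
    num: int
    action: str                      # "allow", "divert" or "check-state"
    proto: str = "all"               # "all" or "tcp"
    src: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    direction: Optional[str] = None  # "in", "out" or None for both
    via: Optional[str] = None        # interface name or None for any

@dataclass
class Packet:
    proto: str; src: str; sport: int; dport: int; direction: str; iface: str

def matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("all", p.proto) and r.src in ("any", p.src)
            and r.sport in (None, p.sport) and r.dport in (None, p.dport)
            and r.direction in (None, p.direction) and r.via in (None, p.iface))

def walk(rules: List[Rule], p: Packet, natd_running: bool) -> Tuple[str, int]:
    # First match wins, which is exactly the property the reply relies on.
    for r in sorted(rules, key=lambda r: r.num):
        if r.action == "check-state" or not matches(r, p):
            continue                 # no dynamic rules in this simulation
        if r.action == "allow":
            return ("allow", r.num)
        # divert with nobody listening on the divert socket (natd dead):
        # ipfw drops the packet instead of handing it to natd.
        return ("divert" if natd_running else "drop", r.num)
    return ("drop", 65535)           # implicit default deny

# Patrick's ruleset, numbered in the order he listed it.
PATRICK = [
    Rule(70, "allow", "tcp", src="10.0.1.254"),
    Rule(100, "allow", "tcp", dport=22, direction="in", via=EXT_IF),
    Rule(6000, "allow", via="lo0"), Rule(6100, "allow", via=INT_IF),
    Rule(7000, "divert", via=EXT_IF), Rule(7100, "check-state"),
    Rule(7200, "allow", via=EXT_IF), Rule(7300, "allow", via=INT_IF),
    Rule(65534, "allow"),
]
# The second rule the reply hints at: let SSH replies back out ahead of natd.
WITH_REPLY_RULE = PATRICK + [
    Rule(110, "allow", "tcp", sport=22, direction="out", via=EXT_IF)]
# Constructed packets: an inbound SSH SYN from outside, and the router's reply.
SSH_IN = Packet("tcp", "203.0.113.5", 51000, 22, "in", EXT_IF)
SSH_REPLY = Packet("tcp", "198.51.100.1", 22, 51000, "out", EXT_IF)
```

Running `walk(PATRICK, SSH_REPLY, natd_running=False)` reproduces the lockout: the reply is dropped at rule 7000, while the same packet is allowed at rule 110 once the outbound exception is in place.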
Re: ipfw divert with exception?
That's what I thought too, but it doesn't seem to be the case. Here's what I have:

    ipfw -f flush
    ipfw add 70 allow tcp from 10.0.1.254 to any
    ipfw add accept tcp from any to any 22 in via ${ext_if}
    ipfw add 6000 allow all from any to any via lo0
    ipfw add 6100 allow all from any to any via ${int_if}
    ipfw add 7000 divert natd all from any to any via ${ext_if}
    ipfw add 7100 check-state
    ipfw add pass all from any to any via ${ext_if}
    ipfw add pass all from any to any via ${int_if}
    ipfw add 65534 allow ip from any to any

Patrick

On 1/2/06, Foo Ji-Haw <[EMAIL PROTECTED]> wrote:
> I've not tried it myself, but putting the exception rules before the
> 'divert' rule should help, since ipfw exits the rule matching upon first
> match.
>
> - Original Message -
> From: "patrick" <[EMAIL PROTECTED]>
> To:
> Sent: Tuesday, January 03, 2006 4:56 AM
> Subject: ipfw divert with exception?
Re: ipfw divert with exception?
I've not tried it myself, but putting the exception rules before the 'divert' rule should help, since ipfw exits the rule matching upon first match.

- Original Message -
From: "patrick" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, January 03, 2006 4:56 AM
Subject: ipfw divert with exception?

> I have a FreeBSD 6.0 machine acting as a router for our office. We use
> natd for address translation, and I have rule like so:
>
>     ipfw add divert natd all from any to any via ${ext_if}
>
> To allow incoming SSH access, I have a redirect_port line setup in my
> /etc/natd.conf file, and while it works just fine, I don't like that
> natd has to be running in order for me to SSH into the server.
> (Because, if -- hypothetically of course -- one were to *cough*
> accidentally kill the natd process without realizing this, then
> *ahem*, one would be locked out remotely without any means of fixing
> it. And I'd like to stress that this situation is indeed, uh,
> hypothetical. ;) )
>
> So, I'm sure there is a way for me to create some ipfw rules above the
> divert line to accept incoming SSH traffic and not having it get
> diverted, but I'm at a bit of a loss as to how I can achieve this. The
> current rule I have above this does not do anything to stop the
> traffic from being diverted:
>
>     ipfw add accept tcp from any to any 22 in via ${ext_if}
>
> Any help or insight would be greatly appreciated.
>
> Thanks,
>
> Patrick
ipfw divert with exception?
I have a FreeBSD 6.0 machine acting as a router for our office. We use natd for address translation, and I have a rule like so:

    ipfw add divert natd all from any to any via ${ext_if}

To allow incoming SSH access, I have a redirect_port line set up in my /etc/natd.conf file, and while it works just fine, I don't like that natd has to be running in order for me to SSH into the server. (Because, if -- hypothetically of course -- one were to *cough* accidentally kill the natd process without realizing this, then *ahem*, one would be locked out remotely without any means of fixing it. And I'd like to stress that this situation is indeed, uh, hypothetical. ;) )

So, I'm sure there is a way for me to create some ipfw rules above the divert line to accept incoming SSH traffic and not have it get diverted, but I'm at a bit of a loss as to how I can achieve this. The current rule I have above this does not do anything to stop the traffic from being diverted:

    ipfw add accept tcp from any to any 22 in via ${ext_if}

Any help or insight would be greatly appreciated.

Thanks,

Patrick