ipfw check-state and ipfw fwd ?

2000-06-27 Thread Adrian Chadd


Hi,

I have a tunnel setup which requires me to rewrite the next hop of packets
going from the tunneled network out to the internet to go out via the
tunnel (rather than going out the default route, which drops the packets
(validly) because it thinks I'm trying to IP spoof).

The trouble is that I'm also trying to use a dynamic ipfw rule to only
allow outgoing TCP connections from a single IP .. this doesn't seem
to work well with ipfw fwd.

The relevant bits:

00100   0 0 check-state
00200   0 0 allow ip from any to any via lo0
00300   0 0 deny ip from any to 203.56.168.40 in recv tun0
00400   288 allow tcp from 203.56.168.40 to any keep-state setup
(the three going in here are totally not relevant)
00800   0 0 fwd 213.35.234.1 ip from 203.56.168.0/24 to any out xmit xl1
65000 195 15257 allow ip from any to any
65535  50  7996 allow ip from any to any
## Dynamic rules:
00400 1 44 (T 5, # 163) ty 0 tcp, 203.56.168.40 1161 <-> 203.30.44.82 80

As you can see, the dynamic rule gets created, but I'm not entirely
certain it's being trapped on the fwd rule, as a tcpdump of the external
interface xl1 shows the packet going out rather than being forwarded
to 213.35.234.1 (the tunnel interface endpoint).

Any clues? Are dynamic rulesets not meant to do this at all? Is there
a way I can trick things into working?



Thanks,


Adrian



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



Re: ipfw check-state and ipfw fwd ?

2000-06-27 Thread Adrian Chadd

On Tue, Jun 27, 2000, Adrian Chadd wrote:
> 
> Hi,
> 
> I have a tunnel setup which requires me to rewrite the next hop of packets
> going from the tunneled network out to the internet to go out via the
> tunnel (rather than going out the default route, which drops the packets
> (validly) because it thinks I'm trying to IP spoof).
> 
> The trouble is that I'm also trying to use a dynamic ipfw rule to only
> allow outgoing TCP connections from a single IP .. this doesn't seem
> to work well with ipfw fwd.
> 
> The relevant bits:
> 
> 00100   0 0 check-state
> 00200   0 0 allow ip from any to any via lo0
> 00300   0 0 deny ip from any to 203.56.168.40 in recv tun0
> 00400   288 allow tcp from 203.56.168.40 to any keep-state setup
> (the three going in here are totally not relevant)
> 00800   0 0 fwd 213.35.234.1 ip from 203.56.168.0/24 to any out xmit xl1
> 65000 195 15257 allow ip from any to any
> 65535  50  7996 allow ip from any to any
> ## Dynamic rules:
> 00400 1 44 (T 5, # 163) ty 0 tcp, 203.56.168.40 1161 <-> 203.30.44.82 80
> 
> As you can see, the dynamic rule gets created, but I'm not entirely
> certain it's being trapped on the fwd rule, as a tcpdump of the external
> interface xl1 shows the packet going out rather than being forwarded
> to 213.35.234.1 (the tunnel interface endpoint).
> 
> Any clues? Are dynamic rulesets not meant to do this at all? Is there
> a way I can trick things into working?

Before you all say it, changing 0400's allow to skipto
made things work. Evil, but it's working just fine. :)

00100     0      0 check-state
00200     0      0 allow ip from any to any via lo0
00300     1     44 deny ip from any to 203.56.168.40 in recv tun0
00400  14576       skipto 5000 tcp from 203.56.168.40 to any keep-state setup
05000   5437       fwd 213.35.234.1 ip from 203.56.168.0/24 to any out xmit xl1
65000  2163 169947 allow ip from any to any
65535    55   8503 allow ip from any to any
## Dynamic rules:
00400 13 532 (T 0, # 167) ty 0 tcp, 203.56.168.40 1165 <-> 203.30.44.82 80



Adrian
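As an added illustration (not part of the thread or of ipfw itself), here is a small Python model of how ipfw walks a ruleset with check-state, keep-state and skipto. It reproduces the behaviour above: with "allow" at rule 400 the SYN and every later packet of the flow are accepted at check-state/400 and the fwd rule is never reached, while "skipto 5000" carries both to the fwd rule. The flow key is simplified, rules 200/300 and the interface qualifiers are omitted as irrelevant to this outbound flow, and the addresses and rule numbers are the poster's.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    setup: bool = False        # TCP SYN without ACK, i.e. what ipfw's "setup" matches

@dataclass
class Rule:
    num: int
    action: str                # "check-state", "allow", "deny", "fwd <ip>" or "skipto <n>"
    match: object              # predicate Packet -> bool for the static part of the rule
    keep_state: bool = False

def walk(rules, pkt, dynamic):
    """Return the actions taken for pkt; dynamic maps flow key -> parent rule whose keep-state made the entry."""
    key, trail, i = frozenset((pkt.src, pkt.dst)), [], 0
    while i < len(rules):
        r = rules[i]
        if r.action == "check-state":
            if key not in dynamic:
                i += 1; continue
            r = dynamic[key]           # dynamic hit: the parent rule's action is taken
        elif not r.match(pkt):
            i += 1; continue
        elif r.keep_state:
            dynamic[key] = r           # static match with keep-state creates the entry
        trail.append(r.action)
        verb, _, arg = r.action.partition(" ")
        if verb in ("allow", "deny", "fwd"):
            return trail               # terminal action: later rules (e.g. fwd) never run
        i = next(j for j, x in enumerate(rules) if x.num >= int(arg)) if verb == "skipto" else i + 1
    return trail

LAN_HOST = "203.56.168.40"

def ruleset(rule_400_action):
    # Constructed from the poster's listing; only the rules that matter to this flow are kept.
    return [
        Rule(100, "check-state", lambda p: True),
        Rule(400, rule_400_action, lambda p: p.src == LAN_HOST and p.setup, keep_state=True),
        Rule(5000, "fwd 213.35.234.1", lambda p: p.src.startswith("203.56.168.")),
        Rule(65000, "allow", lambda p: True),
    ]

def outbound_flow(rule_400_action):
    rules, dynamic = ruleset(rule_400_action), {}
    syn, data = Packet(LAN_HOST, "203.30.44.82", setup=True), Packet(LAN_HOST, "203.30.44.82")
    return walk(rules, syn, dynamic)[-1], walk(rules, data, dynamic)[-1]
```

Calling outbound_flow("allow") gives ('allow', 'allow'), and outbound_flow("skipto 5000") gives the fwd action for both packets.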