Re: ipfw fwd and ipfw allow
per...@pluto.rain.com wrote:

> > ... the 'fwd ... keep-state' statement does create a useful dynamic
> > rule. It contradicts the ipfw(8) man page but works ...
>
> Hopefully someone who understands all this will submit a patch for
> the man page :)

The man page says that "Dynamic rules will be checked at the first check-state, keep-state or limit occurrence, and the action performed upon a match will be the same as in the parent rule." It suggests that if the parent rule is a 'fwd' rule, the corresponding dynamic rule is also a 'fwd' rule, which would be no use (who needs a reflexive 'fwd' rule?). However, in reality a parent 'fwd' rule seems to create an 'allow' dynamic rule, which is useful but confusing.

Where exactly is this place in the ipfw code?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: ipfw fwd and ipfw allow
Victor Sudakov suda...@sibptus.tomsk.ru wrote:

> ... the 'fwd ... keep-state' statement does create a useful dynamic
> rule. It contradicts the ipfw(8) man page but works ...

Hopefully someone who understands all this will submit a patch for
the man page :)
Re: ipfw fwd and ipfw allow
Nikos Vassiliadis wrote:

> > A packet generated locally
> > 1) should be forwarded by a 'fwd' rule and
> > 2) should create a dynamic 'allow' rule for returning traffic.
> >
> > Could you please suggest a ruleset for this.
>
> The fw has the 10.0.0.1 IP address. The 10.0.0.100 IP address belongs to
> another computer running a TCP service at .
>
> The IPFW rules:
>
> fw# ipfw list
> 00100 fwd 10.0.0.100 tcp from any to 10.90.10.3 dst-port keep-state
> 00200 deny ip from any to any
> 65535 allow ip from any to any

It seems that the 'fwd ... keep-state' statement does create a useful
dynamic rule. It contradicts the ipfw(8) man page but works.

Thank you for enlightenment.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
Re: ipfw fwd and ipfw allow
On 9/7/2010 5:52 PM, Victor Sudakov wrote:

> A packet generated locally
> 1) should be forwarded by a 'fwd' rule and
> 2) should create a dynamic 'allow' rule for returning traffic.
>
> Could you please suggest a ruleset for this.

The fw has the 10.0.0.1 IP address. The 10.0.0.100 IP address belongs to
another computer running a TCP service at .

The IPFW rules:

fw# ipfw list
00100 fwd 10.0.0.100 tcp from any to 10.90.10.3 dst-port keep-state
00200 deny ip from any to any
65535 allow ip from any to any

Trying to connect to TCP 9998 fails because of rule 200:

fw# nc -v 10.90.10.3 9998
nc: connect to 10.90.10.3 port 9998 (tcp) failed: Permission denied

While trying to connect to TCP succeeds and creates an IPFW state:

fw# nc -v 10.90.10.3
Connection to 10.90.10.3 port [tcp/*] succeeded!
^Z
Suspended
fw# ipfw -d show
00100 61 3315 fwd 10.0.0.100 tcp from any to 10.90.10.3 dst-port keep-state
00200 45 2644 deny ip from any to any
65535 00 allow ip from any to any
## Dynamic rules (9):
00100 2 112 (292s) STATE tcp 10.0.0.1 27320 <-> 10.90.10.3
fw#

HTH, Nikos
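To make the evaluation order discussed in this thread concrete, here is a small Python model of ipfw first-match semantics with keep-state, added for this page; it is neither part of the thread nor FreeBSD's ipfw code. The behaviour that a dynamic match on a 'fwd' parent passes reverse-direction traffic without setting a next hop is an assumption about ipfw internals (marked in the code), and since the thread elides the service port, the tests use a constructed one.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")
# action is "allow", "deny" or "fwd"; dst is "any" or an exact address;
# dport None means any port; next_hop is the fwd target.
Rule = namedtuple("Rule", "num action dst dport keep_state next_hop",
                  defaults=("any", None, False, None))

class Ipfw:
    """First-match-wins evaluation with an implicit check-state at the first
    keep-state rule; the default rule 65535 is 'allow', as on the fw above."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.states = {}   # (src, sport, dst, dport) -> parent rule number

    def _matches(self, r, p):
        return r.dst in ("any", p.dst) and r.dport in (None, p.dport)

    def _lookup_state(self, p):
        for key, direction in (((p.src, p.sport, p.dst, p.dport), "forward"),
                               ((p.dst, p.dport, p.src, p.sport), "reverse")):
            if key in self.states:
                return self.states[key], direction
        return None, None

    def _act(self, r, direction):
        # Assumption about ipfw internals: a state match on a fwd parent sets
        # the next hop only in the forward direction; reverse traffic is passed.
        if r.action == "deny":
            return r.num, "deny", None
        hop = r.next_hop if r.action == "fwd" and direction == "forward" else None
        return r.num, "allow", hop

    def process(self, p):
        """Return (rule number, verdict, next hop or None) for packet p."""
        checked = False
        for r in self.rules:
            if r.keep_state and not checked:      # implicit check-state
                checked = True
                parent, direction = self._lookup_state(p)
                if parent is not None:
                    pr = next(x for x in self.rules if x.num == parent)
                    return self._act(pr, direction)
            if not self._matches(r, p):
                continue
            if r.keep_state:                      # create the dynamic rule
                self.states[(p.src, p.sport, p.dst, p.dport)] = r.num
            return self._act(r, "forward")        # first match is terminal
        return 65535, "allow", None
```

Feed it the two rules from the ruleset above plus a constructed service port, and the model reproduces the observed outcomes: the outbound connection is forwarded to 10.0.0.100 and creates state, the reply is passed on that state without a next hop, and port 9998 is denied by rule 200.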
Re: ipfw fwd and ipfw allow
Am I asking something unreasonable?

Victor Sudakov wrote:

> What tricks do you use if you need to allow a packet and then fwd it (or
> vice versa)? The search terminates and the packet quits ipfw on fwd as
> well as on allow.
>
> How do I allow a packet and then policy route it? An example ruleset
> will be appreciated.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
Re: ipfw fwd and ipfw allow
On 9/7/2010 12:00 PM, Victor Sudakov wrote:

> Am I asking something unreasonable?

Not really, but if you ask, one could say that IPFW is a first-match-wins
firewall, so a fwd or an allow action would be the terminal one. You must
design your rules accordingly. There is also the skipto action, which can
alter the way packets flow through the rules.

Could you describe in a concrete example what you're trying to achieve?

HTH, Nikos
Re: ipfw fwd and ipfw allow
Nikos Vassiliadis wrote:

> > Am I asking something unreasonable?
>
> Not really, but if you ask, one could say that IPFW is a first-match-wins
> firewall, so a fwd or an allow action would be the terminal one. You must
> design your rules accordingly. There is also the skipto action, which can
> alter the way packets flow through the rules.
>
> Could you describe in a concrete example what you're trying to achieve?

I want forwarded packets to create a dynamic allow rule.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
Re: ipfw fwd and ipfw allow
On 9/7/2010 2:00 PM, Victor Sudakov wrote:

> Nikos Vassiliadis wrote:
>
> > > Am I asking something unreasonable?
> >
> > Not really, but if you ask, one could say that IPFW is a first-match-wins
> > firewall, so a fwd or an allow action would be the terminal one. You must
> > design your rules accordingly. There is also the skipto action, which can
> > alter the way packets flow through the rules.
> >
> > Could you describe in a concrete example what you're trying to achieve?
>
> I want forwarded packets to create a dynamic allow rule.

You can combine fwd and keep-state. Could you be more specific?
Re: ipfw fwd and ipfw allow
Nikos Vassiliadis wrote:

> > > > Am I asking something unreasonable?
> > >
> > > Not really, but if you ask, one could say that IPFW is a first-match-wins
> > > firewall, so a fwd or an allow action would be the terminal one. You must
> > > design your rules accordingly. There is also the skipto action, which can
> > > alter the way packets flow through the rules.
> > >
> > > Could you describe in a concrete example what you're trying to achieve?
> >
> > I want forwarded packets to create a dynamic allow rule.
>
> You can combine fwd and keep-state.

I hope so. I just don't understand how.

> Could you be more specific?

A packet generated locally
1) should be forwarded by a 'fwd' rule and
2) should create a dynamic 'allow' rule for returning traffic.

Could you please suggest a ruleset for this.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
ipfw fwd and ipfw allow
Colleagues,

What tricks do you use if you need to allow a packet and then fwd it (or
vice versa)? The search terminates and the packet quits ipfw on fwd as
well as on allow.

How do I allow a packet and then policy route it? An example ruleset
will be appreciated.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru