about ipfw rules on bridge boxes
From: Carlos Alarcón (calarcon_at_iracsa.com.mx)
Date: 07/21/04
- Previous message: Andy Dills: "Re: Diskusage per User / mysql"
- Next in thread: Andrew Riabtsev: "Re: about ipfw rules on bridge boxes"
- Reply: Andrew Riabtsev: "Re: about ipfw rules on bridge boxes"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: freebsd-isp@freebsd.org Date: Wed, 21 Jul 2004 11:39:04 -0600
Hi, I have a FreeBSD box acting as a bridge on my network, with two NICs, one of
them (the external one) with an IP. I use it as a traffic shaper; this works great.
I can't make the Squid transparent proxy work yet :( , I think doing that with a
bridge is a little strange, but my question is a different one.
Sometimes I want to display messages for my clients. I did this before, when I
was using NAT instead of a bridge, by redirecting the client's IP to my HTTP
server, where I had a web page that showed the content. This was working fine,
but NAT gave me some problems, so I use a bridge, and for me it works better.
Well, now that I want to use this redirection again, it only works when I have
proxy settings in my clients' browsers; when I don't have proxy settings in the
clients' browsers the redirection rule's counter shows that it doesn't match, and
I don't know why this rule is skipped. I attach my rules.
I have my Apache listening on port 81; I redirect all the web page requests from
client 172.16.1.58 to the HTTP server running on my bridge box:
fwd 127.0.0.1,81 tcp from 172.16.1.58 to any dst-port 80
bash-2.05b# ipfw show
00009 0 0 fwd 127.0.0.1,81 tcp from 172.16.1.58 to any dst-port 80
00011 0 0 deny ip from any to any MAC 00:02:2d:08:fd:5c any
00200 0 0 deny ip from any to any MAC any 00:02:2d:5e:0c:e5
00300 270 9646 deny ip from any to any MAC any 00:02:2d:67:42:fa
00400 0 0 deny ip from any to any MAC any 00:02:2d:3d:39:d7
00500 0 0 deny ip from any to any MAC any 00:02:2d:09:81:3c
00600 16084 50790 deny ip from any to any MAC any 00:02:2d:67:51:e3
00900 0 0 check-state
00950 101726 44396164 pipe 2 ip from any to 172.16.1.33
01000 57611 35521514 pipe 1 ip from any to 172.16.1.0/24
01100 54714 5999093 pipe 3 ip from 172.16.1.0/24 to any
01200 640165 234909932 allow tcp from 172.16.1.33 to any setup keep-state
01300 9709 1442183 allow udp from 172.16.1.33 to any keep-state
01400 60327 29747515 allow ip from 172.16.1.33 to any
01500 2730709 1590949972 allow tcp from any to any in via xl1 setup keep-state
01600 121973 43739565 allow udp from any to any in via xl1 keep-state
01700 59348 1840715 allow ip from any to any in via xl1
01800 0 0 allow tcp from any to any dst-port 22 in via xl1 setup keep-state
01900 0 0 allow tcp from any to any dst-port 113 in via xl1 setup keep-state
02000 0 0 allow tcp from any to any dst-port 49152-65535 in via xl1 setup keep-state
02100 322819 86172666 allow udp from any to any dst-port 49152-65535 in via xl0 keep-state
02200 67 3248 allow icmp from any to any icmptypes 8 keep-state
02300 125014 13868628 allow icmp from any to any icmptypes 3
02400 3423 387572 allow icmp from any to any icmptypes 11
02500 11784223 9455880276 allow ip from any to any
65535 35 1564 deny ip from any to any
thanks
_______________________________________________
freebsd-isp@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
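Editor's added example, not part of the post or of the thread's replies: a small first-match simulator for the listing above. It parses `ipfw show` lines (an abridged copy constructed from the post, wrapped lines rejoined, rules the walks never reach left out), walks a constructed TCP SYN from 172.16.1.58 through the rules, and reports which rule ends the walk and which dummynet pipes the packet passed on the way. Two things in it are assumptions rather than facts from the post: that xl1 is the inside interface (the post never says), and, from my own recollection of ipfw rather than anything stated here, that a fwd action is not honoured for packets ipfw receives from the bridge, so the rule is passed over without its counter moving. That second assumption is what the simulator encodes, and it is at least consistent with rule 00009 sitting at 0 packets while 01500 counts millions. The outside address 198.51.100.10 and the MAC addresses used in the walks are constructed test data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the rules from the post's `ipfw show` listing that the walks
# below touch (wrapped lines rejoined, other rules omitted for brevity).
# Columns: rule number, packet counter, byte counter, rule body.
LISTING = """\
00009 0 0 fwd 127.0.0.1,81 tcp from 172.16.1.58 to any dst-port 80
00011 0 0 deny ip from any to any MAC 00:02:2d:08:fd:5c any
00600 16084 50790 deny ip from any to any MAC any 00:02:2d:67:51:e3
00900 0 0 check-state
00950 101726 44396164 pipe 2 ip from any to 172.16.1.33
01000 57611 35521514 pipe 1 ip from any to 172.16.1.0/24
01100 54714 5999093 pipe 3 ip from 172.16.1.0/24 to any
01200 640165 234909932 allow tcp from 172.16.1.33 to any setup keep-state
01500 2730709 1590949972 allow tcp from any to any in via xl1 setup keep-state
01700 59348 1840715 allow ip from any to any in via xl1
02100 322819 86172666 allow udp from any to any dst-port 49152-65535 in via xl0 keep-state
02200 67 3248 allow icmp from any to any icmptypes 8 keep-state
02500 11784223 9455880276 allow ip from any to any
65535 35 1564 deny ip from any to any
"""

@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    iface: str = ""         # interface it arrived on; every simulated packet is inbound
    setup: bool = False     # TCP SYN without ACK, what ipfw calls "setup"
    icmptype: int = -1
    macs: tuple = ("", "")  # (dst MAC, src MAC), the order ipfw's MAC option uses
    layer2: bool = False    # handed to ipfw by the bridge with its Ethernet header attached

def parse_listing(text):
    """Parse `ipfw show` lines into (number, action, arg, proto, src, dst, opts) tuples."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        number, body = int(tok[0]), tok[3:]           # drop the two counters
        action, arg = body[0], ""
        if action in ("fwd", "pipe", "queue", "divert", "skipto"):
            arg, body = body[1], body[1:]
        if action == "check-state":
            rules.append((number, action, arg, "ip", "any", "any", {}))
            continue
        proto, src, dst, opts, j = body[1], body[3], body[5], {}, 6   # "<proto> from <src> to <dst>"
        while j < len(body):
            key = body[j]
            if key in ("dst-port", "via", "icmptypes"):
                opts[key] = body[j + 1]
                j += 2
            elif key == "MAC":
                opts[key] = (body[j + 1], body[j + 2])  # ipfw order: MAC dst-mac src-mac
                j += 3
            else:                                       # in, setup, keep-state, ...
                opts[key] = True
                j += 1
        rules.append((number, action, arg, proto, src, dst, opts))
    return rules

def in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def in_ports(spec, port):
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def matches(rule, p):
    """True when every condition in the rule body holds for packet p."""
    _, action, _, proto, src, dst, o = rule
    return (action != "check-state"                 # this simulator keeps no dynamic state
            and proto in ("ip", p.proto)
            and in_net(src, p.src) and in_net(dst, p.dst)
            and ("dst-port" not in o or in_ports(o["dst-port"], p.dport))
            and ("via" not in o or o["via"] == p.iface)
            and ("setup" not in o or p.setup)
            and ("icmptypes" not in o or str(p.icmptype) in o["icmptypes"].split(","))
            and all(m in ("any", have) for m, have in zip(o.get("MAC", ()), p.macs)))

def evaluate(rules, p, one_pass=False):
    """First-match walk; returns (matching rule number, its action, pipes traversed)."""
    pipes = []
    for rule in rules:
        number, action, arg = rule[:3]
        if not matches(rule, p):
            continue
        if action == "fwd" and p.layer2:
            # ASSUMPTION (editor's recollection, not something the post states): ipfw does
            # not honour fwd for packets it sees via the bridge; the rule is passed over
            # without counting a match and the walk simply goes on to the next rule.
            continue
        if action == "pipe":
            pipes.append(int(arg))
            if not one_pass:        # net.inet.ip.fw.one_pass=0: resume after dummynet
                continue
        return number, action, pipes
    raise RuntimeError("fell off the end of the rule list")
```

Usage: `evaluate(parse_listing(LISTING), Packet("tcp", "172.16.1.58", "198.51.100.10", dport=80, iface="xl1", setup=True, layer2=True))` returns `(1500, 'allow', [3])`, i.e. the client's SYN is shaped by pipe 3 and then accepted by the generic `in via xl1` rule, never reaching the web server on port 81; the same packet with `layer2=False` (the routed, NAT-era path) returns `(9, 'fwd', [])`. Passing `one_pass=True` mirrors net.inet.ip.fw.one_pass=1, where a packet is accepted straight after its pipe. `check-state` is modelled as never matching since the simulator keeps no dynamic rule table, so walks that depend on existing state are not represented.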