Re: ipfw pipes + firewall
From: Alex de Kruijff (freebsd_at_akruijff.dds.nl)
Date: 11/28/03
- Previous message: Stephen Hilton: "Re: usb digital camera"
- In reply to: Khairil Yusof: "ipfw pipes + firewall"
- Next in thread: Khairil Yusof: "Re: ipfw pipes + firewall"
- Reply: Khairil Yusof: "Re: ipfw pipes + firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Fri, 28 Nov 2003 23:45:36 +0100 To: Khairil Yusof <kaeru@pd.jaring.my>
On Fri, Nov 28, 2003 at 09:37:06PM +0800, Khairil Yusof wrote:
> I've read the man pages, and tested it out, and just want to confirm
> that what I"m doing is right and that I didn't miss anything.
>
> Disable one_pass so that packets after matching pipe rule will continue
> on to other rules. Without this, packets matching pipes are not not
> applied again against firewall rules.
>
> net.inet.ip.fw.one_pass: 0
>
> I then put the pipe rules before any firewall rules so that anything
> going in and out (in this case) go through the pipes first. They are
> then matched by normal firewall rules.
>
> 00100 83 11350 pipe 1 ip from any to any out
> 00200 93 11266 pipe 2 ip from any to any in
> 00300 0 0 check-state
> 00400 0 0 deny tcp from any to any established
> 01400 103 14855 allow tcp from any to me dst-port 22 in setup keep-state
> ... more firewall rules which are being matched
>
> From what I can see the pipe rules are being matched. I tested bandwidth
> controls, and they work. And I also could not access ports which I did
> have a dynamic rule for (as in 01400).
I find your 400 rule very strage. Rule 400 souldn't apply because they
are passed by 300 (this one doens't have a counter :( ).
For rule 1400 the dst-port is wronly placed. Port are (or can be) given
afther the ip without any marker. I would replace 1400 with:
allow tcp from any to me 22 in
allow tcp from me 22 to any out
No need to have dynamic rules here so place it before 300
-- Alex Articles based on solutions that I use: http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/ _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
- Previous message: Stephen Hilton: "Re: usb digital camera"
- In reply to: Khairil Yusof: "ipfw pipes + firewall"
- Next in thread: Khairil Yusof: "Re: ipfw pipes + firewall"
- Reply: Khairil Yusof: "Re: ipfw pipes + firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
