A problem with ipfw/ipfw2
Ping-Da
edwardc at seed.net.tw
Thu Jul 3 02:07:15 PDT 2003
Hi All,
I recently ran into a problem using ipfw with the following ruleset:
%ipfw show
00100 418 46912 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
01000 1 60 skipto 65000 log tcp from any to any dst-port 80 MAC any 00:d0:59:b5:79:97
60000 8 420 fwd 192.168.1.223,8080 log tcp from any to any dst-port 80
65000 6462 359402 allow ip from any to any
65535 7 603 deny ip from any to any
Here's my ipfw ruleset. These rules are set on a NAT box, where I redirect
any port request to a dedicated proxy for transproxy, and that is fine.
But I want some PCs with certain MAC addresses to be able to bypass the
forward setting, so I added rule #1000, but it doesn't work. Here's the log
in /var/log/security:
Jul 3 15:54:49 lavender /kernel: ipfw: 1000 SkipTo 65000 TCP 192.168.1.210:1036 195.40.122.44:80 in via de0
Jul 3 15:54:49 lavender /kernel: ipfw: 60000 Forward to 192.168.1.223:8080 TCP 192.168.1.210:1036 195.40.122.44:80 in via de0
It seems rule #1000 has been executed, but I have no idea why rule #60000
is executed when the packet has been skipto'd to 65000.
I guess that could be caused by the difference between an "IP" packet and
a "TCP" packet, but I don't have a clue how to solve this problem. Can
anyone give me a hint? Thanks.
Regards,
Edward
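As an added example (not code from the original post or from ipfw itself), the following Python script parses the posted ruleset and walks it with ipfw2's skipto semantics for the packet in the log. It also models one assumption about ipfw2 of that era, documented in ipfw(8): with net.link.ether.ipfw=1 the same packet is presented to the firewall once as a layer-2 frame and again as a layer-3 packet, and a MAC option can only match on the layer-2 pass. Under that assumption the walker reproduces both log lines: the layer-2 pass hits rule 1000 and skips to 65000, the layer-3 pass cannot match the MAC option and falls through to the fwd rule at 60000. The packet fields, MAC addresses other than the one in rule 1000, and all function names are constructed for the example.

```python
"""Toy ipfw2 rule walker (added example, not from the original post).

Models only the semantics needed for the posted ruleset: rules are tried in
numeric order; allow/deny/fwd are terminal; 'skipto N' resumes at the first
rule numbered >= N.  Assumption (from ipfw(8) of that era): with
net.link.ether.ipfw=1 a packet is checked once at layer 2 and again at
layer 3, and MAC options only match on the layer-2 pass.
"""
import ipaddress
import re

# Ruleset copied from the post, one rule per line, packet/byte counters dropped.
POSTED_RULESET = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
01000 skipto 65000 log tcp from any to any dst-port 80 MAC any 00:d0:59:b5:79:97
60000 fwd 192.168.1.223,8080 log tcp from any to any dst-port 80
65000 allow ip from any to any
65535 deny ip from any to any
"""

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny|skipto\s+\d+|fwd\s+\S+)\s+(?:log\s+)?"
    r"(?P<proto>ip|tcp|udp)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<rest>.*)$"
)


def parse_rules(text):
    """Parse 'ipfw show'-style lines into dicts; raise on anything unknown."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed rule: " + line)
        rest = m.group("rest")
        opts = {"src": m.group("src"), "dst": m.group("dst")}
        dp = re.search(r"\bdst-port\s+(\d+)", rest)
        if dp:
            opts["dst_port"] = int(dp.group(1))
        via = re.search(r"\bvia\s+(\S+)", rest)
        if via:
            opts["via"] = via.group(1)
        mac = re.search(r"\bMAC\s+(\S+)\s+(\S+)", rest)
        if mac:  # ipfw syntax is 'MAC dst-mac src-mac'
            opts["mac"] = (mac.group(1).lower(), mac.group(2).lower())
        rules.append({"num": int(m.group("num")), "action": m.group("action"),
                      "proto": m.group("proto"), "opts": opts})
    return rules


def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt, layer2):
    o = rule["opts"]
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not _addr_match(o["src"], pkt["src"]) or not _addr_match(o["dst"], pkt["dst"]):
        return False
    if "via" in o and o["via"] != pkt["iface"]:
        return False
    if "dst_port" in o and o["dst_port"] != pkt["dst_port"]:
        return False
    if "mac" in o:
        if not layer2:
            return False  # assumption: MAC options never match on the layer-3 pass
        want_dst, want_src = o["mac"]
        if want_dst != "any" and want_dst != pkt["dst_mac"].lower():
            return False
        if want_src != "any" and want_src != pkt["src_mac"].lower():
            return False
    return True


def walk(rules, pkt, layer2=False):
    """One pass through the list: return (verdict, [rule numbers that matched])."""
    matched, i = [], 0
    while i < len(rules):
        r = rules[i]
        if rule_matches(r, pkt, layer2):
            matched.append(r["num"])
            if r["action"].startswith("skipto"):
                target = int(r["action"].split()[1])
                i = next((j for j, x in enumerate(rules) if x["num"] >= target), len(rules))
                continue
            return r["action"], matched
        i += 1
    return "deny", matched  # not reached while the 65535 default rule is present


def check(rules, pkt, ether_ipfw):
    """Verdicts for one packet; with net.link.ether.ipfw=1 it is checked twice."""
    passes = [True, False] if ether_ipfw else [False]
    return [walk(rules, pkt, layer2=l2) for l2 in passes]


# Constructed packet matching the post's log line: 192.168.1.210:1036 -> :80 in via de0.
PACKET = {"proto": "tcp", "src": "192.168.1.210", "dst": "195.40.122.44",
          "dst_port": 80, "iface": "de0",
          "src_mac": "00:d0:59:b5:79:97", "dst_mac": "00:00:00:00:00:01"}

if __name__ == "__main__":
    rules = parse_rules(POSTED_RULESET)
    for flag in (0, 1):
        print("net.link.ether.ipfw=%d:" % flag, check(rules, PACKET, bool(flag)))
```

With net.link.ether.ipfw=0 the packet is only seen at layer 3, rule 1000 never matches and the fwd rule fires; with it set to 1 the layer-2 pass produces "1000 SkipTo 65000" and the layer-3 pass still produces "60000 Forward", which is the pair of log lines in the post. A practical check on a real box is `sysctl net.link.ether.ipfw` next to the ruleset.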