ipfw address-listing woes
Martes Wigglesworth
martes.wigglesworth at earthlink.net
Wed Oct 20 12:02:13 PDT 2004
I am having a bit of a time getting a rule to be recognized with an
address-list in it. I have two identical natd boxes for my
organization; however, I am unable to get the production machine to
recognize particular rules, as illustrated below:
router1 (production firewall that has to be open to everything out, right
now.)
> sudo ipfw show
00097 8 672 deny log icmp from any to any icmptypes 8 in recv sis0
00098 80 6722 allow ip from any to any via lo0
00099 0 0 allow ip from 127.0.0.1 to 127.0.0.1
00100 23 20 allow tcp from any to any dst-port 22 setup keep-state
00101 0 0 deny log ip from any to any in recv sis0 setup
00102 0 0 allow udp from 0.0.0.0 to 255.255.255.255 dst-port 67,68 setup keep-state
00103 0 0 allow udp from any to any dst-port 53 via xl0,rl0 keep-state
00104 54481 5930639 deny udp from any to any dst-port 137,138,513
***00105 0 0 allow tcp from 192.168.1.0/24,192.168.2.0/24 to any dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state***
^^
00106 0 0 allow udp from any to any dst-port 33435-33524 keep-state
00200 473701 204681004 divert 8668 ip from any to any via sis0
65535 944012 409148687 allow ip from any to any
Can anyone let me know why this is not working, because the rule is
recognized on the following test firewall:
gate1.276EN
> sudo ipfw show
00098 76 7306 allow ip from any to any via lo0
00099 28425 3694972 divert 8668 ip from any to any via sis0
00100 3126 990373 queue 1 log ip from any to 192.168.1.0/24 in recv sis0
00150 0 0 allow ip from 127.0.0.1 to 127.0.0.1
00151 3548 290790 allow tcp from any to any dst-port 22 setup keep-state
00202 0 0 allow udp from 0.0.0.0 to 255.255.255.255 dst-port 67,68 setup keep-state
00203 1032 101807 allow udp from any to any dst-port 53 via fxp0 keep-state
00204 21864 2369464 deny udp from any to any dst-port 137,138,513
****00205 2664 964612 allow tcp from 192.168.1.0/24 to any dst-port 21,25,80,110,443,995 via fxp0 setup keep-state****
^^^ ^^^^
00206 0 0 allow udp from any to any dst-port 33435-33524 keep-state
65535 3303 340052 allow ip from any to any
As you can see by the asterisks and the "^", the rule works on the test
firewall; however, it fails on the production one. I think it has to do
with my use of multiple NICs and/or address-lists in the production
firewall.
As always, any help is greatly appreciated.
Respectfully.
--
M.G.W.
Wiggtekmicro, Corp.
System:
Asus M6N
Intel Dothan 1.7
512MB RAM
40GB HD
10/100/1000 NIC
Wireless b/g (not working yet)
BSD-5.2.1
KDE-3.1.4
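As an added example (not part of the original post), this Python parser reads an `ipfw show` listing of the kind pasted above, re-joins lines that a mail client wrapped, and reports rules whose packet counter is zero and which use the comma-separated address or interface lists the post suspects; the sample listing is a constructed, trimmed copy of the production output with the asterisks removed.

```python
import re

# Constructed sample: a trimmed copy of the production "ipfw show" listing
# from the mail, keeping the wrapped lines exactly as the mailer broke them.
PRODUCTION_SHOW = """\
00097 8 672 deny log icmp from any to any icmptypes 8 in recv sis0
00098 80 6722 allow ip from any to any via lo0
00102 0 0 allow udp from 0.0.0.0 to 255.255.255.255 dst-port 67,68
setup keep-state
00103 0 0 allow udp from any to any dst-port 53 via xl0,rl0 keep-state
00104 54481 5930639 deny udp from any to any dst-port 137,138,513
00105 0 0 allow tcp from 192.168.1.0/24,192.168.2.0/24 to any
dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state
00200 473701 204681004 divert 8668 ip from any to any via sis0
65535 944012 409148687 allow ip from any to any
"""

# "ipfw show" prints: <rule number> <packets> <bytes> <rule body>
RULE_START = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_ipfw_show(text):
    """Parse 'ipfw show' output into dicts. A line that does not start
    with a rule number is a wrapped continuation of the previous rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_START.match(line)
        if m:
            rules.append({"num": int(m.group(1)), "pkts": int(m.group(2)),
                          "bytes": int(m.group(3)), "body": m.group(4)})
        elif rules:
            rules[-1]["body"] += " " + line
    return rules


def uses_list(body):
    """True if the from/to address or via/recv/xmit interface operand is a
    comma-separated list (port lists after dst-port do not count)."""
    tokens = body.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("from", "to", "via", "recv", "xmit") and "," in tokens[i + 1]:
            return True
    return False


def zero_hit_list_rules(rules):
    """Numbers of rules that never matched a packet and use list syntax."""
    return [r["num"] for r in rules if r["pkts"] == 0 and uses_list(r["body"])]
```

Running `zero_hit_list_rules(parse_ipfw_show(PRODUCTION_SHOW))` on the sample flags rules 00103 and 00105, the two production rules that combine a zero counter with an address or interface list.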