fwd'ing packet originally destined to local interface problem

Jose Hidalgo Herrera jose at hostarica.com
Fri Sep 3 12:21:00 PDT 2004


I think you need:
ipfw add 1 check-state
ipfw add 2 skipto 10 ........


On Fri, 2004-09-03 at 13:00, George S wrote:

> I am having some trouble with a specialized IDS testing framework I am
> working on.
> 
> Here is my setup:
> -FreeBSD 5.2.1-release running with firewall options configured, bridging
> off, default to accept
> -fxp0: inet 10.0.0.50 netmask 255.255.255.0
> -fxp1: inet 192.168.1.3 netmask 255.255.255.0
> -default gateway 10.0.0.1 / no static-routes set
> -ipfw ruleset as follows:
>   ipfw add 1 skipto 10 tcp from 10.0.0.50 to any setup recv fxp1 keep-state
>   ipfw add 5 allow ip from any to any
>   ipfw add 10 fwd 10.0.0.1 tcp from 10.0.0.50 to any
>   ipfw add 11 fwd 192.168.1.2 tcp from any to 10.0.0.50
>   ipfw add 65536 allow ip from any to any
> 
> When a custom packet (with src ip 10.0.0.50 and SYN bit) arrives at the fxp1
> interface, it is forwarded out of the fxp0 interface, as expected. When the
> response (with dst ip 10.0.0.50 and SYN+ACK) arrives on fxp0 however, rule
> #11 registers the packet by updating its counter, but the packet does not
> get written out on the fxp1 wire, as I would expect (or hope) it to!
> 
> Is this a problem with the code or my ruleset or did I erroneously predict
> the resulting behaviour?
> 
> Many thanks in advance for any help any guru here can provide.
> 
> Kindest regards,
> 
> George
> 
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"

-- 
Jose Hidalgo Herrera <jose at hostarica.com>
Corp. Hosta Rica
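The ruleset below is an added example, not code posted by Jose or George: George's rules written as an rc.firewall-style script with Jose's check-state rule placed in front of the keep-state rule, followed by the commands one would run to see which rule the returning SYN+ACK actually hits and whether a dynamic rule exists for the flow. Addresses and interface names are taken from George's post; the rule numbers other than 1 and 2, the final catch-all number, and the FWCMD dry-run convention are assumptions of this example. Note that the fwd action is only available in a kernel built with options IPFIREWALL_FORWARD, and passing packets between fxp0 and fxp1 also needs net.inet.ip.forwarding set to 1.

```sh
#!/bin/sh
# Added example, not code from the thread. George's ruleset with Jose's
# check-state rule in front, written as an rc.firewall-style script.
# Addresses and interface names come from George's post; the rule
# numbers after 2 and the FWCMD dry-run convention are assumptions.

# Default is a dry run that only prints the rules; set FWCMD=/sbin/ipfw to apply.
fwcmd="${FWCMD:-echo}"

load_rules() {
    # -q suppresses the confirmation prompt of flush.
    $fwcmd -q flush
    # Consult the dynamic table first, so a reply packet is handled by the
    # action of the rule that created its state (skipto 10) whichever
    # interface it arrives on.
    $fwcmd add 1 check-state
    # The crafted SYN (src 10.0.0.50) entering on fxp1 creates the state.
    $fwcmd add 2 skipto 10 tcp from 10.0.0.50 to any setup recv fxp1 keep-state
    # Everything that is not part of the test flow is accepted here.
    $fwcmd add 5 allow ip from any to any
    # Outbound side of the flow: hand it to the default gateway on fxp0.
    $fwcmd add 10 fwd 10.0.0.1 tcp from 10.0.0.50 to any
    # Reply side: steer the SYN+ACK toward the host on the fxp1 side.
    $fwcmd add 11 fwd 192.168.1.2 tcp from any to 10.0.0.50
    # Catch-all for skipto'd packets that matched neither fwd rule
    # (65000 is an assumed number; 65535 is the kernel's default rule).
    $fwcmd add 65000 allow ip from any to any
}

# What to look at while the test packet is in flight (FreeBSD only).
show_state() {
    # Per-rule packet/byte counters: is rule 11 the one that increments?
    $fwcmd show
    # -d also lists dynamic rules; each entry names the parent rule whose
    # action a matching packet takes, and shows the flow's two endpoints.
    $fwcmd -d show
    # fwd needs options IPFIREWALL_FORWARD in the kernel, and traffic
    # crossing from fxp0 to fxp1 needs IP forwarding enabled as well.
    sysctl net.inet.ip.forwarding net.inet.ip.fw.enable net.inet.ip.fw.dyn_count
}
```

Run it once as is to review the rule order it would install, then with FWCMD=/sbin/ipfw to load it; `load_rules` and `show_state` are meant to be called from a root shell on the FreeBSD box.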

