fwd'ing packet originally destined to local interface problem
George S
c0sine at yahoo.com
Fri Sep 3 13:44:38 PDT 2004
Hi,
Thank you for the suggestion, but that didn't make any difference, which is
consistent with the docs "If no check-state rule is found, the dynamic
rule-set is checked at the first keep-state or limit rule" (in my case, rule
#1). My dynamic rule set is checked on rule #1 and that causes a skipto 10,
where the next matching rule is #11. The packet count is updated, but *i do
not see the packet coming out the fxp1 interface*.
Any other suggestions?
George
>I think you need:
>ipfw add 1 check-state
>ipfw add 2 skipto 10 ........
>
>
>On Fri, 2004-09-03 at 13:00, George S wrote:
>
>> I am having some trouble with a specialized IDS testing framework I am
>> working on.
>>
>> Here is my setup:
>> -FreeBSD 5.2.1-release running with firewall options configured, bridging
>> off, default to accept
>> -fxp0: inet 10.0.0.50 netmask 255.255.255.0
>> -fxp1: inet 192.168.1.3 netmask 255.255.255.0
>> -default gateway 10.0.0.1 / no static-routes set
>> -ipfw ruleset as follows:
>> ipfw add 1 skipto 10 tcp from 10.0.0.50 to any setup recv fxp1 keep-state
>> ipfw add 5 allow ip from any to any
>> ipfw add 10 fwd 10.0.0.1 tcp from 10.0.0.50 to any
>> ipfw add 11 fwd 192.168.1.2 tcp from any to 10.0.0.50
>> ipfw add 65536 allow ip from any to any
>>
>> When a custom packet (with src ip 10.0.0.50 and SYN bit) arrives at the fxp1
>> interface, it is forwarded out of the fxp0 interface, as expected. When the
>> response (with dst ip 10.0.0.50 and SYN+ACK) arrives on fxp0 however, rule
>> #11 registers the packet by updating its counter, but the packet does not
>> get written out on the fxp1 wire, as I would expect (or hope) it to!
>>
>> Is this a problem with the code or my ruleset or did I erroneously predict
>> the resulting behaviour?
>>
>> Many thanks in advance for any help any guru here can provide.
>>
>> Kindest regards,
>>
>> George
>>
>
>--
>Jose Hidalgo Herrera <jose at hostarica.com>
>Corp. Hosta Rica
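To make the evaluation order discussed above concrete (no check-state rule, so the dynamic rule set is consulted at the first keep-state rule, whose skipto 10 then leads to rule #11 for the SYN+ACK), here is an added example that is not from the thread or from ipfw itself: a deliberately simplified Python model of this ruleset. The packet representation, the five match options modelled, the bidirectional 5-tuple state table and the sample peer 10.0.0.7 with ports 1234/80 are all assumptions of the model, not ipfw's real implementation.

```python
# Simplified model (an assumption of this example, not ipfw's code) of how the
# thread's ruleset dispatches packets: with no check-state rule, the dynamic rule
# set is consulted at the first keep-state rule, and a dynamic hit runs its action.
RULES = [
    {"num": 1, "action": ("skipto", 10), "src": "10.0.0.50",
     "setup": True, "recv": "fxp1", "keep_state": True},
    {"num": 5, "action": ("allow",)},
    {"num": 10, "action": ("fwd", "10.0.0.1"), "src": "10.0.0.50"},
    {"num": 11, "action": ("fwd", "192.168.1.2"), "dst": "10.0.0.50"},
    {"num": 65536, "action": ("allow",)},
]

def static_match(rule, pkt):
    """Match a rule's explicit options against a packet; "setup" = SYN without ACK."""
    return ((not rule.get("src") or pkt["src"] == rule["src"])
            and (not rule.get("dst") or pkt["dst"] == rule["dst"])
            and (not rule.get("setup") or (pkt["syn"] and not pkt["ack"]))
            and (not rule.get("recv") or pkt["recv"] == rule["recv"]))

def evaluate(pkt, dyn):
    """Walk RULES for pkt; return (matched rule numbers, final action). dyn = dynamic rule set."""
    fwd_key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    rev_key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    trace, i = [], 0
    while i < len(RULES):
        rule = RULES[i]
        dyn_hit = rule.get("keep_state") and (fwd_key in dyn or rev_key in dyn)
        hit = dyn_hit or static_match(rule, pkt)  # dynamic rules match both directions
        if hit and not dyn_hit and rule.get("keep_state"):
            dyn.add(fwd_key)  # the first SYN creates the dynamic rule
        if not hit:
            i += 1
            continue
        trace.append(rule["num"])  # this is the counter George sees updating
        if rule["action"][0] == "skipto":
            target = rule["action"][1]
            i = next(j for j, r in enumerate(RULES) if r["num"] >= target)
            continue
        return trace, rule["action"]
    return trace, ("deny",)  # never reached: rule 65536 matches everything

# Constructed sample packets: the crafted SYN entering on fxp1 and its reply.
SYN = dict(src="10.0.0.50", sport=1234, dst="10.0.0.7", dport=80,
           syn=True, ack=False, recv="fxp1")
SYNACK = dict(src="10.0.0.7", sport=80, dst="10.0.0.50", dport=1234,
              syn=True, ack=True, recv="fxp0")

def trace_session():
    """Run the SYN, then its SYN+ACK, through the ruleset with shared state."""
    dyn = set()
    return evaluate(SYN, dyn), evaluate(SYNACK, dyn)
```

The model only shows which rule and action each packet reaches; it says nothing about what the kernel does with a fwd whose destination is one of its own addresses, which is the open question in the thread.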