ipfw + MAC nothing happens?
heath, Chia Hui Chen
heath0504 at gmail.com
Sat Jan 8 08:46:47 PST 2005
It's strange.
I use two computers to test.
One called A (00:e0:18:62:xx:xx)
another called B.
And the ruleset is the same as you said.
I try rebooting and use A to connect to port 443 of one site.
IPFW output is below:
============================================================
00010 4 190 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
00020 2273 1136464 skipto 50 ip from any to any MAC any any
00030 3 144 deny tcp from any to any dst-port 443
00050 3476 1000174 divert 8668 ip from any to any via fxp0
00100 420 109610 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 8022 3082293 allow ip from any to any
65535 1 89 deny ip from any to any
============================================================
And then I test it by using computer B.
Output is as below:
============================================================
00010 4 190 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
00020 4246 1931785 skipto 50 ip from any to any MAC any any
00030 6 288 deny tcp from any to any dst-port 443
00050 4699 1427090 divert 8668 ip from any to any via fxp0
00100 658 147594 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 11953 4671673 allow ip from any to any
65535 1 89 deny ip from any to any
============================================================
It seems that rule 20 is active, but rule 30 is active, too.
What should I do next?
I'm sorry to bother you, but could you help me again?
Thanx!
----- Original Message -----
From: "Christian Hiris" <4711 at chello.at>
To: "heath, Chia Hui Chen" <heath0504 at gmail.com>
Sent: Sunday, January 09, 2005 12:21 AM
Subject: Re: ipfw + MAC nothing happens?
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Saturday 08 January 2005 16:57, heath, Chia Hui Chen wrote:
> > Thanks.
> > I try it, but something wrong.
>
> I would try to put the respective rules on top:
>
> ipfw add 10 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
> ipfw add 20 skipto 50 ip from any to any MAC any any
> ipfw add 30 deny tcp from any to any dst-port 443
>
> 00050 divert 8668 ip from any to any via fxp0
> 00100 ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> If this also doesn't work, please post your ipfw output again.
>
>
> > 00050 22484 11388448 divert 8668 ip from any to any via fxp0
> > 00100 4414 2006448 allow ip from any to any via lo0
> > 00200 0 0 deny ip from any to 127.0.0.0/8
> > 00300 0 0 deny ip from 127.0.0.0/8 to any
> > 00400 52 4053 skipto 1000 ip from any to any MAC any 00:e0:18:62:xx:xx
> > 00600 7008 3465293 skipto 65000 ip from any to any MAC any any
> > 01000 33 1584 deny tcp from any to any dst-port 443
> > 65000 46408 25226370 allow ip from any to any
> > 65535 0 0 deny ip from any to any
> >
> > It looks like all my computers behind the NAT are denied access to port 443.
> > Can you please tell me what's wrong?
> > Thank you again.
>
> - --
> Christian Hiris <4711 at chello.at> | OpenPGP KeyID 0x3BCA53BE
> OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (FreeBSD)
>
> iD8DBQFB4AiR09WjGjvKU74RAiShAJ9EnhROvbpSm61CXXxsNgLeCspPDgCdET99
> xDxxjHfo2Y9n17w3S7p+9xY=
> =eqfj
> -----END PGP SIGNATURE-----
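Added example, not part of either message in this thread: an rc.firewall-style loader for the ruleset Christian proposed, with the MAC rules confined to the layer-2 pass. With net.link.ether.ipfw=1 each packet is handed to ipfw twice, once at layer 2 (Ethernet header present) and once at the IP layer; the MAC option can only match on the layer-2 pass, so on the IP pass both rules 10 and 20 fail and the packet falls through to the unqualified rule 30, which is what makes "deny 443" count hits from B as well. Tagging rules 10 through 40 with layer2 and ending the layer-2 pass with an allow keeps the divert rule on the IP pass only. The firewall command, the blocked MAC, interface fxp0 and divert port 8668 are parameters or assumptions here, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): load the MAC-filtering ruleset so that
# the MAC checks and the port-443 deny are evaluated only on the layer-2 pass.
#
# load_rules FWCMD BLOCKED_MAC
#   FWCMD       /sbin/ipfw to apply the rules, or "echo" to preview them
#   BLOCKED_MAC source MAC of the host that must not reach port 443
load_rules() {
    fwcmd="$1"
    blocked="$2"

    ${fwcmd} -f flush

    # MAC option order is "MAC dst src", so "any ${blocked}" matches frames
    # sent by the blocked host.  "layer2" restricts the rule to the pass in
    # which an Ethernet header is actually present.
    ${fwcmd} add 10 skipto 30 ip from any to any MAC any "${blocked}" layer2

    # Every other frame is finished on the layer-2 pass here; it will be seen
    # again on the IP pass, starting at rule 50.
    ${fwcmd} add 20 allow ip from any to any layer2

    # Only frames from the blocked host arrive here (via skipto 30).  The
    # "layer2" tag keeps this deny from also matching on the IP pass, which is
    # the fall-through that the thread's counters show.
    ${fwcmd} add 30 deny tcp from any to any dst-port 443 layer2
    ${fwcmd} add 40 allow ip from any to any layer2

    # IP-pass rules, as in the original ruleset (interface and divert port
    # are assumptions).
    ${fwcmd} add 50 divert 8668 ip from any to any via fxp0
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
    ${fwcmd} add 65000 allow ip from any to any
}

# Apply for real only when asked to, e.g.: sh ipfw-mac.sh apply 00:e0:18:62:xx:xx
if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    # MAC matching needs the layer-2 pass enabled.
    sysctl net.link.ether.ipfw=1
    load_rules /sbin/ipfw "$2"
fi
```

Preview with `load_rules echo 00:e0:18:62:xx:xx` to read the rules before loading them; after loading, `ipfw -a list` should show rule 30 counting only the blocked host's port-443 attempts while rule 20's counter carries the rest of the layer-2 traffic.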