ipfw + MAC nothing happens?
Christian Hiris
4711 at chello.at
Sat Jan 8 13:36:28 PST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Saturday 08 January 2005 17:46, heath, Chia Hui Chen wrote:
> It's strange.
> I use two computers to test.
> One called A (00:e0:18:62:xx:xx)
> another called B.
>
> And the ruleset is the same as you said.
> I try rebooting and using A to connect to port 443 of one site.
> IPFW output is below:
> ============================================================
The diverted packets are not layer-2 packets, so they must be able to bypass
the layer-2 rules. In our case all diverted packets match rule 30, because
neither of the two layer-2 rules (10 and 20) applies.
So please add the rule below to your ruleset. If this doesn't work, I will try
to reproduce this on one of my boxes.
ipfw add 9 skipto 50 all from any to any not layer2
> 00010 4 190 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
> 00020 2273 1136464 skipto 50 ip from any to any MAC any any
> 00030 3 144 deny tcp from any to any dst-port 443
> 00050 3476 1000174 divert 8668 ip from any to any via fxp0
> 00100 420 109610 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 65000 8022 3082293 allow ip from any to any
> 65535 1 89 deny ip from any to any
> ============================================================
>
> And then I test it by using computer B.
> Output is as below:
>
> ============================================================
> 00010 4 190 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
> 00020 4246 1931785 skipto 50 ip from any to any MAC any any
> 00030 6 288 deny tcp from any to any dst-port 443
> 00050 4699 1427090 divert 8668 ip from any to any via fxp0
> 00100 658 147594 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 65000 11953 4671673 allow ip from any to any
> 65535 1 89 deny ip from any to any
> ============================================================
> It seems that rule 20 is active, but rule 30 is active, too.
> What would I do next?
> I'm sorry to bother you, but could you help me again?
> Thanx!
>
> ----- Original Message -----
> From: "Christian Hiris" <4711 at chello.at>
> To: "heath, Chia Hui Chen" <heath0504 at gmail.com>
> Sent: Sunday, January 09, 2005 12:21 AM
> Subject: Re: ipfw + MAC nothing happens?
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Saturday 08 January 2005 16:57, heath, Chia Hui Chen wrote:
> > > Thanks.
> > > I tried it, but something is wrong.
> >
> > I would try to put the respective rules on top:
> >
> > ipfw add 10 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
> > ipfw add 20 skipto 50 ip from any to any MAC any any
> > ipfw add 30 deny tcp from any to any dst-port 443
> >
> > 00050 divert 8668 ip from any to any via fxp0
> > 00100 ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00300 deny ip from 127.0.0.0/8 to any
> > 65000 allow ip from any to any
> > 65535 deny ip from any to any
> >
> > If this also doesn't work, please post your ipfw output again.
> >
> > > 00050 22484 11388448 divert 8668 ip from any to any via fxp0
> > > 00100 4414 2006448 allow ip from any to any via lo0
> > > 00200 0 0 deny ip from any to 127.0.0.0/8
> > > 00300 0 0 deny ip from 127.0.0.0/8 to any
> > > 00400 52 4053 skipto 1000 ip from any to any MAC any 00:e0:18:62:xx:xx
> > > 00600 7008 3465293 skipto 65000 ip from any to any MAC any any
> > > 01000 33 1584 deny tcp from any to any dst-port 443
> > > 65000 46408 25226370 allow ip from any to any
> > > 65535 0 0 deny ip from any to any
> > >
> > > It looks like all my computers behind the NAT are denied access to port 443.
> > > Can you please tell me what's wrong?
> > > Thank you again.
> >
> > - --
> > Christian Hiris <4711 at chello.at> | OpenPGP KeyID 0x3BCA53BE
> > OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.6 (FreeBSD)
> >
> > iD8DBQFB4AiR09WjGjvKU74RAiShAJ9EnhROvbpSm61CXXxsNgLeCspPDgCdET99
> > xDxxjHfo2Y9n17w3S7p+9xY=
> > =eqfj
> > -----END PGP SIGNATURE-----
>
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
- --
Christian Hiris <4711 at chello.at> | OpenPGP KeyID 0x3BCA53BE
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)
iD8DBQFB4FJY09WjGjvKU74RAkkJAJ9Sb64T/iqGBhcRHVIc/CSgXLEkSACfQcxE
5LyuPZoRoHmL8cYXvO4hf8M=
=Kp2k
-----END PGP SIGNATURE-----
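The following is an added illustration of the rule walk described in the reply above; it is not code from the thread and not ipfw source. It models only the ipfw semantics the thread relies on: a rule carrying a MAC option matches only packets that still have an Ethernet header, `skipto N` continues at the first rule numbered N or higher, and evaluation stops at the first allow or deny. The rule numbers and host A's MAC are the ones quoted in the thread; host B's MAC, the traffic mix, the omission of the lo0/127.0.0.0/8 rules, and the treatment of `divert` as a plain pass-through are assumptions of this model. The counters it produces are computed here, not taken from the real ipfw output.

```python
"""Toy model of ipfw rule traversal for the ruleset discussed in this thread.

Added example (not ipfw code). It shows why host B's TCP/443 packets hit the
deny at rule 30 when they pass through ipfw without an Ethernet header, and
why the suggested `ipfw add 9 skipto 50 all from any to any not layer2` fixes it.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional

HOST_A_MAC = "00:e0:18:62:xx:xx"      # host A as quoted in the thread (masked there too)
HOST_B_MAC = "00:11:22:33:44:55"      # constructed MAC for host B (not from the thread)


@dataclass
class Packet:
    layer2: bool                      # True when ipfw sees the frame with its Ethernet header
    proto: str                        # "tcp" or "udp"
    dport: int
    src_mac: Optional[str] = None     # only meaningful for layer-2 packets


@dataclass
class Rule:
    number: int
    action: str                       # "skipto", "deny", "allow", "divert"
    target: Optional[int] = None      # skipto target or divert port
    proto: str = "ip"                 # "ip" matches any IP protocol; "tcp"/"udp" one of them
    dport: Optional[int] = None
    mac_src: Optional[str] = None     # "any" or a MAC; any MAC option makes this layer-2-only
    layer2: Optional[bool] = None     # explicit `layer2` (True) / `not layer2` (False) option
    count: int = 0                    # packets that matched this rule (the ipfw counter column)

    def matches(self, pkt: Packet) -> bool:
        if self.mac_src is not None:
            # A MAC option never matches a packet that has no Ethernet header.
            if not pkt.layer2:
                return False
            if self.mac_src != "any" and self.mac_src != pkt.src_mac:
                return False
        if self.layer2 is not None and self.layer2 != pkt.layer2:
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def walk(rules: List[Rule], pkt: Packet) -> int:
    """Return the number of the allow/deny rule that decides pkt, updating counters."""
    ordered = sorted(rules, key=lambda r: r.number)
    i = 0
    while i < len(ordered):
        rule = ordered[i]
        if not rule.matches(pkt):
            i += 1
            continue
        rule.count += 1
        if rule.action in ("allow", "deny"):
            return rule.number
        if rule.action == "skipto":
            # Continue with the first rule numbered >= target (ipfw skipto semantics).
            i = next(j for j, r in enumerate(ordered) if r.number >= rule.target)
            continue
        # divert: modelled here as "count and continue"; real ipfw hands the packet to
        # the divert socket (natd) and re-evaluates the reinjected packet later.
        i += 1
    raise RuntimeError("fell off the end of the ruleset; 65535 should always match")


def thread_ruleset(with_fix: bool) -> List[Rule]:
    """The ruleset from the thread (lo0 and 127.0.0.0/8 rules omitted, they do not matter here)."""
    rules = [
        Rule(10, "skipto", 30, mac_src=HOST_A_MAC),   # host A -> port-443 deny block
        Rule(20, "skipto", 50, mac_src="any"),        # every other layer-2 frame -> NAT
        Rule(30, "deny", proto="tcp", dport=443),
        Rule(50, "divert", 8668),
        Rule(65000, "allow"),
        Rule(65535, "deny"),
    ]
    if with_fix:
        # ipfw add 9 skipto 50 all from any to any not layer2
        rules.append(Rule(9, "skipto", 50, layer2=False))
    return rules


def simulate(with_fix: bool) -> Dict[int, int]:
    """Run a constructed traffic mix through the ruleset and return rule -> match counter.

    Each host's HTTPS packet is seen twice: once as a frame with its Ethernet
    header and once in a pass without one (the diverted packets of the reply).
    The two passes are treated independently here.
    """
    rules = thread_ruleset(with_fix)
    traffic = [
        Packet(True, "tcp", 443, HOST_A_MAC),
        Packet(False, "tcp", 443),
        Packet(True, "tcp", 443, HOST_B_MAC),
        Packet(False, "tcp", 443),
    ]
    for pkt in traffic:
        walk(rules, pkt)
    return {r.number: r.count for r in sorted(rules, key=lambda r: r.number)}


if __name__ == "__main__":
    for fix in (False, True):
        print("with rule 9:" if fix else "without rule 9:", simulate(fix))
```

Without rule 9 the packet that lacks an Ethernet header falls past rules 10 and 20 (neither can match it) straight into rule 30, which is why rule 30's counter climbs even for host B; with rule 9 in place that packet is sent to rule 50 first, and only host A's layer-2 frames reach the deny.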