Strange problem

Jason Mattax jmattax at storytotell.org
Sat Feb 12 03:02:12 UTC 2011


I'm currently running 8.1-RELEASE-p2 and attempting to set up a firewall
with natd and ipfw. I was trying a more complicated ipfw script and had
some problems. I reduced my rule set to the smallest sets I could manage
to find the exact rule that causes problems. xl0 is my world facing
interface and re0 faces my internal network. The working ruleset is

$ipfw list

00050 allow ip from any to any via lo0
00100 divert 8668 log ip from any to any in via xl0
10000 divert 8668 log ip from any to any out via xl0
10005 allow ip from any to any
65535 allow ip from any to any

With this I get a log containing

$tail ipfw.log
Feb 10 20:37:53 stilgar kernel: ipfw: 100 Divert 8668 TCP
192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP
192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:37:54 stilgar kernel: ipfw: 10000 Divert 8668 TCP
192.168.0.10:22 192.168.0.15:60569 out via xl0
Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP
192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP
192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:37:54 stilgar kernel: ipfw: 10000 Divert 8668 TCP
192.168.0.10:22 192.168.0.15:60569 out via xl0
Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP
192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP
192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:37:54 stilgar kernel: ipfw: 10000 Divert 8668 TCP
192.168.0.10:22 192.168.0.15:60569 out via xl0
Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP
192.168.0.15:60569 192.168.0.10:22 in via xl0

Both of the diverts are working and machines attached to the internal NIC can communicate through the computer. Now, because I would like to be able to drop some packets, I'm going to add a skip, since eventually that will get me where I want to be. This just adds rule 00310, which skips over no rules all the time:

$ipfw list
00050 allow ip from any to any via lo0
00100 divert 8668 log ip from any to any in via xl0
00310 skipto 9999 log ip from any to any
10000 divert 8668 log ip from any to any out via xl0
10005 allow ip from any to any
65535 allow ip from any to any

Now the log contains

$tail ipfw.log
Feb 10 20:36:45 stilgar kernel: ipfw: 100 Divert 8668 TCP
192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP
192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP
192.168.0.10:22 192.168.0.15:60569 out via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 100 Divert 8668 TCP
192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP
192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 100 Divert 8668 TCP
192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP
192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP
192.168.0.10:22 192.168.0.15:60569 out via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 100 Divert 8668 TCP
192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP
192.168.0.15:60569 192.168.0.10:22 in via xl0

Rules 100 and 310 are being hit, but rule 10000 is no longer triggering. This means that my outgoing packets aren't having their source address rewritten, so I don't get responses (and put unroutable traffic on the internet). Can anyone explain to me what I'm doing wrong here?

Jason Mattax








-- 
Jason Mattax
575-418-1791
jmattax at storytotell.org
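A small parser for the ipfw log format quoted in the post, added here as an example (it is not from the original mail or from FreeBSD): it rejoins the lines the mail client wrapped, then reports which rule numbers fired for inbound and outbound packets, so a rule that has silently stopped matching (10000 in the second log) shows up without reading the tail by hand. The embedded sample is constructed from the second ipfw.log excerpt above; the function names are the example's own.

```python
import re
from collections import defaultdict

# One ipfw log record, once the wrapped line has been rejoined:
#   ... kernel: ipfw: <rule> <Action [arg]> <proto> <src> <dst> <in|out> via <iface>
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+(?: \d+)?) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)$"
)

# Constructed sample: the log after rule 310 was added, wrapped exactly as in the mail.
LOG_AFTER_SKIPTO = """
Feb 10 20:36:45 stilgar kernel: ipfw: 100 Divert 8668 TCP
192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP
192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP
192.168.0.10:22 192.168.0.15:60569 out via xl0
"""

def rejoin_wrapped(text):
    # A line without "ipfw:" is the wrapped tail of the record before it.
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if "ipfw:" in line:
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records

def parse_records(text):
    # Yield one dict per parseable record; anything else is skipped.
    for rec in rejoin_wrapped(text):
        m = LOG_RE.search(rec)
        if m:
            yield m.groupdict()

def rules_by_direction(text):
    # Which rule numbers logged a hit for "in" and for "out" packets.
    seen = defaultdict(set)
    for rec in parse_records(text):
        seen[rec["dir"]].add(int(rec["rule"]))
    return {d: sorted(rules) for d, rules in seen.items()}

def silent_rules(expected_rules, text):
    # Logging rules from the ruleset that never appear in the log.
    fired = {int(rec["rule"]) for rec in parse_records(text)}
    return sorted(set(expected_rules) - fired)
```

Running `silent_rules([100, 310, 10000], LOG_AFTER_SKIPTO)` on the second log returns `[10000]`, and `rules_by_direction` shows outbound traffic reaching 310 only; the same functions applied to a longer log, or to one where rule 10000 does fire, give the comparison the post makes by eye.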


