How to use IPFW to filter routing

Thomás thoms3rd at gmail.com
Sun Jan 29 16:40:41 UTC 2017


Sat, Jan 28, 2017 at 01:58:01PM +0100, Rakor:
> As far as I know a packet is scanned once by IPFW and then first hit wins. So, if I set the following, a packet coming from VLAN3 for port 80 is permitted to travel all the way it wants, even to VLAN2. Putting another rule behind just allowing to travel out using igb2 is not checked, because the search terminated after first hit.
>       ipfw add allow tcp 10.10.30.0/24 to any 80 setup keep-state

Have you tried something like this?

ipfw add deny tcp 10.10.30.0/24 to 10.10.10.0/24 setup keep-state
ipfw add deny tcp 10.10.30.0/24 to 10.10.20.0/24 setup keep-state
ipfw add allow tcp 10.10.30.0/24 to any 80 setup keep-state


> If I try the following the packets are all rejected. I think the inspection is done before the routing, so IPFW does not know it should be forwarded using igb2.
>       ipfw add allow tcp 10.10.30.0/24 to any 80 out via igb2 setup keep-state

IPFW can do routing table lookups as needed. Something else must be
going on here. Log rules may be of help to debug and understand your
ruleset.


> So I don’t know how to filter packets that should be routed in an exact manner. Can you help me?

There are plenty of ways to filter packets in that setup, the "exact"
one depends on what you are trying to achieve.


Cheers,

- Thomás

P.S.: sorry for the duplication, I'd forgotten to CC the list.
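An added illustration, not part of this thread and not FreeBSD's ipfw implementation: a small Python first-match evaluator for the rule subset quoted above, run over constructed packets against the broad-allow-first ordering from the question and the deny-first ordering suggested in the reply. It assumes the implicit default rule is deny and ignores `setup keep-state` (no dynamic rules are simulated).

```python
import ipaddress

# Constructed illustration of ipfw's "first hit wins" evaluation.
# Only the syntax seen in the thread is parsed:
#   ipfw add ACTION PROTO SRC to DST [PORT] [setup keep-state]
# State keywords are ignored, so this models the SYN packet only.

def parse_rule(line):
    """Parse one 'ipfw add ...' line into a rule dict."""
    t = line.split()
    assert t[:2] == ["ipfw", "add"], "expected an 'ipfw add' line"
    action, proto, src, to, dst = t[2:7]
    assert to == "to"
    port = int(t[7]) if len(t) > 7 and t[7].isdigit() else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def _net_match(spec, addr):
    # 'any' matches everything; otherwise a CIDR containment check.
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(rules, pkt):
    """Return the action of the first matching rule.
    Falls back to 'deny', the assumed implicit default rule."""
    for r in rules:
        if r["proto"] != pkt["proto"]:
            continue
        if not (_net_match(r["src"], pkt["src"]) and _net_match(r["dst"], pkt["dst"])):
            continue
        if r["port"] is not None and r["port"] != pkt["dport"]:
            continue
        return r["action"]          # first hit wins; later rules are never consulted
    return "deny"

# Ordering from the question: the broad allow sits before the inter-VLAN deny.
BROAD_FIRST = [parse_rule(l) for l in [
    "ipfw add allow tcp 10.10.30.0/24 to any 80 setup keep-state",
    "ipfw add deny tcp 10.10.30.0/24 to 10.10.20.0/24 setup keep-state",
]]
# Ordering from the reply: specific denies first, then the broad allow.
DENY_FIRST = [parse_rule(l) for l in [
    "ipfw add deny tcp 10.10.30.0/24 to 10.10.10.0/24 setup keep-state",
    "ipfw add deny tcp 10.10.30.0/24 to 10.10.20.0/24 setup keep-state",
    "ipfw add allow tcp 10.10.30.0/24 to any 80 setup keep-state",
]]

# Constructed packets: VLAN3 host -> VLAN2 web server, and VLAN3 host -> an external web server.
VLAN3_TO_VLAN2_WEB = {"proto": "tcp", "src": "10.10.30.5", "dst": "10.10.20.9", "dport": 80}
VLAN3_TO_EXTERNAL = {"proto": "tcp", "src": "10.10.30.5", "dst": "203.0.113.10", "dport": 80}
```

With the broad allow first the VLAN3-to-VLAN2 SYN is accepted and the deny behind it never runs; with the denies moved in front, inter-VLAN traffic is dropped while port 80 to external hosts still passes.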
