about ipfw rules on bridge boxes
Carlos Alarcón
calarcon at iracsa.com.mx
Wed Jul 21 10:40:08 PDT 2004
Hi, I have a FreeBSD box acting as a bridge on my network, with two NICs, one of them (the external one) with an IP. I use it as a traffic shaper, and this works great. I can't make the Squid transparent proxy work yet :( and I think doing it with a bridge is a little strange, but my question is a different one.
Sometimes I want to display messages for my clients. I did this before, when I was using NAT instead of a bridge, by redirecting the client IP to my HTTP server, and I had a web page that showed the content. This was working fine, but NAT gave me some problems, so now I use a bridge, and for me it is working better. Well, now that I want to use this redirection again, it only works when I have proxy settings in my clients' browsers. When I don't have proxy settings in the clients' browsers, the redirection rule's counter doesn't match; I don't know why this rule is skipped. I attach my rules.
I have my Apache listening on port 81. I redirect all the web page requests from client 172.16.1.58 to my HTTP server running on my bridge box:
fwd 127.0.0.1,81 tcp from 172.16.1.58 to
bash-2.05b# ipfw show
00009 0 0 fwd 127.0.0.1,81 tcp from 172.16.1.58 to any dst-port 80
00011 0 0 deny ip from any to any MAC 00:02:2d:08:fd:5c any
00200 0 0 deny ip from any to any MAC any 00:02:2d:5e:0c:e5
00300 270 9646 deny ip from any to any MAC any 00:02:2d:67:42:fa
00400 0 0 deny ip from any to any MAC any 00:02:2d:3d:39:d7
00500 0 0 deny ip from any to any MAC any 00:02:2d:09:81:3c
00600 16084 50790 deny ip from any to any MAC any 00:02:2d:67:51:e3
00900 0 0 check-state
00950 101726 44396164 pipe 2 ip from any to 172.16.1.33
01000 57611 35521514 pipe 1 ip from any to 172.16.1.0/24
01100 54714 5999093 pipe 3 ip from 172.16.1.0/24 to any
01200 640165 234909932 allow tcp from 172.16.1.33 to any setup keep-state
01300 9709 1442183 allow udp from 172.16.1.33 to any keep-state
01400 60327 29747515 allow ip from 172.16.1.33 to any
01500 2730709 1590949972 allow tcp from any to any in via xl1 setup keep-state
01600 121973 43739565 allow udp from any to any in via xl1 keep-state
01700 59348 1840715 allow ip from any to any in via xl1
01800 0 0 allow tcp from any to any dst-port 22 in via xl1 setup keep-state
01900 0 0 allow tcp from any to any dst-port 113 in via xl1 setup keep-state
02000 0 0 allow tcp from any to any dst-port 49152-65535 in via xl1 setup keep-state
02100 322819 86172666 allow udp from any to any dst-port 49152-65535 in via xl0 keep-state
02200 67 3248 allow icmp from any to any icmptypes 8 keep-state
02300 125014 13868628 allow icmp from any to any icmptypes 3
02400 3423 387572 allow icmp from any to any icmptypes 11
02500 11784223 9455880276 allow ip from any to any
65535 35 1564 deny ip from any to any
Thanks
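The first-match walk that ipfw performs over a ruleset like the one above, as an added example (not code from the post or from FreeBSD): it parses `ipfw show` lines and reports which rule ends evaluation for a given packet. The packet fields, the sample destination 198.51.100.10, and the decision to ignore MAC rules and dynamic state are assumptions. For a direct, non-proxied port-80 request from 172.16.1.58 the walk stops at rule 00009 before any pipe or allow rule, so a zero counter there is not a rule-ordering problem.

```python
import ipaddress
import re
# Constructed sample: a subset of the `ipfw show` output in the post, wrapped lines rejoined.
IPFW_SHOW = """00009 0 0 fwd 127.0.0.1,81 tcp from 172.16.1.58 to any dst-port 80
00900 0 0 check-state
01100 54714 5999093 pipe 3 ip from 172.16.1.0/24 to any
01500 2730709 1590949972 allow tcp from any to any in via xl1 setup keep-state
02500 11784223 9455880276 allow ip from any to any
65535 35 1564 deny ip from any to any"""
RULE_RE = re.compile(r"^(\d+)\s+\d+\s+\d+\s+(.*)$")  # number, pkts, bytes, body
TERMINAL = {"allow", "deny", "fwd"}                    # actions that end evaluation

def parse_rules(text):
    """Parse `ipfw show` lines into dicts sorted by number; check-state has no match fields and is skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or "from" not in m.group(2):
            continue
        body = m.group(2).split()
        i = body.index("from")  # body[:i] is "action [arg] proto"
        rules.append({"num": int(m.group(1)), "action": body[0], "proto": body[i - 1],
                      "src": body[i + 1], "dst": body[i + 3], "opts": body[i + 4:]})
    return sorted(rules, key=lambda r: r["num"])

def addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    """pkt keys (assumed model): proto, src, dst, dport, dir ('in'/'out'), iface, syn. MAC rules never match."""
    o = rule["opts"]
    if rule["proto"] not in ("ip", pkt["proto"]) or "MAC" in o or not (
            addr_ok(rule["src"], pkt["src"]) and addr_ok(rule["dst"], pkt["dst"])):
        return False
    for i, tok in enumerate(o):
        if tok == "dst-port":
            lo, _, hi = o[i + 1].partition("-")
            if not int(lo) <= pkt["dport"] <= int(hi or lo):
                return False
        elif (tok in ("in", "out") and pkt["dir"] != tok) or (tok == "via" and pkt["iface"] != o[i + 1]):
            return False
        elif tok == "setup" and not pkt["syn"]:
            return False
    return True

def first_match(rules, pkt, one_pass=True):
    """First-match walk; with net.inet.ip.fw.one_pass=1 (the default) a pipe also ends evaluation."""
    for rule in rules:
        if rule_matches(rule, pkt) and (rule["action"] in TERMINAL or (one_pass and rule["action"] == "pipe")):
            return rule["num"], rule["action"]
    return None
```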