about ipfw rules on bridge boxes

Carlos Alarcón calarcon at iracsa.com.mx
Wed Jul 21 10:40:08 PDT 2004


Hi, I have a FreeBSD box acting as a bridge on my network, two NICs, one of
them, the external one, with an IP. I use it as a traffic shaper; this works great.
I can't make the Squid transparent proxy work yet :(, I think that doing it with a
bridge is a little strange, but my question is another one.
Sometimes I want to display messages for my clients. I did this before,
when I was using NAT instead of a bridge, by redirecting the client IP to my HTTP
server, and I had a WEB PAGE that showed the content. This was working fine,
but NAT gave me some problems, so I use a bridge and for me it is working
better. Well, now when I want to use this redirection again, it only works
when I have proxy settings in my clients' browsers; when I don't have
proxy settings in the clients' browsers, the redirect rule doesn't match,
according to its counter. I don't know why this rule is skipped. I attach my rules.
I have my Apache listening on port 81. I redirect all the web page
requests from client 172.16.1.58 to my HTTP server running on my
bridge box:
fwd 127.0.0.1,81 tcp from 172.16.1.58 to

bash-2.05b# ipfw show
00009        0          0 fwd 127.0.0.1,81 tcp from 172.16.1.58 to any dst-port 80
00011        0          0 deny ip from any to any MAC 00:02:2d:08:fd:5c any
00200        0          0 deny ip from any to any MAC any 00:02:2d:5e:0c:e5
00300      270       9646 deny ip from any to any MAC any 00:02:2d:67:42:fa
00400        0          0 deny ip from any to any MAC any 00:02:2d:3d:39:d7
00500        0          0 deny ip from any to any MAC any 00:02:2d:09:81:3c
00600    16084      50790 deny ip from any to any MAC any 00:02:2d:67:51:e3
00900        0          0 check-state
00950   101726   44396164 pipe 2 ip from any to 172.16.1.33
01000    57611   35521514 pipe 1 ip from any to 172.16.1.0/24
01100    54714    5999093 pipe 3 ip from 172.16.1.0/24 to any
01200   640165  234909932 allow tcp from 172.16.1.33 to any setup keep-state
01300     9709    1442183 allow udp from 172.16.1.33 to any keep-state
01400    60327   29747515 allow ip from 172.16.1.33 to any
01500  2730709 1590949972 allow tcp from any to any in via xl1 setup keep-state
01600   121973   43739565 allow udp from any to any in via xl1 keep-state
01700    59348    1840715 allow ip from any to any in via xl1
01800        0          0 allow tcp from any to any dst-port 22 in via xl1 setup keep-state
01900        0          0 allow tcp from any to any dst-port 113 in via xl1 setup keep-state
02000        0          0 allow tcp from any to any dst-port 49152-65535 in via xl1 setup keep-state
02100   322819   86172666 allow udp from any to any dst-port 49152-65535 in via xl0 keep-state
02200       67       3248 allow icmp from any to any icmptypes 8 keep-state
02300   125014   13868628 allow icmp from any to any icmptypes 3
02400     3423     387572 allow icmp from any to any icmptypes 11
02500 11784223 9455880276 allow ip from any to any
65535       35       1564 deny ip from any to any

Thanks
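An added example, not from the original post and not FreeBSD's own ipfw code: a small first-match simulator that replays a packet against the `ipfw show` listing above and reports which rule would end the packet's pass through the firewall. Because ipfw stops at the first terminating rule, a zero counter on rule 00009, the very first rule in the list, cannot be an ordering problem; replaying the client's direct request to port 80 confirms that rule 9 is the first match, while the same client talking to an explicit proxy port passes it and lands in pipe 3 at rule 01100. The two packets, the proxy port 3128 and the destination 198.51.100.10 are constructed; the ruleset is a subset of the one posted, with the wrapped lines rejoined; dynamic state (check-state/keep-state), skipto and count are not modelled.

```python
import ipaddress
import re

# Subset of the ruleset posted above (wrapped lines rejoined).  Dynamic state
# (check-state/keep-state), skipto and count are not modelled.
IPFW_SHOW = """\
00009        0          0 fwd 127.0.0.1,81 tcp from 172.16.1.58 to any dst-port 80
00011        0          0 deny ip from any to any MAC 00:02:2d:08:fd:5c any
00300      270       9646 deny ip from any to any MAC any 00:02:2d:67:42:fa
00900        0          0 check-state
01000    57611   35521514 pipe 1 ip from any to 172.16.1.0/24
01100    54714    5999093 pipe 3 ip from 172.16.1.0/24 to any
01500  2730709 1590949972 allow tcp from any to any in via xl1 setup keep-state
01700    59348    1840715 allow ip from any to any in via xl1
02500 11784223 9455880276 allow ip from any to any
65535       35       1564 deny ip from any to any
"""
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")
TAKES_ARG = {"fwd", "forward", "pipe", "queue", "divert", "tee", "skipto"}
# pipe/queue end the pass under the default net.inet.ip.fw.one_pass=1.
TERMINAL = {"allow", "accept", "pass", "permit", "deny", "drop", "reject", "fwd", "pipe", "queue", "divert"}

def parse_addr(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rule(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not an ipfw show line: %r" % line)
    t = m.group(4).split()
    r = {"num": int(m.group(1)), "pkts": int(m.group(2)), "bytes": int(m.group(3)),
         "action": t[0], "arg": None, "proto": "ip", "src": None, "dst": None, "opts": {}}
    i = 1
    if r["action"] in TAKES_ARG:
        r["arg"], i = t[1], 2
    if r["action"] == "check-state":
        return r
    if t[i + 1] != "from" or t[i + 3] != "to":
        raise ValueError("unexpected rule body: %r" % m.group(4))
    r["proto"], r["src"], r["dst"] = t[i], parse_addr(t[i + 2]), parse_addr(t[i + 4])
    i += 5
    while i < len(t):
        if t[i] in ("in", "out", "setup", "keep-state"):
            r["opts"][t[i]] = True
            i += 1
        elif t[i] in ("dst-port", "via", "icmptypes"):
            r["opts"][t[i]] = t[i + 1]
            i += 2
        elif t[i] == "MAC":  # ipfw syntax is "MAC dst-mac src-mac": destination first
            r["opts"]["mac"] = (t[i + 1], t[i + 2])
            i += 3
        else:
            raise ValueError("unsupported option %r in rule %d" % (t[i], r["num"]))
    return r

def port_in(port, spec):  # spec uses ipfw syntax: "80", "22,113" or "49152-65535"
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if port is not None and int(lo) <= port <= int(hi or lo):
            return True
    return False

def matches(r, p):
    o = r["opts"]
    if r["action"] == "check-state" or r["proto"] not in ("ip", p["proto"]):
        return False
    for side in ("src", "dst"):
        if r[side] is not None and ipaddress.ip_address(p[side]) not in r[side]:
            return False
    if ("in" in o and p["dir"] != "in") or ("out" in o and p["dir"] != "out"):
        return False
    if "via" in o and o["via"] != p.get("iface"):
        return False
    if "dst-port" in o and not port_in(p.get("dport"), o["dst-port"]):
        return False
    if "setup" in o and not p.get("syn"):  # setup = TCP SYN without ACK
        return False
    if "icmptypes" in o and str(p.get("icmptype")) not in o["icmptypes"].split(","):
        return False
    for want, have in zip(o.get("mac", ()), (p.get("dst_mac"), p.get("src_mac"))):
        if want not in ("any", have):
            return False
    return True

def first_match(rules, p):  # first rule whose action ends this pass through the firewall
    for r in rules:
        if matches(r, p) and r["action"] in TERMINAL:
            return r
    raise RuntimeError("ruleset has no terminating default rule (65535)")

def zero_hit_rules(rules):
    return [r["num"] for r in rules if r["pkts"] == 0]

RULES = [parse_rule(line) for line in IPFW_SHOW.splitlines()]
# Constructed packets: the client browsing straight to a web server, and the
# same client talking to an explicit proxy on port 3128 (assumed proxy port).
WEB = {"proto": "tcp", "src": "172.16.1.58", "dst": "198.51.100.10",
       "dport": 80, "dir": "in", "iface": "xl0", "syn": True}
PROXY = dict(WEB, dport=3128)

if __name__ == "__main__":
    for name, p in (("direct", WEB), ("proxy", PROXY)):
        r = first_match(RULES, p)
        print("%-6s -> rule %05d %s %s" % (name, r["num"], r["action"], r["arg"] or ""))
    print("rules with zero hits:", zero_hit_rules(RULES))
```

If the simulator says rule 9 is the first match but the live counter stays at zero, the packets are not being presented to ipfw in the form the rule expects, and reordering rules will not help. The next thing to check is how the running release's bridge(4) hands bridged frames to ipfw and whether the fwd action is honoured on that layer-2 path at all, as opposed to the IP-layer path that NAT used.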

