ipfw -pf processing order

Abu Khaled khaled.abu at gmail.com
Sun Jun 19 11:18:55 GMT 2005


On 6/19/05, Robert Usle <robertusn at gmail.com> wrote:
> Hi,
> 
> I'm using FreeBSD 5.4 with ipfw (module) & pf (kernel compiled) firewall.
> 
> pf is used for nat, pass/block, rdr, and dummynet/ipfw is used only
> for packet queueing.
> 
> ext_if = vr0
> int_if = rl1
> 
> ipfw rules:
> /sbin/ipfw pipe 10 config bw 256Kbit/s queue 20 mask dst-ip 0x000000ff
> /sbin/ipfw pipe 11 config bw 256Kbit/s queue 20 mask src-ip 0x000000ff
> /sbin/ipfw add 100 pipe 10 log ip from any to 10.0.9.0/24
> /sbin/ipfw add 101 pipe 11 log ip from 10.0.9.0/24 to any
> 
> sysctl: net.inet.ip.fw.one_pass: 1
> (I've also tried with 'via','xmit','recv' tags)
> 
> I see packets coming to my dummynet pipes/rules, but then
> pf rdr rule:
> 
> rdr on $int_if proto tcp from $internal_net to any port 80 ->
> 127.0.0.1 port 3128
> 
> does not work.
> When I disable ipfw firewall, it's just ok again.
> 
> pf options are as follows:
> set optimization normal
> set block-policy drop
> set require-order yes
> scrub in all
> 
> Is this related to firewall processing order?
> 
> Thanks,
> 
> --
> Robert

My guess is that IPFW is blocking packets from your $internal_net to
localhost port 3128. Add this to your IPFW rules before any other
rules that block traffic to 127.0.0.1

# ipfw add 100 allow tcp from $internal_net to 127.0.0.1 3128
# ipfw add 200 allow tcp from 127.0.0.1 3128 to $internal_net
for example:

ipfw add 100 pass all from any to any via lo0
ipfw add 200 allow tcp from $internal_net to 127.0.0.1 3128
ipfw add 300 allow tcp from 127.0.0.1 3128 to $internal_net
ipfw add 400 deny all from any to 127.0.0.0/8
ipfw add 500 deny ip from 127.0.0.0/8 to any

-- 
Kind regards
Abu Khaled
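Added illustration, not code from the thread, from FreeBSD, or from either poster: a small Python evaluator that walks a constructed ruleset in ipfw's first-match order, treats a matching pipe rule as terminal when net.inet.ip.fw.one_pass=1, and shows why the allow for 127.0.0.1 port 3128 must be numbered ahead of any deny for 127.0.0.0/8. The 10.0.9.0/24 network, the 127.0.0.1:3128 proxy and the interface names come from the thread; the packets and the default-deny assumption for rule 65535 are constructed.

```python
import ipaddress

def parse_rule(line):
    """Parse the reduced ipfw syntax seen in this thread:
    add N ACTION [pipe-no] [log] PROTO from SRC [SPORT] to DST [DPORT] [via IFACE]."""
    t = line.split()
    i_from, i_to = t.index("from"), t.index("to")
    r = {"num": int(t[1]), "action": t[2], "proto": t[i_from - 1],
         "src": t[i_from + 1], "dst": t[i_to + 1], "sport": None, "dport": None,
         "via": t[t.index("via") + 1] if "via" in t else None}
    if t[i_from + 2].isdigit():                      # port right after the source address
        r["sport"] = int(t[i_from + 2])
    if len(t) > i_to + 2 and t[i_to + 2].isdigit():  # port right after the destination
        r["dport"] = int(t[i_to + 2])
    return r

def addr_match(pattern, ip):
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def matches(r, pkt):
    return ((r["proto"] in ("ip", "all") or r["proto"] == pkt["proto"])
            and addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])
            and r["sport"] in (None, pkt["sport"]) and r["dport"] in (None, pkt["dport"])
            and r["via"] in (None, pkt["iface"]))

def verdict(rule_lines, pkt, one_pass=True):
    """First-match walk in rule-number order; returns (decision, rule number). With
    net.inet.ip.fw.one_pass=1 a matching pipe rule is terminal (accept after dummynet); with
    one_pass=0 the packet re-enters at the next rule. Assumed default rule 65535: deny."""
    for r in sorted(map(parse_rule, rule_lines), key=lambda r: r["num"]):
        if not matches(r, pkt):
            continue
        if r["action"] in ("allow", "pass") or (r["action"] == "pipe" and one_pass):
            return "allow", r["num"]
        if r["action"] == "deny":
            return "deny", r["num"]
    return "deny", 65535

# Constructed ruleset: the reply's rules 100-500 plus the question's pipe rule, renumbered 600.
THREAD_RULES = [
    "add 100 pass all from any to any via lo0",
    "add 200 allow tcp from 10.0.9.0/24 to 127.0.0.1 3128",
    "add 300 allow tcp from 127.0.0.1 3128 to 10.0.9.0/24",
    "add 400 deny all from any to 127.0.0.0/8",
    "add 500 deny ip from 127.0.0.0/8 to any",
    "add 600 pipe 11 log ip from 10.0.9.0/24 to any",
]
# Same rules but with the localhost deny placed ahead of the allows: the ordering mistake.
MISORDERED = ["add 150 deny all from any to 127.0.0.0/8"] + [x for x in THREAD_RULES if " 400 " not in x]
# Constructed packet: a LAN web request after pf's rdr has rewritten its destination to the proxy.
PROXY_PKT = {"proto": "tcp", "src": "10.0.9.5", "sport": 51234, "dst": "127.0.0.1", "dport": 3128, "iface": "rl1"}
```

Running verdict(THREAD_RULES, PROXY_PKT) gives ('allow', 200) while verdict(MISORDERED, PROXY_PKT) gives ('deny', 150), which is the symptom the question describes if a localhost deny sits ahead of the proxy allow.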

