ipfw -pf processing order

Robert Usle robertusn at gmail.com
Sun Jun 19 21:31:36 GMT 2005


On 6/19/05, Abu Khaled <khaled.abu at gmail.com> wrote:
> On 6/19/05, Robert Usle <robertusn at gmail.com> wrote:
> > Hi,
> >
> > I'm using FreeBSD 5.4 with ipfw (module) & pf (kernel compiled) firewall.
> >
> > pf is used for nat, pass/block, rdr, and dummynet/ipfw is used only
> > for packet queueing.
> >
> > ext_if = vr0
> > int_if = rl1
> >
> > ipfw rules:
> > /sbin/ipfw pipe 10 config bw 256Kbit/s queue 20 mask dst-ip 0x000000ff
> > /sbin/ipfw pipe 11 config bw 256Kbit/s queue 20 mask src-ip 0x000000ff
> > /sbin/ipfw add 100 pipe 10 log ip from any to 10.0.9.0/24
> > /sbin/ipfw add 101 pipe 11 log ip from 10.0.9.0/24 to any
> >
> > sysctl: net.inet.ip.fw.one_pass: 1
> > (I've also tried with 'via','xmit','recv' tags)
> >
> > I see packets coming to my dummynet pipes/rules, but then
> > pf rdr rule:
> >
> > rdr on $int_if proto tcp from $internal_net to any port 80 ->
> > 127.0.0.1 port 3128
> >
> > does not work.
> > When I disable the ipfw firewall, it's just OK again.
> >
> > pf options are as follows:
> > set optimization normal
> > set block-policy drop
> > set require-order yes
> > scrub in all
> >
> > Is this related to firewall processing order?
> >
> > Thanks,
> >
> > --
> > Robert
> 
> My guess is that IPFW is blocking packets from your $internal_net to
> localhost port 3128. Add this to your IPFW rules before any other
> rules that block traffic to 127.0.0.1
> 
> # ipfw 100 allow tcp from $internal_net to 127.0.0.1 3128
> # ipfw 200 allow tcp from 127.0.0.1 3128 to $internal_net
> for example:
> 
> ipfw add 100 pass all from any to any via lo0
> ipfw add 200 allow tcp from $internal_net to 127.0.0.1 3128
> ipfw add 300 allow tcp from 127.0.0.1 3128 to $internal_net
> ipfw add 400 deny all from any to 127.0.0.0/8
> ipfw add 500 deny ip from 127.0.0.0/8 to any

Thank you for your email Khaled.

I think that loading ipfw/dummynet modules is a problem itself.
The same happens even if I set 'allow ip from any to any' as the first rule.

Regards,

-- 
Robert