ipfw is not applying a rule ???? is that possible?

michael micatod at koproject.org
Sat Apr 1 21:28:03 UTC 2006


Hello,

First of all, hello everyone, this is my first email on this mailing list!

My problem:

I have a firewall running FreeBSD 6 with ipfw.

I do allow port 53 over UDP and TCP from anywhere to anywhere outbound with rules 20, 21, 22 and 23, but apparently it does not take them into account.

If I connect to a site by IP, it works.

If anyone has an idea... it would help me a lot, I really don't understand what is going on...

thanks

Michael.

PS1: rule 450 blocks. But it should not apply, since the packet should match rule 20 and be redirected to 800.
PS2: rule 40 (the next one) is applied correctly; I can browse a site by IP.

here are the logs:

Mar 25 10:24:25 ns0 kernel: ipfw: 450 Deny UDP 82.237.92.40:53 212.27.53.252:53 out via rl0
Mar 25 10:24:25 ns0 kernel: ipfw: 450 Deny UDP 82.237.92.40:53 212.27.54.252:53 out via rl0
Mar 25 10:24:25 ns0 kernel: ipfw: 450 Deny UDP 82.237.92.40:53 212.27.53.252:53 out via rl0
Mar 25 10:24:25 ns0 kernel: ipfw: 450 Deny UDP 82.237.92.40:53 212.27.54.252:53 out via rl0

here are the rules:

00005 113 21648 Sat Mar 25 10:21:30 2006 allow ip from any to any via rl1
00010 22 2548 Sat Mar 25 10:20:02 2006 allow ip from any to any via lo0
00014 151 17081 Sat Mar 25 10:21:30 2006 divert 8668 ip from any to any in via rl0
00015 0 0 check-state
00020 0 0 skipto 800 udp from any to any dst-port 53 out via rl0 setup keep-state
00021 0 0 skipto 800 udp from any to any dst-port 53 out via rl0 setup keep-state
00022 0 0 skipto 800 tcp from any to any dst-port 53 out via rl0 setup keep-state
00023 0 0 skipto 800 udp from any to any out via rl0 setup keep-state
00040 36 11755 Sat Mar 25 10:21:28 2006 skipto 800 tcp from any to any dst-port 80 out via rl0 setup keep-state
00070 0 0 skipto 800 tcp from me to any out via rl0 setup uid root keep-state
00080 3 108 Sat Mar 25 10:19:35 2006 skipto 800 icmp from any to any out via rl0 keep-state
00300 0 0 deny ip from 192.168.0.0/16 to any in via rl0
00301 0 0 deny ip from 172.16.0.0/12 to any in via rl0
00302 0 0 deny ip from 10.0.0.0/8 to any in via rl0
00303 0 0 deny ip from 127.0.0.0/8 to any in via rl0
00304 0 0 deny ip from 0.0.0.0/8 to any in via rl0
00305 0 0 deny ip from 169.254.0.0/16 to any in via rl0
00306 0 0 deny ip from 192.0.2.0/24 to any in via rl0
00307 0 0 deny ip from 204.152.64.0/23 to any in via rl0
00308 0 0 deny ip from 224.0.0.0/3 to any in via rl0
00315 0 0 deny tcp from any to any dst-port 113 in via rl0
00320 0 0 deny tcp from any to any dst-port 137 in via rl0
00321 0 0 deny tcp from any to any dst-port 138 in via rl0
00322 0 0 deny tcp from any to any dst-port 139 in via rl0
00323 0 0 deny tcp from any to any dst-port 81 in via rl0
00330 0 0 deny ip from any to any frag in via rl0
00332 22 4251 Sat Mar 25 10:20:54 2006 deny tcp from any to any established in via rl0
00400 109 5472 Sat Mar 25 10:21:30 2006 deny ip from any to any in via rl0
00450 107 6915 Sat Mar 25 10:21:26 2006 deny log ip from any to any out via rl0
00800 20 4553 Sat Mar 25 10:21:28 2006 divert 8668 ip from any to any out via rl0
00801 39 11863 Sat Mar 25 10:21:28 2006 allow ip from any to any
00999 0 0 deny log ip from any to any
65535 32459 2707961 Sat Mar 25 10:18:57 2006 allow ip from any to any
## Dynamic rules (3):
00040 12 2448 (298s) STATE tcp 192.168.0.12 58076 <-> 216.239.39.104 80
00040 22 9187 (298s) STATE tcp 192.168.0.12 58075 <-> 216.239.39.104 80
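As an added check (not part of the post above and not FreeBSD code), the script below parses `ipfw -at list` output in the format shown and flags rules that combine `setup` with a non-TCP protocol: in ipfw, `setup` matches only TCP segments with SYN set and ACK clear, so a `udp ... setup` rule can never match and the packet falls through to the later `deny` rule, which is consistent with the zero counters on rules 20, 21 and 23. The sample listing is constructed from a subset of the rules in the post.

```python
import re

# Constructed sample in the format of `ipfw -at list` output (rule number,
# packet count, byte count, optional last-match timestamp, rule body),
# built from a subset of the rules quoted in the post.
SAMPLE_LISTING = """\
00015 0 0 check-state
00020 0 0 skipto 800 udp from any to any dst-port 53 out via rl0 setup keep-state
00022 0 0 skipto 800 tcp from any to any dst-port 53 out via rl0 setup keep-state
00023 0 0 skipto 800 udp from any to any out via rl0 setup keep-state
00040 36 11755 Sat Mar 25 10:21:28 2006 skipto 800 tcp from any to any dst-port 80 out via rl0 setup keep-state
00450 107 6915 Sat Mar 25 10:21:26 2006 deny log ip from any to any out via rl0
"""

# Counters come first; the timestamp is present only for rules that have matched at least once.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?:[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d \d{4}\s+)?"
    r"(?P<body>\S.*)$"
)

def parse_listing(listing):
    """Yield (number, packets, protocol, tokens) for every rule that has a 'from' clause."""
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        toks = m.group("body").split()
        if "from" not in toks:          # e.g. check-state has no protocol/address part
            continue
        proto = toks[toks.index("from") - 1]   # the token just before 'from' is the protocol
        yield int(m.group("num")), int(m.group("pkts")), proto, toks

def dead_setup_rules(listing):
    """Rule numbers that combine 'setup' with a protocol other than TCP.

    'setup' matches only TCP SYN (no ACK) segments, so such a rule never fires."""
    return [num for num, _, proto, toks in parse_listing(listing)
            if "setup" in toks and proto not in ("tcp", "ip", "all")]

def zero_hit_rules(listing):
    """Rule numbers whose packet counter is still 0 (never matched since the ruleset was loaded)."""
    return [num for num, pkts, _, _ in parse_listing(listing) if pkts == 0]

if __name__ == "__main__":
    for num in dead_setup_rules(SAMPLE_LISTING):
        print(f"rule {num:05d}: 'setup' on a non-TCP protocol can never match")
    print("never matched:", zero_hit_rules(SAMPLE_LISTING))
```

Run it against the live output of `ipfw -at list` to confirm that every rule flagged as dead also shows a zero counter.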




More information about the freebsd-questions mailing list