ipfw fwd and ipfw allow

Nikos Vassiliadis nvass9573 at gmx.com
Wed Sep 8 09:18:39 UTC 2010


On 9/7/2010 5:52 PM, Victor Sudakov wrote:
> A packet generated locally 1) should be forwarded by a 'fwd'
> rule and 2) should create a dynamic 'allow' rule  for returning
> traffic. Could you please suggest a ruleset for this.

The fw has the 10.0.0.1 IP address.
The 10.0.0.100 IP address belongs to another computer running a TCP
service at 9999.

The IPFW rules:
> fw# ipfw list
> 00100 fwd 10.0.0.100 tcp from any to 10.90.10.3 dst-port 9999 keep-state
> 00200 deny ip from any to any
> 65535 allow ip from any to any

Trying to connect to TCP 9998 fails because of rule 200:
> fw# nc -v 10.90.10.3 9998
> nc: connect to 10.90.10.3 port 9998 (tcp) failed: Permission denied

While trying to connect to TCP 9999 succeeds and creates an IPFW state:
> fw# nc -v 10.90.10.3 9999
> Connection to 10.90.10.3 9999 port [tcp/*] succeeded!
> ^Z
> Suspended
> fw# ipfw -d show
> 00100 61 3315 fwd 10.0.0.100 tcp from any to 10.90.10.3 dst-port 9999 keep-state
> 00200 45 2644 deny ip from any to any
> 65535  0    0 allow ip from any to any
> ## Dynamic rules (9):
> 00100  2  112 (292s) STATE tcp 10.0.0.1 27320 <-> 10.90.10.3 9999
> fw#

HTH, Nikos
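
Added example (my own code, not anything from the post or from FreeBSD): a small Python parser for the `ipfw -d show` listing quoted above, using that listing as its constructed sample input. It separates the static rules from the entries under `## Dynamic rules` and reports any keep-state rule that currently holds no state, which is the check the post does by eye to confirm that the fwd rule tracked the connection. The column layout is assumed from the quoted output only.

```python
import re
from collections import namedtuple

# Listing copied from the post above (fw# ipfw -d show), embedded as a
# constructed sample so the parser runs without a FreeBSD host.
SAMPLE_IPFW_D_SHOW = """\
00100 61 3315 fwd 10.0.0.100 tcp from any to 10.90.10.3 dst-port 9999 keep-state
00200 45 2644 deny ip from any to any
65535  0    0 allow ip from any to any
## Dynamic rules (9):
00100  2  112 (292s) STATE tcp 10.0.0.1 27320 <-> 10.90.10.3 9999
"""

# Static line: rule number, packets, bytes, rule body.
STATIC_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")
# Dynamic line: parent rule, packets, bytes, (lifetime s), STATE, proto,
# src sport <-> dst dport; layout assumed from the quoted output.
DYNAMIC_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+(\d+)\s+\((\d+)s\)\s+STATE\s+(\S+)\s+"
    r"(\S+)\s+(\d+)\s+<->\s+(\S+)\s+(\d+)$"
)
StaticRule = namedtuple("StaticRule", "number pkts nbytes body")
DynState = namedtuple("DynState", "parent pkts nbytes ttl proto src sport dst dport")

def parse_ipfw_show(text):
    """Split `ipfw -d show` output into (static rules, dynamic states)."""
    static, dynamic, in_dynamic = [], [], False
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("## Dynamic rules"):
            in_dynamic = True  # everything below is tracked state, not rules
            continue
        m = (DYNAMIC_RE if in_dynamic else STATIC_RE).match(line)
        if not m:
            raise ValueError(f"unrecognised ipfw line: {line!r}")
        if in_dynamic:
            n, p, b, ttl, proto, s, sp, d, dp = m.groups()
            dynamic.append(DynState(int(n), int(p), int(b), int(ttl), proto,
                                    s, int(sp), d, int(dp)))
        else:
            n, p, b, body = m.groups()
            static.append(StaticRule(int(n), int(p), int(b), body))
    return static, dynamic

def keep_state_rules_without_state(static, dynamic):
    """keep-state rules holding no dynamic entry: the check that the
    fwd rule actually tracked the connection (empty list means it did)."""
    held = {s.parent for s in dynamic}
    return [r.number for r in static
            if "keep-state" in r.body and r.number not in held]
```

Feed it the real output of `ipfw -d show` on a firewall host and a non-empty result from the last function means a keep-state rule that has not yet seen a matching connection.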

