ipfw & skipto.... confused a bit...

Chris Knipe savage at savage.za.org
Thu Aug 12 19:32:43 PDT 2004


Hi all,

I'm a tad confused with skiptos.  I want to use them, because I am
automating setup procedures of rather large firewall tables via perl /
mysql.  From the 65535 available rules, blocks have been reserved for
certain type of functions during the firewalling process.  As such, I
basically use all the available numbers.  My last automated block is from
65450 to 65500 :/

Let's have a look quickly at a small block so that I can have an example of
what I am referring to....

 #######################################################################
 #### Transparent Services                                           ###
 #######################################################################
 ${fwcmd} add 16000 allow tcp from ${LANIP} to any 25 out via tun1 skipto 16010
 ${fwcmd} add 16001 allow tcp from ${LANIP} to any 80 out via tun0 skipto 16010
 ${fwcmd} add 16002 allow tcp from ${LANIP} to any 80 out via tun1 skipto 16010
 ${fwcmd} add 16003 fwd ${LANIP},3128 tcp from any to any dst-port 80
 ${fwcmd} add 16004 fwd ${LANIP},25 tcp from any to any 25
 ${fwcmd} add 16005 deny tcp from any to any 25 out via tun0
 ${fwcmd} add 16006 deny tcp from any to any 80 out via tun0
 ${fwcmd} add 16007 deny tcp from any to any 80 out via tun1

Right.  That block is for transparent proxy and smtp services.  Except for
the skiptos, the rules are fine and work.  My next automated block will
start at rule 16010.  What will be the correct way to write those skipto
lines?  Basically, I want to allow tcp/25 & tcp/80 from ${LANIP} via
tun0 & tun1.  If the rule has matched the traffic, I want the traffic
passed, and the next rule processed to be 16010.  Basically, I want to tell
ipfw to allow / deny / count / queue the packets, and go to rule 16010.  And
yes, I've tried 'ipfw add skipto x count ip from any to any', and no, it
does not work... :/

This is just an example as well.  I use skiptos in the above configuration
for allow, deny, count, and queue rules (from what I can see, it will be the
deny, count, and queue rules that will be troublesome with skiptos).... So
it's quite broad, and well yeah... Any help will be appreciated.

Another question.  If I use pipes and queues to configure bandwidth usage...
What is the general way to accommodate transparent services and pipes
(basically, so that the transparent service won't bypass a queue that should
be enforced)?  Should the bandwidth be shaped before, or after the
transparent service?  The same can be asked for divert sockets (divert
before or after queues).  If anyone cares to explain, I'd appreciate it
a lot.

The divert I am referring to is also not for NAT purposes - should anyone
wonder....

--
me
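An added example, not from the post above, of how the "match, then continue at rule 16010" intent can be written with ipfw's rule grammar: `skipto` is an action in its own right, so it cannot be appended to an `allow`, `deny`, `count` or `queue` rule; a packet that should jump gets a `skipto` rule with the same match expression, and `count` (which never ends the search) is followed by its own `skipto` rule. The LAN address is constructed, the extra tcp/25-via-tun0 count rule is invented for illustration, and `fwcmd` defaults to a dry-run `echo ipfw` so the script runs without a real firewall.

```shell
# Constructed values: a documentation-range LAN address and a dry-run fwcmd.
LANIP="192.0.2.10"
fwcmd="${fwcmd:-echo ipfw}"

emit_transparent_block() {
    # skipto is the action: a matching LAN packet is neither accepted nor
    # dropped here, evaluation resumes at the first rule numbered >= 16010,
    # i.e. the start of the next automated block, which decides its fate.
    ${fwcmd} add 16000 skipto 16010 tcp from ${LANIP} to any 25 out via tun1
    ${fwcmd} add 16001 skipto 16010 tcp from ${LANIP} to any 80 out via tun0
    ${fwcmd} add 16002 skipto 16010 tcp from ${LANIP} to any 80 out via tun1
    # count continues with the next rule, so "count, then jump" is two rules
    # sharing one match expression (this tcp/25 via tun0 pair is illustrative).
    ${fwcmd} add 16003 count tcp from ${LANIP} to any 25 out via tun0
    ${fwcmd} add 16004 skipto 16010 tcp from ${LANIP} to any 25 out via tun0
    # Only non-LAN traffic reaches these: redirect to the local proxies,
    # and deny anything that tries to go out directly.
    ${fwcmd} add 16005 fwd ${LANIP},3128 tcp from any to any dst-port 80
    ${fwcmd} add 16006 fwd ${LANIP},25 tcp from any to any 25
    ${fwcmd} add 16007 deny tcp from any to any 25 out via tun0
    ${fwcmd} add 16008 deny tcp from any to any 80 out via tun0
    ${fwcmd} add 16009 deny tcp from any to any 80 out via tun1
}

# Sanity check for a rule generator: reject a rule body that chains a
# terminating or counting action with skipto, which ipfw will not accept.
# $1 is the text after "add <number>". Returns 0 if the rule has one action.
check_single_action() {
    case "$1" in
        allow*skipto*|deny*skipto*|count*skipto*|queue*skipto*|pipe*skipto*)
            return 1 ;;
    esac
    return 0
}
```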
