ipfw pipes + firewall
Alex de Kruijff
freebsd at akruijff.dds.nl
Fri Nov 28 14:45:36 PST 2003
On Fri, Nov 28, 2003 at 09:37:06PM +0800, Khairil Yusof wrote:
> I've read the man pages, and tested it out, and just want to confirm
> that what I"m doing is right and that I didn't miss anything.
> Disable one_pass so that packets after matching pipe rule will continue
> on to other rules. Without this, packets matching pipes are not
> applied again against firewall rules.
> net.inet.ip.fw.one_pass: 0
> I then put the pipe rules before any firewall rules so that anything
> going in and out (in this case) go through the pipes first. They are
> then matched by normal firewall rules.
> 00100 83 11350 pipe 1 ip from any to any out
> 00200 93 11266 pipe 2 ip from any to any in
> 00300 0 0 check-state
> 00400 0 0 deny tcp from any to any established
> 01400 103 14855 allow tcp from any to me dst-port 22 in setup keep-state
> ... more firewall rules which are being matched
> From what I can see the pipe rules are being matched. I tested bandwidth
> controls, and they work. And I also could not access ports which I did
> have a dynamic rule for (as in 01400).
I find your 400 rule very strange. Rule 400 shouldn't apply because they
are passed by 300 (this one doesn't have a counter :( ).
For rule 1400 the dst-port is wrongly placed. Ports are (or can be) given
after the IP without any marker. I would replace 1400 with:
allow tcp from any to me 22 in
allow tcp from me 22 to any out
No need to have dynamic rules here, so place it before 300.
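The ruleset the thread converges on, written out as a complete script. This is an added example, not code from either poster: the pipe bandwidths, the extra rules 1000 and 65000, the `fw`/`sysctl_set` wrappers and the `DRY_RUN` switch are assumptions made for illustration. The security point it encodes is the one behind the `one_pass` question: with `net.inet.ip.fw.one_pass` left at its default of 1, a packet that leaves a dummynet pipe is accepted right there and never reaches the deny rules, so pipe rules placed at the top of the ruleset would let every packet bypass the firewall. Setting it to 0 reinjects the packet at the rule after the pipe action, which is what makes the ordering below safe.

```shell
#!/bin/sh
# Added example: ipfw ruleset combining dummynet pipes with the firewall,
# following the ordering recommended in the thread. Rule numbers, bandwidths
# and the wrappers below are illustrative assumptions, not the posters' code.
# Set DRY_RUN=1 to print the commands instead of executing them; applying
# for real needs root on a FreeBSD host with ipfw and dummynet loaded.

fw() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "ipfw -q $*"
    else
        ipfw -q "$@"
    fi
}

sysctl_set() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "sysctl $*"
    else
        sysctl "$@" >/dev/null
    fi
}

ruleset() {
    # With one_pass=1 (the default) a packet leaving a pipe is accepted
    # outright and never sees the deny rules further down, so the two pipe
    # rules at the top would bypass the whole firewall. one_pass=0 reinjects
    # the packet at the next rule instead.
    sysctl_set net.inet.ip.fw.one_pass=0

    fw flush
    fw pipe flush

    # Shaping parameters (assumed values): 512 Kbit/s out, 2 Mbit/s in.
    fw pipe 1 config bw 512Kbit/s
    fw pipe 2 config bw 2Mbit/s

    # Pipes first, so every packet is shaped before it is filtered.
    fw add 100 pipe 1 ip from any to any out
    fw add 200 pipe 2 ip from any to any in

    # Stateless SSH rules placed ahead of check-state, as suggested in the
    # reply; the port follows the address with no keyword.
    fw add 250 allow tcp from any to me 22 in
    fw add 260 allow tcp from me 22 to any out

    fw add 300 check-state
    # TCP packets with the ACK/RST bits set that matched no dynamic rule.
    fw add 400 deny tcp from any to any established

    # Assumed remainder: stateful outbound TCP from this host, drop the rest.
    fw add 1000 allow tcp from me to any out setup keep-state
    fw add 65000 deny ip from any to any
}

# Check helper: 1-based line of the first dry-run command matching a
# pattern, or 0 if no command matches. Lets the ordering be verified
# without touching a live firewall.
rule_position() {
    pos=$( ( DRY_RUN=1; ruleset ) | grep -n -- "$1" | head -n 1 | cut -d: -f1 )
    echo "${pos:-0}"
}

if [ "${1:-}" = "--apply" ]; then
    ruleset
fi
```

Run it as `DRY_RUN=1 sh ipfw.sh --apply` to review the generated commands, then `sh ipfw.sh --apply` as root. The `rule_position` helper is only there so the ordering (sysctl first, pipes before the SSH rules, SSH rules before `check-state`) can be asserted in a test instead of being eyeballed.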