FW: out xmit not match icmp
roman at zutom.sk
Tue Apr 27 00:10:17 PDT 2004
I'm forwarding this from freebsd-ipfw mailing list...
Thanks for any help..
From: owner-freebsd-ipfw at freebsd.org
[mailto:owner-freebsd-ipfw at freebsd.org] On Behalf Of Roman Mikus
Sent: Monday, April 19, 2004 3:31 PM
To: freebsd-ipfw at freebsd.org
Subject: out xmit not match icmp
I have a freebsd 4.9-RELEASE-p3 box with ipfw and 3 interfaces installed.
One interface is external with one public ip address, the second is internal
with private ip addresses, and the third is assigned a small subnet of
public ip addresses. I want to configure a firewall which protects the internal
network and the freebsd box but will pass traffic for the third interface. I have
vx0: internal: 10.0.0.8 netmask 255.255.255.0
ed0: external: y.y.y.170 netmask 255.255.255.240
ep0: free zone: x.x.x.162 netmask 255.255.255.240
I can send the whole firewall config, but it is derived from the simple section in
rc.firewall and looks like this:
(x.x.x. and y.y.y. and z.z.z. substitutes my real ip addresses)
00400 pipe 1 ip from any to any out xmit ed0
00500 pipe 2 ip from any to any in recv ed0
01900 divert 8668 ip from any to any via ed0
02000 divert 8668 ip from any to any via ep0
03000 allow ip from any to x.x.x.161
03100 allow ip from any to x.x.x.163
03200 allow ip from any to x.x.x.164
03400 allow ip from any to x.x.x.166
04200 allow ip from any to x.x.x.174
04300 allow ip from x.x.x.161 to any out recv ep0 xmit ed0
04400 allow ip from x.x.x.163 to any out recv ep0 xmit ed0
04500 allow ip from x.x.x.164 to any out recv ep0 xmit ed0
04700 allow ip from x.x.x.166 to any out recv ep0 xmit ed0
05500 allow ip from x.x.x.174 to any out recv ep0 xmit ed0
65000 deny log ip from any to any
Rules between 1900 and 5500 should pass all traffic to and from the free
zone, and this is true for tcp traffic (telnet) but not for icmp traffic.
If I try to ping x.x.x.166 from an outside box with ip z.z.z.11, rule 4700
does not match, but rule 65000 matches and this appears in /var/log/security:
Apr 19 15:16:54 ns /kernel: ipfw: 65000 Deny ICMP:0.0 x.x.x.166 z.z.z.11 in via ep0
This is the icmp reply from host x.x.x.166 and it is blocked, but it shouldn't be.
Can you tell me why this happens? How else can I pass any traffic to
and from my free zone (but still be able to shape traffic on the external
interface) and protect everything else?
Thanks a lot.
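The log line shows the reply being evaluated `in via ep0`, while rule 4700 is written to match only on the output pass (`out recv ep0 xmit ed0`). The small ipfw first-match simulator below is an added example, not code from the thread; it models only the three allow/deny rules the logged packet reaches, leaves out the pipe and divert rules as a simplification, and uses the post's placeholder addresses.

```python
import re

# Rules transcribed from the post (x.x.x. / z.z.z. are the poster's placeholders).
RULESET = """
03400 allow ip from any to x.x.x.166
04700 allow ip from x.x.x.166 to any out recv ep0 xmit ed0
65000 deny log ip from any to any
"""

RULE_RE = re.compile(r"^(?P<num>\d+) (?P<action>allow|deny)(?: log)? "
                     r"(?P<proto>\S+) from (?P<src>\S+) to (?P<dst>\S+)(?P<opts>.*)$")

def parse_rule(line):
    """Parse one rule into a dict; in/out and recv/xmit options are keyed by name."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + line)
    rule = {k: m[k] for k in ("action", "proto", "src", "dst")}
    rule["num"] = int(m["num"])
    toks = m["opts"].split()
    while toks:
        tok = toks.pop(0)
        if tok in ("in", "out"):
            rule["dir"] = tok
        else:  # recv / xmit take an interface name
            rule[tok] = toks.pop(0)
    return rule

def matches(rule, pkt):
    """First-match check: every option present in the rule must agree with the packet."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if rule["src"] not in ("any", pkt["src"]) or rule["dst"] not in ("any", pkt["dst"]):
        return False
    return all(rule[k] == pkt[k] for k in ("dir", "recv", "xmit") if k in rule)

def first_match(rules, pkt):
    """Number and action of the first rule that matches, as ipfw would pick it."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["num"], rule["action"]
    return None

RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]

# The logged packet: the ICMP reply on its inbound pass through ep0 (xmit not known yet).
ICMP_REPLY_IN = {"proto": "icmp", "src": "x.x.x.166", "dst": "z.z.z.11",
                 "dir": "in", "recv": "ep0", "xmit": None}
# The same packet as it would look on a later outbound pass through ed0.
ICMP_REPLY_OUT = dict(ICMP_REPLY_IN, dir="out", xmit="ed0")
```

`first_match(RULES, ICMP_REPLY_IN)` returns rule 65000 and `first_match(RULES, ICMP_REPLY_OUT)` returns rule 4700: the reply is dropped on the inbound pass from ep0 before it ever reaches the output pass that rule 4700 is written for.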