Is there anything weird I should know about using ipfw on alias
brett at net24.co.nz
Mon Dec 1 14:14:14 PST 2008
Ian Smith wrote:
> On Mon, 01 Dec 2008 16:52:12 +1300 Brett Davidson <brett at net24.co.nz> wrote:
> > ifconfig shows the alias addresses correctly bound.
> > Creating an ipfw rule and testing it from the command line works
> > (connects out from master address, not alias)
> > From website on alias address, the firewall blocks the packets.
> > The weird thing is that it tags them (in the security log) as coming
> > from the master address (not the alias) out the correct interface. In a
> > normal world that would mean the packet would match!!!!!
> > What's goin' on here Willis?
> Difficult to tell without seeing a) ifconfig b) netstat -rn c) at least
> the relevant firewall rule/s and d) log entries that illustrate your
> problem. Obscure sensitive information by all means, but otherwise
> pretend we haven't the slightest clue how your system is configured :)
> cheers, Ian
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 220.127.116.11 netmask 0xffffffe0 broadcast 18.104.22.168
inet 22.214.171.124 netmask 0xffffffff broadcast 126.96.36.199
inet 188.8.131.52 netmask 0xffffffff broadcast 184.108.40.206
inet 220.127.116.11 netmask 0xffffffff broadcast 18.104.22.168
inet 22.214.171.124 netmask 0xffffffff broadcast 126.96.36.199
inet 188.8.131.52 netmask 0xffffffff broadcast 184.108.40.206
inet 220.127.116.11 netmask 0xffffffff broadcast 18.104.22.168
media: Ethernet autoselect (1000baseSX <full-duplex>)
Relevant /etc/rc.conf entries:
ifconfig_bce1="inet 22.214.171.124 netmask 255.255.255.224"
ifconfig_bce1_alias0="inet 126.96.36.199 netmask 255.255.255.224"
ifconfig_bce1_alias1="inet 188.8.131.52 netmask 255.255.255.255"
ifconfig_bce1_alias2="inet 184.108.40.206 netmask 255.255.255.255"
ifconfig_bce1_alias3="inet 220.127.116.11 netmask 255.255.255.255"
ifconfig_bce1_alias4="inet 18.104.22.168 netmask 255.255.255.255"
ifconfig_bce1_alias5="inet 22.214.171.124 netmask 255.255.255.255"
ifconfig_bce1_alias6="inet 126.96.36.199 netmask 255.255.255.255"
Relevant ipfw rules:
ipfw -q add 02012 allow tcp from any to 188.8.131.52 80 out via bce1
ipfw -q add 02012 allow tcp from any to 184.108.40.206 443 out via bce1
Interesting entries in /var/log/security:
Dec 1 16:42:25 <servername> kernel: ipfw: 9999 Deny TCP 220.127.116.11:49708 18.104.22.168:80 out via bce1
What makes this interesting is that I can connect to that port via the
It's the website that lives on 22.214.171.124 that is having problems. Why,
if the rule is valid enough for the command line, is it having problems
from an aliased address?
This MUST have something to do with the way ipfw is working with aliased
addresses, but I'm blowed if I know what is wrong.
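The step the reply above asks for, comparing each logged packet against the addresses actually bound on the interface, can be scripted. The POSIX sh helper below is an added example and is not code from the original post or from FreeBSD; it parses ipfw log lines of the shape shown in /var/log/security, strips the port from each endpoint, and reports whether the source or the destination is a locally bound address, together with the packet's direction and interface. That is exactly the information needed to check whether the "from"/"to" clauses of a rule written with "in" or "out" could ever match the packet that was denied. The interface address list and the three log lines are constructed sample data using RFC 5737 documentation addresses, not the poster's real configuration.

```shell
#!/bin/sh
# Added example (not part of the original post): classify ipfw log records by
# which endpoint is a locally bound address, to check them against rule direction.

# Constructed address list for the interface: primary address first, then aliases.
# On a live host this would come from:  ifconfig bce1 | awk '/inet /{print $2}'
LOCAL_ADDRS="192.0.2.10 192.0.2.11 192.0.2.12"

# Constructed sample log lines (documentation addresses, not real hosts).
# On a live host, feed the real file instead:  cat /var/log/security
SAMPLE_LOG='Dec  1 16:42:25 host kernel: ipfw: 9999 Deny TCP 192.0.2.10:49708 198.51.100.7:80 out via bce1
Dec  1 16:42:26 host kernel: ipfw: 2012 Accept TCP 203.0.113.5:51000 192.0.2.11:80 in via bce1
Dec  1 16:42:27 host kernel: ipfw: 9999 Deny TCP 198.51.100.9:4444 192.0.2.12:443 out via bce1'

# is_local ADDR: succeed if ADDR is one of the addresses bound on the interface.
is_local() {
    for a in $LOCAL_ADDRS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# classify LINE: print one record
#   rule=N action=A proto=P dir=D iface=I src=S dst=T local=SIDE
# where SIDE is src, dst, both or none, depending on which address is bound locally.
# Returns 1 for lines that are not TCP/UDP ipfw records (ICMP records have a different shape).
classify() {
    rest="${1#*ipfw: }"            # drop the syslog prefix up to and including "ipfw: "
    [ "$rest" = "$1" ] && return 1 # no "ipfw: " marker: not an ipfw line
    set -- $rest                   # rule action proto src:port dst:port dir via iface
    [ $# -lt 8 ] && return 1       # not a record with both endpoints and an interface
    src="${4%:*}"                  # strip ":port" from the source endpoint
    dst="${5%:*}"                  # strip ":port" from the destination endpoint
    side=none
    if is_local "$src"; then side=src; fi
    if is_local "$dst"; then
        if [ "$side" = src ]; then side=both; else side=dst; fi
    fi
    printf 'rule=%s action=%s proto=%s dir=%s iface=%s src=%s dst=%s local=%s\n' \
        "$1" "$2" "$3" "$6" "$8" "$src" "$dst" "$side"
}

# report: classify every line of the sample log, skipping lines that do not parse.
report() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        classify "$line" || :
    done
}

# denied_local_src_out: count denied packets that left via the interface with a
# locally bound address as their *source*. A rule of the form
# "allow ... from any to <local-address> <port> out" is checked against the
# destination, so it cannot match a packet in this class; seeing a non-zero
# count here tells you to look at the rule's "from"/"to" clauses against its direction.
denied_local_src_out() {
    report | grep -c 'action=Deny .*dir=out .*local=src$'
}

report
echo "denied outbound packets sourced from a local address: $(denied_local_src_out)"
```

Run it as-is to see the three constructed records classified; on a real host, replace SAMPLE_LOG with the contents of /var/log/security and LOCAL_ADDRS with the addresses ifconfig prints for the interface named in the rules.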