Is there anything weird I should know about using ipfw on alias addresses?

Brett Davidson brett at net24.co.nz
Mon Dec 1 14:14:14 PST 2008


Ian Smith wrote:
> On Mon, 01 Dec 2008 16:52:12 +1300 Brett Davidson <brett at net24.co.nz> wrote:
>
>  > ifconfig shows the alias addresses correctly bound.
>  > Creating an ipfw rule and testing it from the command line works 
>  > (connects out from master address, not alias)
>  > 
>  >  From website on alias address, the firewall blocks the packets.
>  >
>  > The weird thing is that it tags them (in the security log) as coming 
>  > from the master address (not the alias) out the correct interface. In a 
>  > normal world that would mean the packet would match!!!!!
>  > 
>  > What's goin' on here Willis?
>
> Difficult to tell without seeing a) ifconfig b) netstat -rn c) at least 
> the relevant firewall rule/s and d) log entries that illustrate your 
> problem.  Obscure sensitive information by all means, but otherwise 
> pretend we haven't the slightest clue how your system is configured :)
>
> cheers, Ian
>
Fair enough.

ifconfig below:

bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       options=3b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU>
       inet 210.5.50.5 netmask 0xffffffe0 broadcast 210.5.50.31
       inet 210.5.51.32 netmask 0xffffffff broadcast 210.5.51.32
       inet 210.5.51.27 netmask 0xffffffff broadcast 210.5.51.27
       inet 210.5.51.33 netmask 0xffffffff broadcast 210.5.51.33
       inet 210.5.51.34 netmask 0xffffffff broadcast 210.5.51.34
       inet 210.5.51.42 netmask 0xffffffff broadcast 210.5.51.42
       inet 210.5.51.4 netmask 0xffffffff broadcast 210.5.51.4
       ether 00:1c:c4:c0:56:94
       media: Ethernet autoselect (1000baseSX <full-duplex>)
       status: active

Relevant /etc/rc.conf entries:
ifconfig_bce1="inet 210.5.50.5  netmask 255.255.255.224"
ifconfig_bce1_alias0="inet 210.5.50.5 netmask 255.255.255.224"
ifconfig_bce1_alias1="inet 210.5.51.4 netmask 255.255.255.255"
ifconfig_bce1_alias2="inet 210.5.51.27 netmask 255.255.255.255"
ifconfig_bce1_alias3="inet 210.5.51.32 netmask 255.255.255.255"
ifconfig_bce1_alias4="inet 210.5.51.33 netmask 255.255.255.255"
ifconfig_bce1_alias5="inet 210.5.51.34 netmask 255.255.255.255"
ifconfig_bce1_alias6="inet 210.5.51.42 netmask 255.255.255.255"

Relevant ipfw rules:
ipfw -q add 02012 allow tcp from any to 208.69.123.164 80 out via bce1 setup keep-state
ipfw -q add 02012 allow tcp from any to 208.69.123.164 443 out via bce1 setup keep-state

Interesting entries in /var/log/security:
Dec  1 16:42:25 <servername> kernel: ipfw: 9999 Deny TCP 210.5.50.5:49708 208.69.123.164:80 out via bce1

What makes this interesting is that I can connect to that port via the 
command line.

It's the website that lives on 210.5.51.42 that is having problems. Why, 
if the rule is valid enough for the command line, is it having problems 
from an aliased address?
This MUST have something to do with the way ipfw is working with aliased 
addresses, but I'm blowed if I know what is wrong.

Cheers
Brett.
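One way to triage entries like the one above, as an added example that is not from the original post or the thread: it parses ipfw TCP/UDP log lines from /var/log/security, labels the source as the primary bce1 address or one of the aliases from the ifconfig output, and flags denied packets that fit the static fields of rule 02012 (TCP to 208.69.123.164 port 80/443 out via bce1), so the address match can be ruled in or out before looking at rule order or the setup/keep-state handshake. The ALLOW_RULE dict layout and the sample log lines are constructed for the example.

```python
import re
from collections import namedtuple

# Addresses bound to bce1, taken from the ifconfig output in the post.
BCE1_ADDRESSES = {"210.5.50.5": "primary", "210.5.51.32": "alias", "210.5.51.27": "alias",
                  "210.5.51.33": "alias", "210.5.51.34": "alias", "210.5.51.42": "alias",
                  "210.5.51.4": "alias"}
# Static match fields of the two rule-02012 allow rules in the post; this dict
# layout is the example's own convention, not anything ipfw defines.
ALLOW_RULE = {"proto": "TCP", "dst": "208.69.123.164", "dports": {80, 443},
              "dir": "out", "iface": "bce1"}

# ipfw's TCP/UDP log shape: "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <if>"
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)")
Entry = namedtuple("Entry", "rule action proto src dst dport direction iface")

def parse_line(line):
    """Parse one syslog line; None for lines of another shape (ICMP, non-ipfw)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Entry(int(m["rule"]), m["action"], m["proto"], m["src"], m["dst"],
                 int(m["dport"]), m["dir"], m["iface"])

def source_kind(entry):
    """'primary', 'alias' or 'foreign': which bce1 address the packet left from."""
    return BCE1_ADDRESSES.get(entry.src, "foreign")

def matches_allow_static(entry, rule=ALLOW_RULE):
    """True when the packet fits the allow rule's static fields (keep-state aside)."""
    return (entry.proto == rule["proto"] and entry.dst == rule["dst"]
            and entry.dport in rule["dports"] and entry.direction == rule["dir"]
            and entry.iface == rule["iface"])

def triage(lines):
    """Per denied packet: (deny rule, source, address kind, allow-rule-fits). A True
    last field means the address match is not the problem; look at rule order or
    at the setup/keep-state handshake (setup only matches the SYN) instead."""
    return [(e.rule, e.src, source_kind(e), matches_allow_static(e))
            for e in map(parse_line, lines) if e is not None and e.action == "Deny"]

# Constructed sample lines modelled on the single real entry in the post.
SAMPLE_LOG = [
    "Dec  1 16:42:25 host kernel: ipfw: 9999 Deny TCP 210.5.50.5:49708 208.69.123.164:80 out via bce1",
    "Dec  1 16:42:26 host kernel: ipfw: 9999 Deny TCP 210.5.51.42:49710 208.69.123.164:443 out via bce1",
    "Dec  1 16:42:27 host kernel: ipfw: 9999 Deny ICMP:8.0 210.5.50.5 208.69.123.164 out via bce1",
]
```

Running `triage(SAMPLE_LOG)` reports both TCP denials as fitting the allow rule's static fields, one from the primary address and one from the 210.5.51.42 alias, while the ICMP line is skipped as a different log shape.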

