ipfw address-listing woes
Steve Bertrand
iaccounts at ibctech.ca
Wed Oct 20 12:13:28 PDT 2004
> I am having a bit of a time getting a rule to be recognized with an
> address-list in it. I have two identical natd boxes for my
> organization, however, I am unable to get the production machine to
> recognize particular rules, as illustrated below:
Have you tried to put it into a variable? Like so:
trusted="{ 192.168.1.0/24 or 192.168.2.0/24 }"
Then subsequently, change your rule as follows:
> ***00105 0 0 allow tcp from 192.168.1.0/24,192.168.2.0/24 to any
> dst-port 21,25,80,110,443,995 via xl0,rl0 setup keep-state***
... tcp from $trusted to any dst-port 21,25,80 etc
This is the way I've always done it, and I've never tried it your way, so
I don't have an answer to why it does not work. I've just stuck with what
does ;o)
HTH,
Steve
> ^^
> 00106 0 0 allow udp from any to any dst-port 33435-33524 keep-state
> 00200 473701 204681004 divert 8668 ip from any to any via sis0
> 65535 944012 409148687 allow ip from any to any
>
> Can anyone let me know why this is not working, because the rule is
> recognized on the following test firewall:
>
> gate1.276EN
>
>> sudo ipfw show
> 00098 76 7306 allow ip from any to any via lo0
> 00099 28425 3694972 divert 8668 ip from any to any via sis0
> 00100 3126 990373 queue 1 log ip from any to 192.168.1.0/24 in recv
> sis0
>
> 00150 0 0 allow ip from 127.0.0.1 to 127.0.0.1
> 00151 3548 290790 allow tcp from any to any dst-port 22 setup
> keep-state
>
> 00202 0 0 allow udp from 0.0.0.0 to 255.255.255.255 dst-port
> 67,68 setup keep-state
> 00203 1032 101807 allow udp from any to any dst-port 53 via fxp0
> keep-state
>
> 00204 21864 2369464 deny udp from any to any dst-port 137,138,513
>
> ****00205 2664 964612 allow tcp from 192.168.1.0/24 to any dst-port
> 21,25,80,110,443,995 via fxp0 setup keep-state****
> ^^^ ^^^^
> 00206 0 0 allow udp from any to any dst-port 33435-33524
> keep-state
>
> 65535 3303 340052 allow ip from any to any
>
> As you can see by the asterisks, and the "^" the rule works on the
> test
> firewall, however, fails on the production one. I think it has to do
> with my use of multiple NICS, and/or address-lists in the production
> firewall.
>
> As always, any help is greatly appreciated.
>
> Respectfully.
> --
>
>
> M.G.W.
> Wiggtekmicro, Corp.
>
> System:
> Asus M6N
> Intel Dothan 1.7
> 512MB RAM
> 40GB HD
> 10/100/1000 NIC
> Wireless b/g (not working yet)
> BSD-5.2.1
> KDE-3.1.4
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to
> "freebsd-ipfw-unsubscribe at freebsd.org"
>
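Steve's variable approach, written out as a runnable sh fragment. This is an added example, not code from either message in the thread: it keeps the trusted networks in one variable, checks each entry is a dotted quad or CIDR before use, and prints the resulting rule text. The rule number, ports and interface names (xl0, rl0) are the ones from the original rule; the helper names, the space-separated list format, and emitting one rule per interface rather than one rule for both are assumptions of this example, not anything the thread states.

```sh
#!/bin/sh
# Added example, not code from either message in this thread.
# Keeps the trusted networks in one variable (Steve's suggestion), checks
# each entry before use, and prints the resulting ipfw rule text.  Rule
# number, ports and interfaces (xl0, rl0) come from the original rule; the
# helper names and the space-separated list format are assumptions.

trusted_nets="192.168.1.0/24 192.168.2.0/24"   # edit the list here only
trusted_ports="21,25,80,110,443,995"
trusted_ifaces="xl0 rl0"

# valid_cidr ADDR[/LEN]: return 0 for a dotted quad with optional prefix
# length 0-32 whose octets are all 0-255, otherwise return 1.
valid_cidr() {
    addr=${1%%/*}
    plen=${1#*/}
    [ "$plen" = "$1" ] && plen=32          # no "/len": a single host
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -- $addr                           # split on the dots
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# or_block "net1 net2 ...": print the list in ipfw's "{ a or b }" form.
# Prints nothing and returns 1 if any entry fails valid_cidr.
or_block() {
    out=""
    for net in $1; do
        valid_cidr "$net" || return 1
        out="${out:+$out or }$net"
    done
    printf '{ %s }\n' "$out"
}

# build_rule SRC IFACE: the rule text for one interface, as it would be
# passed to ipfw(8).
build_rule() {
    printf 'add 105 allow tcp from %s to any dst-port %s via %s setup keep-state\n' \
        "$1" "$trusted_ports" "$2"
}

# emit_rules: one rule per interface, built from $trusted_nets.  It only
# prints; nothing is loaded unless the output is fed to ipfw, e.g. after a
# syntax check with "ipfw -n" where your ipfw supports that flag.
emit_rules() {
    trusted=$(or_block "$trusted_nets") || {
        echo "emit_rules: malformed entry in trusted_nets" >&2
        return 1
    }
    for ifc in $trusted_ifaces; do
        build_rule "$trusted" "$ifc"
    done
}

emit_rules
```

Running the script prints the two rules and loads nothing; the validation step means a typo in the list produces an error on stderr instead of a rule that silently covers the wrong networks.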