Hi and thanks for your reply!

> On 29.01.2017 at 17:40, Thomás <thoms...@gmail.com> wrote:
> 
> Sat, Jan 28, 2017 at 01:58:01PM +0100, Rakor:
>> As far as I know a packet is scanned once by IPFW and then first hit wins.
>> So, if I set the following, a packet coming from VLAN3 for port 80 is
>> permitted to travel any way it wants, even to VLAN2. Putting another
>> rule behind it that only allows travelling out using igb2 is not checked,
>> because the search terminated after the first hit.
>>      ipfw add allow tcp from 10.10.30.0/24 to any 80 setup keep-state
> 
> Have you tried something like this?
> 
> ipfw add deny tcp from 10.10.30.0/24 to 10.10.10.0/24 setup keep-state
> ipfw add deny tcp from 10.10.30.0/24 to 10.10.20.0/24 setup keep-state
> ipfw add allow tcp from 10.10.30.0/24 to any 80 setup keep-state

This will work. But for any new subnet I'll have to remember to deny it for all
the other subnets. I think this can become unhandy very soon.


>> If I try the following, the packets are all rejected. I think the inspection
>> is done before the routing, so IPFW does not know it should be forwarded
>> using igb2.
>>      ipfw add allow tcp from 10.10.30.0/24 to any 80 out via igb2 setup keep-state
> 
> IPFW can do routing table lookups as needed. Something else must be
> going on here. Log rules may be of help to debug and understand your
> ruleset.

I also tried it using recv and xmit rules.

First I tried:
        ipfw add allow tcp from 10.10.30.0/24 to any out recv igb0.30 xmit igb2 setup keep-state
It does not work.

Later I tried this:
        ipfw add allow tcp from 10.10.30.0/24 to any out xmit igb2 setup keep-state
Also not working.

Every time it was caught by my default rule at the end:
        00150 deny log logamount 5 ip from any to any

/var/log/security said:

        150 Deny TCP 10.10.30.5:51145 82.193.243.115:80 in via igb0.30

So to me it looks like it does not know that the packet will be transmitted via
igb2 at the moment it is inspected.


>> So I don't know how to filter packets that should be routed in an exact
>> manner. Can you help me?
> 
> There are plenty of ways to filter packets in that setup, the "exact"
> one depends on what you are trying to achieve.

OK. So I'd like to have deny by default (as ipfw works). Then I'd like to
say exactly which traffic is allowed, so in my mind I'll have no additional
deny rules. I'd like to say from which interface to which interface the traffic
is traveling, because this respects my VLANs. OK, because there is an IP
attached to the devices, using the subnets would do it also (but I feel more
comfortable seeing my interfaces - maybe it's stupid).

So the rules I’d like to write say:
"allow tcp from VLAN3 to Internet using ports 80,443 coming from igb0.3 going 
to igb2 and deny all the rest."
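
The ruleset the last paragraph asks for, written as a small generator so that each VLAN is one table line instead of a deny rule per other subnet. This is an added example, not code from the thread or from FreeBSD; the VLAN table is constructed, and it assumes that ipfw inspects a forwarded packet twice (once "in" on the VLAN interface, once "out" on the interface it leaves by), so each pass gets its own allow rule and a packet headed for another VLAN falls through to the final deny because no "out" rule names that xmit interface. The script only prints the rules; it does not call ipfw.

```shell
#!/bin/sh
# Added example (not from the thread): emit an ipfw ruleset in which every
# allow rule is pinned to a receive and a transmit interface, so adding a
# VLAN means adding one table line, not a deny rule per other subnet.
# Assumption: a forwarded packet is inspected by ipfw on input and again on
# output, so both passes need a matching allow rule. Rules are printed only.

WAN_IF="igb2"              # upstream interface named in the thread
ALLOWED_PORTS="80,443"     # destination ports the VLANs may reach
# Constructed sample table, one "<vlan interface> <vlan subnet>" per line
VLAN_TABLE="igb0.30 10.10.30.0/24
igb0.20 10.10.20.0/24"

# gen_rules WAN_IF TABLE PORTS -> prints ipfw(8) "add" lines to stdout
gen_rules() {
    wan="$1" table="$2" ports="$3"
    n=1000
    printf '%s\n' "$table" | while read -r ifc net; do
        [ -z "$ifc" ] && continue
        # pass 1: packet from the VLAN arrives on its own interface
        printf 'add %d allow tcp from %s to any %s in recv %s\n' \
            "$n" "$net" "$ports" "$ifc"
        # pass 2: the same packet leaves; xmit pins it to the WAN side, so a
        # packet routed to another VLAN matches nothing and hits the deny
        printf 'add %d allow tcp from %s to any %s out recv %s xmit %s\n' \
            "$((n+1))" "$net" "$ports" "$ifc" "$wan"
        # replies: only established segments, and only WAN -> this VLAN
        printf 'add %d allow tcp from any %s to %s in recv %s established\n' \
            "$((n+2))" "$ports" "$net" "$wan"
        printf 'add %d allow tcp from any %s to %s out recv %s xmit %s established\n' \
            "$((n+3))" "$ports" "$net" "$wan" "$ifc"
        n=$((n+10))
    done
    # catch-all, the same default rule the thread uses
    printf 'add 65000 deny log logamount 5 ip from any to any\n'
}

# count_allow_rules RULESET -> number of allow lines, for a quick sanity check
count_allow_rules() {
    printf '%s\n' "$1" | grep -c '^add [0-9]* allow'
}

RULESET=$(gen_rules "$WAN_IF" "$VLAN_TABLE" "$ALLOWED_PORTS")
printf '%s\n' "$RULESET"
```

The output can be loaded with `ipfw -q /dev/stdin`-style batch input or pasted into a firewall script; the point is that no rule anywhere mentions a peer VLAN, so a new VLAN changes only the table. Because `recv` is valid on both passes while `xmit` is only valid on the outbound one, the "out recv X xmit Y" pair is what expresses "came in on X, leaves on Y".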

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"