Problems with ipfw2?

2005-03-24 Thread Stefan Cars
Hi!
I have a very strange problem with our firewall using ipfw2. Below is
my configuration file. The firewall is a bridging firewall (em2,em3).
After a few seconds (7-12 seconds) of ICMP pings to a machine behind the
firewall, it suddenly starts blocking all traffic to that specific host.
This is also true for networks that I have permitted at the top of the
config. It rejects everything regardless of any rules I have made.

Any ideas, anyone?
# Trusted networks
add permit ip from /28 to any
add permit ip from /26 to any
add permit ip from /25 to any
add permit ip from any to any established
# DNS
add permit ip from any to any 53
# ICMP
add permit icmp from any to any
# HTTP
add permit ip from any to any 80
add permit ip from any to any 443
# SSH
add permit ip from any to any 22
# Deny everything else
add deny ip from any to any
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Problems with ipfw2 divert

2004-12-28 Thread Zijian Zhou
Hi:

I am trying to set up a freebsd machine as a bridge to implement a
sort of firewall at the bridging layer.

I am running:  FreeBSD 4.11-PRERELEASE i386

I have a divert socket bound to the port 8668 for outgoing traffic and
I have another divert socket bound to the port 8669 for incoming
traffic. I am using ipfw2 for diverting traffic.

Has anybody experienced this problem, where only one side of the traffic
gets diverted and the other side is never touched? If so, has anyone
fixed this problem?

Here is my simple ipfw2 rule set:

rp6# ipfw show
00100   8458   2774224 divert 8668 udp from any 68 to any dst-port 67 recv dc0
00101  0 0 divert 8669 udp from any 67 to any dst-port 68 recv dc1
65535 502777 113629564 allow ip from any to any

These are some of my kernel variables for bridging.
rp6# sysctl -a |grep bridg
net.link.ether.bridge_cfg: dc0,dc1
net.link.ether.bridge: 1
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipf: 0
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0


Thank you
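A small troubleshooting helper, added here and not part of either post, that parses the counters printed by `ipfw show` and flags rules whose packet counter is still zero, which is the first thing to check when one divert direction appears never to be touched (a zero counter means no packet has ever matched that rule, so the divert socket on that port is never handed anything). The sample output is constructed from the rule set quoted above; the function names are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three rules as printed by `ipfw show` in the post above.
SAMPLE_IPFW_SHOW = """\
rp6# ipfw show
00100   8458   2774224 divert 8668 udp from any 68 to any dst-port 67 recv dc0
00101  0 0 divert 8669 udp from any 67 to any dst-port 68 recv dc1
65535 502777 113629564 allow ip from any to any
"""

# `ipfw show` prints: <rule number> <packet counter> <byte counter> <rule body>
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")

@dataclass
class Rule:
    number: int
    packets: int
    bytes: int
    body: str

def parse_ipfw_show(text):
    """Turn `ipfw show` output into Rule objects, skipping prompt and blank lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4]))
    return rules

def idle_rules(rules):
    """Rules with a zero packet counter: no packet has ever matched them."""
    return [r for r in rules if r.packets == 0]

def divert_summary(rules):
    """Map each divert port to the number of packets its rule has diverted so far."""
    out = {}
    for r in rules:
        parts = r.body.split()
        if parts and parts[0] == "divert":
            out[int(parts[1])] = r.packets
    return out

if __name__ == "__main__":
    parsed = parse_ipfw_show(SAMPLE_IPFW_SHOW)
    for r in idle_rules(parsed):
        print(f"rule {r.number:05d} has never matched: {r.body}")
    print("packets per divert port:", divert_summary(parsed))
```

Feed it the live output (`ipfw show | python3 helper.py` style) and any divert rule reported as never matched points at the match criteria or rule ordering rather than at the divert socket itself.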