Is there anything weird I should know about using ipfw on alias addresses?

Mon, 01 Dec 2008 19:25:31 -0800 

Relevant ifconfig entry shows the alias addresses correctly bound.

bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
     options=3b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU>
     inet 210.5.50.5 netmask 0xffffffe0 broadcast 210.5.50.31
     inet 210.5.51.32 netmask 0xffffffff broadcast 210.5.51.32
     inet 210.5.51.27 netmask 0xffffffff broadcast 210.5.51.27
     inet 210.5.51.33 netmask 0xffffffff broadcast 210.5.51.33
     inet 210.5.51.34 netmask 0xffffffff broadcast 210.5.51.34
     inet 210.5.51.42 netmask 0xffffffff broadcast 210.5.51.42
     inet 210.5.51.4 netmask 0xffffffff broadcast 210.5.51.4
     ether 00:1c:c4:c0:56:94
     media: Ethernet autoselect (1000baseSX <full-duplex>)
     status: active

Relevant /etc/rc.conf entries :
        ifconfig_bce1="inet 210.5.50.5  netmask 255.255.255.224"
        ifconfig_bce1_alias0="inet 210.5.50.5 netmask 255.255.255.224"
        ifconfig_bce1_alias1="inet 210.5.51.4 netmask 255.255.255.255"
        ifconfig_bce1_alias2="inet 210.5.51.27 netmask 255.255.255.255"
        ifconfig_bce1_alias3="inet 210.5.51.32 netmask 255.255.255.255"
        ifconfig_bce1_alias4="inet 210.5.51.33 netmask 255.255.255.255"
        ifconfig_bce1_alias5="inet 210.5.51.34 netmask 255.255.255.255"
        ifconfig_bce1_alias6="inet 210.5.51.42 netmask 255.255.255.255"
Creating an ipfw rule and testing it from the command line works (connects out from master address, not alias) 
ipfw -q add 02012 allow tcp from any to 208.69.123.164 80 out via bce1 setup 
keep-state


From website on alias address, the firewall blocks the packets.


Interesting entries in /var/log/security :

Dec  1 16:42:25 <servername> kernel: ipfw: 9999 Deny TCP 210.5.50.5:49708 
208.69.123.164:80 out via bce1

In a normal world the packet would match!!!!!

What's goin' on here Willis?


From what I can see, this MUST have something to do with the way ipfw is 
working with aliased addresses but I'm blowed if I know what is wrong.


Cheers,
Brett.

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to