Can anyone fluent with IPFW-2 help me by explaining what's happening with the following rules? I'm not getting the results I expect and can't make any logical conclusions regarding them.
SERVER CONFIGURATION
--------------------
FBSD v5.2.1 with IPFW-2

Four port NIC, but for simplicity's sake I am only showing two ports in this example of the rules.

FBSD box router/gateway contains:
  dc1 is 192.168.1.1
  dc2 is 192.168.2.1

One machine (192.168.1.10) is attached to the 1.0 network.
One machine (192.168.2.254) is attached to the 2.0 network.

With an open firewall, anything hanging off the 1.0 network can talk to the 2.0 network and vice-versa. So routing is fine.

RULESET
-------
01600 skipto 4000 ip from any to any via dc1
01800 skipto 8000 ip from any to any via dc2
04000 check-state
04200 allow ip from any to any in via dc1 keep-state
04400 deny ip from any to any
08000 deny ip from any to 192.168.2.254 dst-port 23
08100 check-state
08200 allow ip from any to any in via dc2 keep-state
65000 deny ip from any to any

MY CONFUSION
------------
1. I want machines on dc1 to be able to go anywhere, but I want to block telnet into 192.168.2.254.

2. Rule 8000 is not blocking access to 192.168.2.254 dst-port 23 as I thought it would. I can telnet to 2.254 without any problem. The dynamic rule 4200 is set up with bidirectional communication between 1.10 and 2.254, but Rule 8000 has no impact on packets traveling through dc2 with a target of 2.254.

3. If I move Rule 8000 before Rule 1600, packets are blocked from 192.168.2.254 dst-port 23 as I expect them to be.

MY QUESTION
-----------
Why are packets blocked if the deny rule is placed prior to Rule 1600 but not within the block of rules defined for traffic in and out of dc2? Is this because static rules referencing the interface do not match packets that were initially introduced using a dynamic rule?

Thanks,
Jon

_______________________________________________
freebsd-questions mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions