4th November 2008
Magoo

Code:
---
# ifconfig rl0

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet XXX.XXX.XXX.69 netmask 0xfffffe00 broadcast 255.255.255.255
        ether 00:c0:f0:54:c0:bd
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

---
# ifconfig rl1

rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 169.254.75.1 netmask 0xffffff00 broadcast 169.254.75.255
        ether 00:50:ba:5f:0c:d4
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

---
# netstat -rn

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            XXX.XXX.XXX.1         UGS         0        4    rl0
XXX.XXX.XXX/23        link#1             UC          0        0    rl0
XXX.XXX.XXX.1         00:1a:2f:8b:30:05  UHLW        2        0    rl0   1190
127.0.0.1          127.0.0.1          UH          0        0    lo0
169.254.75/24      link#2             UC          0        0    rl1
169.254.75.254     00:1f:33:cd:a9:59  UHLW        2      194    rl1   1160

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UHL         lo0
fe80::%lo0/64                     fe80::1%lo0                   U           lo0
fe80::1%lo0                       link#3                        UHL         lo0
ff01:3::/32                       fe80::1%lo0                   UC          lo0
ff02::%lo0/32                     fe80::1%lo0                   UC          lo0

---
# pgrep -lf natd

419 natd -same_ports -use_sockets -dynamic -interface rl0

---
# ipfw show

00010   0     0 allow ip from any to any via lo0
00020   0     0 deny ip from any to 127.0.0.0/8
00030   0     0 deny ip from 127.0.0.0/8 to any
00040   0     0 deny tcp from any to any frag
00050   0     0 check-state
00060 685 69553 allow tcp from any to any established
00070   9   697 allow ip from any to any out keep-state
00080   1    61 allow icmp from any to any
00130   3   180 allow tcp from any to any dst-port 22 in
00140   0     0 allow tcp from any to any dst-port 22 out
00170   0     0 allow udp from any to any dst-port 53 in
00175   0     0 allow tcp from any to any dst-port 53 in
00180   0     0 allow udp from any to any dst-port 53 out
00185   0     0 allow tcp from any to any dst-port 53 out
00200   0     0 allow tcp from any to any dst-port 80 in
00210   0     0 allow tcp from any to any dst-port 80 out
00341   2    80 divert 8668 ip from any to me in recv rl0
00342   0     0 allow ip from any to 169.254.75.0/24 in recv rl0
00343   0     0 allow ip from any to 169.254.75.0/24 out xmit rl1
00344   0     0 allow ip from 169.254.75.0/24 to any in recv rl1
00345   0     0 divert 8668 ip from 169.254.75.0/24 to any out xmit rl0
00346   0     0 allow ip from me to any out xmit rl0
00500  52 19988 deny log logamount 10 ip from any to any
65535   0     0 allow ip from any to any
I wasn't sure what level to put the NAT divert rules at; I tried putting them at the beginning and at the end.