
List:       ipfilter
Subject:    Re: Q: ipfilter problem
From:       Darren Reed <darrenr () cyber ! com ! au>
Date:       1997-01-27 10:56:56

In some mail I received from Josef Pojsl, sie wrote
> 
> 
> Hello folks,
> 
> might anyone help with the following issue:
> we have ipfilter version 3.1.5 from Darren Reed on a FreeBSD 2.1.6
> system. We want to use it to route packets to a specific
> ethernet card on the machine according to its protocol.
> Namely, the rules for ipf look like this:
> 
> pass in quick on ep1 to ep0:193.165.192.129 proto icmp all
> pass in quick on ep0 to ep1:192.168.10.2 proto icmp from any to 192.168.10.0/24

> The feature is described, it should not obey
> normal routing table, but place the packets immediately on the queue
> of the specified ethernet.

Ah, no.  What the above will do is send ALL icmp packets inbound on ep1
to 193.165.192.129 via ep0.  That is, it will look for a route to that
IP address via ep0 (usually there should be an ARP cache entry or will
be resolved when it tries to send).  The reverse will happen for packets
coming in on ep0 that will be routed to 192.168.10.2 via ep1.  Both these
addresses should be some other interface on that subnet.

> Behind ep1 is only 1 machine (192.168.10.2), behind ep0 is
> an ethernet segment, 193.165.192.129 is one of the machines on it.
> If we use it for icmp, it works fine. However, if we put
> udp instead of icmp, it causes all the machines on the outside
> ethernet behind ep0 to hang, and the FreeBSD machine itself as well.

What's "hang" ?  Do DNS lookups take forever or does the machine (i.e.
kernel) stop ?  If other machines are hanging too, it is likely ARP trouble.

If you're doing this for UDP, are you using NFS ?

Darren
