search for: oif

...e would be effecting the other, but it does. Here is my iptables -t mangle -L on tunnel server 2, before adding, and after adding. Chain POSTROUTING (policy ACCEPT) target prot opt source destination ROUTE all -- anywhere (Network C) every 2th packet #0 ROUTE oif:AMC_TUN1 gw:172.16.0.38 ROUTE all -- anywhere (Network C) every 2th packet #1 ROUTE oif:AMC_TUN2 gw:172.16.0.42 ROUTE all -- anywhere (Network D) every 2th packet #0 ROUTE oif:TB_TUN1 gw:172.16.0.26 ROUTE all -- anywhere (Network D) every...

...e-mail and pretty much deny everything else. If someone would have the time to have a quick look at this to see if there's anything wrong with it i would really appreciate it! Bye, jurjen. ps. here is my ruleset: #!/bin/sh ipfw -q flush cmd="ipfw -q add" ks="keep-state" oif="ath0" #setup the loopback $cmd 001 allow all from any to any via lo0 $cmd 002 deny all from any to 127.0.0.0/8 $cmd 003 deny ip from 127.0.0.0/8 to any #check state of incoming packets $cmd 010 check-state #### # Outgoing #allow outgoing connections to internetsites, ssh sites #...

...at netfilter.org Reporter: f30 at f30.me Reverse path filtering means dropping a packet if connections to its source IP wouldn't use the same interface the packet arrived on. The nftables wiki states [1] that this can be implemented like: nft add rule x prerouting fib saddr . iif oif eq 0 drop Slides by Florian Westphal [2] suggest to use: nft add rule ... fib saddr . oif oif = 0 drop But this fails with "Invalid argument" even when replacing "=" by "==" or "eq". `fib saddr . iif oif eq 0` achieves the desired goal (except for bugs...

...sl_qos_queue adds a QUEUE Target to the POSTROUTING chain for reading the MARKed packets , and i recently added a -j ROUTE target for my load balancing configuration to this chain: /sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner pure-ftpd -m nth --every 9 --packet 0 -j ROUTE --oif ppp1 /sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner pure-ftpd -m nth --every 9 --packet 1 -j ROUTE --oif ppp1 /sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner pure-ftpd -m nth --every 9 --packet 2 -j ROUTE --oif ppp1 /sbin/iptables -A POSTROUTING -o ppp+ -t...

Hi there, Is there some way to configure ipfw to do traffic normalizing ("scrubbing", as in ipf for OpenBSD)? Is there any tool to do it for FreeBSD firewalling? I've heard that ipf was ported on current, anything else? TIA, /Dorin. __________________________________ Do you Yahoo!? Yahoo! Mail SpamGuard - Read only the mail you want. http://antispam.yahoo.com/tools

https://bugzilla.netfilter.org/show_bug.cgi?id=884 Summary: the rule of TEE target with '--oif' option cannot be deleted. Product: iptables Version: 1.4.x Platform: i386 OS/Version: Fedora Status: NEW Severity: minor Priority: P5 Component: iptables AssignedTo: netfilter-buglog at...

In my recent security email, I got the following errors: cantona.dnswatchdog.com login failures: Aug 20 02:37:19 cantona sshd[9444]: fatal: Write failed: Operation not permitted Aug 20 04:30:42 cantona sshd[16142]: fatal: Write failed: Operation not permitted Aug 20 21:21:51 cantona sshd[45716]: fatal: Write failed: Operation not permitted So three questions: What is it? Should I be worried?

The man page gives this example, however, when I attempt to use it, it seems to block the whole set? Could someone tell me what's going wrong here please. Thanks heaps.. This works, ${fwcmd} add deny log all from any to 203.1.96.1 in via ${oif} This blocks the whole IP block, not just the list? ${fwcmd} add deny log all from any to 203.1.96.0/24{2,6-25,27-154,156-19 9,204-254} in via ${oif} the man page bit... list: {num | num-num}[,list] Matches all addresses with base address addr (specified as a dot-...

...OS: Debian GNU/Linux Status: NEW Severity: major Priority: P5 Component: kernel Assignee: pablo at netfilter.org Reporter: f30 at f30.me I am trying to implement reverse path filtering using "fib" rules like `fib saddr . iif oif 0 drop`. I don't understand why exactly (see #1220), but this generally works for IPv4 and IPv6 without a default route. However, "fib" starts to behave strangely with a v6 default route. Assume a host with two interfaces, enp0s5 and enp0s6, and the following IP addresses: > ip...

...e history by code. Any ideas? Thanks and best regards, Norbert -- ********************************************************** Mag. Norbert Neuwirth ?sterreichisches Institut f?r Familienforschung (?IF) - Universit?t Wien Austrian Institute for Family Studies - University of Vienna http://www.oif.ac.at e-mail: norbert.neuwirth at oif.ac.at tel: +43-1-4277-489-11 fax: +43-1-4277-9-489 address: A-1010 Wien, Grillparzerstra?e 7/9

...ip addr add 172.16.0.2/30 dev client_tun1 ip addr add 172.16.0.6/30 dev client_tun2 traffic outbound from the client doesnt need to go out the tunnel, but it does need to be split --client-- iptables -A POSTROUTING --source 66.81.23.0/24 -t mangle -m nth --counter 0 --every 2 --packet 0 -j ROUTE --oif eth1 --gw 64.20.12.45 iptables -A POSTROUTING --source 66.81.23.0/24 -t mangle -m nth --counter 0 --every 2 --packet 1 -j ROUTE --oif eth2 --gw 64.20.12.49 traffic inbound to the client will go to the server, and come to client through the tunnel --server-- iptables -A POSTROUTING --destination 66...

...: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: karol at babioch.de Since DNS is allowed over both UDP as well as TCP, I have to specify two rules each time I want to allow DNS traffic. This looks something like this: oif eth0 udp dport domain accept oif eth0 tcp dport domain accept In an example found online [1] someone showed the following example: {udp, tcp} sport domain ip daddr 127.0.0.1 accept Apparently this was never tested. At least it doesn't work for me. For the example above it would look...

...0.1 (Ack+Reset zero data) with source MAC of my default gateway and I can't seem to block this traffic. Snort picked up the traffic and I have confirmed with tcpdump. So I decided I needed to examine my anti-spoof rules. I already had this one deny ip from any to 127.0.0.0/8 in recv ${oif} This never triggered on this traffic so I figured it must be looking for a SYN before it would trigger. So I added the following: deny tcp from 127.0.0.1 to ${oif} tcpflags ack,rst This still didn't block the traffic. So, I added the following: deny ip from 127.0.0.0/8 to ${o...

...Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: tad1073 at gmail.com code snippet table inet nat { chain prerouting { type nat hook prerouting priority dstnat; policy accept; fib saddr . iif oif 0 counter drop fib saddr . iif oif "lo" counter accept fib saddr . iif oif "$inet_if" counter accept fib daddr . iif type { local, broadcast, multicast } counter accept ip daddr 10.0.0.11 tcp dport 80 dnat to 8080 ip daddr 10.0.0.11 udp dp...

Hi. We just opened a gaming center and have chosen to run a FreeBsd box for our firewall. IPFW is configured at it's very basic running natd through rl0 and allowing any to any connections from the lan to the outer world. Natd controls access to the lan. We have a 6.0 mb/s ADSL net connection for all the gaming clients to use, however if a gamer starts downloading a file, that file

...5 y......!36:;w9.. 0x0130: c03d 17ff ff00 0064 0004 c75b 2dfc 6e1b .=.....d...[-.n. 0x0140: 42ba 8108 c849 f941 dfcb 5000 9101 01ff B....I.A..P..... 0x0150: 0000 0000 0000 0000 ........ nft monitor : trace id 195bb0a6 netdev filter egress packet: oif "enp6s19.100" @nh,0,320 0xe5050000401194a000000000ffffffff00440043013486f501010600f97b4c020000000000000000 trace id 195bb0a6 netdev filter egress rule meta nftrace set 1 (verdict continue) trace id 195bb0a6 netdev filter egress rule log group 30 (verdict continue) trace id 195bb0a6 netdev...

...5 y......!36:;w9.. 0x0130: c03d 17ff ff00 0064 0004 c75b 2dfc 6e1b .=.....d...[-.n. 0x0140: 42ba 8108 c849 f941 dfcb 5000 9101 01ff B....I.A..P..... 0x0150: 0000 0000 0000 0000 ........ nft monitor : trace id 195bb0a6 netdev filter egress packet: oif "enp6s19.100" @nh,0,320 0xe5050000401194a000000000ffffffff00440043013486f501010600f97b4c020000000000000000 trace id 195bb0a6 netdev filter egress rule meta nftrace set 1 (verdict continue) trace id 195bb0a6 netdev filter egress rule log group 30 (verdict continue) trace id 195bb0a6 netdev...

In my project, I tried to use iptables, instead of bridge, to direct networking traffics from one VM to another in one host. What I am doing is I delete xen-br0, and I have two VMs that have IP addresses of 10.8.0.51 and 10.8.0.52. I use iptables -t mangle -A FORWARD -d 10.8.0.51 -j ROUTE --oif vif1.0 iptables -t mangle -A FORWARD -d 10.8.0.52 -j ROUTE --oif vif2.0 vif1.0 and vif2.0 are the virtual network interfaces of two VMs. In order to debug the above rules, I log all the traffics: iptables -t mangle -A PREROUTING -j LOG --log-level debug --log-prefix "log-everything" I...

The man page gives this example, however, when I attempt to use it, it ssems to block the whole set? Could someone tell me what's going wrong here please. Thanks heaps.. This works, ${fwcmd} add deny log all from any to 203.1.96.1 in via ${oif} This blocks the whole IP block, not just the list? ${fwcmd} add deny log all from any to 203.1.96.0/24{2,6-25,27-154,156-19 9,204-254} in via ${oif} the man page bit... list: {num | num-num}[,list] Matches all addresses with base address addr (specified as a dot-...

...used iproute2 to do iif specific routing on wifi routers with 2 wifi 802.11b interfaces on non overlapping interfaces. I set rule as follows on router-2 (shown below) use table 100 if incomming interface is wlan0 use table 200 if incomming interface is wlan1 all routes in table 100 have wlan1 as oif all routes in table 200 have wlan0 as oif --wlan0-- --wlan0---- router-1 + + router-2 + + router-3 + + + + --wlan1-- --wlan1---- (actual setup used 6 routers linerly) Theroy says that using 2 i...