On 19.12.2017 21:46, wishmaster wrote:
>>> /sbin/ipfw add 15002 netgraph 100 ip from me to not me recv "*"
>>
>> Why do you have incoming ip packets sourced from your IP?
>
> It's ok. I use per-interface ACL.
>
> # out
> ipfw -fq table tbl_OUT_IF flush
> ...
> ipfw table tbl_OUT_IF add tun1 15000 #
> ...
>
>
> $cmd 100 skipto tablearg log all from any to any in recv "table(tbl_IN_IF)"
> $cmd 110 skipto tablearg log all from any to any out xmit "table(tbl_OUT_IF)"
>
>
> ### OUT ext_if tun0
> $cmd 15000 nat 1 log all from not me to not me recv "*" # LAN traffic
> # !!! 15002 here
> $cmd 15020 allow log all from me to not me recv "*" # LAN traffic
It is not OK. It does not make any sense: "from me ... recv" is NOT any kind of normal LAN traffic. This expression describes spoofed traffic.

_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
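To make the reply's point concrete, here is an added model of the ipfw matching semantics involved (written for this note, not code from the thread; it ignores nat re-entry with one_pass=0): a packet can only satisfy "from me ... recv" if it has a receive interface, so it came off the wire carrying one of the host's own source addresses. The local addresses, the packet values and the anti-spoof rule number 90 are constructed assumptions.

```python
import fnmatch

# Constructed sample (an assumption, not from the thread): the addresses this host
# owns, i.e. what ipfw resolves the "me" keyword to.
LOCAL_ADDRS = {"192.0.2.10", "198.51.100.1"}

def addr_matches(spec, addr):
    """Evaluate an ipfw-style address spec: 'any', 'me' or 'not me'."""
    if spec == "any":
        return True
    is_local = addr in LOCAL_ADDRS
    return is_local if spec == "me" else not is_local

def rule_matches(rule, pkt):
    """Model of the ipfw options used in the thread: from/to, in/out and recv."""
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    if rule.get("dir") and rule["dir"] != pkt["dir"]:
        return False
    recv = rule.get("recv")
    if recv is not None:
        # "recv" needs a receive interface; locally generated packets have none,
        # so only packets that came off the wire (or are being forwarded) can match.
        if pkt["recv"] is None or not fnmatch.fnmatch(pkt["recv"], recv):
            return False
    return True

def first_match(rules, pkt):
    """First-match walk like ipfw; (65535, 'deny') models the default rule."""
    for num, action, rule in rules:
        if rule_matches(rule, pkt):
            return num, action
    return 65535, "deny"

# The two "from me to not me recv" rules quoted in the thread (actions abbreviated) ...
QUOTED = [
    (15002, "netgraph 100", {"src": "me", "dst": "not me", "recv": "*"}),
    (15020, "allow", {"src": "me", "dst": "not me", "recv": "*"}),
]
# ... and the same fragment with an anti-spoof drop ahead of it (rule number assumed).
# Forwarded packets are seen on the inbound pass first, so that pass is where a packet
# arriving with one of our own source addresses is caught.
HARDENED = [(90, "deny", {"src": "me", "dst": "any", "dir": "in", "recv": "*"})] + QUOTED

# Constructed packets: our own outbound traffic, and an inbound packet on tun0
# whose source claims to be our address.
LEGIT_OUT = {"src": "192.0.2.10", "dst": "203.0.113.5", "dir": "out", "recv": None}
SPOOFED_IN = {"src": "192.0.2.10", "dst": "203.0.113.5", "dir": "in", "recv": "tun0"}
```

Under the quoted fragment the spoofed packet is the only kind of packet that reaches rule 15002, while the host's own outbound traffic never matches it because it has no receive interface.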