ipfw show sagt:
65535 0 0 allow ip from any to any
iptables-save sagt:
# Generated by iptables-save v1.4.0 on Tue Jun 22 22:29:04 2010
*mangle
:PREROUTING ACCEPT [38:4007]
:INPUT ACCEPT [33:3369]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20:2674]
:POSTROUTING ACCEPT [885:144673]
:CHECKIIF - [0:0]
:INCOMINGMARK - [0:0]
:LOCALMARK - [0:0]
:LOCALPOLICYROUTING - [0:0]
:LOCALROUTING - [0:0]
:MARKIIF - [0:0]
:POLICYROUTING - [0:0]
:QOS - [0:0]
:ROUTING - [0:0]
:VPNFWDST - [0:0]
:ZONEFW - [0:0]
:ZONETRAFFIC - [0:0]
-A PREROUTING -i lo -j ACCEPT
-A PREROUTING -j ROUTING
-A INPUT -i lo -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state NEW -m mark --mark 0x0/0xfff80000 -j ZONETRAFFIC
-A FORWARD -m state --state RELATED,ESTABLISHED -j MARK --and-mark 0xfffbffff
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j LOCALROUTING
-A POSTROUTING -j QOS
-A CHECKIIF -i ! eth0 -m connmark --mark 0x800/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! br0 -m connmark --mark 0x1000/0x3f800 -j MARK --and-mark 0xfffff807
-A INCOMINGMARK -j POLICYROUTING
-A INCOMINGMARK -j CONNMARK --restore-mark
-A LOCALMARK -j LOCALPOLICYROUTING
-A LOCALMARK -j CONNMARK --restore-mark
-A LOCALROUTING -i lo -j RETURN
-A LOCALROUTING -o lo -j RETURN
-A LOCALROUTING -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -m connmark ! --mark 0x0 -j CONNMARK --restore-mark
-A LOCALROUTING -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -m connmark ! --mark 0x0 -j CHECKIIF
-A LOCALROUTING -m state --state NEW -j MARKIIF
-A LOCALROUTING -m state --state NEW -j LOCALMARK
-A MARKIIF -i eth0 -j CONNMARK --set-mark 0x800/0x3f800
-A MARKIIF -i br0 -j CONNMARK --set-mark 0x1000/0x3f800
-A ROUTING -i lo -j RETURN
-A ROUTING -o lo -j RETURN
-A ROUTING -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -m connmark ! --mark 0x0 -j CONNMARK --restore-mark
-A ROUTING -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -m connmark ! --mark 0x0 -j CHECKIIF
-A ROUTING -m state --state NEW -j MARKIIF
-A ROUTING -m state --state NEW -j INCOMINGMARK
-A ZONEFW -i br0 -o br0 -j ACCEPT
-A ZONEFW -i br0 -o br2 -j ACCEPT
-A ZONEFW -i br0 -o br1 -j ACCEPT
-A ZONEFW -i br2 -o br2 -j ACCEPT
-A ZONEFW -i br1 -o br1 -j ACCEPT
-A ZONETRAFFIC -i br0 -o br0 -j VPNFWDST
-A ZONETRAFFIC -i br0 -o br0 -j ZONEFW
-A ZONETRAFFIC -i br0 -o br0 -j RETURN
COMMIT
# Completed on Tue Jun 22 22:29:04 2010
# Generated by iptables-save v1.4.0 on Tue Jun 22 22:29:04 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [943:151825]
:ALLOW - [0:0]
:ALLOW_HOOKS - [0:0]
:BADTCP - [0:0]
:BADTCP_LOGDROP - [0:0]
:CUSTOMFORWARD - [0:0]
:CUSTOMINPUT - [0:0]
:CUSTOMOUTPUT - [0:0]
:HAFORWARD - [0:0]
:ICMP_LOGDROP - [0:0]
:INCOMINGFW - [0:0]
:INPUTFW - [0:0]
:INPUTFW_LOGDROP - [0:0]
:INPUTTRAFFIC - [0:0]
:LOG_FORWARD - [0:0]
:LOG_INPUT - [0:0]
:NEWNOTSYN - [0:0]
:NEWNOTSYN_LOGDROP - [0:0]
:OPENVPNCLIENTDHCP - [0:0]
:OPENVPNDHCP - [0:0]
:OUTGOINGFW - [0:0]
:PORTFWACCESS - [0:0]
:REDINPUT - [0:0]
:VPNFW - [0:0]
:VPNFWDST - [0:0]
:VPNFW_LOGDROP - [0:0]
:VPNTRAFFIC - [0:0]
:ZONEFW - [0:0]
:ZONEFW_LOGDROP - [0:0]
:ZONETRAFFIC - [0:0]
-A INPUT -j REDINPUT
-A INPUT -j BADTCP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j NEWNOTSYN_LOGDROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec
-A INPUT -j CUSTOMINPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ALLOW
-A INPUT -p icmp -j ICMP_LOGDROP
-A INPUT -i lo -m state --state NEW -j ALLOW
-A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -m state --state NEW -j INPUTTRAFFIC
-A INPUT -j LOG_INPUT
-A FORWARD -j OPENVPNCLIENTDHCP
-A FORWARD -j OPENVPNDHCP
-A FORWARD -j BADTCP
-A FORWARD -j CUSTOMFORWARD
-A FORWARD -m state --state RELATED,ESTABLISHED -j ALLOW
-A FORWARD -p icmp -j ICMP_LOGDROP
-A FORWARD -i lo -m state --state NEW -j ALLOW
-A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
-A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
-A FORWARD -j HAFORWARD
-A FORWARD -m state --state NEW -j PORTFWACCESS
-A FORWARD -j VPNTRAFFIC
-A FORWARD -m state --state NEW -j OUTGOINGFW
-A FORWARD -m state --state NEW -j INCOMINGFW
-A FORWARD -j ZONETRAFFIC
-A FORWARD -j LOG_FORWARD
-A OUTPUT -j CUSTOMOUTPUT
-A ALLOW -j ALLOW_HOOKS
-A ALLOW -j ACCEPT
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j BADTCP_LOGDROP
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j BADTCP_LOGDROP
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j BADTCP_LOGDROP
-A BADTCP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j BADTCP_LOGDROP
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j BADTCP_LOGDROP
-A BADTCP -p tcp -m tcp --sport 0 -j BADTCP_LOGDROP
-A BADTCP -p udp -m udp --sport 0 -j BADTCP_LOGDROP
-A BADTCP -p tcp -m tcp --dport 0 -j BADTCP_LOGDROP
-A BADTCP -p udp -m udp --dport 0 -j BADTCP_LOGDROP
-A BADTCP_LOGDROP -j DROP
-A ICMP_LOGDROP -p icmp -m icmp --icmp-type 8 -j RETURN
-A ICMP_LOGDROP -p icmp -m icmp --icmp-type 30 -j RETURN
-A ICMP_LOGDROP -j DROP
-A INPUTFW -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUTFW -i br2 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUTFW -i br1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUTFW -i br0 -p tcp -m tcp --dport 10443 -j ACCEPT
-A INPUTFW -i br0 -p tcp -m tcp --dport 3001 -j ACCEPT
-A INPUTFW -i br2 -p tcp -m tcp --dport 3001 -j ACCEPT
-A INPUTFW -i br1 -p tcp -m tcp --dport 3001 -j ACCEPT
-A INPUTFW -i br0 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUTFW -i br0 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j ACCEPT
-A INPUTFW -i br2 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUTFW -i br2 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j ACCEPT
-A INPUTFW -i br1 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUTFW -i br1 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j ACCEPT
-A INPUTFW -i ipsec+ -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUTFW -i ipsec+ -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j ACCEPT
-A INPUTFW -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -m physdev --physdev-in tap0 -j ACCEPT
-A INPUTFW -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -m physdev --physdev-in tap0 -j ACCEPT
-A INPUTFW -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUTFW -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUTFW -i br2 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUTFW -i br2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUTFW -i br1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUTFW -i br1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUTFW -i ipsec+ -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUTFW -i ipsec+ -p udp -m udp --dport 53 -j ACCEPT
-A INPUTFW -p tcp -m tcp --dport 53 -m physdev --physdev-in tap0 -j ACCEPT
-A INPUTFW -p udp -m udp --dport 53 -m physdev --physdev-in tap0 -j ACCEPT
-A INPUTFW -i br0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUTFW -i br0 -p udp -m udp --dport 123 -j ACCEPT
-A INPUTFW -i br0 -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUTFW -i br2 -p udp -m udp --dport 123 -j ACCEPT
-A INPUTFW -i br2 -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUTFW -i br1 -p udp -m udp --dport 123 -j ACCEPT
-A INPUTFW -i br1 -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUTFW -i ipsec+ -p udp -m udp --dport 123 -j ACCEPT
-A INPUTFW -i ipsec+ -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUTFW -p udp -m udp --dport 123 -m physdev --physdev-in tap0 -j ACCEPT
-A INPUTFW -p tcp -m tcp --dport 123 -m physdev --physdev-in tap0 -j ACCEPT
-A INPUTFW -i br0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUTFW -i ipsec+ -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUTFW -p tcp -m tcp --dport 8080 -m physdev --physdev-in tap0 -j ACCEPT
-A INPUTFW -i br0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUTFW -i br0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUTFW -i br2 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUTFW -i br2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUTFW -i br1 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUTFW -i br1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUTFW -i ipsec+ -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUTFW -i ipsec+ -p udp -m udp --dport 67 -j ACCEPT
-A INPUTFW -p tcp -m tcp --dport 67 -m physdev --physdev-in tap0 -j ACCEPT
-A INPUTFW -p udp -m udp --dport 67 -m physdev --physdev-in tap0 -j ACCEPT
-A INPUTFW_LOGDROP -j DROP
-A INPUTTRAFFIC -i ipsec+ -j INPUTFW
-A INPUTTRAFFIC -i ipsec+ -j INPUTFW_LOGDROP
-A INPUTTRAFFIC -i tap+ -j INPUTFW
-A INPUTTRAFFIC -i tap+ -j INPUTFW_LOGDROP
-A INPUTTRAFFIC -i openvpntun+ -j INPUTFW
-A INPUTTRAFFIC -i openvpntun+ -j INPUTFW_LOGDROP
-A INPUTTRAFFIC -m physdev --physdev-in tap+ -j INPUTFW
-A INPUTTRAFFIC -m physdev --physdev-in tap+ -j INPUTFW_LOGDROP
-A INPUTTRAFFIC -m physdev --physdev-in openvpntun+ -j INPUTFW
-A INPUTTRAFFIC -m physdev --physdev-in openvpntun+ -j INPUTFW_LOGDROP
-A INPUTTRAFFIC -i br0 -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUTTRAFFIC -i br0 -j INPUTFW
-A INPUTTRAFFIC -i br0 -j INPUTFW_LOGDROP
-A INPUTTRAFFIC -j INPUTFW
-A NEWNOTSYN -i br0 -o br0 -j RETURN
-A NEWNOTSYN -i tap+ -j RETURN
-A NEWNOTSYN -o tap+ -j RETURN
-A NEWNOTSYN -i openvpntun+ -j RETURN
-A NEWNOTSYN -o openvpntun+ -j RETURN
-A NEWNOTSYN -j NEWNOTSYN_LOGDROP
-A NEWNOTSYN_LOGDROP -j DROP
-A VPNFW -j ACCEPT
-A VPNFW_LOGDROP -j DROP
-A VPNTRAFFIC -o ipsec+ -j VPNFW
-A VPNTRAFFIC -o ipsec+ -j VPNFW_LOGDROP
-A VPNTRAFFIC -i ipsec+ -j VPNFW
-A VPNTRAFFIC -i ipsec+ -j VPNFW_LOGDROP
-A VPNTRAFFIC -o tap+ -j VPNFW
-A VPNTRAFFIC -o tap+ -j VPNFW_LOGDROP
-A VPNTRAFFIC -o openvpntun+ -j VPNFW
-A VPNTRAFFIC -o openvpntun+ -j VPNFW_LOGDROP
-A VPNTRAFFIC -i tap+ -j VPNFW
-A VPNTRAFFIC -i tap+ -j VPNFW_LOGDROP
-A VPNTRAFFIC -i openvpntun+ -j VPNFW
-A VPNTRAFFIC -i openvpntun+ -j VPNFW_LOGDROP
-A VPNTRAFFIC -m physdev --physdev-out tap+ --physdev-is-bridged -j VPNFW
-A VPNTRAFFIC -m physdev --physdev-out tap+ --physdev-is-bridged -j VPNFW_LOGDROP
-A VPNTRAFFIC -m physdev --physdev-out openvpntun+ --physdev-is-bridged -j VPNFW
-A VPNTRAFFIC -m physdev --physdev-out openvpntun+ --physdev-is-bridged -j VPNFW_LOGDROP
-A VPNTRAFFIC -m physdev --physdev-in tap+ -j VPNFW
-A VPNTRAFFIC -m physdev --physdev-in tap+ -j VPNFW_LOGDROP
-A VPNTRAFFIC -m physdev --physdev-in openvpntun+ -j VPNFW
-A VPNTRAFFIC -m physdev --physdev-in openvpntun+ -j VPNFW_LOGDROP
-A ZONEFW -i br0 -o br0 -j ACCEPT
-A ZONEFW -i br0 -o br2 -j ACCEPT
-A ZONEFW -i br0 -o br1 -j ACCEPT
-A ZONEFW -i br2 -o br2 -j ACCEPT
-A ZONEFW -i br1 -o br1 -j ACCEPT
-A ZONEFW_LOGDROP -j DROP
-A ZONETRAFFIC -i br0 -o br0 -j ZONEFW
-A ZONETRAFFIC -i br0 -o br0 -j ZONEFW_LOGDROP
COMMIT
# Completed on Tue Jun 22 22:29:04 2010
# Generated by iptables-save v1.4.0 on Tue Jun 22 22:29:04 2010
*nat
:PREROUTING ACCEPT [19:1780]
:POSTROUTING ACCEPT [89:5063]
:OUTPUT ACCEPT [89:5063]
:CUSTOMPOSTROUTING - [0:0]
:CUSTOMPREROUTING - [0:0]
:OPENVPNCLIENT - [0:0]
:PORTFW - [0:0]
:POSTPORTFW - [0:0]
:PROXIES - [0:0]
:SOURCENAT - [0:0]
-A PREROUTING -j CUSTOMPREROUTING
-A PREROUTING -j PROXIES
-A PREROUTING -j PORTFW
-A POSTROUTING -j CUSTOMPOSTROUTING
-A POSTROUTING -j OPENVPNCLIENT
-A POSTROUTING -j SOURCENAT
-A POSTROUTING -j POSTPORTFW
-A OUTPUT -j PORTFW
COMMIT
# Completed on Tue Jun 22 22:29:04 2010
netstat -rn sagt:
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGSc 52 0 en1
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 0 0 lo0
169.254 link#5 UCS 0 0 en1
192.168.1 link#5 UCS 8 0 en1
192.168.1.1 0:1c:10:27:f0:90 UHLWI 11 18 en1 1180
192.168.1.101 127.0.0.1 UHS 0 0 lo0
192.168.20 link#7 UC 1 0 vboxnet
Internet6:
Destination Gateway Flags Netif Expire
::1 ::1 UH lo0
fe80::%lo0/64 fe80::1%lo0 Uc lo0
fe80::1%lo0 link#1 UHL lo0
fe80::%en1/64 link#5 UC en1
fe80::5ab0:35ff:fe77:2462%en1 58:b0:35:77:24:62 UHL lo0
ff01::/32 ::1 Um lo0
ff02::/32 ::1 UmC lo0
ff02::/32 link#5 UmC en1
route in der vm:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.20.0 * 255.255.255.0 U 0 0 0 br0
brctl show:
bridge name bridge id STP enabled interfaces
br0 0000.080027bbece9 no eth0
Netzwerktechnik ist nicht so 100% mein Ding, muss ich zugeben,
da hab ich noch was nachzuholen.