From: "Robert Usle" <robertusn@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Tue, 5 Jun 2007 23:31:25 +0200
Message-ID: <3713853f0706051431u26528562u85cc237f1e41c533@mail.gmail.com>
Subject: ipfw tcp/udp dropping - why ?

Hello,

I'm not sure if my ruleset is correct, but I've noticed a strange ruleset behavior.

OS: FreeBSD 4.11-STABLE #7

Here's my ruleset.

desc:
  table 5  ip+bw for download
  table 6  ip+bw for upload ($ip,$bw)
  table 1  (ip, hosts allowed to use internet)
  NAT via IPNAT + patch for ipnat/ipfw order

-------------
## sysctls
sysctl -w net.inet.ip.fw.one_pass=0
sysctl -w net.inet.ip.fw.dyn_max=10000

# Flush rules
##############
${fwcmd} -fq flush
${fwcmd} -f pipe flush
${fwcmd} -f queue flush
${fwcmd} zero
${fwcmd} table 1 flush
${fwcmd} table 5 flush
${fwcmd} table 6 flush

myip="x.x.x.x"
int_if1="rl0"
int_if2="rl1"
ext_if1="xl0"
trusted="x.x.x.y,z.z.z.z"
up_conn_limit=20
down_conn_limit=20
goodtcptoports="22,21,25,80,110,443,3389,3306,8074,995,993,567"

## trusted hosts
${fwcmd} add 20 allow ip from $trusted to me
${fwcmd} add 20 allow ip from me to $trusted

# me -> outside PASS
${fwcmd} add 30 allow tcp from me to any out setup keep-state
${fwcmd} add 30 allow udp from me to any out keep-state

${fwcmd} add 100 set 1 allow ip from any to any via lo0
${fwcmd} add 110 set 1 deny ip from any to 127.0.0.0/8
${fwcmd} add 120 set 1 deny ip from 127.0.0.0/8 to any

# netbios BLOCK
${fwcmd} add 130 deny ip from any to any 137-139

# icmp
${fwcmd} add 140 allow icmp from any to any

${fwcmd} add 150 allow ip from any to any via $int_if1
${fwcmd} add 150 allow ip from any to any via $int_if2

# SNORT p2p (table 1 = hosts allowed for internet usage)
${fwcmd} add 160 divert 8000 ip from table\(1\) to any
${fwcmd} add 161 divert 8000 ip from any to table\(1\)

# these are pipes with mask src-addr 0xffffffff ipfw table($ip,$bw)
${fwcmd} add 10001 pipe 11 ip from any to table\(5,2048\) in recv $ext_if1
${fwcmd} add 10002 pipe 13 ip from any to table\(5,256\) in recv $ext_if1
${fwcmd} add 10003 pipe 15 ip from any to table\(5,512\) in recv $ext_if1
${fwcmd} add 10004 pipe 18 ip from any to table\(5,128\) in recv $ext_if1
${fwcmd} add 10005 pipe 19 ip from any to table\(5,1024\) in recv $ext_if1
${fwcmd} add 10006 pipe 12 ip from table\(6,2048\) to any out xmit $ext_if1
${fwcmd} add 10007 pipe 14 ip from table\(6,256\) to any out xmit $ext_if1
${fwcmd} add 10008 pipe 16 ip from table\(6,512\) to any out xmit $ext_if1
${fwcmd} add 10009 pipe 17 ip from table\(6,128\) to any out xmit $ext_if1
${fwcmd} add 10010 pipe 20 ip from table\(6,1024\) to any out xmit $ext_if1

${fwcmd} add 45000 check-state
${fwcmd} add 45100 allow tcp from table\(1\) to any not $goodtcptoports out xmit $ext_if1 setup limit src-addr $up_conn_limit
${fwcmd} add 45200 allow udp from table\(1\) to any out xmit $ext_if1 limit src-addr $up_conn_limit
${fwcmd} add 45300 allow tcp from table\(1\) to any out xmit $ext_if1 setup keep-state
${fwcmd} add 45400 allow udp from table\(1\) to any out xmit xl0 keep-state

# outside -> me PASS
${fwcmd} add 64000 allow tcp from any to me 80,443,22 setup keep-state

# outside -> LAN hosts PASS
${fwcmd} add 64100 allow tcp from any to 10.0.5.36 3389 setup keep-state

${fwcmd} add 65000 deny log logamount 10000000 ip from any to any
-------- ENDRULES --------------

Though I see http working, I notice in the ipfw logs in rule 65000:

Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3182 38.99.77.44:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3180 38.99.77.44:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.62:2259 62.129.240.58:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3204 85.25.133.18:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3171 209.172.60.89:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3079 207.44.164.103:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3080 207.44.164.103:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.0.91:1353 213.180.131.42:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3203 85.25.133.18:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3202 85.25.133.18:80 out via xl0
....

Shouldn't this be handled by:

${fwcmd} add 45300 allow tcp from table\(1\) to any out xmit $ext_if1 setup keep-state

?

Thanks,
-- 
Robert
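As an added diagnostic for the question above (example code written for this page, not from the post or from the FreeBSD project): rule 45300 only matches sources that are present in table 1, so the first thing to check is whether each host that shows up in the rule-65000 denies is actually in that table. The parser below handles the kernel log format quoted in the post, aggregates the denies per source and per rule number, and splits the denied sources by table-1 membership. The log lines are the ones quoted above; the table-1 contents are a constructed assumption and should be replaced with the real listing from the box.

```python
import re
from collections import Counter

# Matches the kernel log format quoted in the post, e.g.
#   ipfw: 65000 Deny TCP 10.0.6.70:3182 38.99.77.44:80 out via xl0
# TCP/UDP only: ICMP entries carry no ports and are skipped.
IPFW_LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_line(line):
    """Parse one syslog line; return a dict, or None if it is not an ipfw entry."""
    m = IPFW_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarise_denies(lines, table1_hosts, ext_if="xl0"):
    """Aggregate Deny entries and split them by table-1 membership.

    table1_hosts: the set of source addresses loaded into ipfw table 1
    (the hosts allowed to use the internet in the post's ruleset).
    ext_if: the external interface rule 45300 matches on ("xl0" in the post).
    """
    by_src = Counter()
    by_rule = Counter()
    # TCP, outbound on ext_if, source in table 1: exactly the flows that
    # rule 45300 is written to cover, so a deny here needs a different explanation
    table1_flows_denied = []
    sources_not_in_table1 = set()
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        by_src[rec["src"]] += 1
        by_rule[rec["rule"]] += 1
        if rec["src"] not in table1_hosts:
            sources_not_in_table1.add(rec["src"])
        elif (rec["proto"] == "TCP" and rec["direction"] == "out"
              and rec["iface"] == ext_if):
            table1_flows_denied.append((rec["src"], rec["dst"], rec["dport"]))
    return {
        "by_src": by_src,
        "by_rule": by_rule,
        "sources_not_in_table1": sorted(sources_not_in_table1),
        "table1_flows_denied": table1_flows_denied,
    }


# The log lines quoted in the post.
SAMPLE_LOG = """\
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3182 38.99.77.44:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3180 38.99.77.44:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.62:2259 62.129.240.58:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3204 85.25.133.18:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3171 209.172.60.89:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3079 207.44.164.103:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3080 207.44.164.103:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.0.91:1353 213.180.131.42:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3203 85.25.133.18:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3202 85.25.133.18:80 out via xl0
""".splitlines()

# Constructed assumption: which LAN hosts are loaded into table 1.
# On the real box replace this with the output of `ipfw table 1 list`.
ASSUMED_TABLE1 = {"10.0.6.70", "10.0.5.36"}


def report(lines=SAMPLE_LOG, table1_hosts=ASSUMED_TABLE1):
    """Print a human-readable summary and return the underlying data."""
    s = summarise_denies(lines, table1_hosts)
    for rule, n in sorted(s["by_rule"].items()):
        print(f"rule {rule}: {n} denies")
    for src, n in s["by_src"].most_common():
        print(f"  {src}: {n}")
    print("denied sources NOT in table 1:", s["sources_not_in_table1"])
    print("denied TCP flows from table-1 hosts out via ext_if:",
          len(s["table1_flows_denied"]))
    return s


if __name__ == "__main__":
    report()
```

Sources that land in the "not in table 1" bucket are explained by the ruleset as written, since no rule before 65000 allows them out; flows that land in the other bucket are the ones where the dynamic-rule behaviour of rule 45300 (setup plus keep-state, with check-state at 45000) needs to be looked at with the real table listing and `ipfw -d show` output in hand.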