Date: Sat, 29 Jan 2005 23:27:50 +0200
From: "Vahric MUHTARYAN" <vahric@doruk.net.tr>
To: "'Gerard Meijer'" <gmeijer@palmweb.nl>, <freebsd-ipfw@freebsd.org>
Subject: RE: ipfw statefull ruleset problem
Message-ID: <200501292126.j0TLQkjg097142@smtp.doruk.net.tr>
In-Reply-To: <084c01c50644$d5e87010$9600000a@guus>
Use like this:

intip="your machine ip address"
int="your interface, for example fxp0 for intel"

${fwcmd} add 400 drop all from any to any frag
${fwcmd} add 500 check-state
${fwcmd} add 600 deny tcp from any to any established
${fwcmd} add 1100 pass tcp from any to ${intip} 21 in via ${int} setup keep-state
${fwcmd} add 1204 pass tcp from ${intip} 20 to any out via ${int} setup keep-state

Bye ...

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Gerard Meijer
Sent: Saturday, January 29, 2005 10:55 PM
To: freebsd-ipfw@freebsd.org
Subject: ipfw statefull ruleset problem

Hi everyone,

First of all, I'm not very experienced with ipfw, so if this is a stupid question, I'm sorry.

I have a question regarding my stateful ipfw ruleset. I have the following rules:

---begin---
$cmd 00015 check-state

#www
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
#mail
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state
#ftp
$cmd 00283 allow tcp from any to any 21 out via $pif setup keep-state

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
# Allow in FTP
$cmd 00410 allow tcp from any to me 21 in via $pif setup limit src-addr 2
# Allow in mail
$cmd 00420 allow tcp from any to me 110 in via $pif
---end---

(there are more rules, but these are the ones that it's about)

The problem that I'm having is that I can't check mail, and can't FTP, and I see a lot of:

ipfw: 299 Deny TCP [my-server-ip]:80 [some-ip]:[some-port-other-than-80] out via em0

messages in my logfile. When I try to check mail I see in my log:

ipfw: 299 Deny TCP [my-server-ip]:110 [my-home-pc-ip]:[some-port-other-than-110] out via em0

What happens (I think, as far as I understand ipfw) is that there is a connection setup on port 21/80/110 (ftp/http/mail), which is allowed by the rules. A dynamic rule is created, but then the other computer switches ports. The check-state command checks for a dynamic rule, but the port doesn't match anymore, so it doesn't find a dynamic rule, and the other rules also don't apply, since they only allow connection initialization. Am I correct?

I can solve all this by putting in the rule:

# $cmd 00020 allow tcp from any to any established

But I learned that that is not the right way to do this in a stateful ruleset, because the dynamic rules don't have any use this way. So what is the right way to solve this?

Thanks a lot in advance!

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
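The stateful layout Vahric describes (check-state first, deny established, then setup keep-state on every permitted session) applied to Gerard's rule numbers, as an added example that is not part of either message. It assumes placeholder values for pif, intip and fwcmd; fwcmd defaults to a dry-run "echo ipfw" so the script only prints the rules unless you point it at /sbin/ipfw.

```shell
#!/bin/sh
# Added example, not from either poster. Variables are placeholders:
pif="${pif:-em0}"               # external interface (em0 appears in Gerard's log)
intip="${intip:-192.0.2.10}"    # constructed placeholder for the server's own address
fwcmd="${fwcmd:-echo ipfw}"     # dry run by default; set fwcmd=/sbin/ipfw to load for real

stateful_ruleset() {
    # 1. Drop fragments, then let every packet that belongs to a dynamic
    #    (keep-state / limit) session through, in either direction.
    ${fwcmd} add 00010 drop all from any to any frag
    ${fwcmd} add 00015 check-state

    # 2. A packet claiming to be mid-connection with no dynamic rule behind
    #    it is rejected. This is the stateful replacement for the blanket
    #    "allow tcp from any to any established", which would bypass state.
    ${fwcmd} add 00020 deny tcp from any to any established

    # 3. Outbound client sessions: only the SYN matches here; the dynamic
    #    rule created by keep-state carries the rest of the conversation.
    ${fwcmd} add 00200 allow tcp from ${intip} to any 80 out via ${pif} setup keep-state
    ${fwcmd} add 00231 allow tcp from ${intip} to any 110 out via ${pif} setup keep-state
    ${fwcmd} add 00283 allow tcp from ${intip} to any 21 out via ${pif} setup keep-state

    # 4. Inbound server sessions: same shape with "in via". keep-state (or
    #    "limit src-addr N", which is also stateful but caps sessions per
    #    client address) is what lets the server's replies back out.
    ${fwcmd} add 00400 allow tcp from any to ${intip} 80 in via ${pif} setup keep-state
    ${fwcmd} add 00410 allow tcp from any to ${intip} 21 in via ${pif} setup keep-state
    ${fwcmd} add 00420 allow tcp from any to ${intip} 110 in via ${pif} setup keep-state

    # 5. Active-mode FTP data channel: the server opens it from port 20.
    ${fwcmd} add 01204 allow tcp from ${intip} 20 to any out via ${pif} setup keep-state

    # 6. Log everything else so mismatches stay visible, as rule 299 did.
    ${fwcmd} add 65000 deny log all from any to any
}

stateful_ruleset
```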