From owner-freebsd-questions Wed Jun 19 19:02:26 2002
From: "Joe & Fhe Barbish"
To: "Corey Snow"
Cc: "FBSDQ"
Subject: RE: ipfw dropping legit packets?
Date: Wed, 19 Jun 2002 22:02:08 -0400
In-Reply-To: <3D10C128.8915.1C677A9@localhost>

I have the same thing. You will be surprised when you see what is happening. Do this test: take the IP address you see in the log messages and use it in your browser as the URL. I think you will find out that what is being denied is the auto spawn web pages that are hidden in the original viewed URL. You are using exclusively advanced stateful keep-state ipfw rules, and an undocumented benefit is the blocking of auto spawn URLs. This is a good thing. If you do not want to see them in your log, then add a rule just before your last rule like this:

add deny tcp from any to any 80 out via ed0

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Corey Snow
Sent: Wednesday, June 19, 2002 8:37 PM
To: freebsd-questions@freebsd.org
Subject: ipfw dropping legit packets?
I have a filtering bridge set up on my LAN betwixt my DSL and my DMZ. I've set it up with ipfw and built the kernel with the appropriate options. Everything seems to be working well, although I recently turned on the "log" flag for my last rule (deny ip from any to any). It's strange, but it seems as though the firewall is denying some traffic (only a few packets here and there) that should be considered legitimate. Here's my ipfw ruleset (addresses munged):

ratbastard# cat rc.ratbastardfw
#ratbastard firewall initialization script. This bridge
#firewall simply passes packets from the Internet to an internal DMZ,
#filtering them along the way. As such, we allow very little traffic in.
#1.2.3.1 - DNS and Web
#1.2.3.3 - Secondary DNS and Mail
#1.2.3.2 - Workstation
add check-state
#allow inbound DNS
add allow udp from any to 1.2.3.1 53 in via ed0 keep-state
add allow udp from any to 1.2.3.3 53 in via ed0 keep-state
#allow outbound DNS
add allow udp from 1.2.3.1 to any 53 in via ed1 keep-state
add allow udp from 1.2.3.3 to any 53 in via ed1 keep-state
#allow HTTP
add allow tcp from any to 1.2.3.1 80,443 in via ed0 setup keep-state
#allow SMTP and POP3
add allow tcp from any to 1.2.3.3 25,110 in via ed0 setup keep-state
#allow SMTP relay so we can send out through a machine with reverse DNS
add allow tcp from 1.2.3.3 to isprelay 25 in via ed1 setup keep-state
#allow internal traffic out.
add allow tcp from 1.2.3.2 to any in via ed1 setup keep-state
add allow udp from 1.2.3.2 to any in via ed1 keep-state
#Allow ssh to this machine on internal interface.
add allow tcp from securews to me 22 in via ed1 keep-state
#allow internal machines to ping
add allow icmp from any to me in via ed1 icmptypes 8 keep-state
#deny anything else and log it
add deny log ip from any to any
ratbastard#

---

When this set of rules is in effect, I will get stuff like this in my security log (addresses munged). The IP address that is being denied is a web site I tried to visit.
I can see the web site and all seems to be well, but these keep popping up in my log, indicating that something is being denied that shouldn't be. Shouldn't the "keep-state" rules take care of this kind of thing?

ratbastard# tail security
Jun 19 17:29:39 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3197 in via ed0
Jun 19 17:29:39 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3199 in via ed0
Jun 19 17:29:40 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3200 in via ed0
Jun 19 17:29:40 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3202 in via ed0
Jun 19 17:29:43 ratbastard /kernel: ipfw: 1600 Deny TCP 1.2.3.2:3175 216.150.6.70:80 in via ed1
Jun 19 17:30:51 ratbastard /kernel: ipfw: 1600 Deny TCP 1.2.3.2:3224 216.150.16.239:80 in via ed1
Jun 19 17:30:52 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3240 in via ed0
Jun 19 17:30:52 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3230 in via ed0
Jun 19 17:30:54 ratbastard /kernel: ipfw: 1600 Deny TCP 1.2.3.2:3240 216.150.6.70:80 in via ed1
Jun 19 17:30:54 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3244 in via ed0
Jun 19 17:30:54 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3226 in via ed0
ratbastard#

Other data: FreeBSD 4.5-RELEASE, 486 DX2/66, 32 MB RAM, 2 ISA NICs. ed0: Internet, ed1: internal interface. System is in bridging mode, and only has one IP address that I use to access it via ssh.

Thanks for any suggestions or comments.

Regards,
Corey Snow

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
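An added example, not from either poster: it parses ipfw deny lines of the form Corey posted and sorts each one by which side of a web session it belongs to, since a packet only reaches the final deny (rule 1600 in his log) when neither a static rule nor a dynamic keep-state entry matched it. The ed0/ed1 interface roles are taken from the post; the sample lines are constructed from the ones he pasted.

```python
import re
from collections import Counter

# FreeBSD 4.x ipfw log line as in the post: "ipfw: <rule> Deny TCP <src>:<sport> <dst>:<dport> in via <iface>"
LOG_RE = re.compile(r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
                    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
                    r"(?P<dir>in|out) via (?P<iface>\w+)")
OUTSIDE, INSIDE = "ed0", "ed1"   # interface roles stated in the post
WEB_PORTS = {80, 443}

# Constructed sample: four of the lines from the post (addresses munged there).
SAMPLE_LOG = """\
Jun 19 17:29:39 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3197 in via ed0
Jun 19 17:29:43 ratbastard /kernel: ipfw: 1600 Deny TCP 1.2.3.2:3175 216.150.6.70:80 in via ed1
Jun 19 17:30:51 ratbastard /kernel: ipfw: 1600 Deny TCP 1.2.3.2:3224 216.150.16.239:80 in via ed1
Jun 19 17:30:52 ratbastard /kernel: ipfw: 1600 Deny TCP 216.150.6.70:80 1.2.3.2:3240 in via ed0
""".splitlines()

def parse(line):
    """Fields of one ipfw log line as a dict, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def classify(rec):
    """Which half of a web session a denied packet belongs to.
    A packet only reaches the final deny when nothing earlier matched it,
    the check-state / keep-state dynamic rules included.
      server_reply  - web server answering the inside client, seen on ed0
      client_to_web - inside client to a web port on ed1; a SYN would have
                      hit 'setup keep-state', so this is a non-SYN packet
      other         - outside the pattern in the post; inspect by hand
    """
    if rec["iface"] == OUTSIDE and rec["sport"] in WEB_PORTS:
        return "server_reply"
    if rec["iface"] == INSIDE and rec["dport"] in WEB_PORTS:
        return "client_to_web"
    return "other"

def summarize(lines):
    """Denied packets per class, plus the web servers whose replies were dropped."""
    recs = [r for r in map(parse, lines) if r]
    by_class = Counter(classify(r) for r in recs)
    servers = Counter(r["src"] for r in recs if classify(r) == "server_reply")
    return {"total": len(recs), "by_class": dict(by_class), "servers": dict(servers)}
```

Run `summarize()` over the real `tail security` output; a server that shows up repeatedly under `servers` is one whose replies keep arriving with no dynamic rule left to match them, which is where to look before blaming the rule order.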