Date: Fri, 4 Apr 2008 13:11:58 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Julian Elischer <julian@elischer.org>
Cc: freebsd-net@freebsd.org, Ivan Voras <ivoras@freebsd.org>
Subject: Re: Trouble with IPFW or TCP?
Message-ID: <Pine.BSF.3.96.1080404123439.19138A-100000@gaia.nimnet.asn.au>
In-Reply-To: <47F5748F.9050207@elischer.org>
On Thu, 3 Apr 2008, Julian Elischer wrote:

> Ivan Voras wrote:
> > Erik Trulsson wrote:
> >> On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
> >>> In which case would an ipfw ruleset like this:
> >>>
> >>> 00100 114872026 40487887607 allow ip from any to any via lo0
> >>> 00200 0 0 deny ip from any to 127.0.0.0/8
> >>> 00300 0 0 deny ip from 127.0.0.0/8 to any
> >>> 00600 1585 112576 deny ip from table(0) to me
> >>> 01000 90279 7325972 allow icmp from any to any
> >>> 05000 475961039 334422494257 allow tcp from me to any setup keep-state
> >>> 05100 634155 65779377 allow udp from me to any keep-state
> >>> 06022 409604 69177326 allow tcp from any to me dst-port 22 setup keep-state
> >>> 06080 52159025 43182548092 allow tcp from any to me dst-port 80 setup keep-state
> >>> 06443 6392366 2043532158 allow tcp from any to me dst-port 443 setup keep-state
> >>> 07020 517065 292377553 allow tcp from any to me dst-port 8080 setup keep-state
> >>> 65400 12273387 629703212 deny log ip from any to any
> >>> 65535 0 0 deny ip from any to any
> >>
> >> If you are using 'keep-state' should there not also be some rule
> >> containing 'check-state'?
> >
> > Not according to the ipfw(8) manual:
> >
> > """
> > These dynamic rules, which have a limited lifetime, are checked at the
> > first occurrence of a check-state, keep-state or limit rule, and are
> > typically used to open the firewall on-demand to legitimate traffic only.
> > See the STATEFUL FIREWALL and EXAMPLES Sections below for more
> > information on the stateful behaviour of ipfw.
> > """
> >
> > I read this to mean the dynamic rules are checked at rule #5000 from the
> > above list. Is there an advantage to having an explicit check-state rule
> > in simple rulesets like this one?
>
> the docs are wrong then I think.

If so, they've been wrong since 4.something .. certainly before 4.8.
It's hard to imagine nobody else has ever relied on that doc behaviour, so perhaps the docs, if wrong, have become so at some more recent time?

I guess the simple way to find out is for Ivan to add a check-state somewhere before the first keep-state, affecting all new connections. If that doesn't fix the problem, then it looks like the denied packets really are coming in from non-established sessions, as they would appear on the surface - if it wasn't known that the sources should be good!

No chance net.inet.ip.fw.dyn_count is hitting net.inet.ip.fw.dyn_max?

cheers, Ian
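The two diagnostics Ian proposes above (does a check-state rule sit before the first keep-state, and is the dynamic rule table running into dyn_max) can be checked from captured text rather than on the live box. The script below is an added example, not code from this thread or from FreeBSD; it reads `ipfw -a list` and `sysctl` output as strings, with sample data constructed to mirror the quoted ruleset. The rule number 04000 chosen for the inserted check-state, the dyn_count/dyn_max values, and the 90% warning threshold are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: offline sanity checks for an ipfw
# stateful ruleset. It works on captured text (what `ipfw -a list` and
# `sysctl` print), so it needs no running firewall. The data below is
# constructed to mirror the ruleset quoted in the thread.

# Constructed `ipfw -a list` output with keep-state rules but no check-state.
RULESET_NO_CHECK='00100 114872026 40487887607 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00600 1585 112576 deny ip from table(0) to me
01000 90279 7325972 allow icmp from any to any
05000 475961039 334422494257 allow tcp from me to any setup keep-state
05100 634155 65779377 allow udp from me to any keep-state
06022 409604 69177326 allow tcp from any to me dst-port 22 setup keep-state
65400 12273387 629703212 deny log ip from any to any
65535 0 0 deny ip from any to any'

# The same ruleset with an explicit check-state ahead of the first keep-state,
# as Ian suggests. Rule number 04000 is an assumption (anything between
# 01000 and 05000 would do).
RULESET_WITH_CHECK=$(printf '%s\n' "$RULESET_NO_CHECK" |
    awk '/^05000 / { print "04000 0 0 check-state" } { print }')

# Constructed `sysctl` output; the values are made up for the example.
SYSCTL_SAMPLE='net.inet.ip.fw.dyn_count: 4090
net.inet.ip.fw.dyn_max: 4096'

# Print the number of the first rule at which ipfw consults the dynamic rule
# table: per the ipfw(8) text quoted in the thread, that is the first
# check-state, keep-state or limit rule.
first_state_rule() {
    printf '%s\n' "$1" | awk '/check-state|keep-state|limit/ { print $1; exit }'
}

# Succeed (exit 0) only if a check-state rule precedes the first keep-state or
# limit rule, i.e. the ruleset does not rely on the keep-state rule itself to
# match packets of established sessions.
check_state_precedes_keep() {
    printf '%s\n' "$1" | awk '
        /check-state/      { found = 1; exit }
        /keep-state|limit/ { exit }
        END                { exit !found }'
}

# Succeed (exit 0) while dyn_count is below PCT percent of dyn_max; fail once
# the dynamic rule table is that full. PCT defaults to 90 (an arbitrary
# warning threshold for this example, not an ipfw setting).
dyn_table_headroom_ok() {
    pct=${2:-90}
    printf '%s\n' "$1" | awk -v pct="$pct" '
        /dyn_count:/ { count = $2 }
        /dyn_max:/   { max = $2 }
        END          { exit !(max > 0 && count * 100 < max * pct) }'
}

# Human-readable summary of both checks for one ruleset and one sysctl capture.
report() {
    if check_state_precedes_keep "$1"; then
        echo "check-state precedes keep-state; dynamic table consulted at rule $(first_state_rule "$1")"
    else
        echo "no check-state before keep-state; dynamic table first consulted at rule $(first_state_rule "$1")"
    fi
    if dyn_table_headroom_ok "$2" 90; then
        echo "dynamic rule table has headroom"
    else
        echo "dyn_count is within 10% of dyn_max; new dynamic rules may fail to install"
    fi
}

report "$RULESET_NO_CHECK" "$SYSCTL_SAMPLE"
report "$RULESET_WITH_CHECK" "$SYSCTL_SAMPLE"
```

On a real host the two string variables would be replaced by `ipfw -a list` and `sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max` captures; the checks themselves are plain awk so they run on any FreeBSD or POSIX system.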