From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 11 07:55:36 2003
Date: Fri, 11 Apr 2003 07:55:34 -0700 (PDT)
Message-Id: <200304111455.h3BEtYS0064957@gate.killian.com>
From: "Earl A. Killian" <earl@killian.com>
To: freebsd-ipfw@freebsd.org
Subject: dynamic rules, FIN lifetime
List-Id: IPFW Technical Discussions

I am looking for suggestions on how to debug a firewall that uses dynamic rules and is generating some log messages that I don't expect.
Briefly, I have the following snippet for packets originating on the firewall host being output on the external interface xl1:

    add 3100 check-state
    add 3200 allow udp from any to any domain,ntp,kerberos,6277 keep-state
    add 3300 allow udp from any to any 33434-33494 keep-state
    add 3400 allow tcp from any to any setup keep-state
    add 3500 allow icmp from any to any keep-state
    add 3600 deny log all from any to any

I am seeing ipfw log messages in /var/log/security such as

    Apr 11 00:08:11 gate /kernel: ipfw: 3600 Deny TCP 205.179.65.162:25 207.217.120.19:33296 out via xl1
    Apr 11 00:08:42 gate last message repeated 4 times
    Apr 11 00:09:09 gate /kernel: ipfw: 3600 Deny TCP 205.179.65.162:25 216.187.127.114:40614 out via xl1
    Apr 11 00:09:14 gate /kernel: ipfw: 3600 Deny TCP 205.179.65.162:25 207.217.120.19:33296 out via xl1

I picked the above because it is for SMTP, and so I can correlate with /var/log/maillog. (I run smtpd on port 25, not sendmail, so the log format may be unfamiliar.)

    Apr 11 00:08:07 gate smtpd[61280]: SMTP HELO from deathrow.mail.pas.earthlink.net(207.217.120.19) as "deathrow.mail.pas.earthlink.net"
    Apr 11 00:08:07 gate smtpd[61280]: mail from
    Apr 11 00:08:08 gate smtpd[61280]: smtp connection from UNKNOWN@deathrow.mail.pas.earthlink.net(207.217.120.19) MAIL FROM: RCPT TO: , allowed by line 127 of /etc/smtpd_check_rules
    Apr 11 00:08:08 gate smtpd[61280]: Recipient
    Apr 11 00:08:09 gate smtpd[61280]: Received 26296 bytes of message body from deathrow.mail.pas.earthlink.net(207.217.120.19)

This was a spam delivery, as you might guess, but it is coming through earthlink, so it should be a reasonable SMTP implementation. The message was delivered to the recipient (email address excised above for privacy). So it appears at 00:08:07 an SMTP connection was started and it finished at 00:08:09 from the point of view of the application. At 00:08:11 the firewall started rejecting packets the gateway was still trying to send to the other side.
Is this because the host tried to retransmit the FIN or something? Note that net.inet.ip.fw.dyn_fin_lifetime: 1 is set to the default value. Is this just too short? If so, why don't I see it when I run firewall_type=simple? Comments? Suggestions?
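An added example (my own code, not the poster's or ipfw's) that automates the correlation done by hand above: it parses the ipfw deny lines and the smtpd lines, and for every deny of outbound port-25 traffic reports how many seconds after the application's last logged activity with that peer it occurred, flagging any that fall later than net.inet.ip.fw.dyn_fin_lifetime. The sample lines are constructed from the ones quoted in the post, and the year 2003 is assumed because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed samples, copied from the lines quoted in the post.
IPFW_LOG = """\
Apr 11 00:08:11 gate /kernel: ipfw: 3600 Deny TCP 205.179.65.162:25 207.217.120.19:33296 out via xl1
Apr 11 00:09:09 gate /kernel: ipfw: 3600 Deny TCP 205.179.65.162:25 216.187.127.114:40614 out via xl1
Apr 11 00:09:14 gate /kernel: ipfw: 3600 Deny TCP 205.179.65.162:25 207.217.120.19:33296 out via xl1
"""
SMTPD_LOG = """\
Apr 11 00:08:07 gate smtpd[61280]: SMTP HELO from deathrow.mail.pas.earthlink.net(207.217.120.19) as "deathrow.mail.pas.earthlink.net"
Apr 11 00:08:09 gate smtpd[61280]: Received 26296 bytes of message body from deathrow.mail.pas.earthlink.net(207.217.120.19)
"""

IPFW_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ /kernel: ipfw: (\d+) Deny (\w+) "
                     r"(\S+):(\d+) (\S+):(\d+) (in|out) via (\S+)")
SMTPD_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ smtpd\[\d+\]: .*\((\d+\.\d+\.\d+\.\d+)\)")

def ts(stamp, year=2003):
    """syslog timestamps carry no year; 2003 is assumed from the post's date."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def parse_ipfw(text):
    """Return one dict per 'Deny' line; 'last message repeated' lines are skipped."""
    out = []
    for line in text.splitlines():
        m = IPFW_RE.match(line)
        if m:
            out.append({"time": ts(m[1]), "rule": int(m[2]), "proto": m[3],
                        "src": m[4], "sport": int(m[5]), "dst": m[6],
                        "dport": int(m[7]), "dir": m[8], "iface": m[9]})
    return out

def last_app_activity(text):
    """Map peer IP -> timestamp of the last smtpd line that mentions it."""
    last = {}
    for line in text.splitlines():
        m = SMTPD_RE.match(line)
        if m:
            last[m[2]] = max(last.get(m[2], ts(m[1])), ts(m[1]))
    return last

def correlate(ipfw_text, smtpd_text, fin_lifetime=1):
    """For each outbound TCP deny with local source port 25 and a peer seen by
    smtpd, return (peer, peer_port, seconds_after_last_app_activity, exceeds)."""
    last = last_app_activity(smtpd_text)
    report = []
    for d in parse_ipfw(ipfw_text):
        if d["proto"] != "TCP" or d["sport"] != 25 or d["dst"] not in last:
            continue
        delta = (d["time"] - last[d["dst"]]).total_seconds()
        report.append((d["dst"], d["dport"], delta, delta > fin_lifetime))
    return report
```

Peers that never appear in the smtpd log (216.187.127.114 above) are left out, so a real run would want the full maillog rather than the excerpt.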