Date: Tue, 5 Jun 2007 23:31:25 +0200
From: "Robert Usle" <robertus.n@gmail.com>
To: freebsd-ipfw@freebsd.org
Subject: ipfw tcp/udp dropping - why ?
Message-ID: <3713853f0706051431u26528562u85cc237f1e41c533@mail.gmail.com>
Hello,

I'm not sure if my ruleset is correct, but I've noticed a strange ruleset behavior.

OS: FreeBSD 4.11-STABLE #7

Here's my ruleset.

desc:
table 5 ip+bw for download
table 6 ip+bw for upload ($ip,$bw)
table 1 (ip, hosts allowed to use internet)
NAT via IPNAT + patch for ipnat/ipfw order

-------------
## sysctls
sysctl -w net.inet.ip.fw.one_pass=0
sysctl -w net.inet.ip.fw.dyn_max=10000

# Flush rules
##############
${fwcmd} -fq flush
${fwcmd} -f pipe flush
${fwcmd} -f queue flush
${fwcmd} zero
${fwcmd} table 1 flush
${fwcmd} table 5 flush
${fwcmd} table 6 flush

myip="x.x.x.x"
int_if1="rl0"
int_if2="rl1"
ext_if1="xl0"
trusted="x.x.x.y,z.z.z.z"
up_conn_limit=20
down_conn_limit=20
goodtcptoports="22,21,25,80,110,443,3389,3306,8074,995,993,567"

## trusted hosts
${fwcmd} add 20 allow ip from $trusted to me
${fwcmd} add 20 allow ip from me to $trusted

# me -> outside PASS
${fwcmd} add 30 allow tcp from me to any out setup keep-state
${fwcmd} add 30 allow udp from me to any out keep-state

${fwcmd} add 100 set 1 allow ip from any to any via lo0
${fwcmd} add 110 set 1 deny ip from any to 127.0.0.0/8
${fwcmd} add 120 set 1 deny ip from 127.0.0.0/8 to any

# netbios BLOCK
${fwcmd} add 130 deny ip from any to any 137-139

# icmp
${fwcmd} add 140 allow icmp from any to any

${fwcmd} add 150 allow ip from any to any via $int_if1
${fwcmd} add 150 allow ip from any to any via $int_if2

# SNORT p2p (table 1 = hosts allowed for internet usage)
${fwcmd} add 160 divert 8000 ip from table\(1\) to any
${fwcmd} add 161 divert 8000 ip from any to table\(1\)

# these are pipes with mask src-addr 0xffffffff ipfw table($ip,$bw)
${fwcmd} add 10001 pipe 11 ip from any to table\(5,2048\) in recv $ext_if1
${fwcmd} add 10002 pipe 13 ip from any to table\(5,256\) in recv $ext_if1
${fwcmd} add 10003 pipe 15 ip from any to table\(5,512\) in recv $ext_if1
${fwcmd} add 10004 pipe 18 ip from any to table\(5,128\) in recv $ext_if1
${fwcmd} add 10005 pipe 19 ip from any to table\(5,1024\) in recv $ext_if1

${fwcmd} add 10006 pipe 12 ip from table\(6,2048\) to any out xmit $ext_if1
${fwcmd} add 10007 pipe 14 ip from table\(6,256\) to any out xmit $ext_if1
${fwcmd} add 10008 pipe 16 ip from table\(6,512\) to any out xmit $ext_if1
${fwcmd} add 10009 pipe 17 ip from table\(6,128\) to any out xmit $ext_if1
${fwcmd} add 10010 pipe 20 ip from table\(6,1024\) to any out xmit $ext_if1

${fwcmd} add 45000 check-state

${fwcmd} add 45100 allow tcp from table\(1\) to any not $goodtcptoports out xmit $ext_if1 setup limit src-addr $up_conn_limit
${fwcmd} add 45200 allow udp from table\(1\) to any out xmit $ext_if1 limit src-addr $up_conn_limit

${fwcmd} add 45300 allow tcp from table\(1\) to any out xmit $ext_if1 setup keep-state
${fwcmd} add 45400 allow udp from table\(1\) to any out xmit xl0 keep-state

# outside -> me PASS
${fwcmd} add 64000 allow tcp from any to me 80,443,22 setup keep-state

# outside -> LAN hosts PASS
${fwcmd} add 64100 allow tcp from any to 10.0.5.36 3389 setup keep-state

${fwcmd} add 65000 deny log logamount 10000000 ip from any to any
-------- ENDRULES --------------

Though I see http working, I notice in ipfw logs in rule 65000:

Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3182 38.99.77.44:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3180 38.99.77.44:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.62:2259 62.129.240.58:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3204 85.25.133.18:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3171 209.172.60.89:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3079 207.44.164.103:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3080 207.44.164.103:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.0.91:1353 213.180.131.42:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3203 85.25.133.18:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3202 85.25.133.18:80 out via xl0
....

Shouldn't this be handled by:

${fwcmd} add 45300 allow tcp from table\(1\) to any out xmit $ext_if1 setup keep-state

?

Thanks,
-- 
Robert
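Added example, not part of Robert's post or of FreeBSD's own tools: a small Python triage script for the FreeBSD 4.x ipfw syslog format quoted above. It parses each "ipfw: <rule> Deny <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>" line, aggregates the denies by rule, protocol, direction, interface and destination port, and flags denied packets whose source address is still a private (RFC 1918) address on the external interface, which tells you ipfw saw the packet before NAT rewrote it. The sample input is taken from the log lines in the post; the function names and the regular expression are this example's own.

```python
import re
import ipaddress
from collections import Counter

# Sample input: a subset of the ipfw log lines quoted in the post above.
SAMPLE_LOG = """\
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3182 38.99.77.44:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.70:3180 38.99.77.44:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.6.62:2259 62.129.240.58:80 out via xl0
Jun 5 23:28:28 wall /kernel: ipfw: 65000 Deny TCP 10.0.0.91:1353 213.180.131.42:80 out via xl0
"""

# Field layout of the TCP/UDP log lines as they appear in the post (assumption:
# this is the only layout we need to handle; ICMP lines use a different one and
# are skipped because they do not match).
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)


def parse_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize(log_text):
    """Count Deny events per (rule, proto, direction, iface, dport) and per source host."""
    by_flow = Counter()
    by_src = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        by_flow[(rec["rule"], rec["proto"], rec["direction"], rec["iface"], rec["dport"])] += 1
        by_src[rec["src"]] += 1
    return by_flow, by_src


def private_sources(log_text, ext_iface="xl0"):
    """Source addresses denied while leaving on the external interface that are still
    RFC 1918 private addresses, i.e. ipfw evaluated them before NAT translated them."""
    found = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        if rec["direction"] == "out" and rec["iface"] == ext_iface:
            if ipaddress.ip_address(rec["src"]).is_private:
                found.add(rec["src"])
    return found


if __name__ == "__main__":
    flows, srcs = summarize(SAMPLE_LOG)
    for key, n in flows.most_common():
        rule, proto, direction, iface, dport = key
        print(f"rule {rule}: {n} x {proto} {direction} via {iface} to port {dport}")
    for src, n in srcs.most_common():
        print(f"  {src}: {n} denies")
    print("private sources seen on the external interface:", sorted(private_sources(SAMPLE_LOG)))
```

Run it against /var/log/security (or wherever ipfw's logamount output lands) instead of SAMPLE_LOG to get the same breakdown for a real ruleset. On the sample lines every deny is outbound TCP to port 80 on xl0 from a 10.0.0.0/8 source, so the packets were still untranslated when rule 65000 caught them; that is the fact to keep in mind when working out which earlier rule should have matched them.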