Date:      Mon, 06 May 2002 00:46:58 +0200
From:      Jens Rehsack <rehsack@liwing.de>
To:        "Karsten W. Rohrbach" <karsten@rohrbach.de>
Cc:        Michael Riexinger <mailinglists@grindking.de>, freebsd-stable@freebsd.org
Subject:   Re: ipfilter problem
Message-ID:  <3CD5B662.26298116@liwing.de>
References:  <20020504223450.GA1025@grind.grind.dom> <20020505152314.B73550@mail.webmonster.de> <20020505133204.GA667@grind.grind.dom> <20020505184630.A76286@mail.webmonster.de>

"Karsten W. Rohrbach" wrote:
> 
> Michael Riexinger(mailinglists@grindking.de)@2002.05.05 15:32:04 +0000:
> > On Sun May  5 15:23:14 2002, Karsten W. Rohrbach wrote:
> > > the problem can only be analyzed efficiently if you show us the rest of
> > > the ruleset. anything else is pure guesswork, based on assumptions about
> > > your ipf configuration.
> > >
> > > regards,
> > > /k
> > Ok, here they are. But I wonder why it worked without problems with
> > previous versions of FreeBSD/ipfilter. With netstat I can see FIN_WAIT_1
> > states to the newsserver.
> > (tcp4       0      0  dialin-212-144-1.49368 news.fu-berlin.d.nntp
> > FIN_WAIT_1)
> >
> >
> > pass in quick on lo0 all
> > pass out quick on lo0 all
> >
> > pass in quick on ed0 all
> > pass out quick on ed0 all
> >
> > pass out quick on isp0 proto tcp/udp from any to any keep state
> 
> pass out quick on isp0 proto tcp from any to any flags S/SA keep state
> pass out quick on isp0 proto udp from any to any keep state
I don't use the flags, but my ruleset works. But I have seen many times
(others and me, too) people getting confused about the "last rule match" and
the "quick leaves promptly" behaviour.

I do the following: I write all global rules at the top of the file/section,
in this case the 3 lines with "return-unr". Then I specialize in the next
lines using "quick" rules.

This works, if I do not write it after the 4th beer. But sometimes even then ;-)

Jens

> 
> instead of the above one line should work. if it doesn't then give me a
> slap on the head, i'm still a bit drunk from yesterday ;-)
> 
> > pass out quick on isp0 proto icmp from any to any keep state
> >
> > pass in quick on isp0 proto tcp from any to any port = 80
> > pass in quick on isp0 proto tcp from any to any port = 60000
> >
> > block return-icmp-as-dest(host-unr) in log quick on isp0 proto icmp from
> > any to any
> > block return-rst in log quick on isp0 proto tcp from any to any
> > block return-icmp(port-unr) in log quick on isp0 proto udp from any to
> > any
> >
> 
> 'ipfstat -s' on your box will tell you about state statistics.
> 
> when you reload your rule set for testing, you should invoke it like
> 'ipf -Fa -FS -f/etc/ipf.rules' or similar, just to kick out the old
> state table.
> 
> 'ipfstat -t' gives you a "top" style display of current states, so you
> can check them in realtime.
> 
> regards,
> /k
> 
> --
> > MCSE: Minesweeper Consultant & Solitaire Engineer
> WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD
> http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
> GnuPG:   0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4  A113 B393 6BF4 DEC9 48A6
> REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
> REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C  5F 0B E0 6B 4D CD 8C 44
> My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
> Please do not remove my address from To: and Cc: fields in mailing lists. 10x
> 

-- 
L     i  W     W     W  i                 Jens Rehsack
L        W     W     W
L     i   W   W W   W   i  nnn    gggg    LiWing IT-Services
L     i    W W   W W    i  n  n  g   g
LLLL  i     W     W     i  n  n  g   g    Friesenstraße 2
                                  gggg    06112 Halle
                                     g
                                 g   g
Tel.:  +49 - 3 45 - 5 17 05 91    ggg     e-Mail: <rehsack@liwing.de>
Fax:   +49 - 3 45 - 5 17 05 92            http://www.liwing.de/
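The two ipf behaviours this thread turns on, "last matching rule wins" unless a rule says "quick", and "keep state" letting a reply in without any inbound pass rule, are easy to get wrong by reading rules top to bottom. The simulator below is an added example written for this archive page; it is neither code from any message in the thread nor part of IP Filter itself. It implements only the subset of ipf rule syntax that appears in Michael's ruleset, models the state table as a plain set with no timeouts, uses constructed RFC 5737 addresses, and assumes ipf's documented default of passing a packet that matches no rule. The `order_demo` function goes slightly beyond the thread: it runs the same two rules in both orders, with and without "quick", so the inversion Jens warns about is visible directly.

```python
"""Toy model of ipf rule evaluation: last-match, 'quick', and 'keep state'.
Added example (not ipfilter code); rule syntax covered is the thread's subset.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    iface: str
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # TCP SYN set, ACK clear: a new connection

@dataclass
class Rule:
    action: str                          # "pass" or "block"
    direction: str
    quick: bool = False
    iface: Optional[str] = None
    protos: Optional[frozenset] = None   # None = any protocol
    port: Optional[int] = None           # destination port, None = any
    keep_state: bool = False
    syn_only: bool = False               # 'flags S/SA'
    text: str = ""

def parse_rule(line: str) -> Rule:
    """Parse the subset of ipf syntax used in the thread's ruleset."""
    toks = line.split()
    rule = Rule(action=toks[0], direction="", text=line)
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule.direction = t
        elif t == "quick":
            rule.quick = True
        elif t == "on":
            i += 1; rule.iface = toks[i]
        elif t == "proto":
            i += 1; rule.protos = frozenset(toks[i].split("/"))   # 'tcp/udp'
        elif t == "port":
            i += 2; rule.port = int(toks[i])                      # 'port = N'
        elif t == "flags":
            i += 1; rule.syn_only = toks[i] == "S/SA"
        elif t == "keep":
            i += 1; rule.keep_state = toks[i] == "state"
        # 'log', 'all', 'from any to any' and the return-* options carry no
        # matching information in this model and are skipped.
        i += 1
    return rule

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.protos is None or pkt.proto in rule.protos)
            and (rule.port is None or rule.port == pkt.dport)
            and (not rule.syn_only or pkt.syn_only))

def state_key(pkt: Packet):
    """Direction-independent key so the reply matches the state of the request."""
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

def evaluate(rules, pkt: Packet, state: set):
    """Return (verdict, reason). The state table is consulted before the rules;
    otherwise the LAST matching rule wins unless a matching rule is 'quick'."""
    key = state_key(pkt)
    if key in state:
        return "pass", "state table"
    verdict, winner = "pass", None      # ipf default: unmatched packets pass
    for rule in rules:
        if matches(rule, pkt):
            verdict, winner = rule.action, rule
            if rule.quick:
                break
    if verdict == "pass" and winner is not None and winner.keep_state:
        state.add(key)
    return verdict, (winner.text if winner else "no rule matched (default)")

# Michael's ruleset as quoted in the thread (wrapped lines rejoined).
THREAD_RULES = [parse_rule(l) for l in """
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on ed0 all
pass out quick on ed0 all
pass out quick on isp0 proto tcp/udp from any to any keep state
pass out quick on isp0 proto icmp from any to any keep state
pass in quick on isp0 proto tcp from any to any port = 80
pass in quick on isp0 proto tcp from any to any port = 60000
block return-icmp-as-dest(host-unr) in log quick on isp0 proto icmp from any to any
block return-rst in log quick on isp0 proto tcp from any to any
block return-icmp(port-unr) in log quick on isp0 proto udp from any to any
""".strip().splitlines()]

def nntp_session():
    """Outbound NNTP: the SYN creates state, the SYN/ACK rides in on it."""
    state = set()
    syn = Packet("out", "isp0", "tcp", "10.0.0.2", 49368, "192.0.2.10", 119, syn_only=True)
    synack = Packet("in", "isp0", "tcp", "192.0.2.10", 119, "10.0.0.2", 49368)
    return evaluate(THREAD_RULES, syn, state)[0], evaluate(THREAD_RULES, synack, state)

def unsolicited_tcp():
    """Inbound TCP with no state and no matching pass rule hits 'block return-rst'."""
    pkt = Packet("in", "isp0", "tcp", "192.0.2.10", 119, "10.0.0.2", 49368, syn_only=True)
    return evaluate(THREAD_RULES, pkt, set())

def order_demo(quick: bool):
    """Same two rules in both orders: last-match without 'quick', first-match with it."""
    q = "quick " if quick else ""
    blk = parse_rule(f"block in {q}on isp0 proto tcp from any to any")
    web = parse_rule(f"pass in {q}on isp0 proto tcp from any to any port = 80")
    pkt = Packet("in", "isp0", "tcp", "198.51.100.7", 40000, "10.0.0.2", 80, syn_only=True)
    return evaluate([blk, web], pkt, set())[0], evaluate([web, blk], pkt, set())[0]

if __name__ == "__main__":
    print("nntp session  :", nntp_session())
    print("unsolicited   :", unsolicited_tcp())
    print("no quick      :", order_demo(False), "(block,pass) -> last match wins")
    print("with quick    :", order_demo(True), "(block,pass) -> first match wins")
```

Run it as a script to see the four cases. The `order_demo` result is the whole point of Jens's advice: with the block rule first and no `quick`, the later pass rule wins; add `quick` to both and the verdict flips, because evaluation now stops at the block. Putting the general block rules at the top without `quick` and the specific `quick` pass rules below them, as he describes, gives the same answer under either reading.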
