Date: Sat, 27 Jul 2002 00:08:31 +0200
From: "Jo B. Grasmo" <needle+ipfw@verloid.net>
To: Luigi Rizzo <rizzo@icir.org>
Cc: ipfw@freebsd.org
Subject: Re: IPFW2
Message-ID: <20020727000831.A2252@resentment.verloid.net>
In-Reply-To: <20020725104256.B806@iguana.icir.org>; from rizzo@icir.org on Thu, Jul 25, 2002 at 10:42:56AM -0700
References: <20020725125346.A8987@dustpuppy.world-online.no> <20020725104256.B806@iguana.icir.org>
On Thu, Jul 25, 2002 at 10:42:56AM -0700, Luigi Rizzo wrote:
| On Thu, Jul 25, 2002 at 12:53:46PM +0200, Jo B. Grasmo wrote:
(...)
| > IPFW1 also rewrote rules like this:
| >   ipfw add 2000 allow tcp from any to 10.1.1.1 22 in via xl0 setup keep-state
| > into this:
| >   02000 allow tcp from any to 10.1.1.1 22 keep-state in recv xl0 setup
| >
| > IPFW2 doesn't, which broke my scripts.
|
| because "via" is different from "recv" :) though i agree that
| "in via" can never match an output interface because there isn't one.

Quite, but also notice that "keep-state" is moved from after "setup" to
after the port number.

With IPFW2 you can add the "keep-state, setup, via, in, <interface>" options
in almost whichever order you prefer, and they're displayed exactly like you
typed them. The flexibility when adding rules might be nice, but I'd like
some consistency when they are displayed.

Examples:

  allow tcp from any to 10.1.1.1 22 setup setup setup
  allow tcp from any to 10.1.1.1 22 setup in keep-state via xl0 setup
  allow tcp from any to 10.1.1.1 22 keep-state setup in via xl0 via lo0 in via xl1

All 3 seem to work, but what exactly the side-effects of the last one are I
haven't had a chance to test yet.

I discovered another curiosity. This rule works as expected:

  allow tcp from any to 10.1.1.1 22 via xl0 in setup keep-state

But this seems to also trigger on already established connections:

  allow tcp from any to 10.1.1.1 22 keep-state in via xl0 setup

Having "65000 allow ip from any to any" and adding the above rule results in
this:

  # ipfw -atd list
  01000 36 3216 Fri Jul 26 23:46:03 2002 allow tcp from any to 10.1.1.1 22 keep-state in via xl0 setup
  65000 9983 1629861 Fri Jul 26 23:46:03 2002 allow ip from any to any
  65535 216625 26858297 Thu Jul 25 13:17:10 2002 deny ip from any to any
  ## Dynamic rules (1):
  01000 8 704 (1s) STATE tcp 10.1.1.2 3807 <-> 10.1.1.1 22

If I have 2 connections open to the box when I add the rule, and there's
activity on both connections, I get 2 dynamic rules like the one above
listed.

Of course, I'm also getting a lot of "/kernel: install_state: entry already
present, done" in my logs, so I'm guessing this is related to the
overloading you mentioned earlier.

Regards,
Jo B. Grasmo
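The ordering and duplication problems raised in this message can be caught before a rule is loaded. The following is an added example, not code from the thread or from ipfw itself: a small Python checker that parses the rule text, flags options given more than once or with conflicting interface names, and re-emits the rule in the display order IPFW1 used (including the "in via xl0" to "in recv xl0" rewrite quoted above). The option list and the parsing of ports after the destination are simplifications assumed for this example.

```python
from collections import Counter

# Display order IPFW1 used in the thread's example: "... keep-state in recv xl0 setup"
OPTION_ORDER = ["keep-state", "in", "out", "recv", "xmit", "via", "setup"]
IFACE_OPTS = {"recv", "xmit", "via"}  # these take an interface name
KNOWN = set(OPTION_ORDER)

def parse_rule(rule):
    """Split 'action proto from src to dst [ports] options...' into
    (header tokens, [(keyword, interface-or-None), ...])."""
    tokens = rule.split()
    i = tokens.index("to") + 2  # skip "to <dst>"
    while i < len(tokens) and tokens[i] not in KNOWN:
        i += 1  # optional destination ports
    header, opts = tokens[:i], []
    while i < len(tokens):
        kw = tokens[i]
        if kw not in KNOWN:
            raise ValueError(f"unsupported option {kw!r}")
        arg = tokens[i + 1] if kw in IFACE_OPTS else None  # interface name
        opts.append((kw, arg))
        i += 1 if arg is None else 2
    return header, opts

def lint(rule):
    """Report options given more than once and more than one interface name."""
    _, opts = parse_rule(rule)
    counts = Counter(kw for kw, _ in opts)
    findings = [f"{kw} given {n} times" for kw, n in counts.items() if n > 1]
    ifaces = sorted({arg for kw, arg in opts if kw in IFACE_OPTS})
    if len(ifaces) > 1:
        findings.append("conflicting interfaces: " + ", ".join(ifaces))
    return findings

def canonical(rule):
    """Re-emit the rule in IPFW1's display order; the first occurrence of each
    option wins, and 'in via X' is printed as 'in recv X' as IPFW1 did."""
    header, opts = parse_rule(rule)
    first = {}
    for kw, arg in opts:
        first.setdefault(kw, arg)  # keep the first value of a repeated option
    if "in" in first and "via" in first and "recv" not in first:
        first["recv"] = first.pop("via")
    parts = list(header)
    for kw in OPTION_ORDER:
        if kw in first:
            parts += [kw] if first[kw] is None else [kw, first[kw]]
    return " ".join(parts)
```

Running lint() over a rule file before `ipfw add` makes the "setup setup setup" and "via xl0 via lo0 via xl1" cases visible instead of silently accepted, and canonical() gives scripts a stable form to compare against `ipfw list` output.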