From owner-freebsd-ipfw@FreeBSD.ORG Tue May 10 06:36:43 2005
From: Simon Litchfield
To: freebsd-ipfw@freebsd.org
cc: Joshua Paech
Date: Tue, 10 May 2005 16:36:35 +1000
Message-ID: <42805673.2070401@quo.com.au>
Subject: IPFW2 statefulness over bridge?

Hi. We've noticed ipfw2 doesn't seem to maintain state on outgoing connections over our bridge (running 5.3 GENERIC). A similar configuration worked fine using pf on OpenBSD. Are we missing something? Here's the guts of our rule script --

.... some init stuff here .....
# allow arps (oh yeah, this is important)
ipfw add allow layer2 mac-type arp

# deny spurious source addresses and spoof attempts
ipfw add deny log all from $addr_rfc1918 to any in via $ext_if
ipfw add deny log all from any to $addr_rfc1918 out via $ext_if
ipfw add deny log all from 'table(0)' to any in via $ext_if
ipfw add deny log all from any to 'table(0)' out via $ext_if
ipfw add deny log all from me to any in via $ext_if

# deny illegal TCP flag combinations
ipfw add deny log tcp from any to any tcpflags fin,urg,psh
ipfw add deny log tcp from any to any tcpflags syn,fin,rst,ack
ipfw add deny log tcp from any to any tcpflags '!syn,!fin,!ack'

.... a bunch of allows for the usual tcp/udp ports like 80 etc to various servers 'inside' the bridged network go here ....

# leave the inside of the firewall open
ipfw add allow layer2 via $int_if

# allow loopback
ipfw add allow ip from 127.0.0.0/8 to 127.0.0.0/8

# allow firewalled addresses to make any outgoing connections
ipfw add allow ip from 'table(0)' to any setup keep-state
ipfw add allow ip from me to any setup keep-state

# firewalling UDP is pretty pointless
ipfw add allow udp from any to any

# catch-all allows (these two keep-state rules admit new TCP connections from either side), then the final denys
ipfw add allow icmp from any to any
ipfw add allow tcp from any to any setup keep-state
ipfw add allow ip from any to any setup keep-state
ipfw add reset tcp from any to any
ipfw add unreach port udp from any to any
ipfw add deny log ip from any to any

-- 
Quo Consulting
info@quo.com.au
http://www.quo.com.au/
Phone +61 (0)7 5520 2665
Fax +61 (0)2 8569 2377
Level 3 : Old Burleigh Theatre Arcade
66 Goodwin Terrace : Burleigh Heads
Queensland : Australia
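The rule set above has no explicit check-state rule, so dynamic rules are only consulted when evaluation reaches the first keep-state rule, and several static rules sit ahead of it. The script below is an added example, not the poster's script or any FreeBSD project code: it rebuilds the same shape of rule set with an explicit check-state placed ahead of every static allow/deny that could otherwise swallow the reply half of a recorded connection, keeps the denies at the end, and carries a dry-run mode plus a self-check that the ordering property holds. Interface names (fxp0/fxp1), the sample address in table 0 and the inbound service are constructed assumptions; whether the bridge hands frames to ipfw at all depends on the bridge(4) and ipfw(8) sysctls of your release, which this script deliberately does not set.

```sh
#!/bin/sh
# Added example, not the original poster's script. Rule set for an ipfw2
# bridging firewall with check-state ahead of the static rules.
# Interface names, table contents and the inbound service are assumptions.
# Usage: sh ipfw-bridge.sh dry-run   (print the rules)
#        sh ipfw-bridge.sh load      (apply them with ipfw(8))

ext_if=${ext_if:-fxp0}
int_if=${int_if:-fxp1}
addr_rfc1918="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"

# ipfw_cmd applies one ipfw command, or prints it when DRYRUN=1.
ipfw_cmd() {
    if [ "${DRYRUN:-}" = 1 ]; then
        echo "ipfw $*"
    else
        ipfw -q "$@"
    fi
}

# build_ruleset emits the complete rule set in evaluation order.
build_ruleset() {
    ipfw_cmd -f flush
    ipfw_cmd table 0 flush
    # Constructed sample: the public host behind the bridge that we protect.
    ipfw_cmd table 0 add 203.0.113.10

    # ARP must pass or the bridge stops forwarding.
    ipfw_cmd add 100 allow layer2 mac-type arp

    # Anti-spoofing: private and "our" addresses never arrive from outside
    # and never leave towards it.
    ipfw_cmd add 200 deny log ip from $addr_rfc1918 to any in via $ext_if
    ipfw_cmd add 210 deny log ip from any to $addr_rfc1918 out via $ext_if
    ipfw_cmd add 220 deny log ip from 'table(0)' to any in via $ext_if
    ipfw_cmd add 230 deny log ip from me to any in via $ext_if

    # Illegal TCP flag combinations.
    ipfw_cmd add 300 deny log tcp from any to any tcpflags fin,urg,psh
    ipfw_cmd add 310 deny log tcp from any to any tcpflags syn,fin,rst,ack
    ipfw_cmd add 320 deny log tcp from any to any tcpflags '!syn,!fin,!ack'

    # Dynamic rules are consulted here, before any static allow/deny below
    # could match the return packets of a connection recorded by keep-state.
    ipfw_cmd add 400 check-state

    # Inbound service (constructed sample: one web server in table 0).
    ipfw_cmd add 500 allow tcp from any to 'table(0)' 80 setup keep-state in via $ext_if

    # Outbound: protected hosts and the firewall itself may originate
    # connections; replies are matched by the dynamic rule at 400.
    ipfw_cmd add 600 allow tcp from 'table(0)' to any setup keep-state
    ipfw_cmd add 610 allow udp from 'table(0)' to any keep-state
    ipfw_cmd add 620 allow ip from me to any keep-state

    # ICMP needed for path MTU discovery, ping and traceroute replies.
    ipfw_cmd add 700 allow icmp from any to any icmptypes 0,3,8,11

    # Everything else is rejected; the logging deny is last so the log shows
    # only traffic that fell through the whole rule set.
    ipfw_cmd add 900 reset tcp from any to any
    ipfw_cmd add 910 unreach port udp from any to any
    ipfw_cmd add 65000 deny log ip from any to any
}

# first_rule_number prints the number of the first dry-run rule matching
# the given regex, or nothing if no rule matches.
first_rule_number() {
    DRYRUN=1 build_ruleset | awk -v pat="$1" '$2 == "add" && $0 ~ pat { print $3; exit }'
}

# check_state_first succeeds only when check-state precedes every keep-state
# rule, the ordering property this script exists to demonstrate.
check_state_first() {
    cs=$(first_rule_number 'check-state')
    ks=$(first_rule_number 'keep-state')
    [ -n "$cs" ] && [ -n "$ks" ] && [ "$cs" -lt "$ks" ]
}

case "${1:-}" in
    dry-run) DRYRUN=1 build_ruleset ;;
    load)    check_state_first && build_ruleset ;;
esac
```

Run it with dry-run first and read the output top to bottom; the load mode refuses to apply anything unless the self-check passes. The antispoof denies stay ahead of check-state on purpose: a dynamic rule is keyed on the exact address pair, so a forged RFC1918 source can never match one, and dropping such packets before the state lookup keeps them out of the dynamic table entirely.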